AI Due Diligence: A Checklist for Underwriting AI-Heavy Targets

Traditional PE diligence covers revenue quality, customer concentration, gross margin trajectory, and competitive moats. But AI-heavy targets require a separate diligence workstream that lives alongside financial and operational due diligence. This checklist ensures your team asks the right questions before you close.

The AI Diligence Landscape

AI diligence is not about assessing AI maturity or AI roadmaps. It's about understanding AI cost structure, vendor concentration, and operational risk. A company with world-class AI talent but no cost governance is a red flag. A company with a single offshore vendor controlling the entire AI stack is a risk at exit. A company with opaque AI spend across three different cloud accounts and five different vendors is hard to value.

The questions in this checklist are designed for the operating partner and the CFO to ask during diligence. Many of them will reveal that the target company is in stage 1 or 2 on the 5-Stage AI Cost Maturity Curve (Invisible or Tracked), which is not a deal-killer—it's an opportunity for value creation. But you need to know it before you close.

The AI Due Diligence Checklist

1. What is the current baseline AI spend, and where is it hidden?

Ask for a consolidated view of all AI-related costs. Get the company to list: API subscriptions (OpenAI, Anthropic, Google); cloud infrastructure costs tied to inference (AWS SageMaker, Azure OpenAI, GCP Vertex AI); third-party SaaS tools with embedded AI; in-house infrastructure for fine-tuning or hosting models; and any labor costs directly tied to AI development and prompt engineering.

Red flag: The company can't produce this list or gives you a low number ($20K/month) that feels incomplete compared to the headcount you'd expect for AI development. Most mid-market companies underestimate their AI spend by 40-50% because of hidden infrastructure and labor costs.

Green flag: The company has a consolidated spend register, broken down by vendor, business unit, and cost classification (API, infrastructure, labor, or SaaS).

2. Is AI spend accounted for in the financial statements, or is it buried in shadow charges?

Ask: "Can your CFO point to line items in the income statement where AI spend is reflected?" Some companies capitalize AI development as intangible assets (good governance). Others expense it as R&D. Some bury it in cloud infrastructure bills (cost of goods sold or operating expense) with no visibility into how much is actually AI vs. regular compute.

Red flag: AI spend is not visible in any line of the P&L. It's scattered across multiple cost centers or vendors, and the CFO can't tell you a consolidated number.

Green flag: AI spend is clearly categorized, with a clear attribution path to the business unit or product that uses it.

3. What is the cost-per-outcome for each major AI agent or tool?

Ask the company to calculate the cost to run each AI agent that directly contributes to revenue or cost reduction. For a support team, this is cost per resolved ticket. For a claims processor, cost per adjudicated claim. For an underwriting team, cost per processed application.

If the company can't calculate this, they're at stage 1-2 on the maturity curve. If they can, they're at stage 3 or higher.

Red flag: The company has deployed AI agents but has never calculated cost per outcome. They can tell you how many tickets the agent resolved but can't tell you what it cost to resolve them.

Green flag: The company has cost-per-outcome data for major agents, trended over 2-3 months, showing whether efficiency is improving or degrading.

4. What percentage of AI spend is locked into a single vendor?

Ask the company to break down AI spend by vendor. A healthy portfolio has no single vendor representing more than 40-50% of AI spend. If 75%+ of AI spend goes to OpenAI, you have concentration risk: if OpenAI raises prices, your margins compress; if you need to switch vendors (because a better model emerges or OpenAI changes its ToS), you have switching costs.

Red flag: >70% of AI spend concentrated in a single vendor (OpenAI, Anthropic, or a proprietary model). Migration would be painful and expensive.

Green flag: AI spend distributed across 2-3 vendors with clear migration paths documented.

5. Who owns the model weights, the API keys, and the proprietary prompts?

Ask: "If your CTO leaves tomorrow, can you run the AI stack?" If the answer is "no," you have key-person risk. If the model weights are owned by an external vendor, you have portability risk. If the prompts are locked in a private repo that only one engineer understands, you have documentation risk.

Red flag: The company outsourced all AI development to a single contractor or vendor who controls the model weights, the API keys, and the proprietary recipes. The knowledge is not transferable if the vendor leaves.

Green flag: The company has documented the AI stack, the prompts are version-controlled and understood by multiple team members, and the model weights (if proprietary) are owned by the company and stored securely.

6. Are there contractual or technical dependencies on a single AI vendor?

Beyond concentration risk, ask whether the company has locked itself into a contract with an exclusive clause, a volume discount that makes migration expensive, or a technical architecture that depends on one vendor's proprietary features (e.g., a fine-tuned model that can only be deployed on OpenAI's infrastructure).

Red flag: The company has a multi-year contract with a vendor at a steep discount, but the contract includes a volume-lock-in clause (if you stop buying this volume, you lose the discount retroactively). Migration becomes economically painful.

Green flag: The company uses standard APIs (OpenAI, Anthropic, etc.) with no exclusive contracts. Switching vendors requires engineering effort but not legal or financial penalties.

7. What is the current attribution maturity stage for AI spend?

Using the 5-Stage AI Cost Maturity Curve, ask which stage the company is currently at:

• Stage 1 (Invisible): AI spend is buried in shadow charges.
• Stage 2 (Tracked): AI spend has its own line on the bill but isn't broken down.
• Stage 3 (Allocated): AI spend is split across business units.
• Stage 4 (Optimized): AI spend is tied to specific work items with cost-per-outcome KPIs.
• Stage 5 (Governed): AI spend has SLOs, anomaly detection, and board-grade reporting.

Red flag: The company is at stage 1 or 2. This is an opportunity for value creation, but you need to budget operating time to move them to stage 4.

Green flag: The company is at stage 3 or higher. They have cost attribution infrastructure in place, and you can focus on optimization rather than foundation-building.

8. What is the data governance and compliance posture around AI?

Ask: "Are there regulatory constraints on using AI in this business?" Healthcare companies have HIPAA compliance requirements for any AI processing patient data. Financial services have fair lending requirements. Insurance has regulations around algorithmic bias and explainability. If the company is using proprietary AI agents on regulated data, are they documenting explainability and bias testing?

Red flag: The company is using AI on regulated data (healthcare, financial services, insurance) with minimal documentation of explainability or bias testing. Regulatory risk at exit.

Green flag: The company has documentation of data governance, bias testing, and explainability frameworks for AI systems running on regulated data.

9. What is the model performance and drift risk?

Ask the company to provide: (a) the baseline accuracy/precision/recall metrics for each agent, (b) how often they monitor for model drift, and (c) what happens when the model drifts (do they automatically retrain, or does someone notice and manually fix it?).

Red flag: The company deployed the model 12 months ago and hasn't measured performance since. They don't have a drift-detection process. Model performance has likely degraded but nobody knows it.

Green flag: The company has a monitoring dashboard showing model performance metrics, a monthly drift-detection check, and a clear retraining protocol if performance degrades.

10. What infrastructure debt is hidden in the AI stack?

Ask a technical question: "Can you describe the end-to-end architecture for your main AI agent—how is the model invoked, how are results stored, how does it integrate with your business processes?" Often you'll discover: (a) the model is running on a custom-built infrastructure that's fragile; (b) prompts are hard-coded in production code instead of centrally managed; (c) there's no fallback logic if the API goes down; (d) vector databases are not properly indexed, making retrieval slow; or (e) the entire system depends on a deprecated library that will stop being supported next year.

Red flag: The company's AI stack has significant technical debt (deprecated dependencies, fragile custom infrastructure, poor fallback logic). Migration or scaling will be expensive.

Green flag: The company has built the AI stack using standard, well-supported libraries and cloud infrastructure. The architecture is documented and can be transferred to new teams or acquirers.

11. What is the AI-driven margin expansion story, and can it be validated?

This is the critical valuation question. Ask the company: "What portion of your gross margin improvement over the past 12 months came from AI?" If they deployed an AI agent to support claims processing six months ago and saw a 15% improvement in claims throughput without headcount growth, that's concrete evidence of AI-driven margin expansion. If they claim "AI contributed to growth" but can't isolate the contribution, the story is weak.

Red flag: The company claims AI is driving value but can't point to specific financial metrics that validate it. The margin expansion story is anecdotal, not measured.

Green flag: The company can show before-and-after metrics for a specific process: "We deployed the agent, and cost per claim went from $2.10 to $1.40, adding 8 percentage points to gross margin."

12. What is the AI talent and key-person risk?

Ask: "How dependent are you on your current data science team?" If the answer is "very—they wrote the entire system," you have key-person risk. If they leave, you're left with undocumented code and infrastructure. If the answer is "not at all—we have a team of four with good documentation," you're in better shape.

Red flag: The company has a single AI/ML person or a small team where one person leaving would significantly disrupt operations. There's no documentation of the systems they've built.

Green flag: The company has multiple team members who understand the AI systems. Knowledge is documented. You could replace a key person without losing operational continuity.

13. What is the plan for scaling AI across the business?

Ask: "What AI initiatives are in the pipeline?" Is the company planning to expand the agents to new business processes? Are they planning to build new AI capabilities? This tells you whether AI is a one-off experiment or a strategic priority.

Red flag: The company has built one AI agent and has no clear plan to scale. They're not investing in prompt engineering, model evaluation, or new agent development. AI feels opportunistic rather than strategic.

Green flag: The company has a clear roadmap: agent A will be extended to process claims in a new state, agent B will be deployed in Q3, agent C is in pilot. AI is being treated as a strategic capability with planned investment.

14. What is the regulatory and contractual exposure from AI use?

Beyond compliance, ask whether there are customer-facing implications. If the company is using AI to make decisions that affect customers (support agent denying a claim, underwriting system denying a loan application), can customers request human review? Is that capability built into the system? Are there disclosure requirements to customers that you're using AI?

Red flag: The company is using AI to make high-stakes decisions (claim denials, loan rejections) with no human escalation path and no disclosure to customers. Regulatory and reputational risk.

Green flag: The company has a clear escalation protocol: customers can request human review, AI-made decisions are disclosed, and audit trails are maintained.

How to Use This Checklist

For each of the 14 items, assign a red/yellow/green rating. Green means low risk and potential for optimization. Red means risk that needs to be priced into the deal or addressed during the 100-day plan. Yellow means acceptable risk that requires operating focus.

A target that's all green on AI diligence is rare—most mid-market companies are green on cost baseline, yellow on maturity and governance, and red on vendor concentration and infrastructure debt. That's normal. What you're looking for is visibility. If you can identify the gaps and have a plan to fill them, you can model the value creation.

Targets that are all red on AI diligence—opaque spend, high vendor concentration, no cost attribution, heavy key-person risk—are more expensive to fix and require more operating time. Price that into your model.

For detailed guidance on addressing gaps identified in this checklist, refer to the PE Operating Partner Field Guide and the 100-day AI workstream framework.