AI in M&A: Identifying and Managing the New IP and Data Privacy Risks, The AI Journal

August 7, 2025

Generative AI has been around long enough that many companies have fully embraced its adoption. While most companies have made significant efforts to deploy AI responsibly, others have pursued a more aggressive approach with greater tolerance for the risks. When engaging in a significant corporate transaction such as a merger or acquisition, it will be increasingly important to identify and manage AI-related risks. This article focuses on the intellectual property (IP) and data privacy risks companies should consider when engaging in an M&A or similar transaction that involves a counterparty that has incorporated generative AI into its business.

Due Diligence Process

The due diligence process for a corporate transaction includes identifying the assets and the potential risks and liabilities that the buyer may acquire from the target company. The job of the buyer’s counsel is to work with the buyer to identify the potential risks and liabilities, assess their significance, and propose options to mitigate these risks. In the worst case, these risks and liabilities may compel the buyer to terminate the potential deal.

To effectively undertake the due diligence process, buyer’s counsel should begin by understanding the business, technology, and data assets of the target company and the buyer’s business objectives for making the acquisition. It is important to start with this baseline understanding in order to focus the due diligence on the key potential risks and customize the due diligence inquiries accordingly.

IP Due Diligence for AI

IP Assets

IP due diligence generally involves three lines of inquiry.

The first relates to identifying the target company’s IP assets, which can be categorized as registered IP and unregistered IP. Registered IP includes patents, trademarks, and copyrights that have been filed with a government IP office such as the US Patent and Trademark Office. Unregistered IP includes assets such as trade secrets, proprietary source code, AI models, training data, technical information, proprietary data, and know-how. These assets can be more challenging to identify but they constitute valuable IP assets in most cases.

One of the key AI issues to investigate is whether the target company has protected its unregistered IP from being used by a third-party AI provider to train the third party’s AI models. Some of the AI-focused questions include whether the target company: (a) has an AI governance policy and AI steering committee, (b) has adopted an approved and prohibited list of AI systems, (c) has provided guidance on permitted and prohibited use of company confidential information, (d) has implemented operational controls on excluding sensitive company information from third-party AI models, and (e) provides AI training to its employees.

These operational controls, along with the contract restrictions described in the following section, will reveal how effective the target company has been in protecting its unregistered IP assets. If the target company has not been diligent in protecting its unregistered IP, there may be a significant risk that its trade secrets and proprietary data have been compromised by training third-party AI models. Moreover, if this training has actually taken place, it may be too late to implement any meaningful remedies.

IP Contracts

The second line of inquiry relates to analyzing the target company’s IP and technology contracts such as license agreements and services agreements. In the context of AI, the key terms include confidentiality obligations, restrictions on use of the target’s unregistered IP and data, and IP infringement liability for the use and distribution of AI-generated output. Many of these issues will originate from agreements with AI providers that offer generative AI services.

The confidentiality terms should cover not only the input data that the target company puts into the third-party AI model, but also the AI-generated output which may include confidential information of the target company.

The restrictions on use of the target company’s information should prohibit use for improving any products, services and technologies, and specifically the use for training any AI models. These types of use restrictions are necessary in addition to confidentiality obligations because arguably an AI provider could keep information confidential but nevertheless use it to train its AI models.

Finally, the contract terms should provide an IP indemnification that covers use and distribution of AI-generated output, which is beyond the typical IP indemnification that covers use of the services. Taken together, these contract terms protect the target company’s unregistered IP and provide protection against third party infringement claims for use and distribution of AI-generated content.

IP Infringement Risk

The third type of IP due diligence inquiry relates to evaluating whether the target company is at risk of third party IP infringement claims.

In addition to searching for publicly available IP litigation involving the target company, there are a number of other confidential indicators that should be analyzed. These risks can be identified with questions about whether the target company has obtained any formal opinions on IP infringement or validity or is aware of any third-party allegations of infringement.

The specific infringement risks arising from use of AI relate to training of AI models using third-party content without authorization and use of AI-generated output that infringes third-party IP rights. AI-specific questions should address whether the target company created or fine-tuned any AI models using third-party content without authorization, or has a policy and process for use of AI-generated content, particularly distribution to third parties.

The target company can mitigate this risk with its AI policy which should include a requirement to use any available duplicate detection filters and comply with any other mitigation measures required by AI providers or the target company.

Data Privacy Due Diligence for AI

Compliance with Global Privacy Regulations and AI Laws

Conducting appropriate due diligence on the personal information practices of a target company becomes even more significant given that data is the fuel that powers AI. AI relies on massive volumes of data, including personal information, to train and improve the underlying model. This key characteristic of AI is fundamentally antithetical to the requirements in many global data privacy laws to limit and minimize the collection and storage of personal information.

When acquiring a company that has implemented AI technologies, the buyer should carefully assess the target company’s compliance posture and consider whether it has implemented appropriate policies and procedures for compliance with (1) the comprehensive U.S. state privacy laws, (2) data-specific laws, such as biometric privacy laws, and (3) global privacy laws.

The buyer also should consider whether the target company is subject to any U.S. state AI laws or global AI regimes, such as the EU AI Act. This requires identifying the jurisdictions in which the target company operates, understanding the types of AI technology the target has implemented, determining the kinds of data processing activities in which the target engages involving AI systems, understanding how the company is complying with relevant requirements, and analyzing how the company is managing relevant privacy risks in the context of its AI use.

Failure to comply with relevant global privacy and AI laws can result in significant legal liability and reputational harm for the buyer, making it critical to thoroughly vet the target company’s compliance measures to understand what issues may need remediation and what privacy risks the buyer will be taking on post-closing.

Buyers also should consider how the target is using data with its AI technology to understand whether there are specific information practices that could expose the buyer to privacy and security risks. For example, if a company is using AI technology to make significant automated decisions about individuals and has not implemented any mechanism for users to opt out or object to use of AI for such decision making, the buyer may need to consider scaling back the use of AI for that purpose or implementing new processes to respect individual rights afforded under privacy laws.

In another example, if the target company routinely feeds personal information into AI systems to improve the model, the buyer will need to consider whether the target obtained the appropriate consent to do so. As part of conducting due diligence, the buyer should review the contracts the target has in place with AI service providers and understand how those parties can use the personal information that is input into their AI systems. These service providers often seek to use a company’s personal information to improve their AI models for all their customers. In addition, the buyer should determine whether the target company has an AI governance policy and should review it to understand what limitations on use of personal information in the context of AI the target has put in place.

Conclusion

M&A transactions involving AI are not just about acquiring algorithms – they’re about acquiring an entire data ecosystem, risk profile and governance challenges. Buyers must go beyond the traditional IP and data privacy due diligence considerations and think broadly about the unique challenges associated with acquiring AI technology as part of an M&A deal. In today’s increasingly regulated AI environment, overlooking the entanglement of IP, privacy and AI can turn an attractive merger or acquisition into a long-term liability. With a comprehensive due diligence process, those risks can be effectively identified and managed.


Originally published on August 7, 2025, online with The AI Journal. Reprinted with permission. Further duplication without permission is prohibited. All rights reserved.
