Skip to main content
Three Questions Investment Committees Should Ask About AI Risk
All Insights
M&A Due Diligence·9 min read·

Three Questions Investment Committees Should Ask About AI Risk

By Dritan Saliovski

Investment committees see more AI-intensive deals every quarter, and the committee process was not designed for the pattern. The traditional IC agenda covers financials, management, market, and thesis. AI risk, when it appears at all, is folded into "technology" and receives a fraction of the scrutiny the magnitude of the exposure warrants. That is a structural gap, not a diligence failure: the questions that surface AI risk are not the questions an IC is built to ask.

The fix is not a new workstream or a longer memo. It is three questions, pitched at the level the committee already operates at, that convert AI from an unexamined assumption into a defined, priced component of the deal. Each has surfaced real issues in real transactions. Each is answerable inside a normal diligence timeline. And each gives the committee something concrete to do when the answer is unsatisfactory.

Key Takeaways

  • The IC process was built for financials, management, market, and thesis. AI risk does not sit cleanly in any of them, so it gets under-scrutinized by default
  • 53% of M&A deals encounter critical cybersecurity issues that jeopardize the transaction (Forescout), and AI widens that surface rather than narrowing it
  • 92% of organizations lack confidence in managing AI risk with current tools (CSA / Oasis, 2026); a target inherits that gap by default
  • Three IC-level questions close the gap: the threshold question (does AI change the threat model or compliance posture), the durability question (how controlled is the AI the value story depends on), and the integration question (what does connecting this asset to the portfolio introduce)
  • AI non-compliance transfers on close. EU AI Act enforcement begins August 2026 with fines up to 3% of global turnover; GDPR remains at 4%. Post-close remediation has an empirical cost and should be priced, not assumed away
53%Share of M&A deals that encounter critical cybersecurity issues jeopardizing the transactionForescout Global M&A Cybersecurity Report
92%Organizations lacking confidence in managing AI risk with current tools; targets inherit this by defaultCSA / Oasis Security, 2026
3% / 4%EU AI Act maximum fine (global turnover) from August 2026, alongside GDPR's 4%; both transfer on closeEuropean Commission

Question One: Does AI Materially Change This Asset's Threat Model or Compliance Posture?

This is the threshold question, and it does real work precisely because it can end the inquiry. If the answer is no, the AI story is not material to the valuation. The committee should ask management to confirm that in writing and move on. There is no value in AI diligence theater on an asset where AI is incidental.

If the answer is yes, the posture of the entire diligence process changes: AI becomes a first-class consideration in every subsequent question rather than a line in the technology section. The useful follow-up is what specifically changes, and the concrete answer almost always lands in four areas at once, the data the company processes, the systems it depends on, the regulatory regimes that apply, and the incident surface. The committee needs a written position on each, because a "yes" without those four specifics is not an answer the committee can underwrite. This is the same discipline we apply to AI in deal diligence generally, covered in AI in diligence: what PE deal teams actually need to check.

Question Two: How Dependent Is the Value Story on AI Behaviors That Aren't Under Strong Control?

This is the durability question, and it is the one most likely to change the price rather than merely the diligence scope. If the investment thesis assumes the target's AI-driven margin expansion continues through the hold period, the committee should ask how the AI behavior that produces that margin is actually controlled.

Three specifics decide it. Is the margin driven by a proprietary model the target controls, or by an external AI provider whose pricing and terms can change under it. Is the capability dependent on a specific employee or small team whose departure would degrade it. Is it subject to a regulatory restriction that could emerge during the hold period. If the value story rests on AI behavior the target does not control, the committee is underwriting a capability, not a business, and that is a materially different risk profile from a traditional thesis. It can still be a good deal, but it should be priced as what it is.

Question Three: What Integration Risks Are Introduced by Connecting This Asset to the Portfolio?

This is the post-close question, and it is where the most unpleasant surprises occur, because they arrive after the committee has already committed.

Three integration risks are worth naming explicitly. When the target's AI agents gain access to acquirer or portfolio-company systems, the blast radius of a compromised agent expands to whatever those systems reach. When the target's AI vendor relationships combine with the acquirer's, a single provider can quietly come to support a material share of portfolio operations, which is concentration risk arriving through the back door. And when the target's AI-driven data flows integrate with the portfolio, they can create new regulated-data exposure that neither side had alone, for instance a US target whose AI capabilities begin processing EU customer data under the acquirer's ownership. Each of these has an incident precedent, each is preventable if surfaced before close, and each becomes expensive if surfaced after. The blast-radius question in particular is why AI agents need their own identity and access discipline, which we set out in you cannot secure AI agents with human-era identity models.

What the Committee Does With the Answers

The three questions are only useful if the committee knows what to do with a weak answer. If all three have clear, sourced answers backed by diligence evidence, the committee can underwrite the AI risk as a defined, priced component of the deal and proceed with confidence. That is the goal: not a clean bill of health, but a measured one.

If one or more answers are vague, the committee has three defensible choices, and should make one of them explicitly: require additional diligence before approval, adjust the price to reflect the unmeasured risk, or decline. What it should not do is approve on the assumption that post-close remediation will quietly resolve the issues. In 2026, remediating AI exposure after close has an empirical cost and timeline. It should be priced into the deal or not taken on, and the committee that treats it as a later technicality is the committee that meets it as a board-level problem eighteen months in. For the parallel view on how AI-heavy targets should be diligenced before they reach the IC, see how deal teams should diligence AI-heavy targets and the risk-committee framing in what technology and risk committees need to know about AI coding tools.

How Innovaiden Approaches It

The three questions are designed to fold into the IC process a committee already runs, not to replace it. Innovaiden works with deal teams and investment committees to make AI risk answerable at IC altitude: framing the threshold, durability, and integration questions for the specific asset, sourcing the evidence that turns each into a defensible position, and providing the decision matrix for what to do when an answer comes back vague. The objective is narrow and practical, that the committee votes on AI risk it has measured and priced, rather than on an assumption it did not know it was making.

Work With Us

Bring AI Risk Into Your IC Process

Innovaiden helps deal teams and investment committees fold AI risk into the existing IC process: the threshold question, the durability question, the integration question, and a decision matrix for what to do when the answers are vague. Reach out to walk through it against a live or upcoming deal.

Get in Touch

Frequently Asked Questions

Why do investment committees need AI-specific questions at all?

Because the standard IC process was built for financials, management, market, and thesis, and AI risk does not sit cleanly in any of them. When AI exposure appears, it is usually folded into 'technology' and receives a fraction of the scrutiny its potential magnitude warrants. AI can change a target's threat model, its regulatory obligations, and the durability of its margins, and each of those is a first-order IC concern rather than a technical detail. Three targeted questions let the committee treat AI as a priced, defined component of the deal rather than an unexamined assumption.

What is the single most important AI question for an IC?

The threshold question: does AI materially change this asset's threat model or compliance posture? If the answer is no, the AI story is not material to the valuation and the committee can confirm that in writing and move on. If the answer is yes, every subsequent diligence question needs to treat AI as a first-class consideration, because the concrete changes typically land in four areas at once: the data the company processes, the systems it depends on, the regulatory regimes that apply, and the incident surface.

How should an IC treat a target whose margins depend on AI?

As a durability question. If the thesis assumes AI-driven margin expansion continues, the committee should ask how the behavior producing that margin is controlled: is it a proprietary model the target owns, or an external provider whose pricing and terms can change; is it dependent on a small team whose departure would degrade it; is it subject to regulatory restriction that could emerge during the hold period. If the value story rests on AI behavior the target does not control, the committee is underwriting a capability rather than a business, which is a different risk profile and should be priced accordingly.

What should an IC do when the AI answers are vague?

Not approve on the assumption that post-close remediation will resolve them. In 2026, remediating AI exposure after close has an empirical cost and timeline, so vagueness has a price. The committee has three defensible choices: require additional diligence before approval, adjust the price to reflect the unmeasured risk, or decline. What it should avoid is treating an unanswered AI question as a technicality to be cleaned up later, because the integration phase is exactly where the unpleasant surprises surface and where they become expensive.

Does AI risk transfer to the acquirer on close?

Yes. A target's AI non-compliance, its uncontrolled model dependencies, and its AI-driven data flows become the acquirer's exposures at close, and integration can amplify them. Connecting a target's AI agents to acquirer or portfolio systems changes the blast radius of a compromised agent; combining AI vendor relationships can create concentration risk; and merging data flows can create new regulated-data exposure, for example a US target whose AI now processes EU customer data under the acquirer's ownership. Each has an incident precedent, each is preventable if surfaced before close, and each is expensive if surfaced after.

Subscribe