Summary
AI investment is growing rapidly, making fundraising and acquisitions more common for AI startups.
- IP – Audit where your training data, code, and outputs came from; ensure licences are in place and ownership is clearly documented.
- Data Protection – Map all personal data flows, anonymise where possible, and have UK GDPR documentation ready (especially a legitimate interests assessment).
- Contracts – Have all customer/supplier agreements reviewed; watch for uncapped indemnities, unbalanced data rights, and unprotected token costs.
- Future Regulations – Get ahead of the EU AI Act (main provisions due 2027) and monitor evolving copyright and AI laws globally.
Bottom line: AI due diligence is more intensive than other sectors. The best thing founders can do is get legally organised early — clean IP, solid contracts, and GDPR compliance will make you far more attractive to investors.
Introduction
The recent commercial success of AI companies has drawn significant attention from investors.
At the top end:
- OpenAI (ChatGPT) raised $122 billion in capital funding in a March 2026 round, giving a valuation of $852 billion.
- Anthropic (Claude) has just filed for an October 2026 IPO with a valuation at $965 billion.
- Silicon Valley Bank recently reported that 163 new AI “unicorns” (startups with venture capital/private equity backing that have achieved a valuation of $1 billion or more) were created in the financial year 2025/2026.
Hamilton Lane and JP Morgan predict that the AI sector will continue to grow, and will do so at an even faster rate than the SaaS era of 2010-2018 and the Dot Com boom of 1997-2006.
This eyewatering growth is not only confined to the major players. AI focused SMEs have also reaped the rewards of private equity and venture capital firms.
As at the end of Q4 2025, over 50% of deal value in venture capital has been directed towards AI-oriented transactions and businesses – a sharp rise from a comparatively mere 20% in 2022. Silicon Valley Bank further predicts that the AI sector will continue to grow not just in North America and the UK but globally, noting that Europe and Asia in particular have increased potential for greater private investment into AI SMEs.
If you are a founder of a young AI company, private investment is going to be a key consideration in plans to scale. Similarly, founders may be looking to exit to move onto new products or to join forces with larger companies.
However, you should be prepared for when such an opportunity arises. Part of the investment process is “due diligence”. As we have detailed in other blog posts, due diligence is:
‘…the process of investigating and verifying key information before entering into a transaction. It allows a buyer, investor or commercial partner to properly understand what they are paying for and the risks they are taking on. It equally allows the seller to give the buyer as much information as is necessary to protect itself from any post-sale claims from the buyer.’
AI tools bring with them a host of legal and compliance complications and uncertainties. Investors are likely to opt for a more expansive and detailed due diligence process when assessing an AI company for investment or acquisition.
In this blog, we will go through what buyers typically pay more attention to in the AI due diligence process and how young AI companies can best prepare for it and prevent any deal-ending blocks.
Intellectual Property in AI due diligence
Why investors are worried
Intellectual property is arguably the largest area of concern for firms investing in AI companies, and potential issues arise around both IP infringement and IP ownership at every aspect of the AI development and deployment process. Investors will most likely be concerned with:
- Training and input data : If your AI model is trained via data mining and/or web scraping, there is a chance that it will be using data which, whilst being publicly available, is subject to copyright. In using this data without obtaining a license, your model will potentially be committing IP infringement. Despite the future of the law in this area being uncertain (as discussed in a previous blog), investors will want reassurance that your model is currently committing as little IP infringement as possible by virtue of this.
- Output data : Generative AI solutions also produce material that, in certain jurisdictions (including the UK), may attract intellectual property protection. Questions will inevitably arise surrounding the ownership of that output. Ownership of output is typically dealt with contractually in your customer agreements (such as an AI-as-a-service agreement). Private investors will want to know about all your agreements and their IP provisions, and, if the output of an AI system is not owned by the developer, whether that is important or not.
- Third party code : Some other aspects of your AI model (e.g. functionalities, algorithms, other open-source components etc.) may have been developed using some third-party software or by engaging a freelancer – that freelancer may use third party code or code that has been open sourced. Investors will want to know if you own all the IP in the AI software, or, if not, whether the necessary licences have been obtained.
- AI generated source code : It is becoming increasingly common for software developers to utilise pre-existing generative AI models (e.g. Claude) to create source code for the platforms they are working on. If this is the case, ensure that AI generated code has been adequately checked from both a quality assurance and intellectual property perspective.
How you can prepare:
- Examine the construction and note the source of each part of your AI model. If any part came from outside your organisation, analyse the documentation governing your use of the external material to see if you are bound by certain IP provisions, and ensure that you obtain the necessary licenses if you have not already done so.
- Conduct a detailed investigation into how your AI model is trained and assess if the data used is subject to copyright, and obtain the licenses necessary to legalise the training of the model. Note that not all copyrighted data (e.g. data from the UK Government website) requires a license to legalise its use – if you are unsure, seek legal advice.
- Review the IP provisions under your current customer agreements to assess the ownership of the generated output or other data, and amend your template documentation for future deployment such that it is more favourable, if necessary.
Data Protection in AI due diligence
Why investors are worried
Similarly to IP law, there is much uncertainty surrounding the future of AI in the context of the UK GDPR. It remains unclear if there will be any reforms to data protection rules to give AI companies easier ways to comply.
Some of the issues include:
- Personal data in training data : if personal data is used to train or improve an AI model, and that personal data is comprised within that model, that is likely to be a form of data processing that will not stop unless the model is deleted. Given the rights that data subjects have to stop the processing of personal data, training in this way can pose a serious commercial risk. If any training data is obtained without the direct knowledge of the data subject, that is considered by the UK data protection regulator as a high-risk form of processing that may attract more scrutiny.
- Bias : AI systems can replicate human bias. Without appropriate oversight, AI systems can perpetuate this bias and cause AI developers to breach the obligation under the UK GDPR to process personal data in a way that is fair.
- Automated decision making : AI tools that can make “decisions” without human input can result in high risks to data subjects if those decisions have significant legal effects on those data subjects (think about credit rating or financial checks). Automated decision making is subject to tighter control under the UK GDPR.
- Processor obligations : almost all providers of AI systems are going to be considered data processors under the UK GDPR. There are specific obligations on data processors that need to be strictly complied with.
- Compliance burden: achieving compliance with the UK GDPR is administratively intensive. Numerous documents, assessments, policies and procedures are required that need to be continually updated and/or enforced.
How you can prepare
Smaller AI companies can prepare by addressing the UK GDPR head on now:
- Data map : one of the best places to start is to document all the personal data flows and personal data sources in your organisation. That is highly compliant with the UK GDPR, and gives a full and comprehensive answer to a question that will be asked by investors: ‘what personal data does your organisation process?’
- Consider the scope of data processing/anonymisation practices : data that is anonymous (that is, data that does not allow the controller to ascertain the identity of the data subject) is not personal data under the UK GDPR. Anonymisation can help reduce a significant amount of data protection risks.
- Policy documentation : reviewing your compliance requirements, in view of the data map, will inform what documentation you need. For example, all organisations need to publish a privacy notice informing data subjects about how their personal data will be processed.
- Legitimate interests assessment : All organisations will rely on legitimate interests to process personal data. Where AI companies use personal data to develop or train their models, legitimate interests is likely the only legal basis that can be relied upon. The UK GDPR requires that organisations relying on legitimate interests carry out an assessment (read more here). The most basic due diligence exercises will request this assessment.
Contracts in AI due diligence
Why investors are worried
Approaches to commercial contracting in the tech space have changed rapidly following the widespread adoption of AI tools.
These approaches are yet to settle, and we have seen a wide variety of different approaches – some better than others.
Investors will be looking at your commercial contracts with close attention, including in relation to:

- Usage restrictions : many AI suppliers, especially at the smaller end of the market, are dependent on the leading AI providers’ infrastructure to make their AI systems work. Each use of an AI by a customer in this scenario will have a downstream cost (the cost of a “token”) that is borne by the AI supplier unless it is passed down to the customer. Pay close attention to how customers are charged or how the supplier is protected from these additional costs.
- Data rights : customers will consistently push to ensure that their data is protected when provided to the AI supplier (e.g. restrictions on training). Drafted incorrectly, certain provisions can favour the customer in an unbalanced way that can limit the supplier’s rights.
- Liability allocation : generative AI is predictive in nature and accuracy is not guaranteed. AI specific disclaimers should be contained in all customer contracts to ensure that liability is properly allocated between the customer and the AI supplier.
- IP indemnities : customers will routinely ask AI suppliers to indemnify them in respect of any claims brought against the customer as a result of using the supplier’s AI system. Crafted too widely, this can result in massive risk exposure.
How you can prepare
Companies that have consistent contracting practices and clearly documented positions on risk allocation are generally in a stronger position during diligence.
As such, it would be best to consider:
- Having any dodgy contracts looked at: bootstrap AI suppliers may never have thought of going to a lawyer to have their contracts reviewed. This should be done from the start of doing business or, if not, as soon as sale or investment is contemplated.
- Developing a negotiation playbook: contract negotiations, whether with customers or suppliers, are typical. Developing a consistent approach to negotiations (e.g. around limit of liability caps) can go a long way in controlling risk.
Future looking compliance
As above, the laws and regulations governing the AI industry are developing rapidly.
The EU AI Act, for example, is partially in force but its main provisions have been delayed until 2027.
Getting ahead of the curve and carrying out an EU AI Act assessment to determine whether its regulation of “high risk” AI systems (read more here) will apply to you is an exercise worth doing. If it does apply, you have time to get prepared; this is a question we see getting asked in due diligence processes already.
Similarly, it is worth staying ahead of changes to global laws affecting AI development. For example, copyright laws in the UK may change to facilitate some form of licensing for AI training materials rather than risking the legal grey areas of web scraping.
Canada has just recently announced forthcoming legislative changes to address AI. The US Government also appears to be mulling over taking regulatory action.
Conclusion
In short, if your AI company is approached for an investment / acquisition, the best position you can be in is to be prepared and organised.
On top of this, you should ensure that your AI models are compliant with IP laws, GDPR, cybersecurity regulations and any other legislation that will dictate the operation of your AI business.
You should also review your current contractual obligations, and revise any contracts such that you are more legally protected if necessary, to increase your attractiveness to private investors.
EM Law are experts in AI law. If you need help navigating AI, the due diligence process, or any of the issues listed above, please contact us here or visit our AI Lawyers, Software & Tech Lawyers, Data Protection Lawyers, and Corporate Law Firm pages for more information.




