
AI in due diligence: a lens, not a workstream.

Bolt-on AI reviews look at the AI program. The risk is everywhere else.

Every diligence provider now sells an AI module. Most of them are a questionnaire stapled to the back of a report: does the target have an AI strategy, an AI policy, an AI roadmap. Tick, tick, tick. The problem is that AI risk in a mid-market business almost never lives where the questionnaire is pointed.

AI risk does not live in a separate room

In the businesses changing hands today, AI looks like this. A customer support team quietly pasting customer records into a public chatbot because it makes the job faster. An engineering team that bolted a language model API into the product last quarter, with the cost scaling per request. An AI feature on the roadmap that is already priced into the multiple, owned by a team that has never shipped one. None of this is labelled an AI program. All of it moves value.

Where AI actually shows up, domain by domain

Security. The question is not whether there is an AI policy. It is what sensitive data is already flowing into public models, from which teams, and with what access controls.

Vendors and contracts. AI suppliers get contracted casually, often on consumer terms. Data rights, model training clauses, and change-of-control provisions deserve the same scrutiny as any critical supplier.

Cost. AI spend rarely has its own line. It hides inside SaaS subscriptions and cloud bills, and the per-request pricing models scale with exactly the growth the thesis assumes.

People. One enthusiast with a personal subscription is not an AI capability. Diligence should establish who can actually build, evaluate, and operate AI in production.

Roadmap. If AI claims are in the deck that priced the deal, the delivery record behind those claims is a diligence question, not a marketing one.

Operations. Undocumented automations doing real work are inherited liabilities. If a model is making decisions in a workflow, someone needs to own what happens when it is wrong.

Why bolt-on AI reviews miss it

A separate AI workstream interviews whoever owns AI strategy and reviews whatever is labelled AI. Shadow usage is invisible to it by definition, because shadow usage is precisely the AI nobody owns. The only reliable way to find it is to ask AI questions inside every domain: in the security review, the vendor review, the cost review, the people review.

Shadow AI is precisely the AI nobody owns. A workstream pointed at the official program will never find it.

When a dedicated AI assessment is right

There is an honest exception. If the model is the product (an AI-native target whose valuation rests on proprietary models or data), then standalone technical depth on those assets is justified and necessary. For everyone else, which is most of the mid-market, the lens beats the module.

Bridgepoint assesses AI risk and readiness inside every domain of every Tech DD engagement, included by default and never as an upcharge. How our Tech DD works.

Wondering what AI exposure a target is carrying?

A scoping call is confidential and obligation-free.
