Retrofit AI maturity before due diligence finds the gaps

TL;DR

Acquirers now audit AI maturity across five dimensions, and delegated AI estates frequently fail these checks because they were built fast and documented never. The fix is a deliberate remediation sequence starting with discovery and documentation, moving through data handling and governance, and ending with a founder dependency audit before the data room opens.

Key takeaways

- Acquirers audit AI maturity across five dimensions: data governance, process integration, ownership clarity, refresh discipline, and founder dependency.
- Delegated AI estates commonly fail due diligence checks because they lack documentation, named ownership, and governance processes.
- Retrofitting AI maturity follows a sequence: discovery first, data handling second, governance third, founder dependency audit last.
- An AI asset register covering tool name, owner, purpose, data classification, and review date is the single most important document to have ready before a data room opens.
- Owner dependency is a significant driver of exit multiple discounts; AI built around founder instincts without documented processes adds to that problem rather than reducing it.

You’ve just been told the business is heading for a sale in eighteen months. The AI programme has been running under your oversight for two years, the tools are embedded in daily workflows, and the outputs are real. The ownership records, refresh protocols, and data handling documentation, however, have never been audited. Working and ready for due diligence are different standards. The gap between them is where acquirers find their discount.

What does acquirer AI due diligence actually check?

Acquirers don’t audit AI maturity to satisfy curiosity. They audit it because an unmanaged AI estate introduces liability, dependency, and operational fragility that erodes enterprise value. Commercial due diligence on AI typically covers five dimensions, and each one can surface a gap that becomes a negotiating lever. The business that addresses them in advance controls the conversation. The one that doesn’t explains itself.

The five dimensions are:

  • Data governance. What data the business uses to power its AI tools, how it’s stored, whether it’s licensed for AI processing, and whether personal data has been handled lawfully under UK GDPR.
  • Process integration. Whether AI is genuinely embedded in operational workflows or exists as a set of individual subscriptions that would disappear if a few employees left.
  • Ownership clarity. For each AI tool in use, who is accountable for it? Delegated AI estates often lack a clean answer.
  • Refresh discipline. How prompts, models, and integrations are kept current. An AI tool configured a year ago and never reviewed is a technical debt item. A whole estate of them is a red flag.
  • Founder dependency. M&A advisors have long identified owner dependency as the single largest driver of exit multiple discounts, with discounts of 30 to 40 per cent common when decisions and processes are founder-centric. An AI estate built around the way the founder thinks, without capturing the underlying process in documentation, creates a new layer of that dependency rather than reducing it.

Why do delegated AI estates fail these checks?

The pattern is predictable. A founder hands over an AI mandate verbally, with broad intent and limited documentation. The delegate builds fast, deploys tools that work, and demonstrates progress. What rarely follows is the ownership records, governance documentation, refresh schedules, and process maps that make the estate legible to an outside examiner. The result is an AI estate that works day-to-day and reads poorly in a data room.

The research is consistent on why this happens. BCG’s 2025 AI Adoption Puzzle found roughly half of businesses stuck in stagnating or emerging AI stages, unable to move from proof-of-concept to genuine operational integration. MIT’s NANDA study found that only around 5 per cent of generative AI pilots achieve meaningful revenue acceleration; the cause is a gap in workflow integration, not model quality. Both findings point to the same underlying problem: AI is adopted but not institutionalised.

There is also a more subtle failure specific to delegated estates. When AI tools are built to replicate the way a founder thinks and decides, without capturing the underlying logic in documented processes, the business ends up more dependent on the founder’s presence. The business appears to have adopted AI while its founder dependency has increased.

Where are the gaps most likely hiding?

Before you can fix anything, you need to know what the estate actually contains. Many delegated AI programmes carry a shadow layer: tools adopted by individual teams without central oversight. A business heading for a sale may have AI running in customer service, finance, and marketing alongside tools in operations or product that surfaced through individual initiative and were never formally logged.

Three areas concentrate the most common gaps.

Ownership and documentation are the most frequently absent. An AI tool with no named owner is a liability in a data room. If the question “who is responsible for this?” cannot be answered by the team, an acquirer will treat the tool as unmanaged. The fix is a simple register covering tool name, owner, purpose, data it touches, and last review date. One document, significant signal.

Data handling under AI processing is a second risk area. Many businesses have added AI tools to workflows that involve customer or employee data without reviewing whether their existing data agreements cover that use. Under UK GDPR, using personal data in an AI system without a proper lawful basis creates a compliance gap that due diligence will surface.

The third area is refresh discipline. Prompts that were effective at deployment go stale as the business changes. Models release new versions. Integrations break. A business with no process for reviewing and updating its AI tools is carrying technical debt that an acquirer will identify and factor into the offer.

How do you sequence the remediation?

With eighteen months, the gaps can be closed methodically rather than in a scramble. The sequencing matters because some tasks unblock others. Documentation has to precede ownership assignment. Ownership has to be established before refresh protocols can be meaningful. Shadow AI needs to be surfaced before data handling can be reviewed. Get the order wrong and you correct the same problem twice.

A workable sequence in a pre-exit context:

  1. Months one to three: discovery and documentation. Audit the full AI estate, including tools adopted by individual teams as well as the formal programme. For each tool, record the owner, use case, data it touches, and when it was last reviewed. This single step closes the ownership clarity gap and creates the inventory for everything that follows.

  2. Months four to eight: data handling review. With the inventory in place, assess each tool’s data use against the business’s existing agreements and UK GDPR obligations. Where gaps exist, close them before they appear in due diligence. This is also when process maps should be updated to show AI’s actual role in key workflows.

  3. Months nine to twelve: refresh protocols and governance. Establish a light-touch governance layer covering who reviews which tools, how often, and against what criteria. A one-page policy with named owners and a review calendar is enough to demonstrate that the estate is managed rather than inherited.

  4. Months twelve to eighteen: founder dependency audit. Review where the AI estate relies on founder-specific knowledge or decisions. Codify the underlying process. If a tool was built around the way the founder has historically called certain judgements, document that logic explicitly so an acquirer can assess whether the capability is institutional or personal.

What should be ready before the data room opens?

A defensible AI estate is what due diligence requires, not a perfect one. An acquirer wants to see that the business knows what it’s running, who owns it, how it connects to operations, and whether it functions independently of any individual. A business that can answer those questions clearly, with documentation to support the answers, is in a fundamentally different position to one that cannot.

Three things should be ready before the data room opens.

An AI asset register covering every tool in use, with owner, purpose, data classification, and last review date. This is typically the audit’s first request. Having it ready signals maturity immediately; not having it signals a programme that was never managed.

A data handling assessment for AI processing. A documented review confirming that tools handling personal data do so lawfully, with records of any changes made to meet that standard, is sufficient for initial due diligence. It doesn’t require a legal opinion to be useful.

A governance framework covering decision rights and refresh cadence. A written policy with named owners and a review schedule demonstrates that the business has moved from AI adoption to AI management. Change management research consistently shows that technology investments fail not on technical merits but when the human and governance structures around them are underdeveloped. An AI estate is no different. The returns compound when the system is documented, owned, and refreshed, not just when the tools are first switched on.

If you’re eighteen months or fewer from a transaction and want a clear view of where your AI maturity gaps sit, book a conversation.

Sources

- BCG (2025). AI Adoption Puzzle: Why Usage Is Up but Impact Is Not. Finds roughly half of organisations stuck in stagnating or emerging AI stages, unable to scale past proof-of-concept; supports the claim that AI adoption without institutionalisation is the common failure mode. https://www.bcg.com/publications/2025/ai-adoption-puzzle-why-usage-up-impact-not
- Fortune/MIT NANDA (2025). MIT Report: 95% of Generative AI Pilots at Companies Are Failing. Only around 5% of generative AI pilots achieve rapid revenue acceleration; the cause is workflow integration gaps, not model quality. https://fortune.com/2025/08/18/mit-report-95-percent-generative-ai-pilots-at-companies-failing-cfo/
- NACD (2024). Director FAQs: Implementing AI Governance. Director-level guidance on AI governance, oversight, and accountability structures relevant to the governance dimension of AI due diligence. https://www.nacdonline.org/all-governance/governance-resources/governance-research/director-faqs-and-essentials/implementing-ai-governance/
- Spencer Stuart (2024). Don't Delegate AI: A Power-User Playbook for CEOs. Covers the risks of full founder withdrawal from AI leadership and the founder dependency dimension of AI programmes. https://www.spencerstuart.com/research-and-insight/dont-delegate-ai-a-power-user-playbook-for-ceos
- PCE Companies (2024). How to Reduce Owner Dependency and Build Long-Term Business Value. M&A advisory analysis of owner dependency as the largest single driver of exit multiple discounts, with discounts of 30-40% common in founder-centric businesses. https://www.pcecompanies.com/resources/how-to-reduce-owner-dependency-and-build-long-term-business-value
- Mercer (2024). Delivering the Deal: The Unrealised Potential of People in Deal Creation. M&A research on how people-dependency risks factor into deal value creation and acquirer pricing. https://www.mercer.com/insights/people-strategy/mergers-and-acquisitions/delivering-the-deal-the-unrealized-potential-of-people-in-deal-creation/
- PMC/PubMed Central (2021). Change Management in Digital-Change Programmes (PMC7784639). Peer-reviewed research finding technology projects fail not on technical merits but when human and governance structures are underinvested. https://pmc.ncbi.nlm.nih.gov/articles/PMC7784639/
- ICO (2024). Guidance on AI and Data Protection. UK regulator guidance on lawful basis for processing personal data in AI systems, covering the compliance obligations relevant to AI tool data handling. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/
- Valutico (2024). Business Exit Valuation: How to Maximise Your Company's Worth. Practitioner analysis of valuation drivers, including how operational and ownership dependencies affect buyer pricing. https://valutico.com/business-exit-valuation/

Frequently asked questions

What do acquirers check when they audit AI maturity in due diligence?

Commercial AI due diligence typically examines five dimensions. Data governance covers what data the business uses and under what terms. Process integration tests whether AI is genuinely embedded in workflows. Ownership clarity asks who is accountable for each tool. Refresh discipline covers how prompts and models are kept current. Founder dependency examines whether the business can operate its AI estate without the founder present.

How long does it take to retrofit AI maturity before a sale?

With eighteen months, the remediation is manageable if sequenced correctly. The first three months focus on discovery and documentation. Months four to eight address data handling. Months nine to twelve establish governance and refresh protocols. The final six months close founder dependency gaps. Attempting all of this in parallel, or leaving it until the data room is open, creates avoidable pressure and leaves gaps unresolved.

What is an AI asset register and do I need one before due diligence?

An AI asset register is a central record of every AI tool the business uses, with tool name, named owner, business purpose, the data it processes, and the date it was last reviewed. It is typically the first thing a due diligence team requests when examining AI maturity. A business without one signals immediately that the AI estate is unmanaged, which becomes a negotiating lever for the acquirer.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
