Artificial intelligence has gone from a supporting feature to a primary driver of deal value. Yet many dealmakers in AI-heavy transactions still assume the classic software premise that code defects can be fixed after closing.
AI breaks that assumption.
In AI-driven mergers and acquisitions, the primary risk may not be damage that can be mitigated through indemnities, holdbacks, escrows, or insurance. The loss of the asset itself is often the most significant risk, and the classic M&A toolkit of monetary risk allocation isn't enough when the core asset may be irreparably impaired.
As the adage goes, a bandage can’t cure cancer.
Lately, we've observed a trend in AI-heavy deals where buyers negotiate technical walk rights, allowing them to terminate if a deep-dive audit reveals unverifiable model lineage or foundational licensing issues. Buyers increasingly require a forensic "pedigree log" of every dataset and fine-tuning weight, and if the target can't produce a verifiable history of datasets and training logs, the asset may be treated as impaired from the outset.
These practices reflect an emerging standard: AI assets are treated not just as intellectual property, but as operationally material technology that requires validation before closing.
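What does a "pedigree log" look like in practice? As a rough sketch, assuming a hypothetical `DatasetPedigree` record of our own design (not a standard schema), a minimal entry might capture source, license, acquisition date, and a content fingerprint:

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class DatasetPedigree:
    """One hypothetical entry in a dataset 'pedigree log' (illustrative fields)."""
    name: str                   # internal dataset identifier
    source: str                 # where and how the data was acquired
    license_terms: str          # governing license or contract
    acquired_on: date           # acquisition date
    content_hash: str           # fingerprint tying the log entry to the actual files
    used_in_models: list[str] = field(default_factory=list)  # downstream models and fine-tunes
    retention_policy: str = "unspecified"                    # destruction/retention commitment

    def is_verifiable(self) -> bool:
        # An entry is only audit-ready if source, license, and hash are all documented.
        return all([self.source, self.license_terms, self.content_hash])

# Example: a licensed corpus with a documented trail (all values illustrative)
entry = DatasetPedigree(
    name="news-corpus-v2",
    source="Acme Media (direct license)",
    license_terms="Content License Agreement dated 2024-03-01",
    acquired_on=date(2024, 3, 1),
    content_hash="sha256:9f2b...",  # placeholder hash
    used_in_models=["assistant-base", "assistant-ft-legal"],
    retention_policy="destroy raw copies 90 days after training",
)
print(entry.is_verifiable())  # True: this entry could support a diligence audit
```

The substance matters more than the format: a target that can produce this history for every dataset, however it is stored, is in a far stronger negotiating position than one that cannot.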
Pre-closing validation is particularly important for large language models, which are inherently data-hungry and require vast volumes of information for effective pre-training and meaningful outcomes. In practice, nearly all existing LLMs have relied on copyrighted materials obtained without consent or explicit licensing.
The prevailing developer mindset has been to “move fast and break things,” prioritizing rapid advancement over compliance. The belief was that missing out on the data rush posed a greater risk than facing potential legal claims for copyright infringement or breach of contract.
This sentiment is shifting, particularly following last year's massive settlement in Bartz v. Anthropic, reached swiftly after the court allowed part of the case to proceed by rejecting a fair-use defense. The landmark agreement included approximately $1.5 billion in monetary relief along with the destruction of the allegedly infringing datasets.
The substantial dollar amount and the required destruction of those datasets have prompted more developers and deployers to ask thoughtful questions about the validity of their training datasets and how to ensure outputs comply with existing laws and emerging AI governance principles.
A growing body of legal obligations in the AI space is also drawing attention to these issues.
The EU has adopted the AI Act, and at least four states (California, Colorado, Texas, and Utah) have passed private-sector AI governance laws. If and when these laws will be enforced is unclear, particularly after President Donald Trump's executive order challenging the validity of state AI measures.
Even so, these laws are giving buyers and licensees pause as they assess their own legal exposure and whether they can mitigate it.
When defects live in a model’s training provenance or foundational licensing, “fixes” may be technically possible but commercially unrealistic post-closing: Think wholesale retraining or re-papering core data rights at enterprise scale.
The bottom line for buyers is clear: A target’s development history and its data retention practices can create ongoing liability, risk of injunction, and forced destruction of the asset you are trying to buy.
The result is that sellers who can’t provide evidence of lineage, data rights, and risk controls consistent with developing risk frameworks (such as the NIST AI Risk Management Framework), regulations, and laws face significant risks of closing delays, carve-outs, and increased costs of risk transfer, all of which put downward pressure on valuation.
Conversely, verified governance and traceable training-data origins ease integration. The industry is moving toward documented data provenance, strong source-data governance, and licensing for training datasets.
Buyers of AI technology must understand these risks and emerging trends as issues related to training data are extremely difficult to unwind after closing. Sellers must understand that their development practices early in their product lifecycle can ultimately crater a deal before it even gets started.
Buyers in particular should consider:
Assessing the legal use and retention of training data. Test for shadow-library sourcing and “forever” central libraries, confirming acquisition rights and destruction/retention practices that can withstand regulatory and litigation scrutiny, thereby preserving long-term asset value.
Mapping model components and intended uses. All data and model components should be mapped to their risk tiers and applicable jurisdictions before closing. Address transparency, labeling, deepfake obligations, and deployer disclosures, and resolve any licensing conflicts prior to integration. Conduct deep-dive audits to confirm all datasets, sources, and libraries are lawful and well-documented (a minimal mapping sketch follows this list).
Making verification a closing condition. License assessments and compliance documentation should be prerequisites for closing the deal, ensuring unresolved issues aren’t silently absorbed into the purchase price. Set clear covenants and closing conditions to resolve any identified conflicts.
Educating teams on AI-specific risks. Ensure legal, technical, and acquisition teams are familiar with AI risks, standards, and emerging governance requirements.
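As flagged above, here is a minimal sketch of a pre-closing component mapping check. The tier labels loosely echo the EU AI Act's risk categories, but the structure, component names, and jurisdiction codes are purely illustrative; real diligence would tie each entry to counsel's analysis of the applicable statutes:

```python
# Hypothetical pre-closing inventory: each model component mapped to a
# risk tier and the jurisdictions where it is (or will be) deployed.
RISK_TIERS = {"minimal", "limited", "high", "prohibited"}

components = [
    {"name": "resume-screener", "risk_tier": "high", "jurisdictions": ["EU", "CO"]},
    {"name": "chat-frontend", "risk_tier": "limited", "jurisdictions": ["EU", "CA"]},
    {"name": "image-generator", "risk_tier": None, "jurisdictions": []},  # not yet mapped
]

def unmapped(components: list[dict]) -> list[str]:
    """Flag components missing a recognized risk tier or a jurisdiction list."""
    return [c["name"] for c in components
            if c["risk_tier"] not in RISK_TIERS or not c["jurisdictions"]]

gaps = unmapped(components)
if gaps:
    # In deal terms, each gap becomes a diligence request, covenant, or
    # closing condition rather than a problem silently absorbed post-closing.
    print("Unmapped before closing:", gaps)
```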
If you're an AI developer, put yourself in a position to deliver up-to-date development, testing, and training documentation with an eye toward applicable legal frameworks and regulatory standards. For example, confirm that the software meets applicable EU AI Act provider/deployer duties, Colorado documentation/impact-assessment/disclosure requirements, and California's training-data transparency and risk-assessment mandates.
Buyers are seeking warranties regarding up-to-date model cards and compliance with recognized frameworks (such as NIST) and regulations. Stay alert to evolving statutory requirements and regulatory frameworks to ensure ongoing compliance.
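For developers wondering what "up-to-date model cards" means concretely, a minimal sketch follows, loosely modeled on the widely used model-card documentation convention. The fields and the buyer-side completeness check are illustrative, not any statute's required format:

```python
# Illustrative model card, kept as a structured, versioned record alongside the model.
model_card = {
    "model_name": "assistant-ft-legal",
    "version": "1.4.0",
    "last_updated": "2025-06-15",
    "base_model": "assistant-base",
    "training_data": ["news-corpus-v2"],  # keys into the pedigree log sketched earlier
    "intended_uses": ["internal drafting support"],
    "out_of_scope_uses": ["consequential decisions about individuals"],
    "evaluations": {"toxicity": "passed internal threshold, 2025-06-01"},
    "known_limitations": ["English only", "training data cutoff 2024-03"],
}

# A buyer-side warranty check might simply verify that the required fields exist.
REQUIRED = {"model_name", "version", "last_updated", "training_data", "intended_uses"}
missing = REQUIRED - model_card.keys()
assert not missing, f"Model card incomplete: missing {missing}"
```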
In AI-driven M&A, the biggest risk likely isn't fines or monetary damages. It's the real possibility that the key asset becomes unusable because its origin, licensing, or governance can't withstand enterprise-scale scrutiny.
The most valuable model isn’t the flashiest—it’s the one with lawful origins, verifiable lineage, and documentation that stands up to regulatory and customer audits.
This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., the publisher of Bloomberg Law, Bloomberg Tax, and Bloomberg Government, or its owners.
Author Information
Hannah Ji-Otto is a partner at Quarles & Brady in St. Louis focused on data privacy, cybersecurity, and the use of technology, including AI.
Jianfei Chen is an associate at Quarles & Brady in Chicago focused on complex commercial matters.
Heather Buchta is a partner at Quarles & Brady in Phoenix focused on AI, information technology, and data privacy.