
After more than twenty years handling business transaction law, contracts, and disputes for companies in South Florida and beyond, I have seen how new technology changes legal exposure long before many businesses appreciate what is happening. What I am seeing now is that AI due diligence is rapidly becoming part of serious transactional planning. The companies that have not built that into their process are likely to feel the gap at the worst possible time, when a deal is already moving and the leverage is no longer entirely theirs.
The Shift from Operational Risk to Transaction Risk
My earlier article focused on what happens when employees use AI tools in ways that create legal exposure. That may involve feeding confidential information into a third-party platform, creating work product with ownership questions, or relying on automation that conflicts with an existing agreement. That is operational AI risk. It usually starts inside the company.
AI due diligence is different. It asks what legal exposure exists before a transaction closes, before an investor funds the business, before an acquirer signs a letter of intent, before a material vendor relationship is finalized, or before a founder presents the company as more AI-ready than its documentation actually supports.
The problem is straightforward. Many businesses have adopted AI tools in ways that created exposure they have not fully documented, reviewed, or disclosed. Once a transaction starts, those issues do not stay theoretical. They become diligence questions, negotiation points, and sometimes post-closing problems. At that point, the discussion is no longer about innovation. It is about representations, warranties, indemnity, and who is carrying the risk.
Ownership of AI-Assisted Work Product
One of the first questions in any AI diligence exercise sounds simple, but it is not: who actually owns what the company has created?
If a company has used AI tools to generate or substantially shape marketing copy, technical documentation, software code, internal materials, or other valuable work product, the ownership analysis is not automatic. Under current copyright principles, a work created entirely by AI without meaningful human authorship may not enjoy the same protection as a work created and directed by a person. That means a company may be describing its intellectual capital more broadly than the law would ultimately support.
That issue matters in intellectual property diligence. If the company’s value story depends on proprietary materials, content, software, processes, or brand assets, the other side is eventually going to ask who created them, how they were created, and whether the company can actually claim ownership the way it says it can. Those are questions that should be answered before diligence starts, not while a transaction is already under pressure.
The practical fix is not especially dramatic, but it does require discipline. Companies should document where AI was used, preserve evidence of human direction and revision, and review the ownership chain early enough to correct problems before the issue is raised by an investor, buyer, or opposing counsel.
Vendor Terms and the Model Training Problem

The next issue is vendor paper. A surprising number of businesses are using AI-enabled tools under terms that were accepted quickly and never revisited. In a live business, that is understandable. In a transaction, it can become a real problem.
Many companies do not realize that their AI vendors may claim broad rights over user inputs, improvement data, or model training materials. If a business has fed confidential business plans, customer information, internal documents, pricing logic, or proprietary methods into an AI tool, those terms matter. This is why careful review by a business contract lawyer is not optional once the company starts relying on AI-driven tools in any meaningful way.
For diligence purposes, I would want to know what tools are being used, what data has been processed through them, what the contracts say about ownership and retention, and whether the company has already made separate promises to customers about confidentiality or data handling that may be inconsistent with how these systems are operating. Those are not academic questions. They go directly to risk allocation and disclosure.
Customer Contracts and Hidden AI Conflicts
Another area that gets missed is the conflict between AI use and existing customer commitments.
A company may have signed service agreements, NDAs, master service agreements, or industry-specific terms that limit how customer information can be processed or shared. Then, somewhere in the ordinary course of business, employees begin using AI tools to summarize client communications, review intake materials, prepare internal drafts, or speed up operational tasks. Nobody may have intended to change the service model, but the legal effect can still be significant.
That kind of mismatch can eventually lead to claims, regulatory questions, or leverage in a dispute. From a business litigation standpoint, this is exactly the kind of issue that can sit quietly in the background until the wrong customer, the wrong deal, or the wrong discovery request brings it to the surface. A business preparing for a transaction should compare its current AI use against its existing contractual commitments well before diligence is underway.
What AI Representations, Warranties, and Indemnities Should Cover
As AI due diligence becomes more common, the contracts around transactions are going to change with it. Sophisticated buyers, investors, and counterparties are already asking more pointed questions, and that is only going to continue.
Representations should address whether the company is using AI in products, operations, or customer-facing functions, which vendors and systems are involved, what categories of data have moved through those systems, and whether the company is complying with its own policies and outside obligations.
Warranties should address ownership of AI-assisted work product, the absence of material breaches in AI vendor terms, accuracy of AI-influenced disclosures, and compliance with privacy and confidentiality obligations connected to AI use.
Indemnity language should be looked at carefully as well, especially where there may be third-party claims involving model training data, output-based infringement claims, or regulatory exposure tied to AI-enabled data handling. Generic provisions may not be enough if AI plays a meaningful role in the company’s operations or value proposition.
Governance, Audit Trails, and Internal Accountability
There is also a governance issue here that goes beyond vendor contracts and ownership questions. Investors and acquirers increasingly want to know not just whether a company uses AI, but how that use is governed internally.
That means asking whether the company has a written policy, whether anyone has been trained on what is allowed and what is not, whether there is an approval process for higher-risk use cases, and whether the business can reconstruct what the tools did if something goes wrong. In my experience, that last point matters more than people realize. A company that cannot explain how an AI tool was used is in a much weaker position if a dispute later arises.
This is where leadership teams need to start thinking a little differently. Internal AI governance should be treated more like data security, document retention, or financial controls. It is part of the company’s infrastructure. If it is built early, diligence is cleaner. If it is missing, people wind up trying to recreate order while a deal is already moving.
That is especially true for companies operating across jurisdictions or dealing with counterparties outside Florida. My own practice increasingly includes New York and South Florida business issues, and counterparties in those markets are not becoming less sophisticated about diligence. They are becoming more sophisticated. AI governance is very much part of that conversation.
AI Due Diligence Is Not Just a Technology Company Issue
This is probably the most important point in the article. AI due diligence is not only for software companies or venture-backed technology platforms. It is now relevant to service businesses, healthcare-adjacent companies, e-commerce companies, professional firms, logistics businesses, and founder-led companies that use AI in even modest ways.
A company does not have to think of itself as an AI company for AI to affect the legal analysis. If the business uses AI in customer service, sales support, document drafting, workflow automation, analytics, content development, hiring, or internal operations, then AI already sits somewhere in its risk profile. Once that company enters a financing event, strategic partnership, acquisition, or major vendor deal, the questions are going to follow.
That is why I see AI due diligence as a business issue, not just a technology issue. It belongs in the legal planning process because it affects value, disclosure, negotiation leverage, and post-closing risk.
What to Do Now
The companies that are going to be in the best position later are the ones doing this work now, before they need it.
That means auditing AI vendor agreements for data rights and training provisions. It means reviewing customer contracts for conflicts with current AI use. It means creating internal governance and approval procedures. It means documenting AI’s role in work product and checking the ownership issues early. And it means thinking through what future transaction documents should say about AI before someone else writes those provisions for you.
None of this is exotic. It is the same kind of disciplined legal work that businesses have always needed when technology changes the way they operate. The difference now is speed. AI adoption is happening faster than many companies are documenting it. That gap is where the risk lives.
The founders, investors, and growth companies that take AI diligence seriously now will be in a much better position than those who wait until a live deal forces the issue.
Matthew Fornaro is an experienced business law attorney and the founder of Matthew Fornaro, P.A., a South Florida business law firm serving entrepreneurs, startups, and growth companies in business transactions, contract matters, business disputes, commercial litigation, and intellectual property matters.
Contact Information
Matthew Fornaro, P.A.
Commercial Litigation
Coral Springs, Florida
FornaroLegal.com
954-324-3651 (office)
954-461-6475 (mobile)



