“The greatest risk posed by proprietary, fine-tuned AI models is not that they will fail on a technical level—but rather that they can continue to evolve and scale beyond the current team, the current framework, and the circumstances under which they were developed.”

— Egon Wuchner, Co-Founder & CEO Cape of Good Code

In Part 6 of our blog series on 'Software Due Diligence: The Key to Successful M&A Deals', we examine the new challenges posed by technology due diligence for fine-tuned AI foundation models, as opposed to AI-based software that “merely” utilizes external AI models without further customization (as described in Part 5).

Definition and Strategic Context

Proprietary fine-tuned AI foundation models build on large open-source or commercially licensed base models (e.g., LLaMA, Falcon, T5, or BERT) and are further trained on organization-specific, internally curated and labeled datasets. Their primary purpose is to address narrowly defined, domain-specific use cases such as contract analysis, clinical document summarization, or manufacturing anomaly detection.

When executed effectively, this approach can represent a significant source of competitive differentiation. Ownership extends beyond the underlying data to include model weights, training configurations, fine-tuning methodologies, and alignment strategies. This enables organizations to embed domain-specific behavior, optimize interpretability, and maintain full control over deployment and governance.

At the same time, the confidentiality of training data and the ability to generate new, proprietary intellectual property through the fine-tuning process are critical value drivers. Sensitive or hard-to-replicate datasets—combined with structured labeling and training pipelines—can create defensible IP that is not easily reproducible by competitors.

In contrast to black-box API-based AI solutions, proprietary models allow for deeper analysis, customization, and operational control—factors that are critical for long-term defensibility, regulatory compliance, and sustainable value creation.

Implications for Technology Due Diligence

In addition to standard AI software due diligence considerations, the assessment of proprietary fine-tuned foundation models must address a more fundamental question:

To what extent do the models—and the surrounding organizational capabilities—create a sustainable and transferable competitive advantage beyond the current team and setup?

This includes evaluating not only technical performance, but also reproducibility, scalability, IP ownership, data confidentiality, cost structure, security, regulatory readiness, and operational resilience.

Key Value Drivers and Red Flags from a Technology Perspective

Compared to a standard AI software due diligence, the following areas of focus aim to (i) assess the specific value contribution of proprietary, fine-tuned foundation models to the investment case and (ii) identify indicators of potential technical and structural risk.

The seven dimensions below represent the primary value levers—and, if insufficiently addressed, key sources of downside risk.

1. Model Selection & Rationale

Value Drivers
A clearly articulated and well-documented model selection rationale (e.g., transformer vs. encoder-based architectures) indicates strategic intent rather than some initial  experimentation only. Strong signals include alignment with target use cases, evidence of scalability, and reliance on models supported by a stable ecosystem and forward-looking roadmap.

Red Flags
Generic justifications such as “best available model” without any validation of alternatives or frequent model changes without defined evaluation criteria, typically indicate low AI maturity. Overreliance on a single proprietary third-party model may further constrain strategic flexibility post-transaction.

2. Architecture & Optimization

Value Drivers
Well-structured, modular architectures and a clearly defined fine-tuning strategy demonstrate technical depth and cost awareness. Optimized inference pipelines, along with explicit trade-offs between accuracy, latency, and operational costs, are strong indicators of defensible technical capabilities.

Red Flags
Black-box end-to-end architectures, ad-hoc fine-tuning practices, and the absence of robust MLOps frameworks typically lead to scalability constraints and increasing operating costs. Limited reproducibility of training or deployment processes is particularly critical in carve-out and post-merger integration scenarios.

3. Ownership, Licensing & Data/IP Governance

Value Drivers
Clear and well-documented ownership of fine-tuned models, training data, and derived artifacts strengthens the target’s intellectual property position. This includes well-governed access to confidential training data, traceable data lineage, and explicit rights to use and further develop both input data and resulting model artifacts.

The ability to demonstrably create new, proprietary IP through fine-tuning (e.g., domain-specific model behavior, labeled datasets, and training pipelines) materially enhances defensibility and valuation. The use of foundation models with explicit commercial usage and fine-tuning rights further reduces transaction risk.

Red Flags
Ambiguous licensing terms, unclear ownership of training data or model outputs, or insufficient safeguards around confidential or sensitive data represent material deal risks.

Reliance on datasets with unclear provenance, missing usage rights, or potential regulatory exposure (e.g., personal or protected data) can lead to significant post-deal liabilities. Weak documentation of how new IP is created and protected is another common gap that may limit defensibility.

4. Product Integration & Competitive Advantage

Value Drivers
Deep integration of AI capabilities into core product workflows, data structures, and user experience is a strong indicator of a sustainable competitive moat. Where AI functionality is tightly coupled to the value proposition and cannot be removed without degrading the product, its strategic relevance is significantly enhanced.

Red Flags
Superficial AI implementations—such as loosely coupled features or purely marketing-driven use cases—are typically easy to imitate. In such cases, the AI component contributes limited incremental value and should be reflected accordingly in the transaction pricing.

5. Cost Structure & Scalability

Value Drivers
A transparent and well-understood cost structure across both training and operational inference is critical for assessing scalability. Strong signals include stable or improving unit economics at scale, efficient resource utilization, and architectural decisions that reduce dependency on high-cost infrastructure.

Flexibility in infrastructure choices (e.g., multi-cloud readiness, hardware abstraction) further supports long-term margin expansion and operational resilience.

Red Flags
Highly sensitive or poorly understood cost drivers—particularly in inference at scale—can materially impact margin potential. Strong dependencies on specific hardware (e.g., GPUs) or single cloud providers may constrain scalability, pricing flexibility, and negotiating leverage post-transaction.

Limited visibility into how costs evolve with usage is a common and material diligence gap.

6. Security & IP Protection

Value Drivers
Robust security measures to protect proprietary AI assets—such as controlled access to model weights, training data, and prompts—are essential to preserve IP value. Mature setups include role-based access controls, monitoring of model usage, and safeguards against model leakage or extraction.

Clear internal policies and technical controls that prevent unintended knowledge transfer further strengthen defensibility.

Red Flags
Unrestricted or poorly governed access to models, training data and training methods increases the risk of leakage and IP erosion. Exposure to reverse engineering or model extraction attacks, particularly in externally accessible systems, represents a critical vulnerability.

Security is frequently underestimated, yet failures in this area can directly undermine the core value of proprietary AI.

7. Regulatory & Compliance Readiness

Value Drivers
Proactive alignment with relevant regulatory frameworks—particularly in jurisdictions such as the EU—demonstrates maturity and reduces execution risk. This includes established practices for explainability, auditability, and documentation, as well as clear governance over training data provenance and permitted use cases.

Early compliance readiness can materially reduce future friction, especially in regulated industries.

Red Flags
Limited awareness of or preparation for emerging regulation (e.g., documentation of fine-tuning modifications, training data summaries, and traceability of data provenance as required under the EU AI Act for modified or fine-tuned general-purpose AI models) can result in significant remediation effort post-acquisition. Missing documentation, insufficient explainability, or unclear data provenance may restrict deployability or trigger regulatory exposure.

Reactive rather than proactive compliance approaches are a common indicator of elevated risk.

Takeaways for an AI Tech Due Diligence

Proprietary fine-tuned AI foundation models can represent a powerful source of competitive advantage. They enable the creation of differentiated, defensible intellectual property—rooted in proprietary data, domain-specific model behavior, and tightly integrated product capabilities.

However, this additional value comes with increased complexity and execution risk. Unlike AI solutions based on external APIs or third-party models, proprietary approaches require ownership and control across a broader set of dimensions—including data provenience, quality, protection and confidentiality, IP governance, cost structure, security, and regulatory compliance.

As a result, value creation does not stem from the model itself, but from the organization’s ability to build, operate, and protect these models in a scalable and compliant manner.

Conversely, many of the most critical risks arise not from model performance, but from gaps in fundamentals—such as unclear data rights, weak protection of proprietary assets, insufficient cost transparency, or limited regulatory readiness.

Ultimately, the key due diligence question is not whether the model works—but whether its value is sustainable, transferable, and defensible independent of its original operating environment.

Preview of Part 7

Next, in Part 7 of this blog series, we will take a closer look at the topic: ‘AI Coded Software: How to deal with it in Software Due Diligence?’

Act Now: Integrate AI Expertise Into Your Transaction Evaluation

Whether you're acquiring a tech company or investing in a data-driven business model – if AI plays a role, you need new criteria, new methods, and partners with hands-on experience.

👉 Cape of Good Code combines deep technology analysis with AI-specific expertise – delivering clear insights on the viability, scalability, and sustainability of your target technology in no time.

📞 Schedule a non-binding initial consultation or request our AI Software Due Diligence.

Links

[0] Photo by wal_ 172619