Acquiring AI: considerations for representations and warranties in transaction documents

 
Increased M&A and investment activity involving companies developing, selling, or leveraging artificial intelligence (AI) raises questions regarding how to best address the unique risks associated with AI. One response has been the increasingly common inclusion of AI-specific representations and warranties in agreements. This bulletin sets out several considerations for parties contemplating the use of AI-specific representations and warranties.

What you need to know

• AI-specific representations and warranties are an increasingly common method of addressing the unique risks posed by AI.
• Buyers or investors may seek to include representations and warranties that address a range of topics, including privacy and data use, IP, AI functionality and training, internal AI governance frameworks, and compliance with applicable laws and regulations.
• Whether and how these representations and warranties are included will depend on the importance of AI to the company target, the nature of the AI involved, and traditional deal dynamics.
• AI-specific representations and warranties may be used most often with companies where AI is critical to an element of the target’s business but, depending on the circumstances, may also be appropriate where the target only leverages AI in certain parts of its activities.

Increased attention to AI in M&A

2024 saw increasing investor interest in technology companies¹. With M&A and investment activity involving AI-focused companies forecasted to rise in 2025, parties must remain aware of the various considerations these technologies bring to transaction terms. Furthermore, as more companies incorporate AI into their day-to-day processes, parties are increasingly including representations and warranties in their transaction agreements for targets—regardless of whether the target would be classified as an “AI company”. As such, investors and buyers will want to address the relevant risks of AI adoption regardless of industry.  

AI’s impact on M&A is evolving, including its influence on the valuation of many businesses (albeit with varying degrees). At the same time, the AI risk and regulatory landscape continues to evolve. The scope of what is market with respect to AI representations and warranties continues to change in parallel.

AI representations and warranties

Factors shaping AI representations and warranties

Below is a non-exhaustive list of AI-related items parties should consider in transactions. While investors or buyers may seek to address the risks associated with these items through representations and warranties, sellers and targets may consider these items to help prepare for an anticipated transaction, such as shoring up potential gaps or preparing appropriate diligence materials and disclosures.

Whether and how the considerations listed below should be included as specific representations and warranties will depend on a number of factors. One important factor is the nature of the target’s business and the extent of the target’s reliance on AI. For example, where AI underlies the core of the target’s business or valuation, sellers can expect buyers to seek more extensive AI-specific representations and warranties. The nature of the AI system(s) in question is similarly relevant. For example, buyers may be more inclined to seek certain assurances in relation to generative AI (genAI).

More traditional transaction dynamics are also relevant. The relative bargaining power of the parties, whether representations and warranties insurance is being obtained, and the results of the buyer’s diligence will all impact AI representations and warranties. In addition, the scope of other representations and warranties may make some AI-specific assurances redundant.

Considerations for AI representations and warranties

• Scope of AI
  • Parties should consider the scope of AI representations and what references to AI are intended to capture.  Some buyers may be primarily concerned with specific types of AI (e.g., genAI) or use cases of AI (e.g., AI interfacing directly with individual customers).
  • Tied to this is the consideration of whether AI should be a defined term and, if so, the potential scope of the definition. Definitions of AI should generally be drafted considering the ordinary meaning of “artificial intelligence”, which includes AI beyond genAI and the factual matrix surrounding the transaction.
• AI training and data use
  • Targets may use data (whether their own or a third party’s) to train AI or operate AI models. This raises considerations of the target’s rights or authorization to do so, and the risks associated with supplying data without sufficient authorization. For example, the use of personal information for training AI models without sufficient consent or other authorization raises privacy risks.
  • Another consideration for the parties is whether the data used to train the AI models was accurate and appropriate. Inaccurate, incomplete, or otherwise inappropriate data can create risks, including with respect to the AI’s functionality. For example, an AI model developed to serve as a customer service chatbot may not function appropriately if it has only been trained based on text messages between friends.
  • Where the target has developed its own AI model, buyers may seek assurances that it has been developed appropriately, potentially with reference to industry standards or practices. To the extent the target’s development incorporates open-source code and materials, buyers may also look for assurances as appropriate policies and procedures in the target’s use, incorporation, and distribution of open-source code and materials to manage proprietary rights and exposure from non-compliance with open-source licenses.
• Ownership and license
  • Parties should consider whether the target owns or has appropriate rights, license, and/or authorization to use (i) the data input into the AI model (including data not used for training); (ii) the AI model itself; and (iii) the AI model’s output.
  • These considerations may be particularly important to buyers where genAI is involved.
• Use and functionality
  • Parties should consider whether assurances can or should be given regarding the functionality and overall performance of an AI model, including its accuracy, reliability, robustness, and security. Similarly, buyers may seek assurances regarding the ongoing functionality of the AI model in line with the target’s associated documentation and specifications, including ensuring that the usage limitations of such AI model are clearly documented and that such documentation is current and accurate.
  • Buyers will often seek to confirm that AI models are free from unintended or undesired biases. The parties should also consider whether and how to address mitigants that have been put in place to address identified biases.
  • Depending on the circumstances, whether the target’s personnel have sufficient internal expertise to perform the various applicable oversight, use, maintenance, and similar functions within the organization may also be a consideration.
• Governance and oversight
  • Parties should consider the governance and oversight measures that the target has in place to mitigate its AI risks. Such measures may include (i) documented policies, procedures, and practices; (ii) user training and attestations; (iii) ongoing testing, monitoring, and incident reporting; and (iv) “human in the loop” requirements.
  • In certain circumstances, buyers may seek to confirm AI models have sufficient logs and that results are sufficiently explainable and auditable.
  • Data governance considerations, including those related to retention periods, data rights, and segregation, are also often raised when assessing AI risk.
• Use of third-party AI or open-source code
  • Where the target uses third-party AI systems or products, buyers may seek to confirm compliance with applicable contracts.
  • Similarly, if the AI system or product contains or was built using open-source code, buyers may seek to confirm the target’s compliance with any open-source licenses, as well as potential effects of those licenses and code on the target’s own proprietary code.
• Compliance with applicable laws and/or industry standards
  • Buyers may seek assurances that the target’s use and development of AI complies with applicable laws. In the absence of AI-specific legislation in many jurisdictions across North America, buyers may instead seek to rely on industry standards as an alternative benchmark.
  • On the seller side, organizations should consider whether references to laws and regulations should be limited to those that are then in existence. This is to avoid extending representations to potential future ambiguous notices or rulings, given the evolving nature of the law on AI.
  • Wherever possible, reference to laws and standards should be as precise as possible to avoid ambiguity. For example, laws may be applicable to each party and/or the AI itself.
  • Where there is a lack of consensus as to the relevant industry standard, or where such standards are underdeveloped, parties may be better served by drafting properly scoped sector-specific representations to address compliance.
• Incidents and litigation
  • The parties should consider whether there are any (i) instances of the target’s use of AI causing harm to individuals or demonstrating an undesired bias; (ii) complaints regarding the target’s use of AI; or (iii) threatened or pending litigation relating to the target’s use of AI.

Additional takeaways for businesses

The importance of due diligence

In conducting due diligence, buyers should ensure they understand how a target currently leverages AI, how they intend to leverage AI in the future, and the target’s policies and procedures governing such use. Diligence efforts should, of course, be proportionate to the potential level of risk posed. This may not be obvious at the outset of the diligence process. Here, sufficient legal and technical expertise will be important to gain an accurate understanding of the target’s AI-related risks.

Likewise, sellers should be prepared to explain their use of AI. In advance of the transaction, sellers should identify the target’s current uses of AI and how any corresponding risks are managed.

The dynamic AI risk landscape

Businesses should continue to monitor the AI risk landscape as it evolves². Many jurisdictions, including Canada and the United States, may not have applicable laws, rules, or regulations that comprehensively address the target’s specific development and deployment of AI. However, a patchwork of various requirements and regulatory guidance has begun to emerge. As AI continues to advance, and as countries pass legislation to fill the oversight gap, the regulatory landscape governing AI remains in flux. Trends in class action litigation and regulatory scrutiny also indicate increasing risk associated with certain AI initiatives.

Prior to sale, sellers should pay particular attention to the risk landscape, as it can inform buyer expectations and sensitivities. Likewise, buyers should understand the regulatory landscape in which a potential investment currently operates.

Post-acquisition, buyers should remain aware of the risk landscape, as new risks or requirements may emerge, creating new compliance burdens on the acquired entity. If the buyer intends to use AI in a new way, the buyer should also consider how such new use case may amend previously conducted due diligence.

Parties should also note that as the risk landscape continues to evolve, so too will the scope of what is market in relation to AI in M&A transactions.

Conclusion

Businesses should continue to monitor the rapidly evolving market and risk landscape as it relates to AI. Each impacts the other, and both can have significant consequences for businesses leveraging AI. For more on the benefits and risks of AI, we share ongoing guidance in our collection of AI resources for business leaders.