When our team gathers evidence for an AI assessment, we request specific artefacts, not summaries. A summary is the company's interpretation of its own situation. An artefact is the thing itself, and the gap between the two is often the most revealing finding of the whole engagement. Here is the shape of what a serious AI vendor or target should expect to be asked for, and why each category matters.
What we ask for
On the model. Model documentation or a model card, evaluation results with the methodology behind them, and the actual test data or a representative sample. Not the accuracy slide. The basis for it.
On the data. Where training data came from, how it was licensed, how it was labelled, and evidence that its use is permitted for a commercial product. Data provenance is where legal and technical risk meet, and it is the area companies are least prepared to document.
On the architecture. A system architecture overview, the dependencies the product relies on, including third-party models and APIs, and how the pieces fit. This is where "proprietary AI engine" claims either hold up or quietly turn into a wrapper on someone else's API.
On governance and security. Data handling and retention policies, access controls, any security assessments, and the team's process for monitoring and retraining models in production.
On the team. Who built the system, who maintains it, and what happens to that capability if key people leave.
Why founders push back, and which pushbacks matter
Some resistance is reasonable. A company protecting genuinely sensitive material will want an NDA and a controlled process, and that is fine. We work within that. The question is what the pushback is actually about.
"We will share that under NDA in a controlled environment" is a normal, healthy response. "We do not really have that documented" is a finding in itself, because it tells you the company has not done the work, not that it is protecting it. "Why would you need to see that" about a basic artefact like evaluation methodology is a red flag, because a team confident in its work expects to be asked. The most informative moments in diligence are often not in the documents. They are in watching how a company reacts to being asked for them.
What good looks like
A well-run company treats the request list as routine. They have the artefacts, they share them through a sensible process, and they answer follow-up questions without defensiveness because they have anticipated them. That posture, more than any single document, is a strong signal. A company that has prepared to be examined is usually a company worth examining favourably. One that is surprised by ordinary requests is telling you how much of its own house it has actually put in order.
If you are weighing an AI investment, acquisition, vendor selection, or training programme, our team is happy to start with a conversation about scope and approach.
The views and findings in this article are shared for general information only. They are high-level perspectives, not legal, financial, regulatory, or other professional advice, and should not be relied upon for any specific decision or circumstance. For guidance tailored to your situation, please consult a qualified adviser.