Most weak due diligence fails for the same reason: there is no structure behind it. A few calls, a look at the codebase, a gut read on the team, and a verdict. Our team runs every AI and technical due diligence engagement through four phases. Each phase has a defined output, and each one feeds the next. A baseline engagement runs about four to eight weeks, with each phase taking one to two weeks depending on scope.
Phase 1: Scoping and planning
The first phase decides what the assessment is actually for. An investor about to lead a Series B has different questions than an enterprise choosing between two vendors. We define the decision the client needs to make, the systems in scope, the standards we will reference, and the evidence we expect to see.
This is the phase most people skip, and it is the one that determines whether the rest of the work is useful. A poorly scoped assessment produces a thorough answer to the wrong question.
Phase 2: Information gathering
Once the scope is set, we collect evidence: architecture documentation, model evaluation results, data governance records, security posture, team background, and commercial metrics. We request specific artefacts, not summaries. The gap between what a company claims and what it can actually show is often the most revealing finding of the whole engagement.
How a target responds in this phase matters as much as what they provide. A team that cannot produce its own model evaluation methodology is telling you something.
Phase 3: Assessment and analysis
This is where the evidence gets tested against the standards. We evaluate across structured dimensions (technology architecture, model performance, data quality, team capability, governance maturity, security, and commercial alignment), and we rate each finding by how strongly the evidence supports it. A metric we verified against production logs carries more weight than a number from a slide.
We reference established frameworks here rather than inventing our own scoring in a vacuum: NIST AI RMF for risk, ISO 42001 for governance maturity, ISO 25010 for software quality, and the EU AI Act for regulatory classification. The standards keep the analysis honest and give the client a common language for the findings.
Phase 4: Synthesis and reporting
The final phase turns analysis into a decision the client can act on. Every report ends with a clear verdict: proceed, conditional proceed, or do not proceed. Conditional proceed is the most useful and the most underused: it names the specific pre-conditions that would make the deal or the purchase safe, with timelines attached.
A report that lists findings without a verdict leaves the decision-maker exactly where they started. The point of the engagement is not to catalogue what exists. It is to tell you what to do about it.
Why the sequence matters
Each phase depends on the one before it. Skip scoping and the analysis answers the wrong question. Rush information gathering and the analysis rests on claims instead of evidence. Drop the verdict and the whole exercise becomes a reading assignment. The structure is what makes the difference between a real assessment and an expensive opinion.
If you are weighing an AI investment, acquisition, vendor selection, or training programme, our team is happy to start with a conversation about scope and approach.
The views and findings in this article are shared for general information only. They are high-level perspectives, not legal, financial, regulatory, or other professional advice, and should not be relied upon for any specific decision or circumstance. For guidance tailored to your situation, please consult a qualified adviser.