If you are acquiring another business, or if someone is trying to buy your own company, what questions will be asked as part of acquirer due diligence? The list is a matter of common sense; although AI is complex and troublesome, the questions are clear:
- May I have an inventory of Company use of AI in any form, whether Company developed or sourced from a third party?
- May I have a a copy of all internal Company policies concerning use of AI, including relating to AI embedded in any software sourced from third parties?
- May I please see your diligence reports on AI conducted relative to all third parties whose software interacts with the Company, and third party policies relative to information those third parties will have maintained internally relating to your Company information.
- Does your HR department use any AI in hiring? Same information for hiring agencies you use.
- May we see all materials used by the Company to provide training to employees about AI?
- May we have copies of all policies or riders from third party insurers relating to claims based on AI?
- Do you have any information relating to the possibility that your Company data is in the possession of any trade association, marketing group or other party that may be subject to being scraped by third parties?
- Are you party to any litigation, or have you received any communications or governmental contacts, claiming possible or actual breach of your data systems?
- List all third party entities which have access to any part of your Company computer records or information.
By the way, the above also provides to your business a list of questions you should be asking yourself so that you are not at risk from AI issues during your own independent operations. Do you have an identifiable person with a job description relating to AI risks? Does your Board have someone with sensitivity to these issues; does management have in-house expertise or a third party AI consultant? Does your Risk Committee (or other committee such as F&A which has been assigned risk responsibility) have a grasp of AI risks, and does the risk analysis avoid departmental informational silos and provide for some consideration of all reports touching AI to be considered together, holistically?
No need to panic, but–no time to be asleep.