AI evidence in due diligence: what counts, and what is theatre

The shift that is actually happening

PwC and other major buy-side advisors have begun publishing frameworks for AI-specific diligence — not as a future trend, but as something already showing up in mid-market processes[1]. The reason is straightforward: target companies are increasingly making AI-related claims in management decks, and buyers want to know what is actually installed versus what is aspiration.

Two international reference points anchor the bar. ISO/IEC 42001 sets out an AI management-system standard increasingly cited as the benchmark for "governed" AI in enterprise diligence [2]. NIST's AI Risk Management Framework is the U.S. equivalent and is the source most QofE and IT-diligence providers reference when scoring AI maturity in lower-middle-market deals [3].

What counts as evidence

1. An inventory

A documented list of every AI and automation system in use: what it does, which workflow it serves, who owns it, which model it calls, what it costs per month. If you can't produce this in a day, you don't have a system — you have shadow IT.

2. Logs

Every AI call: input, output, model, cost, latency, timestamp, requesting user. Retained for at least 12 months. This is the difference between "we use AI" and "here is what our AI did last quarter".

3. Evaluations

A fixed set of test cases each significant AI workflow has to pass, run on a schedule, with results stored. This is how you demonstrate the system's quality is monitored, not assumed.

4. Human-in-the-loop rules

Documented escalation rules for high-stakes outputs: which actions require human review, who reviews them, and how the review is recorded.

5. Vendor and model documentation

A short policy that names which models are approved, which vendors are in use, and how vendor concentration is managed. This is what makes the answer to "what's your AI vendor risk?" a one-page document instead of a panic.

What is theatre

• A ChatGPT Team subscription with no logs of what it is used for.
• "Productivity gains" stated in management decks with no measurement methodology behind them.
• A single demo of an impressive workflow, with no evidence it runs in production.
• An AI policy document with no controls actually implemented.

Buyers — particularly private-equity-backed strategics — have become quick at spotting these. The discount applied is not subtle.

How to assemble the evidence before the room opens

The good news: none of the five evidence categories above are expensive in absolute terms. The cost is operator attention and a six-to-twelve-week installation window. We treat this as part of the standard XLev programme — see the 90-day operational readiness checklist for the broader picture.