19. AI for cyber, data, and risk detection in deals
Where AI can improve cyber, data, and operational risk detection in diligence, and how to keep the outputs tied to deal decisions rather than noise.
The diligence team had two weeks left before signing. Management had provided the cyber questionnaire, a data architecture deck, the top vendor list, and a risk register. Nothing looked severe enough to slow the deal.
Then the buyer ran targeted AI-assisted reviews across four evidence sets: identity exports, endpoint inventory, contract commitments, and data samples from the customer platform.
The findings were not a single smoking gun. They were a pattern. Several privileged accounts had no named owner. Some customer data fields looked more sensitive than the data inventory claimed. Contract language for two regulated customers required breach notification and data-location controls that were not reflected in the operating model. A set of old integration jobs appeared to move production data into a reporting environment with weaker access controls.
The first reaction was predictable: the tool was noisy. Some alerts were false positives. Some were duplicates. Some required context the model did not have.
But three findings were real enough to change the deal plan. The buyer delayed broad data access until a clean-room process was set. It added remediation cash for identity and data controls. It changed the first-100-day plan so customer and regulated-data protections were handled before analytics migration. It also tightened closing deliverables around incident evidence and privileged access.
That is the right role for AI in diligence:
Use AI-driven risk detection when it can change diligence scope, remediation cash, Day-1 controls, or customer and regulatory protections. Do not use it as another issue generator unless each output can be tied to a deal decision.
The deal decision AI should support
AI is useful in diligence when the evidence base is too broad, too messy, or too time-constrained for manual review alone. Cyber logs, identity exports, contracts, data dictionaries, vulnerability records, tickets, system inventories, and policy exceptions can contain the patterns that move value.
The buyer’s decision is not whether the target has risk. Every target has risk.
The decision is whether new signals should change one of four items:
- Diligence scope: expand from questionnaire review to evidence testing, targeted interviews, clean-room analysis, or outside forensic support
- Remediation cash: fund identity cleanup, data classification, monitoring, vulnerability closure, backup testing, or regulatory control work before the value plan starts
- Day-1 controls: restrict connectivity, data sharing, admin access, customer reporting, or production changes until a minimum control baseline is met
- Customer and regulatory protections: add closing conditions, indemnities, escrow, customer notice planning, data-processing controls, or transition covenants
If an AI finding cannot plausibly affect one of those four items, it should not distract the deal team.
Why the old diligence model misses these risks
Traditional diligence works well when the risk is already known and documented. It works less well when the risk sits across systems.
A policy may say all sensitive data is classified. A data sample may show payment tokens, health indicators, employee identifiers, or customer secrets in a table marked “general business reporting.” A cyber deck may show endpoint coverage. A device export may show that the servers running batch jobs are outside the tool. A risk register may say legacy integrations are being retired. Repository evidence or job schedules may show that those integrations still move live data every night.
None of these gaps is unusual. The issue is timing. A buyer often discovers them after close, when it is trying to connect environments, move data, satisfy customers, and start synergy work.
AI can compress the search. It can compare evidence sets, flag contradictions, cluster exceptions, summarize contracts, detect sensitive-data patterns, and surface unusual access or system relationships. That speed matters when a deal team has days, not months.
But speed is not the same as diligence quality. A faster weak review is still weak. The output must be tested against operating evidence and translated into deal actions.
Where AI creates real diligence signal
AI-driven risk detection is most useful in five areas because each one can change price, timing, or post-close control design.
1) Identity and access risk
Identity is often the fastest path from a cyber issue to a Day-1 constraint. AI can compare user exports, privileged groups, last-login records, service accounts, ticket history, and application owner lists to find patterns that a questionnaire misses.
Useful signals include:
- privileged users without named owners or recent recertification
- shared admin accounts used in production, ERP, cloud, or database environments
- dormant accounts with access to customer, finance, or regulated data
- contractor accounts that remain active after contract end dates
- inconsistent access across identity providers, SaaS tenants, and legacy applications
What it changes:
If privileged access cannot be tied to named individuals and business owners, the buyer should not assume broad Day-1 connectivity. The deal plan may need staged access, privileged access cleanup, admin MFA completion, or a clean-room path for early reporting.
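As an added example (not code from the original chapter or from any diligence tool it describes), the cross-check described above can be scripted once management hands over the exports. The script below reconciles a privileged-user export against the owner attestation list and the contractor roster, flagging accounts with no named owner, stale recertification, shared admin accounts, dormancy, and contractors still active past their end date. All three CSV inputs are constructed samples, and the review date and the 90-day and 180-day thresholds are assumptions to be set per deal.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample evidence, not data from any real target: a privileged-user
# export from three systems, the business-owner attestation list, and the
# contractor roster with contract end dates.
PRIVILEGED_EXPORT = """system,account,account_type,last_login
erp,jdoe,user,2024-05-01
erp,svc_batch,service,2024-05-28
cloud,admin-shared,shared,2024-05-27
cloud,mkhan,user,2023-11-12
database,ctr_ali,contractor,2024-05-20
database,jdoe,user,2024-04-30
"""

OWNER_ATTESTATION = """system,account,owner,attested_on
erp,jdoe,Finance Director,2024-03-15
cloud,mkhan,Platform Lead,2023-09-01
database,ctr_ali,Data Engineering Lead,2024-02-01
"""

CONTRACTOR_ROSTER = """account,contract_end
ctr_ali,2024-04-30
"""

AS_OF = date(2024, 6, 1)   # review date (assumption)
DORMANT_DAYS = 90          # no login for longer than this counts as dormant (assumption)
RECERT_DAYS = 180          # owner attestation older than this counts as stale (assumption)


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def _day(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def reconcile_privileged_access(export_csv, attestation_csv, contractor_csv, as_of=AS_OF):
    """Cross-check a privileged-user export against owner attestations and the
    contractor roster. Returns one finding dict per (system, account, issue)."""
    owners = {(r["system"], r["account"]): r for r in _rows(attestation_csv)}
    contract_end = {r["account"]: _day(r["contract_end"]) for r in _rows(contractor_csv)}
    findings = []

    def flag(row, issue):
        findings.append({"system": row["system"], "account": row["account"], "issue": issue})

    for row in _rows(export_csv):
        attestation = owners.get((row["system"], row["account"]))
        if attestation is None:
            flag(row, "no_named_owner")
        elif (as_of - _day(attestation["attested_on"])).days > RECERT_DAYS:
            flag(row, "stale_recertification")
        if row["account_type"] == "shared":
            flag(row, "shared_admin_account")
        if (as_of - _day(row["last_login"])).days > DORMANT_DAYS:
            flag(row, "dormant_privileged_account")
        if row["account_type"] == "contractor":
            end = contract_end.get(row["account"])
            if end is None:
                flag(row, "contractor_without_end_date")
            elif end < as_of:
                flag(row, "contractor_active_after_contract_end")
    return findings


def summarize(findings):
    """Count findings by issue so the deal team sees the pattern, not a raw alert list."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile_privileged_access(PRIVILEGED_EXPORT, OWNER_ATTESTATION, CONTRACTOR_ROSTER)
    for f in results:
        print(f"{f['system']:<9} {f['account']:<13} {f['issue']}")
    print(summarize(results))
```

Note that the same person (jdoe) is attested in one system and unowned in another, which is exactly the cross-system inconsistency a single-system questionnaire answer hides. Each finding carries a system and account so it can be handed to a named owner rather than left as a model output.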
2) Data exposure and classification gaps
Data diligence often relies on management’s system inventory and policy labels. AI can test whether the data itself matches those labels.
Useful signals include:
- PII, payment, health, employee, or customer-confidential fields in low-control reporting environments
- production data copied into development, testing, or analytics workspaces
- retention patterns that conflict with policy or customer commitments
- sensitive data in unstructured stores such as ticket attachments, shared drives, call transcripts, or exports
- cross-border data movement that is not reflected in the data-processing inventory
What it changes:
If sensitive data sits outside the declared control perimeter, the buyer may need to expand diligence scope, add remediation cash, limit Day-1 data movement, or change customer and regulator communication planning.
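The label test in this section can be run directly against a data sample. The script below is an added example, not code from the chapter, and uses a constructed sample of rows from a reporting table that the (constructed) data inventory labels "general business reporting". It scans each column for email addresses, payment card numbers and US-SSN-shaped identifiers, applies a Luhn check so that order numbers and other long numeric identifiers are not mistaken for cards, flags a column only when at least half of its values match, and then compares what it found with the declared label. The detector patterns, the 50% column threshold and the set of labels treated as sensitive are assumptions.

```python
import re

# Constructed sample, not data from any real target: rows from a reporting table
# whose data inventory label is "general business reporting".
DECLARED_LABELS = {"rpt_customer_activity": "general business reporting"}
SENSITIVE_LABELS = {"pii", "payment", "health", "employee", "customer confidential"}

SAMPLE_ROWS = [
    {"customer_id": "CUST-00012345", "contact_email": "a.lee@example.com",
     "card_number": "4111 1111 1111 1111", "order_ref": "10000000000001",
     "note": "SSN on file 123-45-6789", "region": "EU"},
    {"customer_id": "CUST-00012346", "contact_email": "b.ortiz@example.org",
     "card_number": "5500 0000 0000 0004", "order_ref": "10000000000002",
     "note": "customer asked for refund", "region": "US"},
    {"customer_id": "CUST-00012347", "contact_email": "c.nair@example.net",
     "card_number": "378282246310005", "order_ref": "10000000000003",
     "note": "ID 987-65-4321 verified by agent", "region": "IN"},
]


def luhn_ok(digits):
    """Luhn check-digit validation. Order numbers and other 13-19 digit identifiers
    that merely look like card numbers almost never pass it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Each detector is (regex, validator); the validator receives the raw match text.
DETECTORS = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), lambda m: True),
    "payment_card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"),
                     lambda m: luhn_ok(re.sub(r"\D", "", m))),
    "us_ssn_like": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), lambda m: True),
}
COLUMN_THRESHOLD = 0.5  # flag a column when at least half its non-empty values match (assumption)


def detect_sensitive_columns(rows):
    """Return {column: set(detected types)} for columns that cross the threshold."""
    detected = {}
    for col in rows[0].keys():
        values = [str(r[col]) for r in rows if r.get(col)]
        if not values:
            continue
        for kind, (pattern, valid) in DETECTORS.items():
            hits = sum(1 for v in values
                       if any(valid(m.group()) for m in pattern.finditer(v)))
            if hits / len(values) >= COLUMN_THRESHOLD:
                detected.setdefault(col, set()).add(kind)
    return detected


def check_label(table, rows, declared=DECLARED_LABELS):
    """Compare what the sample contains with what the inventory says it contains."""
    found = detect_sensitive_columns(rows)
    label = declared.get(table, "unlabelled")
    mismatch = bool(found) and label.lower() not in SENSITIVE_LABELS
    return {"table": table, "declared_label": label,
            "sensitive_columns": found, "label_mismatch": mismatch}


if __name__ == "__main__":
    print(check_label("rpt_customer_activity", SAMPLE_ROWS))
```

The order_ref column is the point of the Luhn step: its values match the card pattern but fail validation, so the column is not reported. The note column shows the unstructured case from the signal list, where identifiers sit inside free text rather than in a dedicated field. A label mismatch from this check is a signal to expand scope, not a conclusion; it still needs lineage, access lists and export history before it changes terms.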
3) Cyber detection and incident blind spots
AI can help compare incident tickets, SIEM alerts, vulnerability records, endpoint inventories, cloud logs, and service desk narratives. The goal is not to find every alert. It is to identify whether the target can detect and explain events in the systems the buyer plans to touch.
Useful signals include:
- repeated malware, phishing, account-lockout, or suspicious-login tickets without root-cause closure
- critical vulnerabilities older than 60-90 days on internet-facing assets
- high-risk servers missing from endpoint or logging coverage
- backup failures tied to systems that support revenue, finance, or customer operations
- incident records that were closed operationally but never linked to control fixes
What it changes:
If the target cannot show detection and response evidence for crown-jewel systems, the buyer should gate connectivity and fund monitoring, vulnerability closure, and restore testing before integration work expands.
4) Contract and regulatory obligation mismatch
Customer, vendor, and data-processing contracts often contain control commitments that do not appear in technology plans. AI can screen large contract sets for security, privacy, data location, audit, breach notice, subcontractor, and business continuity clauses.
Useful signals include:
- customer contracts requiring controls that are not in place or not evidenced
- breach notification windows that the incident-response process cannot meet
- data-location clauses that conflict with cloud or support locations
- audit rights that may be triggered by ownership change, outage, or control changes
- vendor clauses limiting data transfer, model training, subcontracting, or offshore support
What it changes:
If contract commitments are ahead of actual controls, the buyer may need closing deliverables, customer notice planning, indemnity, escrow, or a first-100-day control sprint before customer-facing integration.
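One of the cheapest contract screens to automate is the breach-notification window, because a clause states a number and the incident-response process either meets it or does not. The script below is an added example (not the chapter's own tooling) that extracts the notice window from constructed clause excerpts, normalises it to hours, and compares it with an assumed documented IR notification capability of 72 hours. The clause texts, the capability figure and the regular expression are all assumptions; real contract sets will need more patterns than this one.

```python
import re

# Constructed assumption: the target's documented incident-notification capability,
# as it would be read from its IR runbook.
IR_NOTIFY_CAPABILITY_HOURS = 72

# Constructed clause excerpts, not text from any real contract.
CLAUSES = {
    "Customer A MSA 9.2": "Supplier shall notify Customer of any Security Incident without undue "
                          "delay and in any event within twenty-four (24) hours of becoming aware.",
    "Customer B DPA 5":   "Processor will notify Controller of a Personal Data Breach within 72 hours.",
    "Customer C SOW 3":   "Supplier will inform Customer of security incidents within 2 business days.",
    "Customer D MSA 12":  "Supplier maintains a written information security program.",
}

# Matches "within 72 hours", "within twenty-four (24) hours", "within 2 business days".
WINDOW_RE = re.compile(
    r"within\s+(?:[a-z-]+\s+)?\(?(\d+)\)?\s+(hours?|business days?|days?)", re.I)


def window_hours(clause_text):
    """Notification window in hours, or None when the clause states no window.
    A business day is counted as 24 calendar hours, the stricter reading."""
    m = WINDOW_RE.search(clause_text)
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2).lower()
    return n if unit.startswith("hour") else n * 24


def screen_breach_windows(clauses, capability_hours=IR_NOTIFY_CAPABILITY_HOURS):
    """Compare each contractual notice window with what the IR process can evidence."""
    results = {}
    for ref, text in clauses.items():
        hours = window_hours(text)
        if hours is None:
            status = "no_window_found"
        elif hours < capability_hours:
            status = "shorter_than_ir_capability"
        else:
            status = "within_ir_capability"
        results[ref] = {"hours": hours, "status": status}
    return results


if __name__ == "__main__":
    for ref, r in screen_breach_windows(CLAUSES).items():
        print(f"{ref:<20} {str(r['hours']):>5}h  {r['status']}")
```

A "shorter_than_ir_capability" result is the commercial finding the section describes: it belongs with the revenue attached to that customer and with legal, not only with IT. A "no_window_found" result is not a clean bill; it means the clause needs a human read.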
5) Operational risk in systems and workflows
Some deal risks are not strictly cyber or data issues. They sit in brittle operations: manual reconciliations, fragile interfaces, old scripts, unsupported tools, and undocumented exception handling.
AI can review tickets, process notes, integration logs, change records, and reporting scripts to find where operations depend on hidden work.
Useful signals include:
- finance or revenue reports produced through manual data extracts
- integration jobs with repeated failures but no permanent fix
- business-owned scripts moving production data outside governed platforms
- change freezes or workarounds around month-end close, billing, or shipment cycles
- support tickets clustered around a small set of people or legacy tools
What it changes:
If operational risk sits in the workflow that supports revenue, close reporting, customer service, or regulatory reporting, it should affect the Day-1 control plan and the first-100-day backlog. It may also reduce confidence in early synergy timing.
What goes wrong when teams use AI badly
AI creates three failure modes in diligence.
Failure mode 1: the tool becomes an issue factory
AI can produce a long list of exceptions. Many will be duplicates, lack context, or not be material to the transaction. If the deal team treats every output as a finding, diligence slows down and the real risks get buried.
The fix is to set materiality rules before running the review. A finding should pass at least one test:
- it blocks Day-1 connectivity or data access
- it changes remediation cash by more than the diligence reserve can absorb
- it affects a customer or regulator commitment
- it changes synergy timing, TSA exit, or first-100-day execution
- it reveals a control gap in a crown-jewel system
Everything else goes into the post-close backlog unless it compounds another risk.
Failure mode 2: the model sees patterns the evidence cannot support
AI can infer too much from incomplete artifacts. A contract clause does not prove non-compliance. A data sample does not prove full data exposure. A ticket cluster does not prove an active incident.
The fix is triangulation. Every high-risk AI signal needs at least two supporting evidence points before it changes deal terms. For example, a sensitive-data alert in a reporting table should be tested against table lineage, user access, export history, and the data-processing inventory. A privileged-access finding should be tested against identity exports, application admin lists, MFA status, and owner attestation.
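The two fixes above, materiality rules and triangulation, can be written down as a triage step that runs before anyone reads the alert list. The script below is an added example rather than code from the chapter: it merges duplicate alerts on the same system and issue (so duplicates become corroboration instead of noise), applies the five materiality tests from failure mode 1, and holds any material finding with fewer than two independent evidence sources in a "needs triangulation" state rather than letting it change terms. The alert set, the $500,000 diligence reserve and the field names are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed threshold: remediation the diligence reserve can absorb without a
# change to the model (assumption; set per deal).
DILIGENCE_RESERVE = 500_000
MIN_EVIDENCE_SOURCES = 2  # triangulation rule: two independent evidence points


@dataclass
class Finding:
    ref: str
    system: str
    issue: str
    evidence: set = field(default_factory=set)   # distinct evidence sources
    blocks_day1: bool = False
    remediation_cost: float = 0.0
    customer_or_regulator: bool = False
    changes_timing: bool = False
    crown_jewel_gap: bool = False


def dedupe(findings):
    """Merge alerts that describe the same issue on the same system. Evidence
    sources are unioned, flags are OR-ed, and the larger cost estimate is kept."""
    merged = {}
    for f in findings:
        key = (f.system, f.issue)
        if key not in merged:
            merged[key] = Finding(f.ref, f.system, f.issue, set(f.evidence), f.blocks_day1,
                                  f.remediation_cost, f.customer_or_regulator,
                                  f.changes_timing, f.crown_jewel_gap)
            continue
        m = merged[key]
        m.evidence |= f.evidence
        m.blocks_day1 |= f.blocks_day1
        m.remediation_cost = max(m.remediation_cost, f.remediation_cost)
        m.customer_or_regulator |= f.customer_or_regulator
        m.changes_timing |= f.changes_timing
        m.crown_jewel_gap |= f.crown_jewel_gap
    return list(merged.values())


def materiality_tests(f, reserve=DILIGENCE_RESERVE):
    """Names of the materiality tests the finding passes (empty list = not material)."""
    tests = []
    if f.blocks_day1:
        tests.append("blocks_day1")
    if f.remediation_cost > reserve:
        tests.append("exceeds_reserve")
    if f.customer_or_regulator:
        tests.append("customer_or_regulator")
    if f.changes_timing:
        tests.append("changes_timing")
    if f.crown_jewel_gap:
        tests.append("crown_jewel_gap")
    return tests


def triage(findings, reserve=DILIGENCE_RESERVE):
    """Return {ref: (disposition, passed_tests)} after dedupe and triangulation."""
    out = {}
    for f in dedupe(findings):
        tests = materiality_tests(f, reserve)
        if not tests:
            disposition = "backlog"
        elif len(f.evidence) < MIN_EVIDENCE_SOURCES:
            disposition = "needs_triangulation"
        else:
            disposition = "deal_decision"
        out[f.ref] = (disposition, tests)
    return out


# Constructed AI output: two alerts on the same reporting table, plus three others.
RAW_ALERTS = [
    Finding("A1", "reporting_db", "sensitive_data_outside_perimeter", {"data_sample"},
            customer_or_regulator=True),
    Finding("A2", "reporting_db", "sensitive_data_outside_perimeter", {"access_list"}),
    Finding("A3", "erp", "shared_admin_account", {"identity_export", "admin_list"},
            blocks_day1=True),
    Finding("A4", "intranet_wiki", "expired_tls_certificate", {"scan"}, remediation_cost=20_000),
    Finding("A5", "crm", "breach_notice_window_unmet", {"contract_review"},
            customer_or_regulator=True, changes_timing=True),
]

if __name__ == "__main__":
    for ref, (disposition, tests) in triage(RAW_ALERTS).items():
        print(f"{ref} {disposition:<20} {', '.join(tests) or '-'}")
```

The reporting-table alerts are the instructive case: each alone has one evidence source and would be parked for triangulation, but together (data sample plus access list) they meet the two-source rule and go to the deal team. The contract finding, by contrast, is material on two tests yet rests on a single clause reading, so it waits for a second evidence point.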
Failure mode 3: the review ignores how the buyer will operate after close
AI can identify risk in isolation, but deals create new risk through action. The buyer will connect systems, move data, add users, change vendors, exit TSAs, consolidate reporting, and push synergy work. A finding matters more if those actions increase exposure.
The fix is to map each finding to the first 100 days. If a risk is in a system the buyer will not touch for 12 months, it may be a funded backlog item. If it is in identity, data, reporting, customer platforms, ERP, or cloud connectivity needed in the first 30-90 days, it is a deal execution issue.
Evidence asks that make AI outputs usable
The best teams do not ask management for “all cyber and data evidence.” They ask for evidence sets that can be cross-checked.
1) Identity and privileged access exports
Ask for:
- privileged groups and users by system
- MFA status for admins, remote access, cloud consoles, ERP, databases, and production tools
- service accounts, shared accounts, emergency accounts, and last-login dates
- access recertification records and exception lists
- contractor account owners and planned termination dates
Why it matters:
AI can detect inconsistencies across systems, but the deal team needs owners, dates, and control status to decide whether access blocks Day-1 connectivity.
2) Endpoint, server, and cloud asset inventory
Ask for:
- endpoint and server inventory with security-tool coverage
- cloud account or subscription inventory
- internet-facing assets and owners
- unsupported operating systems, databases, and middleware
- vulnerability scan outputs with finding age and remediation owner
Why it matters:
Asset gaps explain why controls look better in policy than in operation. If assets are missing from security tooling, the buyer cannot price remediation from the deck alone.
3) Data inventory and targeted data samples
Ask for:
- data-processing inventory by system, geography, and data type
- database schemas or data dictionaries for customer, product, finance, employee, and regulated-data stores
- samples from reporting, analytics, test, and export environments
- data retention and deletion rules
- access lists for sensitive-data repositories
Why it matters:
AI can identify sensitive fields and inconsistent labels. The deal team then tests whether controls, contracts, and regulatory obligations match the actual data footprint.
4) Contract corpus for top customers and regulated data
Ask for:
- top customer contracts by revenue and risk profile
- data-processing agreements and security addenda
- breach notification, audit, data-location, subcontractor, and business continuity clauses
- open customer security exceptions and questionnaire responses
- regulator commitments, audit findings, or consent orders where relevant
Why it matters:
Customer and regulator obligations can convert a technical weakness into a revenue, terms, or closing issue.
5) Incident, ticket, and change evidence
Ask for:
- incident register for the last 24 months
- service desk tickets related to malware, access, backup, outage, data export, and failed jobs
- change records for identity, ERP, customer platforms, cloud, and reporting systems
- backup and restore test evidence for crown-jewel systems
- open audit and risk actions with owners and dates
Why it matters:
Tickets and change records show how systems behave under stress. They also show whether management’s risk narrative has operating proof behind it.
Decision triggers that should change the deal plan
Not every AI signal should change the transaction. These triggers should force a decision.
Trigger 1: AI finds sensitive data outside declared control boundaries
If targeted scans find customer PII, payment data, health data, employee data, or confidential customer information in unmanaged reporting, test, export, or collaboration environments, expand diligence scope.
What it changes:
- pause broad data migration until data ownership and access are confirmed
- add remediation cash for classification, access cleanup, retention rules, and monitoring
- test customer and regulator commitments before signing
- consider escrow or indemnity if exposure cannot be bounded
Trigger 2: privileged access cannot be reconciled across systems
If admin users, shared accounts, service accounts, or contractor access cannot be reconciled across identity providers, application admin lists, and system owner attestations within 48-72 hours, do not assume Day-1 connectivity.
What it changes:
- require a minimum identity baseline before buyer connectivity
- fund privileged access cleanup and MFA completion
- use segmented access or clean-room processes for early integration
- move synergy timing tied to shared tools, data access, or network trust
Trigger 3: customer or regulatory commitments exceed current controls
If AI-assisted contract review finds security, privacy, data-location, audit, or breach-notice commitments that the target cannot evidence, treat the issue as commercial risk, not only IT risk.
What it changes:
- identify affected revenue and renewal exposure
- require closing deliverables for named commitments
- prepare customer notice and remediation plans
- adjust terms if the exposure cannot be tested before signing
Trigger 4: detection coverage is too weak for systems the buyer will touch
If endpoint, logging, vulnerability, and incident evidence does not cover roughly 80% of crown-jewel systems the buyer plans to connect, migrate, or report from in the first 100 days, gate integration.
What it changes:
- delay broad connectivity until monitoring and response coverage are in place
- add one-time cash for logging, endpoint, vulnerability closure, and restore testing
- assign security operations ownership before Day 1
- sequence value work after minimum detection coverage
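The roughly-80% test in this trigger is a set comparison once the inventories exist, and the same comparison is the "endpoint inventory vs vulnerability scans" cross-check that the evidence-asks section calls for. The script below is an added example, not code from the chapter: it maps constructed crown-jewel systems to their hosts, subtracts each control's coverage set from them, records incident and restore evidence at the system level, and gates integration when fewer than 80% of crown-jewel systems are covered in every evidence set. The inventories and the host names are constructed.

```python
# Constructed inventories, not from any real target. Crown-jewel systems map to the
# hosts that run them; each coverage set lists the hosts (or systems) it evidences.
CROWN_JEWELS = {
    "erp":             {"erp-app-01", "erp-db-01"},
    "customer_portal": {"web-01", "web-02", "portal-db-01"},
    "data_warehouse":  {"dwh-01"},
    "batch_etl":       {"etl-01", "etl-02"},
    "billing":         {"bill-app-01", "bill-db-01"},
}
ENDPOINT_TOOL_HOSTS = {"erp-app-01", "erp-db-01", "web-01", "web-02", "portal-db-01",
                       "dwh-01", "bill-app-01", "bill-db-01"}            # etl-* missing
LOGGING_HOSTS = {"erp-app-01", "erp-db-01", "web-01", "web-02", "portal-db-01",
                 "dwh-01", "etl-01", "etl-02", "bill-app-01", "bill-db-01"}
VULN_SCANNED_HOSTS = {"erp-app-01", "erp-db-01", "web-01", "web-02", "portal-db-01",
                      "etl-01", "etl-02", "bill-app-01"}                 # dwh-01, bill-db-01 missing
INCIDENT_RESTORE_EVIDENCE = {"erp", "customer_portal", "data_warehouse", "billing"}  # batch_etl missing

COVERAGE_THRESHOLD = 0.8  # the roughly-80% figure from the trigger


def coverage_gaps(crown_jewels, endpoint, logging, vuln, incident_evidence):
    """Per crown-jewel system, which evidence sets leave part of it uncovered."""
    gaps = {}
    for system, hosts in crown_jewels.items():
        missing = []
        if hosts - endpoint:
            missing.append("endpoint")
        if hosts - logging:
            missing.append("logging")
        if hosts - vuln:
            missing.append("vulnerability")
        if system not in incident_evidence:
            missing.append("incident_or_restore")
        gaps[system] = missing
    return gaps


def uncovered_hosts(crown_jewels, endpoint, logging, vuln):
    """Hosts missing from each tool, the unit of work when pricing one-time cash."""
    all_hosts = set().union(*crown_jewels.values())
    return {"endpoint": all_hosts - endpoint,
            "logging": all_hosts - logging,
            "vulnerability": all_hosts - vuln}


def covered_fraction(gaps):
    """Share of crown-jewel systems with evidence in every set."""
    return sum(1 for missing in gaps.values() if not missing) / len(gaps)


def gate_integration(gaps, threshold=COVERAGE_THRESHOLD):
    """True when integration should be gated under the trigger."""
    return covered_fraction(gaps) < threshold


if __name__ == "__main__":
    gaps = coverage_gaps(CROWN_JEWELS, ENDPOINT_TOOL_HOSTS, LOGGING_HOSTS,
                         VULN_SCANNED_HOSTS, INCIDENT_RESTORE_EVIDENCE)
    for system, missing in gaps.items():
        print(f"{system:<16} {', '.join(missing) or 'fully covered'}")
    print(f"covered: {covered_fraction(gaps):.0%}  gate integration: {gate_integration(gaps)}")
    print(uncovered_hosts(CROWN_JEWELS, ENDPOINT_TOOL_HOSTS, LOGGING_HOSTS, VULN_SCANNED_HOSTS))
```

The point of working at host level is that a deck can truthfully say "endpoint coverage is 80% of devices" while the two hosts that are missing are the ones running the nightly data movement. The gap list names those hosts, which is what the one-time cash line and the security operations owner need.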
Trigger 5: operational exceptions cluster around revenue, finance, or regulated workflows
If AI review of tickets, change records, or scripts shows repeated failures around billing, revenue recognition, month-end close, shipment, claims, customer support, or regulatory reporting, treat the finding as value-plan risk.
What it changes:
- protect Day-1 cutover windows and freeze periods
- fund stabilization before process automation or system consolidation
- adjust synergy timing if the same teams must remediate and integrate
- add controls around manual extracts and exception handling
How best teams run AI-assisted diligence
Strong teams treat AI as a search and triage layer, not as the diligence conclusion.
1) Start with the deal thesis
Before running any model, define the systems and data that matter to the value plan. For example:
- customer platform and CRM if cross-sell or service integration drives the case
- ERP, data warehouse, and close reporting if working capital or finance controls matter
- identity, endpoint, network, and cloud if fast connectivity is assumed
- regulated-data stores if customer commitments or regulatory exposure can affect revenue
This prevents the team from spending time on low-value risk while missing the systems that determine timing.
2) Set materiality rules
Agree upfront which findings can change price, terms, timing, or controls. The rule should be written in deal language, not model language.
For example:
- any finding that blocks buyer connectivity inside 60 days goes to the integration steering group
- any remediation item above $1 million, or above 10% of planned first-year IT savings, goes into the value bridge
- any finding tied to top-20 customer commitments goes to legal, commercial, and security owners
- any crown-jewel system without monitoring, access ownership, and restore evidence goes into the Day-1 control plan
Materiality rules keep the review from becoming a debate about every alert.
3) Use AI to compare evidence sets, not replace evidence
The highest-value use cases are cross-checks:
- contract commitments vs data-processing inventory
- privileged access exports vs application admin lists
- endpoint inventory vs vulnerability scans
- ticket clusters vs incident register
- data samples vs system classification labels
- integration jobs vs data movement records
This is where AI can find contradictions quickly. The human diligence work is to decide whether the contradiction changes the deal.
4) Force each finding into a decision
Every material finding should have a one-page disposition:
- evidence reviewed
- what the AI found
- what was verified manually
- affected systems, data, customers, or processes
- deal impact: scope, cash, timing, controls, terms
- owner and date for the next decision
If the team cannot fill in those fields, the item is not ready for the investment committee. It is either a workstream question or post-close backlog.
5) Keep humans accountable for judgment
AI can help find risk. It should not own risk acceptance. The buyer’s CISO, CIO, deal lead, legal lead, and operating partner need to decide what level of uncertainty they can underwrite.
For high-impact findings, the team should document:
- what is known
- what is inferred
- what remains untested
- what would change the recommendation
- what control or term protects the buyer if the fact pattern worsens
This discipline matters because diligence is often incomplete by design. The buyer is not buying certainty. It is deciding which uncertainty is acceptable at the agreed price and terms.
The operating model after signing
AI-assisted diligence should feed the first-100-day plan directly. The best handoff is not a list of risks. It is a control backlog tied to owners and gates.
Day-1 controls should cover:
- which systems the buyer can connect to immediately
- which data can be shared, exported, or migrated
- which admin accounts must be removed, renamed, or protected
- which customer commitments require special handling
- which crown-jewel systems need monitoring or restore testing before integration
- which manual workflows require extra review during close, billing, reporting, or customer operations
The first-100-day plan should then separate three types of work:
- blockers: controls needed before connectivity, data access, customer reporting, or production change
- cash items: remediation that must be funded because it protects value or avoids terms exposure
- backlog: issues that matter operationally but do not change the near-term deal path
This is where AI creates value. It helps the buyer move faster from broad uncertainty to targeted action.
Monday morning actions
In the next one to two weeks, the deal lead should ask the CIO, CISO, legal lead, and data owner to run a short AI-assisted risk sprint around the deal thesis.
Start with five evidence packs:
- identity and privileged access exports
- endpoint, server, cloud, and vulnerability inventories
- data inventory plus targeted samples from customer, finance, reporting, and test environments
- top customer contracts, security addenda, and data-processing agreements
- incident, ticket, backup, restore, and change evidence for crown-jewel systems
Then make four calls:
- Which findings expand diligence scope before signing?
- Which findings require remediation cash in the model?
- Which findings gate Day-1 connectivity, data access, or integration work?
- Which findings require customer, regulatory, escrow, indemnity, or closing protection?
The output should be a two-page decision log, not a long AI report. Each item needs evidence, owner, date, and deal impact.
If the sprint produces no material findings, the buyer has a better basis to keep the deal moving. If it finds real exposure, the team still has time to price it, gate it, or protect against it before the buyer owns the risk.