2026-05-17 · 8 min read

How acquirers audit AI-built apps: the 2026 diligence playbook

The acquirer's diligence team has a checklist. Most of it didn't exist three years ago because AI-built apps weren't being acquired. Now they are, and the questions are specific: which AI tools did you use, what percentage of the codebase did they produce, whose IP is it, and what compliance posture does the app ship with. This is the actual checklist from the buyer's side, and how to prepare yours before the acquisition email arrives.

Why this matters now

AI-built apps started getting acquired at scale in 2025. Lovable apps, Cursor projects, and Bolt builds are now legitimate M&A targets, typically in the $250K–$5M range for small acquisitions, with the occasional $20M+ exit. As the volume has grown, acquirer due-diligence playbooks have evolved specifically for AI-built code. The questions are harder than they used to be, and the documentation gap is what kills deals.

What this means for sellers

If you might sell your app in the next 24 months — even on a 1% chance — the time to prepare is now, not when the email arrives. The documentation you need takes 2-4 hours to set up at the start; it takes 40+ hours to reconstruct retroactively, often imperfectly. Cost of preparation: trivial. Cost of unpreparedness: 20-50% of valuation, or the deal entirely.

The 3 phases of AI-built-app diligence

Modern diligence questionnaires for AI-built apps split into three phases. Each phase has a distinct set of questions and a distinct failure mode.

  • Phase 1 · Code provenance & IP
  • Phase 2 · Compliance posture
  • Phase 3 · Operational risk

Phase 1 · Code provenance and IP

The hardest phase for AI-built apps. Acquirers want to know that what you're selling is actually yours to sell, and that they won't inherit a copyright dispute or copyleft obligation. Per the US Copyright Office's 2025 guidance, pure AI-generated code may not be copyrightable — meaning if you can't show human authorship, the acquirer may not be getting enforceable IP.

  1. What percentage of the codebase was AI-generated vs hand-written? They want a real number, not 'mostly hand-written'. Acquirers in 2026 expect 30-70% AI-assisted for vibe-coded apps; the answer being above or below changes only what they ask next.
  2. Which AI tools were used? On what dates? Under what license terms? Each tool has different IP terms — GitHub Copilot's indemnification policy differs from Cursor's, which differs from Lovable's. The acquirer's lawyer needs to verify each.
  3. Is there a chain of custody — prompts, responses, modifications — showing human creative direction? This is what salvages copyrightability under the 2025 Copyright Office guidance.
  4. Are you aware of open-source code in your bundle? Which licenses? Is your use compliant? The killer here is copyleft: AGPL, GPL, LGPL. A single GPL-licensed dependency combined into an app you distribute, or an AGPL-licensed one in an app you serve over a network, can obligate you to release your own source under the same license. LGPL is weaker (it usually stops at the library itself when you link dynamically), but an acquirer's lawyer will still want to see how each one is used.
  5. Have you scanned your bundle for copyleft contamination? If yes, when and what did it find?
  6. Do you have an SBOM (Software Bill of Materials)? CycloneDX or SPDX format. CISA published SBOM guidance in 2023; serious acquirers now expect one.
  7. Has any third party claimed your code copies theirs? Any pending or threatened disputes?
  8. Are you using any AI-generated content (images, copy, audio) under licenses you haven't verified?

Phase 2 · Compliance posture

Acquirers don't want to inherit lawsuits. They will pay for diligence reports that confirm the app isn't sitting on regulatory exposure. The four areas they check:

Accessibility (ADA, EAA)

  • When did you last run a WCAG conformance audit? On which pages?
  • Have you ever received an ADA demand letter? Settlement terms if yes?
  • If you have EU users, has an assessment against the European Accessibility Act (EAA, applicable since June 2025) been done?
  • Is there an accessibility statement on the site? When was it last updated?

Privacy (GDPR, CCPA, state laws)

  • What personal data do you collect and process? Categories, purposes, retention.
  • If you have EU users: GDPR lawful basis for each processing activity. Documented DPIA (Data Protection Impact Assessment) for high-risk processing.
  • What's in your privacy policy and is it accurate to actual data flows?
  • Have you received any data-subject access requests? Erasure requests? How were they handled?
  • Cookie consent setup — does it actually block tracking until consent, or is the banner cosmetic?
  • Do you sell or share data with third parties under CCPA / VCDPA definitions?

Security

  • Any secrets exposed in the client bundle (service-role keys, Stripe live secret keys, third-party API tokens)? When were they last rotated? A secret that has shipped in a bundle is compromised; removing it from the next build is not a fix unless it is also rotated.
  • Database access controls — row-level security on all user-data tables?
  • Any past breaches or incidents? Disclosed per applicable law?
  • Encryption at rest and in transit? Documented?
  • Backup strategy and recovery testing?
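The first security question above is the one an acquirer's analyst can answer in minutes by fetching your production JavaScript. The following script is an added example (not Comply Code's scanner or any tool named on this page) of the check they run: it flags live Stripe secret or restricted keys and any Supabase-style JWT whose payload carries the `service_role` claim, while leaving publishable `pk_live_` keys and `anon` JWTs alone, since those are meant to be public. The bundle it scans is constructed inline and the keys in it are not real.

```python
import base64
import json
import re

# Live Stripe *secret* (sk_live_) and restricted (rk_live_) keys must never
# ship to a browser; publishable pk_live_ keys are designed to be public.
STRIPE_SECRET_RE = re.compile(r"\b(?:sk|rk)_live_[0-9A-Za-z]{16,}\b")
# Anything shaped like a JWT. Supabase API keys are JWTs whose payload carries
# a "role" claim: "anon" is safe in a client, "service_role" bypasses RLS.
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_role(token: str):
    """Return the unverified 'role' claim of a JWT, or None if it cannot be parsed."""
    try:
        payload = json.loads(_b64url_decode(token.split(".")[1]))
    except (ValueError, IndexError, UnicodeDecodeError):
        return None
    return payload.get("role") if isinstance(payload, dict) else None


def scan_bundle(text: str) -> list:
    """Return one finding per live secret key or service-role JWT in a bundle."""
    findings = []
    for m in STRIPE_SECRET_RE.finditer(text):
        findings.append({"kind": "stripe_secret_key", "offset": m.start(),
                         "preview": m.group(0)[:12] + "..."})
    for m in JWT_RE.finditer(text):
        if jwt_role(m.group(0)) == "service_role":
            findings.append({"kind": "supabase_service_role_jwt", "offset": m.start(),
                             "preview": m.group(0)[:12] + "..."})
    return sorted(findings, key=lambda f: f["offset"])


def _fake_jwt(role: str) -> str:
    """Build an unsigned, constructed JWT for the sample bundle below."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = seg({"alg": "HS256", "typ": "JWT"})
    payload = seg({"iss": "supabase", "role": role})
    return f"{header}.{payload}.c2lnbmF0dXJl"  # fake signature segment


# Constructed stand-in for a built JS bundle; none of these keys are real.
SAMPLE_BUNDLE = f"""
const stripePk = "pk_live_51Example0000000000000000";
const supabaseAnon = "{_fake_jwt('anon')}";
const supabaseAdmin = "{_fake_jwt('service_role')}";   // leaked service-role key
const stripeSk = "sk_live_51Example0000000000000000";  // leaked secret key
"""

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_BUNDLE):
        print(f"{f['kind']} at byte {f['offset']}: {f['preview']}")
```

Run it against the files in your build output directory (the contents of `dist/` or `.next/static/`), not your source tree: what matters is what reaches the browser after bundling, and a key pulled in through an environment variable at build time will only show up there.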

Sector-specific

  • Health data: HIPAA covered entity or business associate? BAA in place with vendors?
  • Financial data: PCI DSS scope and assessment status?
  • Children's data: COPPA applicability and verifiable parental consent setup?
  • AI features: EU AI Act tier classification, Article 50 transparency setup if applicable?

Phase 3 · Operational risk

The acquirer wants to know what could go wrong post-acquisition. Concentrated dependencies, key-person risks, regulatory tail risks.

  1. Founder concentration — is the founder (you) the only person who knows how the code works? Knowledge-transfer plan?
  2. Vendor concentration — what percentage of revenue depends on a single vendor (Stripe, AWS, OpenAI)? What happens if any of them changes pricing or terms?
  3. AI-platform concentration — if your app is built on Lovable / Cursor / Bolt / Replit, what's your migration plan if the platform shuts down or changes terms?
  4. Regulatory tail risk — any pending regulations that would materially change your compliance burden? EU AI Act, state privacy laws, FTC actions in your sector?
  5. Customer concentration — what percentage of revenue from your top customer? Top 5?
  6. Litigation history and pending disputes — anything threatened, mediated, settled?

What 'good' looks like in each phase

The well-prepared seller

Has an AI_NOTICE.md committed to their repo describing tools and timelines. Has commit messages distinguishing AI-assisted from hand-written work. Has an SBOM regenerated in CI on every deploy. Has a current compliance scan report (less than 30 days old). Has documented every customer support escalation and resolution. Has a 1-page operational risk memo for the acquirer.

None of this requires a lawyer or a consultant. It's documentation hygiene. Sellers who have it close deals at higher valuations because the acquirer's risk discount disappears. Sellers who don't have it either lose 20-50% of valuation in the negotiation or trigger an extended diligence period during which their leverage erodes.

What kills deals

Based on M&A advisor and R&W-insurance underwriter post-mortems on failed AI-built-app deals in 2025–2026:

  1. Copyleft contamination discovered during diligence: an AGPL or GPL package in the bundle means the app's own source may have to be released under the same license. A deal-killer in 60-80% of cases.
  2. Exposed secrets discovered during scan: service-role keys or Stripe live secret keys (sk_live_) in the client bundle. This signals operational sloppiness that scares acquirers, and every such key has to be treated as compromised and rotated.
  3. Inability to demonstrate human authorship — pure AI output with no documentation trail, acquirer can't confirm IP transfers.
  4. Pending compliance enforcement — open ADA demand letter, GDPR complaint, FTC inquiry. Acquirers want to inherit clean books, not active disputes.
  5. Founder knowledge concentration with no transfer plan — acquirer can't operate the asset post-purchase.
  6. Privacy policy doesn't match actual data flows — discovered by an acquirer's privacy lawyer in 30 minutes of testing. Signals lack of compliance hygiene generally.

How to prepare proactively

Even if you have no near-term acquisition plans, doing this prep now is cheap insurance. The list:

  1. Commit an AI_NOTICE.md to your repo today. Describe which AI tools you use, on what timelines, on which features. Update monthly.
  2. Generate a current SBOM. syft or the CycloneDX ecosystem generators (cyclonedx-npm for Node projects, for example) both work; commit it to /docs/sbom.json and regenerate via CI on every deploy.
  3. Run a copyleft contamination scan. Comply Code, FOSSA, Snyk, ScanCode all work. Fix anything that's found before it becomes an acquirer's finding.
  4. Run a compliance scan against your live URL. Comply Code does the four-pillar check; save the report to /docs/compliance-scans/ with a date.
  5. Document every customer-support escalation, refund, and incident. A Notion or Linear workspace with the history is enough.
  6. Write a one-page operational risk memo. What are your biggest vendor dependencies? What's your migration plan if each fails? What's your founder-concentration mitigation? Update annually.
  7. Maintain an up-to-date /about page with your full name, photo, and bio. Anonymous founder = lower valuation; trust is part of what's being sold.

The Comply Code Acquisition Pack ($1,999)
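Steps 2 and 3 above feed each other: once the SBOM exists, the copyleft scan is a walk over its component list. The script below is an added example, not Comply Code's scanner or any of the tools named above, of that walk over a CycloneDX JSON document. It classifies each component's SPDX license id, name or expression as strong copyleft (GPL, AGPL, SSPL), weak copyleft (LGPL, MPL, EPL, CDDL, or a GPL with a linking exception), permissive, or unknown, treats `OR` expressions as a choice of the least restrictive alternative and `AND` as all parts applying, and reports anything that is not clearly permissive. The package names in the embedded SBOM are constructed and the prefix lists are a heuristic; the output is a review list for counsel, not a legal verdict.

```python
import json
import sys

# SPDX id prefixes. Strong copyleft reaches code combined with the library
# (GPL on distribution, AGPL also on network use); weak copyleft normally stops
# at the library itself but still needs a lawyer's look at how it is linked.
STRONG_PREFIXES = ("AGPL-", "GPL-", "SSPL-")
WEAK_PREFIXES = ("LGPL-", "MPL-", "EPL-", "CDDL-", "OSL-")
RANK = {"permissive": 0, "unknown": 1, "weak": 2, "strong": 3}


def classify_license(identifier: str) -> str:
    """Classify one SPDX id or license name (no OR/AND): permissive | weak | strong | unknown."""
    ident = identifier.strip()
    if not ident or ident.upper() in ("NOASSERTION", "NONE", "UNKNOWN"):
        return "unknown"
    lower = ident.lower()
    # Some generators emit full names instead of SPDX ids.
    if "affero" in lower:
        return "strong"
    if "lesser general public" in lower:
        return "weak"
    if "general public license" in lower:
        return "strong"
    # "GPL-2.0-only WITH Classpath-exception-2.0": the exception narrows the reach.
    if " WITH " in ident:
        return "weak"
    if ident.startswith(STRONG_PREFIXES):
        return "strong"
    if ident.startswith(WEAK_PREFIXES):
        return "weak"
    return "permissive"


def classify_expression(expr: str) -> str:
    """OR lets you pick the least restrictive alternative; AND applies every part."""
    best = None
    for alt in expr.split(" OR "):
        parts = [p.strip(" ()") for p in alt.split(" AND ")]
        worst = max((classify_license(p) for p in parts), key=RANK.__getitem__)
        if best is None or RANK[worst] < RANK[best]:
            best = worst
    return best


def component_licenses(component: dict) -> list:
    """Pull license ids, names and expressions out of a CycloneDX component."""
    out = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            out.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            out.append(lic.get("id") or lic.get("name") or "")
    return out


def scan_sbom(sbom: dict) -> list:
    """One finding per component that is copyleft or carries no license data, worst first."""
    findings = []
    for comp in sbom.get("components", []):
        lics = component_licenses(comp)
        if not lics:
            verdict, shown = "unknown", "(no license data)"
        else:
            verdict = max((classify_expression(l) for l in lics), key=RANK.__getitem__)
            shown = "; ".join(lics)
        if verdict != "permissive":
            findings.append({"name": comp.get("name"), "version": comp.get("version"),
                             "purl": comp.get("purl"), "license": shown, "verdict": verdict})
    findings.sort(key=lambda f: -RANK[f["verdict"]])
    return findings


# Constructed CycloneDX 1.5 fragment; the package names are invented.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-utils", "version": "4.17.0",
         "purl": "pkg:npm/example-utils@4.17.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-pdf-render", "version": "2.1.0",
         "purl": "pkg:npm/example-pdf-render@2.1.0", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "example-dual", "version": "1.0.0",
         "purl": "pkg:npm/example-dual@1.0.0", "licenses": [{"expression": "MIT OR GPL-2.0-only"}]},
        {"type": "library", "name": "example-linked", "version": "3.3.0",
         "purl": "pkg:npm/example-linked@3.3.0",
         "licenses": [{"license": {"name": "GNU Lesser General Public License v3.0"}}]},
        {"type": "library", "name": "example-nolicense", "version": "0.0.1",
         "purl": "pkg:npm/example-nolicense@0.0.1"},
    ],
}

if __name__ == "__main__":
    # Usage: python scan_sbom.py docs/sbom.json  (falls back to the sample above)
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    for f in scan_sbom(doc):
        print(f"{f['verdict']:10} {f['name']}@{f['version']}  {f['license']}")
```

Wire the same call into the CI job that regenerates the SBOM and fail the build on any `strong` verdict; the `unknown` rows are the ones an acquirer's analyst will ask about first, so resolve the license data rather than suppressing them.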

If you have a real deal in progress or expect one within 6 months, our Acquisition Pack is a deep, manually-reviewed compliance and provenance audit that produces the exact documentation acquirers ask for. Includes a signed PDF report you can hand to investors or an acquirer. Email hello@complycode.app for details.

Timeline expectations

  • 1-2 wks · LOI to first diligence requests
  • 4-8 wks · Full diligence cycle (well-prepared)
  • 12-20 wks · Diligence cycle (unprepared)
  • 20-50% · Valuation discount for surprises

Prepared sellers close in 4-8 weeks. Unprepared sellers close in 12-20 weeks, during which the acquirer's enthusiasm cools, the market moves, and surprises accumulate. Every additional week post-LOI marginally favors the buyer.

Common questions.

Acquirers really care that my app was built with AI?

Yes — they care about what it means for IP defensibility, not about the AI itself. The acquirer's question isn't 'did you use AI?' (almost everyone does in 2026) but 'can you prove you own what you're selling, and can you defend it against a competitor copying it?' That requires the documentation trail this article describes. Without it, valuations are discounted to account for IP uncertainty.

I have no acquisition plans. Is this overkill?

The 2-4 hours of setup is cheap insurance even if you never sell. The same documentation helps you raise funding (investors run a similar diligence process), defend against a competitor's copyright claim, or pursue your own claim against someone copying you. The cost of doing it is trivial; the cost of not having it when you suddenly need it is enormous.

What if my codebase is 80%+ AI-generated?

This is the modal case in 2026 — acquirers expect it. What matters is the documentation of human creative direction (architecture decisions, iterative refinement, selection, modification). High AI-percentage with strong documentation closes deals at fair valuations. High AI-percentage with no documentation closes at significant discount or not at all. See our companion article on AI code provenance.

Will an acquirer actually run a compliance scan against my live site?

Yes, and increasingly standard in 2026. Most acquirer diligence playbooks now include a third-party compliance scan as a checkbox item. The scan runs against your public URL with no source access required. Commonly used tools include Comply Code, axe DevTools, and OneTrust assessments. The result becomes part of the diligence record.

What's the difference between an acquirer's compliance scan and the one I'd run myself?

Same scanner, different interpretation. The acquirer's analyst is looking for evidence that ongoing compliance hygiene was practiced, not just present at one point in time. A single scan report from launch day is less reassuring than scan reports from every quarter showing consistent posture and continuous remediation.

If I have a serious deal in motion, what's the fastest way to get acquirer-ready?

Two weeks of focused work covers most prep: Week 1, write the AI_NOTICE.md, generate SBOM, run scans, document gaps. Week 2, remediate the highest-severity findings and produce a 'compliance memo' that frames the gaps honestly with mitigation plans. Acquirers respect transparency more than perfection — a deal-blocker is hidden risk, not disclosed risk.
