IRON · AI Exposure Intelligence · M&A Diligence

The target's AI stack is already a liability. Find it first.

IRON discovers undisclosed AI tools, regulatory exposure, and post-close liability from public signals alone. No target cooperation. No document access. 48 hours.

Used across $2.1B in deal value · 48-hour delivery · No target cooperation

IRON EXPOSURE REPORT · CONFIDENTIAL
REF: IRON-2026-0047 · FULL DILIGENCE
Velxa
TARGET ENTITY
Cohere Health, Inc.
Series C · HealthTech · Prior Authorization AI
12 Findings
4 Priority
38 Pages
Signal intelligence only · Not legal advice · May 25, 2026
SECTION 1
Executive Summary
IRON identified 12 findings across the target's AI stack, 4 of which carry direct regulatory liability under EU AI Act Annex III and HIPAA. The most material finding involves an undisclosed OpenAI API integration processing protected health information without a confirmed BAA.
Frameworks triggered: EU AI Act · HIPAA · GDPR
Conformity assessment: Not on file
Estimated remediation: $280K – $940K
SPA recommendation: Specific indemnity
Cohere Health, Inc. · IRON-2026-0047 p. 3
SECTION 2
Priority Findings
01
OpenAI API · BAA chain unverified
Detected via 4 engineering job postings. Not listed as a sub-processor in privacy policy v4.1. EU AI Act Article 28 obligation unmet.
02
Annex III · No conformity assessment on file
Prior authorization AI system meets Annex III definition. Conformity assessment required by August 2, 2026 under Article 43.
03
PHI routing · Unconfirmed processor chain
GitHub repository references patient data preprocessing. Potential HIPAA §164.514 issue.
SECTION 3
Regulatory Exposure Map
EU AI Act · Art. 6, 13, 28, 43, 72 · 4 findings
HIPAA · §164.502, §164.514 · 3 findings
GDPR · Art. 22, 28, 35 · 2 findings
Colorado AI Act · SB 24-205 · 1 finding
Illinois HB 3773 · Hiring AI exposure · 2 findings
SECTION 5
SPA Protective Language
RECOMMENDED REPRESENTATION
"The Company has not deployed any AI system that constitutes a high-risk AI system under Annex III of Regulation (EU) 2024/1689 without a completed conformity assessment."
RECOMMENDED INDEMNITY SCOPE
Specific indemnity for EU AI Office enforcement actions arising from pre-close deployment of Annex III systems. Suggested cap: €4.5M. Survival: 36 months post-close.
Series B SaaS · $180M · HealthTech · $340M · PE portfolio · $1.2B · Pre-close audit · $85M

Run IRON on a hypothetical target.

Pick a target. Watch the public-signal scan run in real time. Companies are fictional; signal patterns are real.

Public signals · GitHub · Job postings · Privacy policies · Sub-processor lists
Full report ships within 48h of order

Signal intelligence only. Not legal advice. Hypothetical targets, real signal patterns.

Nobody else does diligence on AI.

Harvey and AlphaSense use AI to analyze your documents. Velxa analyzes the AI your target runs. Different problem. Different product.

WITHOUT IRON
You close.
Then you find it.
  • Standard tech diligence doesn't cover the AI layer
  • Questionnaires surface only what companies choose to disclose
  • Regulatory exposure transfers with the entity at close
  • Legal remediation runs 12 to 18 months after you own it
VELXA FOR DEALS
You find it.
Then you close.
  • Public signals surface what questionnaires miss
  • No target cooperation or document access required
  • Written findings with article-level regulatory citations
  • 48 hours. Fixed price. Drops into VDR.

Not just risk.
Your full AI story.

IRON maps every AI tool you run, benchmarks it against sector peers, and surfaces what buyers will find and what will impress them. Pre-process audit. Data room ready.


From order to data room in 48 hours.

01
GitHub & Code
Public repositories, dependency manifests, and model references indexed and classified by risk.
02
Job Intelligence
40,000+ job boards scanned for AI tool references, model names, and vendor integrations.
03
Privacy & Legal
Privacy policies, terms of service, and sub-processor lists analyzed for disclosure gaps.
04
Regulatory Map
Every signal mapped to EU AI Act, HIPAA, GDPR, and 14 active US state AI frameworks.
05
Report Delivered
PDF with SPA-ready language, article-level citations, and deal team formatting. 48 hours.
48H PIPELINE
0h · Order placed · IRON initialized
6h · Signal collection · GitHub, job postings, privacy policy
18h · Regulatory mapping · EU AI Act, HIPAA, GDPR cross-referenced
36h · Counsel-ready draft · Report formatted for VDR
48h · Delivered · Report in your data room
Sample Findings

The kind of risk that moves a price.

Hypothetical profile built from real AI risk patterns.

HealthTech · Series C · Prior Auth AI · CRITICAL · 91/100

$8M chip negotiated.

HealthTech · Series C · $280M transaction. Delivered in 31 hours.

PHI routing through AI. $14.2M to $47M exposure identified.
Exposure: $14.2M to $47M
Regulations: HIPAA §164.502 · EU AI Act Annex III · GDPR Art. 28
Report cost: $12,500
Return: 640x
What the data room showed
Clean. Solid unit economics. AI described as standard tooling.
What IRON found
Their prior auth AI processes 12 million PHI-containing coverage decisions annually. No confirmed BAA with three AI vendors processing that data. AWS Bedrock contract contains a change-of-control clause that voids at close. EU AI Act Annex III §5(a) medical AI classification applies. No conformity assessment on file.
What happened next
Deal team required BAA documentation as a closing condition. Added reps requiring no PHI routes through AI without an executed BAA. Conformity assessment timeline included in post-close covenant.

Fixed price. No retainer.
No contact sales.

Order. Receive. Use. Everything on the page.

Snapshot
$50M – $250M transactions
$4,500 / report
  • 20-page AI exposure report with deal memo section
  • AI tool discovery via job postings, GitHub, privacy policies
  • Regulatory framework mapping (EU AI Act, GDPR, HIPAA, US state laws)
  • 3 top risk findings with remediation cost estimates
  • Data room ready PDF
AI DD Package
$1B+ transactions
$22,500 / report
  • Everything in Full Diligence
  • Board presentation memo formatted for IC
  • 90-day post-close AI regulatory monitoring
  • Direct analyst access during diligence window
  • Custom regulatory narrative for target jurisdiction
  • Velxa Signal portfolio monitoring included

Common questions.

If you don't see yours here, get in touch.

No. IRON is signal intelligence derived entirely from public data sources: job postings, GitHub repositories, privacy policies, and terms of service. The findings identify regulatory exposure patterns, not legal violations. Always engage qualified counsel for legal and compliance matters. IRON gives you the signals. Your lawyers interpret them.

No. IRON uses only publicly available information. No questionnaires are sent. No document requests are made. No contact with the target is required. IRON reads what the target has already published to the world.

Harvey, Kira, and Luminance analyze documents you give them. IRON analyzes the AI your target runs without requiring any documents from the target. Different problem. Different product.

IRON still runs. Job postings, privacy policies, and press coverage surface signals even for companies with a limited public digital footprint. We note a confidence level for every finding, and confirmed signals are clearly distinguished from inferred ones.

Yes. Reports are formatted for data room use from the start: PDF, counsel-ready language, clear citation structure. The sell-side version is specifically designed as a data room asset.

PDF to your inbox and optionally to your VDR. Within 48 hours of order confirmation. We confirm scope match within 2 hours of receiving your order.

Contact us via the contact page before ordering. We accommodate timeline compression for active deal situations. Priority delivery may apply for Snapshot tier.

Yes. EU AI Act coverage is central to IRON and is particularly relevant for European targets or US companies with EU market exposure. We cover all major jurisdictions where AI regulatory frameworks have been enacted.


IRON · SIGNAL INTELLIGENCE

AI moves fast.
Liability moves faster.

IRON finds what your diligence missed. Written report in 48 hours.