IRON-CHECKLIST-2026.05
AI Diligence Readiness · Pre-Process Scorecard

How exposed is your target's AI stack?

Work through this scorecard before you order a full IRON report. Every unchecked item is a signal gap. Your score tells you how much exposure to expect.

Section 01
AI Stack Discovery
We have a complete list of every AI tool and vendor the target uses in production. Critical
3 pts — Foundation of all downstream analysis
The target has disclosed any AI tools used by employees that are not under formal IT management (shadow AI). High
2 pts
We have reviewed the target's GitHub repositories or technical documentation for AI library dependencies. High
2 pts
We have cross-referenced job postings from the past 12 months for AI tool and model name references. High
2 pts
The target's sub-processor list has been reviewed and all AI vendors are confirmed listed. Standard
1 pt
We know whether the target trains, fine-tunes, or hosts any proprietary models vs. using API-only access to third-party LLMs. High
2 pts
Why this matters: Targets routinely disclose 30–60% of their actual AI stack in questionnaires. IRON finds what they did not list by reading GitHub dependencies, job postings, and privacy policies against each other.
Section 02
EU AI Act Exposure
We have determined whether any AI system the target operates qualifies as high-risk under Annex III of the EU AI Act. Critical
3 pts — Annex III triggers conformity assessment obligations
For any Annex III systems identified, a conformity assessment is on file and was completed before August 2, 2026. Critical
3 pts — Missed deadline triggers enforcement
Annex IV technical documentation exists for each high-risk system and would survive an audit. High
2 pts
We know whether the target uses any GPAI model with over 10²⁵ FLOPs (systemic risk threshold under Article 51). High
2 pts
The target has registered any applicable high-risk systems in the EU AI Act public database. Standard
1 pt
Enforcement risk: EU AI Act penalties reach €35M or 7% of global annual turnover — whichever is higher. This liability transfers with the entity at close.
Section 03
Data & Privacy Exposure
Every AI vendor processing personal data has a signed Data Processing Agreement (DPA) or Business Associate Agreement (BAA) in place. Critical
3 pts
We have confirmed no protected health information (PHI) routes through any AI system without an executed BAA. High
2 pts
The target's privacy policy accurately discloses all third-party AI tools that process customer or employee data. High
2 pts
Standard Contractual Clauses (SCCs) are in place for any EU-US data transfers to AI vendors. High
2 pts
GDPR Article 22 disclosures are current and cover all automated decision-making systems in use. Standard
1 pt
Section 04
Vendor Contract Risk
We have reviewed all AI vendor contracts for change-of-control clauses that could void or alter terms at close. Critical
3 pts — AWS Bedrock, OpenAI, Anthropic and others carry CoC provisions
Model usage rights are confirmed: the target owns any fine-tuned weights and has the right to transfer them. High
2 pts
We know whether any AI vendor uses the target's data for model training, and whether there is a data opt-out provision. High
2 pts
AI vendor indemnification carve-outs have been reviewed and IP liability exposure is quantified. Standard
1 pt
Section 05
SPA Protective Language
The SPA includes representations that no AI system constitutes a high-risk system under Annex III without a completed conformity assessment. High
2 pts
A specific indemnity covers EU AI Office enforcement actions arising from pre-close deployment of AI systems. High
2 pts
Escrow or price adjustment mechanisms are in place to cover AI regulatory remediation costs identified post-LOI. High
2 pts
Post-close covenants require the target to complete any outstanding AI Act compliance milestones within 90 days. Standard
1 pt
Ready for the full picture?
IRON finds what this checklist cannot: undisclosed AI tools, shadow AI, unverified sub-processor chains, and regulatory exposure your target never put in the data room. Written report in 48 hours. From $4,500.