DealLawyers.com Blog

Earlier this month, President Trump signed an executive order focused on promoting AI development while also strengthening cybersecurity and national security protections for frontier AI models. This excerpt from a recent Thompson Hine memo highlights the issues raised by the executive order for M&A transactions:

For private equity sponsors and M&A buyers, the order has immediate and practical implications. Transactions involving AI developers, software companies, data-intensive platforms, cybersecurity providers, critical infrastructure vendors, and any business that relies on advanced AI models should now expect more focused diligence on model governance, data architecture, security controls, and regulatory exposure.

Buyers should assess whether a target’s models could meet future “covered frontier model” thresholds, based on factors such as compute capacity, deployment scale, integration with federal or critical infrastructure systems, and intended use cases. Even if a model does not currently qualify, the order sets in motion a classified benchmarking process that may reclassify systems as they evolve. This means diligence must account for both current and potential future regulatory categorization.

Data architecture and model training practices are now central to AI-related risk. Buyers should evaluate data provenance, licensing, and chain-of-custody for training data; whether data is properly segmented between customers, models, and internal use; and whether models are trained on public, proprietary, or third-party data with restrictive terms. These issues directly expose sellers and buyers to IP, trade secret, and unfair competition claims, and they are likely to be scrutinized in both regulatory and commercial diligence.

The memo says that the order’s emphasis on an AI cybersecurity clearinghouse and federal vulnerability scanning suggests heightened expectations regarding the target’s cybersecurity program, and buyer’s need to ask whether that program would satisfy diligence expectations from the government, government contractors, and regulated industries.

It also notes that, due to the order’s focus on unlawful AI data access, buyers need to closely examine agent design and permissions, identity and access management controls, and safeguards against automation that could cross into “unauthorized access” under criminal statues.

– John Jenkins