Due Diligence in the Age of AI: New Risks for Business

The conduct of Due Diligence is evolving today: in addition to performing a comprehensive audit, attention must be paid to the Due Diligence of business processes. This is a living mechanism that enables ongoing reviews of a company’s operational workflows to prevent financial and reputational losses.

In this article, we will discuss the Due Diligence of artificial intelligence, which is already embedded in nearly every business or actively used by company employees in their day-to-day work.

While AI helps to automate many processes, it can also introduce risks that businesses must be prepared for—from leaks of confidential information via generative AI services to reputational threats posed by deepfake technologies. We will focus on the practical aspects of identifying such risks during AI Due Diligence: what to watch for and how to respond.

AI & Data Confidentiality Risks in Business Models

With the integration of generative AI models (such as ChatGPT, Copilot, Claude, Gemini, Midjourney, DeepSeek, and others) into companies’ daily operations, a new layer of risks emerges.

It is crucial to pay attention to prompt leakage—situations in which employees, using public AI services, inadvertently share confidential or commercial information with the system, which may later become accessible to external users.

To prevent the loss of personal data, strategic plans, and proprietary information, companies should implement the following measures:

1. If AI tools are to be used on an ongoing basis by employees, start by setting up an in-house, closed-access system. Store all data on dedicated on-premises or securely rented servers, or in trusted cloud environments. Only after this foundation is in place should you develop or deploy your own AI models for staff use.

2. Implement the new policies within the company. Institute clear rules forbidding the upload of any documents that may contain confidential or commercial information to public AI services.

3. Provide employees with instructions explaining the risks of prompt leakage and the potential penalties for violating the new policies.

4. Update NDAs to cover AI interactions. Amend existing non-disclosure agreements to explicitly address the handling of confidential information when interacting with AI systems.

5. Designate a responsible individual—such as an IT manager/AI-officer or in-house counsel—to oversee AI policy compliance and governance.

Below are a few illustrative cases that led to significant financial and reputational losses. 

Samsung: Leakage of Internal Information via ChatGPT

Case summary: In 2023, Samsung employees unintentionally transmitted the company’s confidential data to ChatGPT on three occasions in one month. The data shared included fragments of source code, notes from internal meetings, and technical information about equipment. These actions occurred while using ChatGPT to solve work-related tasks.

Consequences: Samsung banned the use of public generative AI services for employees. The company began developing its own internal AI solution to prevent similar incidents in the future.

OpenAI: ChatGPT User Data Leak

Case summary: In March 2023, due to a bug in ChatGPT, some users were able to see the chat titles and portions of personal information belonging to other users. The leak included names, email addresses, payment information, and chat histories. OpenAI temporarily disabled ChatGPT to fix the issue.

Consequences: The incident raised concerns about data security in AI services. OpenAI strengthened its security measures and improved its user data handling processes.

DeepSeek: Transmission of User Data Without Consent

Case summary: In 2025, South Korea’s regulator discovered that the Chinese AI start-up DeepSeek had been transmitting users’ personal information—including prompts and technical metadata—to companies in China and the United States without proper consent. The data transmitted included the content of prompts, device information, network details, and application data. Following the findings, South Korea suspended new downloads of the DeepSeek app.

Consequences: DeepSeek ceased transmitting prompt content as of 2025. The regulator recommended that the company delete previously transmitted data and establish a legal basis for any future international data transfers. 

General Findings: studies have shown that employees often input confidential information into ChatGPT, which can lead to data leaks. According to Cyberhaven research, 11 % of the data entered into ChatGPT by employees is confidential. 

Before defining the scope of the audit, it is worth beginning with the identification of AI usage in business processes. First and foremost, you must check whether AI is being used for:

1. Marketing and content — is content (posts, texts, banners, SEO materials) being created using ChatGPT, Jasper, Midjourney, etc.?

2. HR — is candidate screening or initial resume evaluation being carried out using AI solutions?

3. Legal support — is AI used to generate documents, contract templates, or memoranda?

4. Software development — do engineers use GitHub Copilot or similar tools that can automatically generate code?

5. Internal communications — are AI-bots used to respond to employee or client inquiries?

6. Accounting, CFO — is AI used for calculations or to provide financial analyses?

7. Other structural units/departments, depending on the company’s industry.

Next, begin assessing the presence of risks in order to subsequently minimize them.

Review of AI model Documentation

If we have a closed system you need to check: How and where are the algorithms stored (own server, cloud)? What security measures are in these solutions, reputation. Who has access? It is necessary to clearly understand, if this is your server, in whose name the ownership right is registered and who has the right to manage and access it. It is recommended to have at least two people. A similar procedure is recommended when storing information in the cloud.

Public AI models:

Who uses them, what data is uploaded, is there any personal/confidential information?

Legal Status and Intellectual Property Rights (who owns the code and the data) 

Ownership of the AI system’s source code should be reviewed: Does the company fully own the rights to the code? Are there contractual relationships with the developers and rights to transfer intellectual property?

Ownership of the data: Who owns the data used for training? What agreements have been concluded regarding the use of this data?

Backup Copies

Even a well-protected system can fail—due to hardware malfunction or a hacker attack. Therefore, it is necessary to implement the storage of backup copies of your models and data. Check exactly where the backup will be stored, at what frequency be do the copy, and who has access.

It is better to keep copies in two locations at once (for example, on two different servers or in different cloud). If one location becomes “white noise,” you can instantly switch to the other and minimize downtime.

Personal Data

Be attentive if employees use AI for processing/storing personal data. In the event of a violation of personal data usage rules, the company may incur both reputational and financial losses.

Case: Blocking of ChatGPT in Italy

In 2023, the Italian regulator stopped ChatGPT’s operation because it found that the service stores and processes personal data without sufficient consent. This led to the platform being temporarily unavailable in Italy and additional reviews by OpenAI.

Fine and Further Consequences

In December 2024, the Garante (Italian Data Protection Authority) imposed a fine of €15 million on OpenAI for violating personal data processing rules. In addition, the company was required to conduct a six-month information campaign in Italy regarding the collection and use of data in ChatGPT.

For many businesses, this became a lesson: even global products can be blocked in a single country. Check your AI processes for compliance with local regulations before they lead to fines or bans.

Reputational Risk and Crisis Management

Media and Social Media Monitoring

Create a simple alert system: check leading media and social networks once a week for mentions of your brand alongside “AI,” “leak,” or “error.”

This way, you will identify negative trends at an early stage and can react quickly—issue a press release, clarification, or apology. Do not wait for outraged customers to start posting harsh comments.

Ethical Aspects Assessment (Amazon Monitoring)

Even if an AI system operates without technical failures, it can spoil reputation through ethical missteps. For example, Amazon faced criticism for monitoring warehouse employees and created tension in the media.

Assess what ethical questions they may raise: employee surveillance, use of video and audio data, discrimination. Involve HR and PR departments in this assessment—their perspective will help to avoid conflicts.

Development of a PR Strategy in Case of a Scandal

Every company must have a “Plan B” in case of bad news. This can be a short press release template, prepared key messages, and contact information of responsible persons.

In a crisis situation, fast and transparent communication often saves reputation: public acknowledgment of the issue, explanation of causes, and specific steps to address it—all of this helps reduce damage and restore customer trust.

Above, we reviewed a list of elements that can be part of an AI audit in a company’s operations. Of course, taking into consideration the request and specifics, the components can and should change.

Creation of a Simplified Review System

Important! If you do not have the ability to deploy secure environments for AI models, we would suggest creating a system of filters or a risk matrix.

Creating filters or a risk matrix can consist of the following steps:

1. Structure the information with a list of departments or employees and the information and documents they work with.

2. Classify documents and information by type and mark them with different levels of risk.

3. Identify what categorically cannot be used in public AI models.

4. Organize information and documents by category. For example: information related to government contracts, information subject to client NDAs, confidential agreements, documents containing personal data.

5. Extract risky information and documents into a separate list and create an obligation for employees not to upload them to public AI models.

6. Amend internal policies and NDAs. Re-sign the documents, and also explain the new rules to employees.

These recommendations are general, and when reviews are being conducted the creation of a roadmap is recommended in accordance with the current business model, number of employees, and other factors. Conducting an audit will enable you to manage risks rather than merely mitigating consequences.