TL;DR: VCs at Series A and beyond are now asking specific, document-level questions about how portfolio companies govern their AI systems. This 18-item checklist covers every area investors probe: policies, bias testing, data provenance, and regulatory exposure. Use it to walk into a diligence call prepared.
Fundraising conversations used to move past AI in a sentence or two. Investors would note that you used AI tools, tick a box, and move on to unit economics. That changed in 2025 when the EU AI Act's first enforcement deadlines arrived, when the FTC started naming companies in AI-related consent orders, and when several portfolio company AI incidents landed on front pages. By early 2026, AI governance had become a standard section in growth-stage diligence questionnaires, not a bonus topic for impact funds.
The shift is not driven by ethics alone. It is driven by liability. Investors who sit on boards bear exposure when a portfolio company ships a biased hiring tool, violates GDPR through an AI vendor, or faces an FTC action for deceptive AI outputs. Funds with LP agreements that include ESG or responsible-investment clauses face their own reporting obligations. The result is that diligence teams are asking founders to produce documents, not just describe intentions.
Why VCs care about AI governance now
There are four concrete reasons AI governance moved up the diligence agenda in 2026.
Regulatory liability is real and it attaches fast. The EU AI Act places direct obligations on companies that deploy AI systems in high-risk categories, including hiring, credit scoring, and some customer-facing decision systems. Fines are calculated as a percentage of global annual turnover, and investors who acquire meaningful equity stakes can inherit exposure through indemnification clauses. Andreessen Horowitz's AI governance guidance, published for portfolio companies in late 2024, specifically flags EU AI Act classification as a pre-investment requirement for companies with EU market access.
Insurance requirements are tightening. Several major insurers now require documented AI governance programmes as a condition of cyber or professional-liability coverage. If a portfolio company lacks adequate documentation and suffers an AI-related incident, coverage can be voided. This is a direct financial risk to returns, not just a reputational concern.
Reputational incidents are becoming acquisition blockers. In several 2025 M&A deals, acquiring companies discovered undisclosed AI governance gaps during integration diligence and either reduced their offer or walked. PE firms in particular have started adding AI governance representations and warranties to purchase agreements, which means the issue flows upstream to the VC's own exit modelling.
Training data IP disputes are rising. Lawsuits over unlicensed training data used by AI vendors are now in discovery in multiple jurisdictions. Portfolio companies that cannot demonstrate they reviewed their vendors' training data terms face contingent liabilities that must be disclosed in a fundraising data room.
The 18-item AI governance due diligence checklist
The items below reflect what investors are asking for in practice in 2026 diligence processes. Each item's description indicates the form of evidence investors typically want to see, not just a verbal confirmation.
Group 1: Policy and documentation
1. Written AI acceptable use policy
Investors want a signed, dated document that defines which AI tools employees may use, what data classifications are permitted in prompts, and who is responsible for AI decisions. A one-page internal policy is enough at Series A. By Series B, investors expect version history showing the policy has been reviewed and updated. See our AI acceptable use policy template 2026 for a starting point.
2. AI system inventory or register
A list of every AI tool in production use, including the vendor name, purpose, data types it processes, and the date you last reviewed the vendor's terms. Spreadsheet format is acceptable. Investors check this against your vendor contracts to see whether the actual usage matches what you told the vendor you would do.
3. Data processing documentation for AI tools
For every AI tool that processes personal data, you need a signed Data Processing Agreement (DPA) and a record in your Article 30 register if you operate under GDPR. Investors ask for the DPA list specifically because missing DPAs are a GDPR violation that regulators have started enforcing against smaller companies.
4. AI incident response procedure
A documented process for what happens when an AI system produces harmful, inaccurate, or non-compliant output at scale. This does not need to be a separate document; it can be a section of your existing incident response plan. Investors look for a clear escalation path, a named decision-maker, and at least one prior drill or tabletop exercise.
5. Employee AI training records
Evidence that employees who use AI tools have received guidance on acceptable use, data handling, and how to escalate concerns. Sign-off records from an internal training session are sufficient. Investors are checking for basic hygiene, not a certified training programme.
Group 2: Bias, fairness, and harm
6. Bias testing conducted before deployment
If you use AI in any workflow that produces outputs about people (scoring, ranking, filtering, or recommending), investors will ask whether you tested for demographic bias before go-live. The evidence they want is a testing log: what you tested, the method, and the result. This applies to third-party models you call via API, not just models you built yourself.
7. Demographic impact analysis for hiring, lending, or scoring decisions
This is a more formal version of item 6, required when AI outputs directly influence consequential decisions. Investors with LP obligations around responsible investment, including several Sequoia-backed funds and most European VCs, specifically request this analysis for any AI product touching protected characteristics. The EEOC has issued guidance making clear that employers remain liable for discriminatory outputs even when those outputs come from a third-party AI tool.
8. Human review process for high-stakes AI outputs
Documentation showing that a human reviews AI outputs before they are acted upon in high-stakes contexts. Define what counts as high-stakes for your product. Investors are looking for a defined process, not manual review of every output.
9. Feedback mechanism for end users
A way for users to flag AI outputs they believe are incorrect, harmful, or biased, plus a process for reviewing those flags. This is now included in Sequoia's standard portfolio company governance guidance. A simple feedback button that routes to a named internal owner satisfies the requirement.
10. Third-party audit or red-team exercise (if high-risk)
For AI products in regulated sectors or with high potential for harm, investors expect evidence of at least one external review. This could be a penetration test that covered AI inputs, a red-team session, or an independent bias audit. At Series A this is a nice-to-have; at Series B for a high-risk product it is often required.
Group 3: Data and IP
11. Training data provenance documented
If you fine-tune, train, or operate any AI model, investors want to know where the training data came from. This means a document describing the data sources, their licences, and whether any personal data was included. The question has moved from specialist IP funds to general investors after the wave of 2024-2025 training data litigation.
12. No unlicensed training data used
A positive representation that your training data is either proprietary, publicly licensed for commercial AI training, or covered by a licence you can produce. Some investors now ask for a solicitor's or counsel's sign-off on this point before closing.
13. Customer data not used to train third-party models
A review of your AI vendor contracts confirming that customer data you pass to those vendors is not used to improve or train the vendor's models. This is a data protection requirement under GDPR and a contractual obligation in most enterprise customer agreements. Investors ask specifically because many founders have signed vendor terms without reading the training-data clauses.
14. IP ownership of AI outputs clarified
A brief legal analysis of who owns outputs generated by AI tools used in your product or operations. This matters most where outputs are customer deliverables or form part of your IP portfolio. The analysis should address your jurisdiction and the terms of the specific models you use.
Group 4: Regulatory exposure
15. EU AI Act risk classification completed
If you sell into the EU or process data about EU residents, investors expect you to have completed a classification exercise against the EU AI Act's risk tiers. Even if the result is "general purpose, no high-risk classification," having the classification documented shows you engaged with the question. See our EU AI Act compliance guide for small teams for how to approach this.
16. GDPR and CCPA data processing agreements with AI vendors
A checklist of your AI vendors with a column confirming whether a DPA or CCPA service agreement is in place for each one. Investors who have seen portfolio companies receive GDPR enforcement notices now check this systematically.
17. EEOC and employment law AI review (if AI is used in hiring)
If AI touches any part of your hiring process (screening CVs, ranking candidates, scheduling interviews, or scoring assessments), investors will ask whether you have reviewed the EEOC's 2024 guidance on AI and employment discrimination. Several US states also have their own AI-in-hiring disclosure laws. A short legal review memo satisfies this requirement.
18. Evidence of ongoing regulatory monitoring
Some form of process for staying current on AI regulation relevant to your business. This could be a named person who monitors regulatory developments, a subscription to a compliance newsletter, or membership of an industry working group. Investors are checking whether regulatory compliance is a one-time exercise or a managed programme.
How to use this checklist before each funding stage
The depth of documentation investors expect scales with the amount of money and the stage of the round.
At pre-seed and seed, investors are not typically requesting formal documents. But founders should at least be able to name the AI tools they use, explain what data those tools see, and describe who is responsible for AI decisions. If these questions come up in a call, a thoughtful verbal answer is enough.
At Series A, investors expect items 1 through 5 to exist as written documents, and they expect items 6 through 10 to have been considered even if the documentation is lightweight. A data room at Series A should include your acceptable-use policy, your AI tool inventory, and your DPA list as standard. Missing these is a yellow flag that experienced diligence teams will note.
At Series B and growth equity, all 18 items should be documented. Items 11 through 14 attract particular attention when the round includes investors from the EU or when the company has announced plans to expand into European markets. Items 15 through 18 are now standard in PE and late-stage VC diligence questionnaires, and gaps here can translate directly into representations and warranties exposure at exit.
For a practical starting point, use our third-party AI tool risk assessment template to build your AI inventory, then work through each group of checklist items to identify what documentation you need to create. Most founders who are not in regulated industries can cover Groups 1 and 3 in a week with existing information. Groups 2 and 4 take longer if bias testing has not been done, but a documented plan for completing testing is better than silence.
The goal is not to produce paperwork for its own sake. Investors who ask these questions are trying to assess whether a founder understands the risks their AI systems create and has taken reasonable steps to manage them. A clear, direct set of answers backed by simple documentation is more persuasive than an elaborate compliance programme that does not match how the company actually operates.
