The deals came faster than anyone expected. ServiceNow closed its $2.85 billion acquisition of Moveworks in December 2025. Automation Anywhere absorbed Aisera the same quarter. In April 2026, Cohere and Aleph Alpha merged at a combined valuation of roughly $20 billion. Each time, enterprise customers woke up to find their vendor had a new parent — and their negotiated protections may not have survived the handover.
The AI consolidation wave that began reshaping the market in 2025 has made vendor acquisition risk a live procurement concern, not a planning-horizon abstraction. Most enterprise AI contracts were written before consolidation accelerated. They lack the clauses that protect buyers when a vendor is absorbed, acquihired, or rolled into a platform stack.
So here is a structured due diligence framework: capital structure, contract clauses, data export rights, sovereign compliance, agentic lock-in, and ongoing monitoring. Treat these as engineering decisions. Exit clauses, data-portability obligations, and model-deprecation rights need resolving before the first agent is deployed — not after an acquisition announcement.
The three consolidation patterns — acquihire, full merger, and platform roll-up — are covered in detail in the companion taxonomy article. This checklist addresses all three.
Why is AI vendor due diligence different from standard SaaS procurement?
Standard SaaS due diligence covers uptime SLAs, SOC 2 certification, and pricing stability. These matter in AI contracts too — but they miss where AI-specific risk actually accumulates.
AI vendor lock-in compounds at four simultaneous layers:
- API dependency and model versioning — Your architecture bends around the vendor’s API design, prompt format, and response schema. Switching requires re-engineering prompts, integration code, and your evaluation suite.
- Agent orchestration framework capture — If your agents are built on a vendor-proprietary orchestration layer, you cannot swap the underlying model without rebuilding the agent.
- Data gravity — Fine-tuned weights, embeddings, and institutional memory grow heavier over time. The longer the relationship, the more operational knowledge is encoded in artefacts that only exist inside the vendor’s system.
- Developer workflow integration — CI/CD pipelines, API keys, webhook configurations, and MCP server registrations accumulate across engineering teams. These live in repositories and runbooks, not the MSA.
💡 An MSA (Master Service Agreement) is the primary contract governing an ongoing vendor relationship — pricing, SLAs, data handling, and termination rights; individual project orders sit beneath it.
There is a fifth layer the standard checklist misses: acquirer roadmap conflict. When ServiceNow acquired Moveworks, customers did not lose their product overnight — but they landed on the acquirer’s MSA template at the next renewal. That’s the slow version of a bad outcome. The acquihire, full merger, and platform roll-up taxonomy covers the fast version.
How do you read a vendor’s capital structure as a procurement stability signal?
Not all funding is equivalent. A vendor’s capital structure is a readable signal about acquisition probability and exit pressure — and you can learn to read it.
A clean equity round (Series A through E) means investors hold shares at a set valuation with no repayment obligation. Convertible debt is a loan that converts to equity under defined conditions — if it matures without conversion, repayment is due, and that creates exit pressure that can accelerate an acquisition on unfavourable terms. Structured financing blends debt and equity. Schwarz Group’s €600 million commitment in the Cohere–Aleph Alpha deal is the current example — it secured runway and introduced European strategic alignment, though the convertible instrument details remain undisclosed.
💡 ARR (Annual Recurring Revenue) is the annualised value of subscription contracts; ACV is the value of a single customer’s contract annually — a vendor can report high ARR while most of it comes from a handful of accounts.
Before signing, request ACV data for the top three accounts as a percentage of total ARR. Concentration above 40% from a single customer signals structural vulnerability. That vendor is more likely to accept acquisition terms on unfavourable timelines.
Cap table signals matter too. Cohere’s pre-deal investors included Nvidia, Salesforce Ventures, Cisco, and Fujitsu. Nvidia simultaneously holds equity in Cohere, OpenAI, xAI, and Poolside — your sovereign AI vendor’s primary hardware supplier also holds stakes in its largest competitors. That is worth raising in procurement.
Ask before signing: What is the maturity profile of your current financing? What percentage of ARR is contractually committed vs. pilot or expansion? Who holds board seats and what protective rights do they carry?
The 80+ ARR survival calculus covers the full set of financial health indicators that signal acquisition risk.
What contract clauses should you demand before signing an AI vendor agreement?
The change-of-control clause is the one that matters most. The spectrum runs from weak to strong, and most AI vendor MSA templates default to the weak end.
At the weak end you get notification-only: the vendor tells you an acquisition occurred. You are informed but not empowered. At the strong end you get notification plus termination-for-convenience: a defined window — 90 to 180 days — to terminate at original pricing, with data export obligations intact.
Demand two additions on top of that: coverage for indirect acquisitions (where the acquirer buys a parent holding company rather than the vendor entity directly), and automatic triggering of data export obligations without requiring a request from you.
Contract portability must appear separately. Portability means all MSA terms survive an acquisition and bind the acquirer without modification. Without it, the acquirer can treat the assumed contract as subject to its own standard terms at renewal. That is how customers with perfectly reasonable MSAs end up on worse terms.
The “controlled in Europe” sovereignty clause is the concrete benchmark. Aleph Alpha’s public-sector contracts with German federal agencies and Bundesländer including Baden-Württemberg and Bavaria required the vendor to remain “controlled in Europe.” When the Cohere merger was announced, those customers had the strongest available outcome. Enterprise buyers in EU-regulated sectors should demand equivalent language.
Data export rights need explicit scope. Most MSAs define “customer data” narrowly — raw files and structured records. Cover explicitly: derived embeddings and retrieval indices, fine-tuned model weights, persistent agent memory and conversation traces, vector database content, and tool-call logs. These are the artefacts most default MSAs exclude.
Three more clauses to push for: model substitution rights (90-plus days’ notice before any model version change); novation rights (a procedural lever at the moment of acquisition rather than an automatic rollover); SLA survival clause (18-month minimum post-merger protection).
💡 Novation is the legal transfer of a contract with the explicit consent of all parties — distinct from contract assignment, where the contract transfers automatically without requiring the customer’s consent.
For context on what Aleph Alpha customers received, the Cohere–Aleph Alpha worked example covers the deal mechanics in detail. The companion article on the three consolidation patterns this checklist addresses explains how different acquisition types change which clauses to prioritise.
How do you evaluate a vendor’s sovereign AI compliance claims?
Data residency is not data sovereignty. This is the most common misunderstanding in this space, and it is worth getting right before you sign anything.
A vendor can host data in an EU data centre while remaining subject to US CLOUD Act jurisdiction regardless of where the data physically resides.
💡 The CLOUD Act permits the US government to compel American companies to produce data stored anywhere in the world — making a US-parent-owned vendor subject to US jurisdiction even with EU data centre operations.
Azure OpenAI Service offers EU data centre options but remains subject to Microsoft’s US parent jurisdiction. Verify legal jurisdiction, not just data centre geography.
EU AI Act audit requirements take full effect in August 2026. Ask vendors to produce — on request — technical documentation of model capabilities, risk assessment records, and data residency audit trails. Inability to produce a current EU AI Act technical file is a red flag, not a paperwork gap.
Sub-processor scope is wider than standard GDPR compliance teams typically track. In AI contracts it includes vector database providers, MCP server operators, fine-tuning infrastructure, and third-party embedding pipeline components. Demand a published sub-processor list and a 72-hour notification commitment for any change.
The Trust vs. Lock-in Framework (Kai Waehner, 2026) is a useful starting point. It places vendors in four quadrants:
- Trusted and Flexible — Cohere (post-merger), Anthropic, Mistral.
- Trusted but Captured — Google/Vertex AI, SAP.
- Risky but Flexible — OpenAI.
- Risky and Captured — Azure OpenAI, AWS-native stacks.
Layer the acquisition risk dimension on top of this and you have a workable triage tool.
EU AI Act audit requirements and sovereign AI certification are covered in detail in the sovereign AI policy article, including DORA and NIS2 requirements.
Why is agentic AI lock-in a distinct risk category beyond general vendor lock-in?
Switching a foundation model API is a re-engineering project measured in weeks. Agentic AI lock-in is a different problem entirely.
It compounds across three additional layers that make a model switch look easy:
- Orchestration framework — Workflows built on a vendor-proprietary orchestration layer cannot swap the underlying model without rebuilding the agent. It is not a refactor. It is a rebuild.
- Runtime environment — Managed runtimes like AWS AgentCore bind infrastructure to agent behaviour. Migrating is closer to a platform migration than a model swap.
- Developer workflow — Agent memory stores, tool registries, MCP server configurations, and CI/CD pipeline integrations accumulate over time and are not standardised across vendors.
The OpenClaw case illustrates how orchestration standard capture works. Peter Steinberger released the OpenClaw open-source agent framework in late 2025; within 60 days it was among the fastest-growing projects on GitHub. He joined OpenAI in February 2026 to lead next-generation personal agents, while OpenClaw moved to a foundation with OpenAI as sponsor. An “open source” assurance is not enough when framework governance has moved to a closed entity.
The mitigation: Model Context Protocol (MCP). Anthropic donated MCP to the Agentic AI Foundation — a directed fund under the Linux Foundation, co-founded with Block and OpenAI — in December 2025. MCP standardises how agents connect to external tools and data sources, creating a vendor-neutral integration layer that survives a model switch. Over 97 million monthly SDK downloads and 10,000 active servers give it the adoption that makes it durable.
Start agentic lock-in assessment at the beginning of the vendor relationship, not at renewal.
The companion article on acquihire, full merger, and platform roll-up patterns covers how talent-only acquihires produce the fastest orchestration layer disruption.
How do you build an ongoing AI vendor risk monitoring process?
Vendor acquisition risk is not a one-time exercise. The consolidation wave is ongoing. Quarterly signal tracking is the minimum — and here is what to track.
Quarterly signals to monitor:
- Secondary market shares trading at a discount to the last primary round.
- Down rounds or bridge extensions (often a sign Series N negotiations have stalled).
- Senior engineer and product leadership departures (LinkedIn activity leads acquisition announcements by 3 to 6 months).
- Roadmap milestones that slip without explanation.
- Customer churn signals on G2 and Gartner Peer Insights.
Maintain a vendor risk register updated at minimum quarterly. Record: current capital structure and financing maturity date, last known ARR and revenue concentration, key contractual protections in place, and the consolidation pattern most likely to affect each vendor.
Trigger events for an immediate review — do not wait for the quarterly cycle. Any strategic investor entry (hyperscaler, platform vendor, hardware supplier), CEO or CPO departure, or public “strategic partnership” announcement implying equity transfer warrants an immediate look.
Pre-renewal review window: build in 90 days minimum before each contract renewal date. Most enterprise AI contracts have 30-day renewal notice periods. Ninety days gives you 60 days of actual negotiating time before the decision point. That is the difference between having options and not having them.
Financial health indicators that signal acquisition risk form the underlying signal set covered in the companion survival calculus article.
What does the Cohere–Aleph Alpha merger reveal when scored against this checklist?
The April 2026 Cohere–Aleph Alpha merger — anchored by Schwarz Group’s €600 million structured financing, creating a combined entity valued at approximately $20 billion — is the most relevant recent data point for enterprise buyers relying on either vendor. Here is how it scores.
Capital structure — Positive, partial. Schwarz Group’s European alignment is a better stability signal than a typical VC-driven exit-pressure round. Convertible instrument details are not publicly disclosed, which is the caveat.
Contract portability — Best practice demonstrated; adoption gap remains. Aleph Alpha’s “controlled in Europe” clauses — German federal agencies, Baden-Württemberg, Bavaria — gave those customers contractual protection the merger terms had to honour. Enterprise customers without equivalent clauses had weaker standing. That is the gap.
Data export rights — Partial. Customers migrating to PhariaAI retained access to their deployment environments. No public disclosure covers the timeline or tooling for customers who chose to exit.
Roadmap continuity — Positive. The joint entity committed to Command-Pharia 1 — integrated into Cohere’s roadmap — targeted for Q4 2026. A named milestone with a public date is more credible than generic commitments.
Agentic lock-in — Neutral to positive. Customers using Aleph Alpha’s model-agnostic PhariaAI governance layer had the least lock-in to unwind. Risk concentrates for customers with orchestration workflows tightly coupled to Aleph Alpha-specific tooling.
The acquihire comparison is instructive. A talent-only acquihire of either company would have produced product wind-down in 60 to 180 days, no contract portability, and data export windows measured in weeks. Microsoft/Inflection (2024) and Amazon/Adept (June 2024) are the relevant negative benchmarks — talent relocated, and enterprise customers received limited continuity commitments. The Cohere full merger is better on every dimension.
The lesson is straightforward: negotiate data export terms before an announcement, when you still have leverage. After an announcement, you are negotiating against a timeline the acquirer controls.
For a complete overview of the AI startup consolidation wave — the macro forces, the deal patterns, the policy landscape, and the survival calculus that makes this checklist necessary — see the full series overview.
The questions below cover the most common points of confusion when approaching AI vendor due diligence for the first time.
Frequently Asked Questions
What is the single most important contract clause to add for AI vendor stability?
A change-of-control clause that goes beyond notification. You need a termination-for-convenience right triggered by a change-of-control event, with preserved pricing and a defined data export window of at least 90 days. Notification-only is the default in most AI vendor MSAs — it tells you an acquisition happened but gives you no options. Also cover indirect acquisitions, where the acquirer buys a parent holding company rather than the vendor entity directly.
What does “contract portability” actually mean in a vendor acquisition scenario?
All material MSA terms — pricing, SLAs, data handling, sovereignty commitments — automatically bind the acquiring entity without renegotiation. Without it, an acquirer can treat the assumed contract as subject to its own standard terms at renewal. The Aleph Alpha “controlled in Europe” clause is the concrete example: European legal control over data survives the ownership transfer.
Is it possible to negotiate data export rights with major AI vendors?
Yes. Leverage depends on contract size — seven-figure annual contracts can push for broad rights; mid-market contracts have less leverage. Scope is the key negotiation point: broad data export should cover embeddings, fine-tuned weights, conversation traces, agent memory, and vector indices — not just raw uploaded files. Minimum: a 90-day export window with documented tooling, activated by any change-of-control event.
What is the difference between data residency and data sovereignty?
Data residency is where data is physically stored. Data sovereignty is the legal jurisdiction governing access and compelled disclosure. A US-parent-owned vendor with EU data centres is still subject to CLOUD Act requests. Verify legal jurisdiction, not just data centre geography.
How often should I review my AI vendor risk portfolio?
Quarterly for signal tracking — secondary market activity, leadership departures, roadmap delays, funding news. A full contract review at minimum 90 days before each renewal date. Immediate review when a strategic investor takes an equity position or a CEO/CPO departs.
What is an acquihire and why is it the worst-case scenario for enterprise customers?
An acquihire is an acquisition motivated primarily by acquiring the engineering team. The acquirer has little interest in continuing the product; wind-down typically follows within 60 to 180 days. Enterprise customers face simultaneous risks: product discontinuation before contract expiry, data export windows measured in weeks, and no roadmap continuity. Microsoft/Inflection (2024), Google/Windsurf (July 2025), and Amazon/Adept (June 2024) are recent examples.
Should I be worried that my AI vendor will get acquired?
If your vendor is an independent AI startup with under $200 million ARR, raised its last round more than 18 months ago, or has a strategic investor at board level, acquisition probability is elevated. The practical step: conduct the contract clause audit now, before an announcement, when you still have negotiating leverage.
What happens to my contract if my AI vendor is bought by a competitor?
Without explicit portability provisions, the acquirer may migrate your contract to its own terms. A change-of-control clause with termination-for-convenience gives you the option to exit. If the acquirer holds a competing product, a portability clause with a fixed term — 24 months post-acquisition — is the practical protection.
What are novation rights and why do they matter in an AI acquisition?
Novation is the legal transfer of a contract with the explicit consent of all parties — distinct from contract assignment, where it transfers automatically. A novation-consent clause gives you the ability to negotiate the terms of the transfer, or refuse and trigger termination-for-convenience instead. Think of it as a merge request that requires your approval before the branch is merged into the acquirer’s codebase.
How do I evaluate an AI vendor’s financial stability before signing?
Request ACV concentration data: what percentage of ARR comes from the top three accounts? Above 40% signals structural vulnerability. Ask about financing maturity — repayment obligations in the next 24 months? Check secondary market price signals: shares at a material discount to the last primary round valuation mean institutional investors are pricing in downside scenarios.
What is the EU AI Act’s relevance to enterprise AI procurement?
The EU AI Act creates compliance obligations for enterprise buyers, not just vendors. If you deploy a general-purpose AI system in an EU context, you are responsible for ensuring it meets audit documentation and transparency requirements. Verify that your vendor can produce, on request, a current technical file, a risk assessment, and a data residency audit trail. The Act’s extraterritorial reach applies to non-EU companies deploying AI that affects EU users.
What is agentic AI lock-in and how is it different from standard API lock-in?
API lock-in is dependency on a specific model’s API format and response schema — addressable by a re-engineering project measured in weeks. Agentic AI lock-in compounds across the orchestration framework, runtime environment, and developer workflow. Switching a model API is a refactor; switching an agentic AI stack is a platform migration measured in months.