
AI in M&A Reading List: 14 Annotated Reports for Deal Teams

The major consulting firms and research institutions have all produced relevant work. This list filters what's worth reading and why — and what to skip.

14 reports · 4 sections

The volume of research on AI in business has exploded since 2023. A significant portion of it is not useful for deal practitioners — it's either too conceptual (strategy consultants describing an aspirational future), too operational (IT function reports with no deal relevance), or too promotional (technology vendors describing their own category).

The items on this list share three characteristics: they contain quantitative data or frameworks that are usable in deal analysis, they're authored by sources with legitimate methodological rigor, and they address something specific enough to act on. Each annotation notes what the report is actually useful for and where it falls short.

Related reading from Vedekon: The State of AI in IT Due Diligence and Auditing AI-Native Companies.

Consulting Firm Research


McKinsey — "The State of AI" (Annual Report)

Benchmark

McKinsey Global Institute · Annual · Free

The most widely cited dataset on enterprise AI adoption — essential for benchmarking

McKinsey's annual State of AI survey is the most widely cited dataset on enterprise AI adoption. It tracks which functions are using AI, how investments are changing year over year, where organizations report value versus where they're still experimenting, and how the gap between AI leaders and laggards is evolving. The 2024 and 2025 editions captured the inflection point of generative AI adoption in enterprise functions including legal, finance, and due diligence.

What it's useful for: Benchmarking. If a target claims to have advanced AI capabilities, the McKinsey data tells you what "advanced" looks like across comparables. If a target has no AI capabilities, the adoption curve data tells you how far behind market expectations they are.

Where it falls short: Survey-based, so it captures what companies say they're doing rather than what they can demonstrate. Use as benchmark context, not as a primary reference.

Read at mckinsey.com →

BCG — "AI in M&A: How Acquirers Are Using AI to Get Deals Done"

Deal-specific

Boston Consulting Group · 2024 · Free

AI use cases across the deal lifecycle — efficiency metrics and competitive landscape

BCG's research on AI applications specifically in M&A is among the most directly applicable work from the major consulting firms. It covers AI use cases across the deal lifecycle — target screening, diligence document processing, valuation modeling, integration planning — and provides case examples from corporate and PE clients. The analysis of where AI is generating measurable efficiency gains versus where it remains primarily aspirational is useful calibration.

What it's useful for: Understanding the competitive landscape of AI tools in M&A processes. Useful for advising deal teams that are evaluating whether to incorporate AI-assisted diligence tools or continue with traditional approaches. The efficiency metrics — time to complete document review, finding coverage rates — are directly relevant to the speed-versus-depth argument.

Where it falls short: BCG has a consulting services interest in AI adoption. Claims should be validated against vendor-neutral research.

Read at bcg.com →

Deloitte — "M&A Technology Due Diligence" Practitioner Guides

Framework

Deloitte · Multiple editions · Free

Operational IT diligence methodology — scope definition, risk categorization, and financial quantification

Deloitte publishes a series of practitioner-focused guides on IT due diligence methodology — covering diligence scope definition, IRL (information request list) design, risk categorization, and post-close integration planning. These are less aspirational than most consulting research and more operational: they reflect what Deloitte's M&A technology advisory practice actually does with clients. The technology risk categorization frameworks are a useful reference for designing diligence scope.

What it's useful for: Scope definition and risk categorization. Useful for teams designing an IT diligence workplan or arguing for expanded diligence coverage with a skeptical deal team. The financial quantification approaches for technology risk — how to convert technical findings into deal model inputs — are particularly practical.

Where it falls short: Reflects traditional consulting methodology, which can be slow and expensive to execute. The AI augmentation of this methodology is not yet well-reflected in their published guides.

Read at deloitte.com →

EY — "How AI Is Reshaping Due Diligence" (2024)

Current

Ernst & Young · 2024 · Free

Credibility and accuracy benchmarks for AI diligence tools from audit-grade methodology

EY's 2024 research on AI in due diligence covers their experience deploying AI tools in transaction advisory contexts — document analysis, compliance screening, financial data extraction, and report generation. The research includes data on time savings, coverage improvement, and accuracy comparisons between AI-assisted and traditional review. EY's position as both an audit firm and transaction advisor gives their perspective a specific credibility on compliance and accuracy dimensions.

What it's useful for: Credibility and accuracy benchmarks. EY's data on AI finding accuracy — false positive rates, coverage gaps, confidence calibration — is more methodologically rigorous than most vendor claims. Useful for evaluating AI diligence tool claims against an independent baseline.

Where it falls short: EY is also selling advisory services. The research reflects tools they've built or licensed, not a vendor-neutral evaluation.

Read at ey.com →

Bain — "Global Private Equity Report" (Annual)

Industry benchmark

Bain & Company · Annual · Free

The comprehensive benchmark for PE market conditions, deal multiples, and tech risk in portfolios

Bain's annual PE report is the most comprehensive published benchmark of private equity market conditions, fund performance, and deal dynamics. The technology sector coverage — valuations, deal multiples, value creation approaches — provides the context that informs how technology diligence should be calibrated to market conditions. Recent editions have included dedicated sections on technology risk in PE portfolios and how post-acquisition cybersecurity failures have affected returns.

What it's useful for: Market context for technology sector deals. The deal multiple benchmarks, valuation trend data, and value creation analysis provide the background against which specific deal diligence findings should be interpreted. Particularly useful for technology company deals in PE contexts.

Read at bain.com →

PwC — "Global M&A Industry Trends" (Annual)

Deal market

PricewaterhouseCoopers · Annual · Free

Deal volume, sector concentration, and technology M&A evolution — annual market context

PwC's annual M&A trends report covers deal volume, sector concentration, strategic rationale patterns, and integration challenges across global M&A activity. The technology sector editions track how technology M&A is evolving — from traditional software acquisitions to AI capability acquisitions to digital infrastructure deals. PwC's coverage of valuation methodology for technology assets has become more rigorous as technology deals have grown as a share of overall volume.

What it's useful for: Deal market context and sector trend data. The deal rationale analysis — what acquirers say they're buying versus what they actually integrate successfully — is useful for stress-testing deal theses during diligence.

Read at pwc.com →

Cybersecurity and Risk Research


IBM — "Cost of a Data Breach Report" (Annual)

Quantitative

IBM Security / Ponemon Institute · Annual · Free

The primary source for pricing cybersecurity risk in deal models

IBM's annual data breach cost report — produced with the Ponemon Institute — is the most widely cited source of breach cost benchmarks in security risk assessment. The 2024 edition reported a global average breach cost of $4.88 million, with significant variation by industry, breach type, and security posture maturity. The breakdown by attack vector, detection time, and containment cost provides the inputs for financial risk quantification in diligence contexts.

What it's useful for: Pricing cybersecurity risk in deal models. This is the primary quantitative source for converting cybersecurity findings into financial estimates — "this target's security posture is consistent with companies that experience X category of breaches, which cost $Y on average." Referenced directly in our PE cybersecurity case study.

Read at ibm.com →

OWASP — Top 10 Web Application Security Risks

Technical standard

Open Web Application Security Project · Updated regularly · Free

The authoritative standard for web application security risk classification — used by auditors and compliance frameworks

The OWASP Top 10 is the authoritative standard for web application security risk classification — used by security auditors, penetration testers, and compliance frameworks (including SOC 2 and ISO 27001 readiness assessments). It categorizes the most critical web application security vulnerabilities with technical descriptions, business impact analysis, and remediation guidance. The list is updated based on actual breach data across thousands of organizations.

What it's useful for: Diligence checklist design and finding classification. When reviewing penetration test reports or security assessment documentation in a VDR, the OWASP Top 10 provides the standard against which to assess what was tested, what was found, and what remediation has occurred. Referenced in our hidden technical debt post.

Read at owasp.org →

AI Regulation and Compliance


EU AI Act — Official Text and GDPR Foundation

Regulatory

European Commission · 2024 · Free

World's first comprehensive AI regulation — risk tiers, compliance timelines, and post-close cost estimation

The EU AI Act, which entered into force in August 2024, is the world's first comprehensive AI regulation, establishing risk tiers for AI systems and compliance requirements for companies operating in or selling to the EU market. For deal teams diligencing European targets or companies that sell into Europe, understanding the Act's risk classification (minimal, limited, high, unacceptable risk) and compliance timelines is directly relevant to post-close cost estimation.

What it's useful for: Regulatory exposure assessment for AI company acquisitions. If a target's product incorporates AI in a "high-risk" category under the Act (employment screening, credit assessment, biometric identification), compliance costs and implementation timelines become deal model inputs. See our AI company diligence case study.

Practical summaries from law firms (Linklaters, Clifford Chance) are often more accessible than the legislation itself.

Read at European Commission AI Policy →

NIST AI Risk Management Framework (AI RMF)

Standards

U.S. National Institute of Standards and Technology · 2023 · Free

Baseline for AI governance maturity assessment — gap analysis identifies post-close compliance investment

NIST's AI RMF provides a voluntary framework for managing AI-related risks in organizations — including risk identification, governance, measurement, and mitigation categories. Released in 2023 and widely adopted as a baseline for AI governance in corporate and regulated environments, it's increasingly referenced in vendor contracts, enterprise AI procurement, and regulatory guidance in the US context.

What it's useful for: AI governance assessment in diligence. When reviewing a target's AI governance documentation, the NIST AI RMF provides the standard against which to evaluate maturity — what an organization should have in place at each stage of AI system development and deployment. Gap analysis against this framework identifies post-close compliance investment requirements.

Read at nist.gov →

Open Source and Software Licensing


Linux Foundation — Open Source Compliance Guidance

Reference

Linux Foundation · Free

The authoritative reference for open-source license risk in software acquisitions — GPL, MIT, Apache

The Linux Foundation publishes comprehensive guidance on open-source license compliance — covering GPL, MIT, Apache, and other license families, their compatibility, their obligations, and the compliance processes organizations should have in place. This is the authoritative reference for understanding open-source license risk in software products, which is directly relevant to technology diligence in software acquisitions.

What it's useful for: Software licensing diligence. GPL license violations — using GPL-licensed components in proprietary products without complying with copyleft obligations — can lead to demands for disclosure of proprietary source code or to injunctions against distribution. The Linux Foundation's materials explain the relevant compliance requirements clearly and provide the framework for assessing a target's open-source compliance posture. Referenced in our hidden technical debt post.

Read at linuxfoundation.org →

SPDX (Software Package Data Exchange) Specification

Technical standard

Linux Foundation · ISO Standard · Free

ISO/IEC standard for Software Bills of Materials — software supply chain diligence

SPDX is the ISO/IEC standard format for Software Bills of Materials (SBOMs) — a machine-readable inventory of all components, dependencies, and licenses in a software product. Understanding SPDX is relevant to diligence because it's increasingly required by enterprise customers, government procurement, and regulatory frameworks as proof of software supply chain transparency. A target's ability (or inability) to produce an SPDX-compliant SBOM tells you a lot about their software development maturity.

What it's useful for: Software supply chain diligence. The IRL item "provide a Software Bill of Materials for all production systems" is becoming standard practice. Understanding what a credible SBOM looks like — and what it means when a target can't produce one — is part of contemporary IT diligence practice.

Context on SBOM requirements in government procurement at cisa.gov/sbom.

Read at spdx.dev →

End of Life (EOL) Date Reference — endoflife.date

Tool

Open source community project · Free

Practical EOL reference for 300+ software products — cross-reference infrastructure inventories instantly

endoflife.date is a community-maintained reference database tracking end-of-life and end-of-support dates for over 300 software products — operating systems, programming language runtimes, databases, web frameworks, and infrastructure components. The data is updated continuously and covers the dates after which vendors no longer release security patches.

What it's useful for: This is a practical tool, not research. During diligence, when reviewing infrastructure inventories and deployment documentation, cross-referencing component versions against endoflife.date immediately identifies which production systems are running on unsupported software. Referenced in our hidden technical debt framework under Red Flag #1.

Visit endoflife.date →
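An added example, not taken from this page or from any of the projects it lists, that puts the SPDX and endoflife.date entries above into practice: it parses a constructed SPDX 2.3 JSON SBOM, flags copyleft license identifiers in a product the target distributes as proprietary (and licenses never established at all), and cross-references each package version against a constructed lifecycle table shaped like endoflife.date's per-product API. The package names, versions and dates are invented; a real check would read the target's SBOM from the VDR and the live endoflife.date data.

```python
import json
from datetime import date

# Constructed SPDX 2.3 JSON SBOM (SPDX field names; packages, versions and licences invented).
SBOM_JSON = """{"spdxVersion": "SPDX-2.3", "packages": [
  {"name": "python", "versionInfo": "3.8.18", "licenseConcluded": "PSF-2.0"},
  {"name": "django", "versionInfo": "4.2.7", "licenseConcluded": "BSD-3-Clause"},
  {"name": "postgresql", "versionInfo": "11.21", "licenseConcluded": "PostgreSQL"},
  {"name": "readline", "versionInfo": "8.2", "licenseConcluded": "GPL-3.0-or-later"},
  {"name": "internal-billing", "versionInfo": "2.4.0", "licenseConcluded": "NOASSERTION"}
]}"""

# Constructed lifecycle table in the shape of endoflife.date's per-product API:
# one entry per release cycle; "eol" is an ISO date, or false when none is announced.
EOL_TABLE = {
    "python": [{"cycle": "3.8", "eol": "2024-10-07"}, {"cycle": "3.12", "eol": "2028-10-31"}],
    "django": [{"cycle": "4.2", "eol": "2026-04-30"}],
    "postgresql": [{"cycle": "11", "eol": "2023-11-09"}, {"cycle": "16", "eol": False}],
}
COPYLEFT_PREFIXES = ("GPL-", "AGPL-", "LGPL-")  # SPDX licence identifier prefixes

def _cycle_for(name, version, table):
    """Map a concrete version (e.g. 11.21) to its lifecycle cycle entry (11), or None."""
    for entry in table.get(name, []):
        if version == entry["cycle"] or version.startswith(entry["cycle"] + "."):
            return entry
    return None

def review_sbom(sbom_json, eol_table, as_of_iso, proprietary=True):
    """Return (package, finding, detail) tuples for licence and lifecycle red flags."""
    sbom = json.loads(sbom_json)
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    for pkg in sbom.get("packages", []):
        name, ver = pkg["name"], pkg.get("versionInfo", "")
        lic = pkg.get("licenseConcluded", "NOASSERTION")
        if lic in ("NOASSERTION", "NONE"):  # licence never established: resolve before close
            findings.append((name, "license-unknown", lic))
        elif proprietary and lic.startswith(COPYLEFT_PREFIXES):
            findings.append((name, "copyleft", lic))
        entry = _cycle_for(name, ver, eol_table)
        if entry is None:  # absent from the lifecycle table: a coverage gap, not a clean bill
            findings.append((name, "eol-unknown", ver))
        elif entry["eol"] is not False and date.fromisoformat(entry["eol"]) <= as_of:
            findings.append((name, "eol", f"{ver} (EOL {entry['eol']})"))
    return findings
```

Calling review_sbom(SBOM_JSON, EOL_TABLE, "2025-06-30") on the constructed data yields six findings: two unsupported runtimes, one copyleft component, one unresolved license, and two packages the lifecycle table does not cover.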

Vedekon Perspectives

Apply this research to an actual deal

Vedekon's platform runs the full IT due diligence workflow — translating VDR documents into findings calibrated against frameworks like OWASP, NIST, and your active analysis framework. Investment Committee–ready output in compressed timelines.

