AI Development Due Diligence

Answers to the questions procurement, risk, and compliance teams ask about AI-assisted development. We've designed our approach to satisfy enterprise due diligence requirements.

Intellectual Property & Ownership

Core Commitment

You own 100% of the code we deliver. We contractually guarantee clean IP ownership with no encumbrances.

AI Training Data Protection

  • Your code is never used to train AI models
  • Prompts and outputs are not retained by AI providers
  • We use enterprise AI agreements with data protection clauses
  • Business logic remains confidential

License Compliance

  • Automated scanning of direct and transitive dependencies for GPL and other copyleft licences
  • Software Bill of Materials (SBOM) provided
  • License audit on all third-party dependencies
  • Copyleft dependencies are blocked before merge, so delivered code carries no copyleft obligations

Model Selection & Vendor Control

AI Models We Use

  • Primary: Anthropic Claude (via enterprise agreement)
  • Alternative: Azure OpenAI (for Azure-native clients)
  • On-premise option: Local models available for sensitive environments

Model selection can be tailored to your security and compliance requirements.

Avoiding Vendor Lock-in

  • AI is used during development, not embedded in production (unless required)
  • Models can be swapped without code refactoring
  • No proprietary AI frameworks in delivered code
  • Standard languages and patterns throughout

Post-Project Independence

At project completion, you can build, test, and deploy the system without any AI tooling dependency.

Build

Standard build tools (npm, dotnet, maven, etc.) with no AI dependencies

Test

Conventional test frameworks with full coverage documentation

Deploy

Standard CI/CD pipelines on your infrastructure

Security Controls for AI-Generated Code

Automated Security Scanning

  • SAST: Static analysis on every commit
  • DAST: Dynamic testing in staging environments
  • Dependency scanning: Known vulnerability detection
  • Secret detection: Prevents credential leaks

Preventing AI-Introduced Vulnerabilities

  • Pre-commit hooks block hard-coded secrets
  • Security-focused code review checklist
  • AI prohibited from auth/security-critical code
  • Mandatory human review for all security changes

AI-Prohibited Areas

The following areas require human-only development with enhanced review:

  • Authentication & authorisation
  • Cryptographic operations
  • Financial calculations
  • Regulatory rule engines
  • Audit logging
  • Data encryption

Security & Compliance Tooling

We integrate industry-standard tools into our CI/CD pipelines as automated safety and compliance checkpoints, without slowing down AI-accelerated development.

License Compliance Scanning

Automated scanning of all dependencies (direct + transitive) to detect GPL/AGPL/copyleft licenses and block forbidden licenses in PRs.

Snyk Open Source

License policies, vulnerability scanning, GitHub/GitLab PR checks. Supports npm, pip, Poetry, Docker and other ecosystems.

FOSSA

Purpose-built for license compliance. Excellent reports for legal/compliance teams. Deep CI integration.

Mend (WhiteSource)

Enterprise-grade transitive scanning. Policy enforcement. Widely recognised by procurement teams.

Static Application Security Testing (SAST)

Analyse source code for security vulnerabilities before deployment. Runs on every commit.

SonarQube / SonarCloud

Code quality and security analysis. Quality gates block vulnerable code from merging.

Semgrep

Lightweight, fast static analysis. Custom rules for organisation-specific patterns.

CodeQL (GitHub)

Semantic code analysis. Native GitHub integration. Excellent for finding complex vulnerabilities.

Dynamic Testing & Penetration Testing

Test running applications for vulnerabilities. Automated scanning plus periodic manual assessments.

OWASP ZAP

Open-source DAST. Automated scanning in CI/CD. Scan rules aligned with the OWASP Top 10.

Burp Suite

Industry-standard web security testing. Manual and automated testing capabilities.

Periodic Pen Tests

Third-party penetration testing for critical releases. Reports provided to stakeholders.

Secret Detection & Dependency Scanning

Prevent credential leaks and catch vulnerable dependencies before they reach production.

GitLeaks

Pre-commit secret detection. Blocks API keys, passwords, tokens.

TruffleHog

Deep git history scanning. Finds secrets in commit history.

Dependabot

Automated dependency updates. Security alerts for vulnerable packages.

Renovate

Automated dependency management. Configurable update policies.

Container & Infrastructure Security

Scan container images and infrastructure-as-code for misconfigurations and vulnerabilities.

Trivy

Container image scanning. Finds OS and application vulnerabilities.

Grype

Fast vulnerability scanner for container images and filesystems.

Checkov

Infrastructure-as-code scanning. Terraform, CloudFormation, Kubernetes.

tfsec

Terraform-specific security scanner. Catches misconfigurations early; its checks are now maintained as part of Trivy's misconfiguration scanning.

Automated Checkpoints, Not Bottlenecks

These tools run automatically in the CI/CD pipeline on every commit and pull request. Findings above the agreed severity threshold fail the pipeline and block the merge, so issues are caught early without manual intervention and without slowing AI-accelerated delivery.
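Wiring these checkpoints together, as an added example (not the consultancy's own pipeline): a GitHub Actions workflow in which secret detection (gitleaks), SAST (Semgrep), dependency and licence gating on pull requests, Trivy vulnerability/secret/licence scanning with SBOM output, and Checkov IaC scanning each fail the build on findings. The action version tags, the `main` branch name, the `infra/` directory and the severity and denied-licence thresholds are illustrative assumptions, not settings from the page.

```yaml
# Added example (not the consultancy's own pipeline): a GitHub Actions workflow
# wiring the checkpoints described above so that findings fail the build.
# Assumptions: action version tags, the "main" branch name, the infra/ directory,
# and the severity and licence thresholds are illustrative policy choices.
name: security-checkpoints

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read   # least privilege: every job only needs to read the repository

jobs:
  secrets:
    name: Secret detection (gitleaks)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history, so a secret committed then deleted is still caught
      - uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Organisation-owned repositories additionally need a GITLEAKS_LICENSE secret

  sast:
    name: SAST (Semgrep)
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    steps:
      - uses: actions/checkout@v4
      # --error turns findings into a non-zero exit, i.e. a merge-blocking check
      - run: semgrep scan --config p/default --config p/owasp-top-ten --error --metrics=off

  dependency-review:
    name: New dependencies (PR gate)
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Compares the PR's dependency graph with the base branch and fails if the PR
      # introduces a known-vulnerable package or a denied licence. Requires the
      # repository's dependency graph to be enabled.
      - uses: actions/dependency-review-action@v4
        with:
          fail-on-severity: high
          deny-licenses: AGPL-3.0-only, GPL-3.0-only, GPL-2.0-only   # assumed copyleft policy

  trivy:
    name: Vulnerabilities, secrets, licences and SBOM (Trivy)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Fails on HIGH/CRITICAL findings. By default Trivy's licence policy rates the
      # GPL family HIGH and AGPL CRITICAL, so copyleft packages fail this step too.
      - uses: aquasecurity/trivy-action@master   # pin to a release tag in real use
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,secret,license
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: '1'
      # Same scan, emitted as the CycloneDX SBOM that is handed over with the code
      - uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          format: cyclonedx
          output: sbom.cdx.json
      - uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.cdx.json

  iac:
    name: Infrastructure-as-code (Checkov)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: bridgecrewio/checkov-action@v12
        with:
          directory: infra/   # assumed location of Terraform/Kubernetes manifests
          soft_fail: false    # misconfigurations fail the job rather than only warn
```

Two practical caveats. First, these jobs only block a merge when the repository's branch protection lists them as required status checks; without that they report findings but do not gate anything. Second, the same gitleaks rules can run locally as a pre-commit hook so that a hard-coded credential never reaches the remote in the first place, which is the cheaper place to catch it.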

Maintainability & Knowledge Transfer

Documentation Deliverables

  • Architecture Decision Records: Why key choices were made
  • System documentation: How components interact
  • API documentation: Auto-generated and maintained
  • Runbooks: Operational procedures
  • AI decision log: Where AI assisted and what was reviewed

Handover Process

  • Code walkthrough sessions: Recorded for future reference
  • Pair programming: With your team during transition
  • Environment setup guides: Step-by-step developer onboarding
  • Support period: Included post-handover support

Preventing Over-Abstraction

AI can generate overly complex code. We actively prevent this:

Simplicity Reviews

Code reviewed for unnecessary abstraction

Boring Technology

Standard patterns over clever solutions

Readability First

Code your team can understand and maintain

Code Quality & Human Accountability

Human Review Standards

  • 100% of AI-generated code reviewed by humans
  • Named senior engineer signs off every PR
  • Architectural consistency enforced
  • Logic duplication actively prevented

Definition of "Done"

  • All acceptance criteria met
  • Tests written and passing
  • Security scan passed
  • Senior engineer approval

Accountability for AI-Generated Defects

If AI-generated code causes a defect:

  1. The human reviewer who approved the code is accountable
  2. Root cause analysis includes review of AI interaction logs
  3. Process improvements implemented to prevent recurrence
  4. Defect resolution follows standard SLA commitments

Testing Strategy for AI-Assisted Code

AI-Generated Tests

  • AI assists with test generation from specifications
  • Tests reviewed to ensure independent validation
  • Human verification that tests exercise behaviour rather than re-implementing the code under test
  • Edge cases and negative tests explicitly required

Coverage & Quality

  • Minimum 80% code coverage for business logic
  • Regular manual testing by humans
  • Regression suite run on every deployment
  • Post-refactor test validation mandatory

AI-Assisted Timeline Claims

Where AI Accelerates Delivery

  • CRUD operations and data entry screens
  • API integrations with documented endpoints
  • Test generation from specifications
  • Documentation and code comments
  • Boilerplate and scaffolding
  • Code refactoring and modernisation

Where AI Provides Limited Benefit

  • Novel algorithm design
  • Complex business rule implementation
  • Security-critical components
  • Undocumented legacy system integration
  • Stakeholder alignment and discovery
  • Performance optimisation

Timeline Assumptions & Risks

Our estimates assume:

  • Clear requirements and acceptance criteria
  • Timely stakeholder availability for decisions
  • Documented APIs for integrations
  • Stable scope (change requests handled separately)

Risks that could impact timelines:

  • Undocumented legacy system complexity
  • Scope changes during delivery
  • Third-party API instability
  • Extended stakeholder review cycles

Ongoing Maintenance & Support

Warranty Period

Included defect resolution for agreed period post-delivery. Bug fixes at no additional cost.

Retainer Options

Ongoing development capacity for continuous improvement, new features, and maintenance.

Emergency Support

Priority response for critical issues. SLA-backed support agreements available.

Need detailed due diligence documentation?

We provide comprehensive responses to RFP questionnaires and can arrange calls with our technical team.

Get in Touch