AI now writes a serious share of new code. GitHub has put Copilot's contribution past 40% in files where it's turned on. Most technical due diligence checklists were written for a world where a person typed every line, and it shows.
I do these reviews for founders before a raise, and for investors and acquirers before they wire money. An AI-built codebase can look finished and still be hollow. Here's what I actually check, and the red flags that change the price.
Why an AI codebase needs different diligence
AI-generated code tends to look clean and read well, which is exactly the trap. The problems are not in the formatting, they're in the things the model doesn't reason about. Security defaults, edge cases, what happens at scale, and whether anyone on the team actually understands what was shipped. You can't judge that by skimming the repo.
Security and data
- Authorization, not just login. Check that the backend enforces who can see what, and that row-level access is real, not just a UI that hides rows the user shouldn't see.
- Secrets. Look for API keys and tokens in client code or git history. AI-built apps leak these constantly.
- Dependencies. Outdated or sketchy packages are a common supply-chain risk. Check what's pulled in and how old it is.
- Personal data. What's stored, where, and whether it's handled compliantly if there are EU users.
Architecture and maintainability
- Is there a real structure, or is it copy-paste with variations? AI often repeats patterns instead of abstracting them.
- Could a new developer find their way around in a day? If not, every future change is slow and risky.
- Are there tests, and do they mean anything? AI-generated tests that assert nothing are worse than no tests, because they look like coverage.
The team and the bus factor
This is the question most checklists miss. Does anyone actually understand the code, or did a tool write it and move on? If the founder can't explain how the core works, you're not buying a product, you're buying a maintenance problem. I talk to whoever built it and find out fast.
Cost and lock-in
- What do model and API calls cost at real volume? A cheap demo can become an ugly monthly bill.
- Is it locked to a no-code or app-builder platform you can't leave? That's a real risk to value.
- Infrastructure. Will the current setup carry growth, or does it need rebuilding on day one?
Red flags that change the number
- No tests, or tests that assert nothing.
- Secrets in the frontend or in git history.
- No rate limiting anywhere.
- One giant file, or the same logic copy-pasted ten times.
- No database migrations; schema changes done by hand.
- "It only runs on the founder's laptop."
What you get from me
A short report in plain language, ranked by risk, with a rough estimate of what it takes to fix the serious items. Not a 200-page tool dump nobody reads. If you decide to fix things, my team at Fingoweb can do the work.
Betting on a codebase someone built fast with AI? I'll review it and tell you what you're really buying, before you commit. Fixes, if you want them, run through Fingoweb.