PE Portfolio AI Strategy: One Decision Across 12 Companies
Twelve portfolio companies don't need twelve AI strategies, they need one fund-level strategy that fits inside diligence and survives the next exit. The shape of that one decision matters more than which model wins.
The portfolio AI question is the value-creation question When a middle-market PE op partner calls us about AI, the brief usually arrives in the same shape: "The IC wants us to have an AI position across the portfolio by the end of the quarter. Help us figure out what that means." Underneath the brief is a specific anxiety: twelve portfolio companies, twelve different CIOs of uneven caliber, and a pending board request to articulate the fund's view on AI without committing to twelve simultaneous transformation projects. The instinct most ops teams arrive with is portfolio-by-portfolio. Run a heatmap. Score each portco 1–5. Recommend a roadmap per company. Hand each CIO a deck. This is what most consultancies will sell, because it scales billable hours linearly. It is the wrong shape of work. The portfolio AI question is not an innovation question. It is an operating-leverage question applied across a hold period. The fund is not buying AI for the sake of AI; the fund is buying compounded EBITDA on exit. AI shows up in the value-creation plan in three places, and only three: as a margin lever (cost-to-serve compression on shared functions), as a multiple lever (a credible AI narrative the next buyer will pay for), and as a risk lever (a defensible posture the next diligence partner will not flag). Every fund-level AI decision worth making sits inside those three. That framing forces the work upward, not outward. The fund makes one decision about vendor posture, data handling, governance scaffolding, and exit-readiness. Each portco inherits that decision and only deviates where its specific workload demands it. The op partner runs the inheritance, not the implementation. The CIO at each portco runs the implementation against an inherited spec they did not have to invent. The diligence partner on the way out reads one fund-level memo and twelve portco-level confirmations, not twelve independent stories. We have run this exercise across roughly forty portfolio companies in the last twenty-four months, mostly in healthcare services, regulated B2B SaaS, professional services, and managed services. Funds that decide once at the fund level spend roughly a quarter of the consulting dollars and produce roughly four times the consistency of funds that delegate the question to each portco's CIO. The CIO at portco eight is not in a position to do original AI policy work; she is in a position to adopt a clean policy someone else wrote, fit it to two specific workloads, and get back to the operating plan. This guide is for the op partner running that fund-level decision. It is the reference for what the fund decides, what the portcos inherit, and what the next exit diligence partner is going to ask. Why per-portco AI strategies fail at exit The fund will exit each portco eventually. Most middle-market holds are three to six years. AI decisions made in 2026 land in a 2029–2032 diligence room. The buy-side diligence partner, strategic acquirer, larger PE platform, IPO underwriter, is going to ask about AI with the same specificity diligence partners ask about cybersecurity today. We know this because we are already reading those diligence requests, and they are getting more detailed every quarter. The exit diligence question is not "do you use AI." Every portfolio company will use AI by 2029. The exit diligence question is "show us your AI vendor stack, your data-handling posture, your IP-leak exposure, your training-data terms across every vendor in the chain, and your audit log on the workflows that touched customer data." A portco that built its AI program ad hoc over three years cannot answer that in a week. When each portco is left to its own AI strategy, the diligence room produces twelve different stories. Portco one settled on Microsoft Copilot and then bolted on three vertical SaaS tools whose contracts nobody read. Portco two wrote a custom RAG pipeline on a stack of vendors the engineering team chose on a Tuesday. Portco three never ratified a policy and the operations director quietly deployed ChatGPT Team to forty employees on a personal credit card. Portco four did the work properly but the documentation is in a Notion page nobody updated since post-close integration. Portco five looks clean but the marketing team has been pasting customer lists into Gemini for nine months. Twelve different stacks. Twelve different stories. The diligence partner reads them and the questions multiply. Each gap becomes a price-chip. Each unresolved data-processing chain becomes an indemnification ask. Each ungoverned tool becomes a rep-and-warranty exclusion. We have watched a single AI-related diligence finding reduce purchase price by two to three percent on multiple 2025 transactions; in one case the finding sat on the list for forty-five days and the seller ate the holdback. The cost of the inconsistency is not theoretical, it is line items on the closing balance sheet. A fund that decided once at the fund level produces a different diligence package. The op partner hands over one document, the fund's AI governance policy, with the vendor approval matrix and the data classification baseline, and twelve portco confirmations showing how each implemented against it. Where a portco deviated (regulated workload, pre-existing vendor commitment, founder-led customization), the deviation is documented with rationale. The diligence partner reads the policy once, reads the deviation memos in fifteen minutes, and the conversation moves to the operating plan. The argument for fund-level AI strategy is not "it would be nice if your portcos were consistent." The argument is that exit diligence is becoming AI-specific, and a portfolio that did not anticipate that converts the next round of exits into avoidable purchase-price reductions. The fund-level decision is the cheapest form of value-creation work in the portfolio: it compounds across every exit and is paid for once. The fund-level AI governance one-pager The fund-level decision should fit on one page. Anything longer becomes a document the portco CIOs do not read; anything shorter does not actually answer the questions they need to inherit. The one-pager is the contract between the fund and the portfolio companies on what AI looks like across the hold. Every portfolio company gets to inherit five elements from the fund-level policy. The op partner ratifies these once. Each portco signs a confirmation that they have adopted them, with portco-specific deviations documented in a one-page addendum. Element 1: Vendor approval matrix. The fund pre-approves a short list of AI vendors that any portco may use without further fund-level review. The list typically has four to seven vendors covering: a general-purpose model provider (or two), a productivity layer (Microsoft Copilot or Google), a customer-support layer, and an internal-knowledge layer. Anything off the list requires a single-page exception memo to the fund's op partner. The matrix is updated quarterly. Most exceptions get absorbed into the next quarterly update; the few that don't, stay one-off. Element 2: Data classification baseline. The fund sets the floor on what data may go into which vendor tier. We typically use four tiers: Public (no restriction), Confidential (vendors with executed data-processing agreement and training-data exclusion), Sensitive (Confidential plus US data residency and audit log retention), and Regulated (Sensitive plus workload-specific addendum, HIPAA BAA, GLBA addendum where relevant, or 42 CFR Part 2 where relevant). The baseline forces every AI workflow into one of four cells before deployment. Most ungoverned-AI breaches we read post-mortem started with the data-classification step being skipped. Element 3: BAA / DPA template. The fund maintains a template Data Processing Agreement (and, for healthcare-services portcos, a template Business Associate Agreement) that the portco's procurement team can hand to any vendor. The template encodes the fund's non-negotiables: no training on inputs, US data residency, breach notification within 48 hours, sub-processor flow-down, audit rights. When a vendor pushes back, the pushback escalates to the op partner, not to twelve different portco GCs renegotiating in parallel. Element 4: Audit trail expectation. The fund states the floor for AI audit logging: which workflows must log inputs and outputs, which retention duration, where the logs live. Calibrated by tier, Public-tier workflows do not need prompt-level logging; Sensitive and Regulated workflows do. The expectation is a compliance specification the portco engineering teams design against, not a technical specification. Element 5: Reporting cadence. The op partner gets a quarterly one-page AI report from each portco: workflows in production, vendors in use, exceptions outstanding, incidents (if any). The lightest touch that actually surfaces drift. Most ops teams that try to govern AI without a cadence find out about the off-policy deployment when the diligence partner finds it. One page. Five elements. The op partner ratifies it; the IC sees it on a single slide; the portco CIOs adopt it; the diligence partner reads it. Everything else, model selection, vendor onboarding, workflow design, ROI measurement, happens against this scaffolding. Vendor consolidation across the portfolio The vendor question is where most fund-level AI strategies either compound value or quietly leak it. Twelve portfolio companies, left to their own procurement, will accumulate roughly thirty to fifty distinct AI vendor relationships across a four-year hold. Each relationship has a separate DPA, a separate price, a separate sub-processor list, and a separate failure mode at exit diligence. The economic argument first. AI vendor pricing in the enterprise tier is volume-sensitive in a way that office productivity SaaS never was. A fund that aggregates twelve portcos into a single negotiation with one model provider regularly captures a thirty to fifty percent discount versus what each portco could negotiate independently. The negotiation works because the model provider's enterprise sales motion is hungry for committed multi-year volume, and twelve portcos under one fund umbrella is exactly the deal shape they want. The risk argument is the diligence argument restated. Thirty vendors at exit means thirty DPA chains to audit, thirty sub-processor lists to walk, thirty different sets of training-data terms to reconcile. Five vendors at exit means five chains, well documented, easy to rep and warrant. The risk delta translates into purchase-price delta, predictably. The fund-level vendor decision typically resolves into three categories. Category 1: Universal vendors, same answer for every portco. General-purpose model access (one or two providers, with the second as a redundancy and pricing leverage), the productivity layer (Microsoft Copilot or Google Workspace AI, depending on which suite the portfolio standardized on), and the meeting-recording layer (one tool, fund-wide). These three categories alone usually account for sixty to seventy percent of AI spend across the portfolio, and consolidating them captures most of the negotiating leverage. Every portco uses these. No exceptions, except where a regulated workload disqualifies the default, in which case the regulated portco gets a sanctioned alternative (typically a cloud-native deployment of the same model family on AWS Bedrock or Azure AI Foundry under that cloud's BAA / DPA). Category 2: Vertical vendors, same answer within an industry cluster. The fund typically has multiple portcos in a sector (three healthcare-services, four B2B SaaS, two managed-services). Within each cluster, the AI vendor questions converge: the healthcare cluster needs HIPAA-aware AI scribes or note-generation tools, the B2B SaaS cluster needs customer-support AI and a sales-enablement layer, the managed-services cluster needs ticketing-AI and knowledge-base AI. The fund picks one vendor per category per cluster. Three clusters, four to five categories per cluster, fifteen to twenty additional vendor relationships, but consolidated within their cluster, not scattered. Category 3: Workload-specific vendors, portco-by-portco, with fund veto. A small number of AI deployments are genuinely workload-specific: a manufacturing portco's vision-AI on the factory floor, a healthcare portco's EHR-integrated documentation tool, a logistics portco's route-optimization model. These do not consolidate. The fund's role is veto, confirm the vendor passes the data-classification, BAA / DPA, and audit-log baselines, not selection. The portco CIO picks; the fund signs off in a one-page memo. The category exists, and the policy must leave room for it; otherwise the fund-level discipline collapses the first time a portco needs something the matrix did not anticipate. When to override at portco even within Category 1 or 2: pre-existing multi-year contracts (absorb into the next renewal rather than break a paid-up deal), regulated workloads where the universal vendor cannot satisfy the addendum, and founder-led customization where the relationship cost of overriding exceeds the consolidation benefit. These overrides should be the exception. We have seen funds where every portco was an "exception"; the policy was not a policy at that point, and the diligence package showed it. The vendor consolidation work is not glamorous. It does not produce a deck the IC will applaud. It does produce somewhere between two and seven percent of operating-plan margin across the portfolio, year after year, with compounding effect at exit. The diligence-to-exit AI continuity test Every fund-level decision should be tested against the question: when the diligence partner shows up in 2028 or 2029 and asks the AI questions, does the answer hold? Most fund-level AI policies fail this test not because the policy is wrong, but because the policy was not designed against the test in the first place. The continuity test is a five-question filter we run at the end of every fund-level engagement. If a policy passes all five, it survives exit. If it fails any one, the failure point becomes the diligence finding. Question 1: Can you produce, on demand, a list of every AI vendor in use across the portfolio? The buy-side diligence partner will ask on day three. The list must include the vendor, the portco using it, the workload, the data classification of inputs, the contractual terms (training-data exclusion, residency, retention), and the renewal date. A fund that has the reporting cadence from section three running for two years produces this in an afternoon. A fund that does not spends two weeks chasing CIOs and produces a list that is incomplete on the day it is delivered. Question 2: Can you produce, for any AI workflow that touched customer data, the audit log of inputs and outputs over the last twelve months? This separates orgs that took the audit-log expectation seriously from orgs that wrote it into the policy and never enforced it. The buy-side technical-diligence team will pick one or two high-value workflows. If the answer is "we have request counts and latency metrics," the answer is wrong. If the answer is "here is the immutable, access-controlled, twelve-month log of every prompt and completion on this workflow," the answer is right. We see roughly a 30/70 split across the funds we have reviewed; most are on the wrong side. Question 3: Are the DPAs current, scope-correct, and sub-processor-mapped for every vendor on the list from Question 1? Currency means the agreement is not expired or auto-renewed under terms the portco did not re-review. Scope-correct means the agreement actually covers the services in use, we regularly find DPAs that cover the model API but not the orchestration layer the same vendor sells. Sub-processor-mapped means every downstream entity that touches the data is enumerated and the flow-down clauses are intact. A portfolio that ran the fund-level template through procurement passes spot-checks; one that left contract work to portco-level outside counsel rarely passes the first one. Question 4: Where are the policy exceptions, and is each exception documented with rationale and review date? The diligence partner does not penalize a fund for having exceptions to its own policy, every realistic AI policy has them. The diligence partner penalizes a fund where the exceptions are undocumented, have no review date, or look like the policy was never enforced. The exception register is the artifact that distinguishes a policy from a binder. Question 5: What is the incident history? Every AI program of any meaningful size will have at least one incident in a three-year hold. A vendor will have a breach. A model output will leak something it should not. An employee will paste data into a tool they should not have used. The incident history, what happened, when, how it was discovered, how it was resolved, what changed afterward, is the evidence the program is alive. A portfolio with zero incidents over three years either is not actually using AI at scale or is not detecting incidents. Both readings are bad. A portfolio with three to seven well-documented incidents and clean remediation reads as a portfolio operating its AI program properly. The five-question test is not exhaustive, we expect three or four additional questions to become standard by 2027, but the five above are the ones already showing up in current diligence requests. Run them against your portfolio's current state quarterly. The questions you cannot yet answer cleanly are the ones on which the policy work compounds. Reporting AI ROI to the LP base The LP base is going to ask about AI in the next quarterly letter, if they have not already. The op partner needs a posture on what to surface and what not to. The temptation in every fund's first AI letter is to overpromise, because overpromising is what the IC and the LPs have been hearing from every other fund. The temptation should be resisted. The next round of LP questions, two and three quarters from now, will be the questions that ask the fund to substantiate the first-letter claims; funds that overpromised in letter one are forced to either restate or quietly change the metric in letter four. There are two metrics worth reporting and one that is not. Metric 1 (worth reporting): cost-to-serve compression on shared functions. AI's most defensible value contribution in middle-market portfolios is on shared services, finance, IT, customer support, sales ops, marketing ops. The unit economics are measurable: cost per ticket, cost per invoice processed, cost per pipeline-touch, cost per content-asset produced. Report the percentage compression on the unit cost over a defined baseline, by portco, with a portfolio-aggregate. The number is honest, defensible, and traceable to the operating plan. We have seen middle-market portcos compress customer-support cost-per-ticket by twenty to thirty-five percent in the first eighteen months of disciplined AI deployment. That is a number the LP letter can defend. Metric 2 (worth reporting): exit-readiness posture. Less quantitative, but increasingly expected. A short paragraph stating that the fund has a ratified AI governance policy, all portcos have adopted it with documented exceptions, the vendor stack is consolidated, and audit-log and DPA expectations are in production. The implicit message LPs read: this fund will not surface a surprise AI-related diligence finding two weeks before close. We have heard this directly from LPs in the last six months, they are starting to prefer funds whose AI posture is articulable over funds whose AI letter reads like a vendor brochure. Metric not worth reporting: "productivity gains" or "hours saved." Every consultancy will tell you to report this. We tell op partners to refuse. The numbers are unfalsifiable, the methodology is always wobbly, and the LP base has been hearing the same percentages from every fund for two years. The metric does not survive the obvious LP question: "where did those saved hours go?" If the answer is "into more output," the right metric is the output. If the answer is "into headcount reduction," the right metric is the headcount line. The vague metric makes the fund's AI letter look like every other fund's AI letter. The LP report should be one paragraph plus a small table per quarter. Not a deck. The LP base does not want the op partner's view of AI strategy; the LP base wants portfolio numbers and assurance that the AI question will not become a problem on exit. The shorter the AI section of the LP letter, the more credibility it carries, provided the substance is there. Where the Diagnostic Fits When a PE fund engages Securem Advisory on the Diagnostic for Adopt-AI-Safely at the fund level, we run a 90-day fund-wide AI Diagnostic. The structure is below; we publish it because most of the structure can be approximated internally if the fund has the bandwidth, and because the Diagnostic is a fixed-scope, fixed-price written engagement, not a retainer, and we would rather op partners enter it knowing the shape than enter it on hope. Days 1–15: Portfolio inventory. Structured intake with the op partner and each portco's CIO (sixty minutes per portco). We document every AI workflow in production, every vendor in use, every contract in flight, every pending deployment. Each workload is mapped against the four-tier data classification. Output: portfolio-wide AI inventory. Days 16–35: Vendor and contract audit. We pull every executed DPA across the portfolio. We score each on scope, residency, training-data exclusion, sub-processor flow-down, breach SLA, audit rights. We identify consolidation candidates by category and estimate the negotiating leverage. Output: vendor consolidation roadmap and DPA gap register. Days 36–55: Fund-level policy ratification. We draft the one-page fund-level AI governance policy and harmonize it against existing fund-level policies (cybersecurity, data privacy, vendor management). The policy aligns to NIST AI RMF on governance posture where applicable. Output: ratified one-page policy. Days 56–75: Portco adoption and deviation memos. Each portco's CIO confirms adoption and documents any deviations with rationale and review date. We facilitate the deviation conversation; the op partner adjudicates exceptions. Output: twelve confirmation memos and a fund-level exception register. Days 76–90: Exit-readiness test and report. We run the five-question continuity test against the ratified posture, identify remediation work where any question fails, and deliver a 30–50 page written report, fund-level memo, per-portco confirmation summaries, exception register, exit-readiness assessment. The op partner can hand it to the IC, the LPs, the next diligence partner, or the next portco CIO who joins the portfolio. Three actions an op partner can take this month, regardless of whether they engage us on the Diagnostic: 1. Run the portfolio AI inventory in one week. Email every portco CIO with a one-page intake: workflows in production, vendors in use, contracts in flight, pending deployments. Aggregate the answers. Most ops teams discover the answer is incomplete by definition, that is the first finding. 2. Pre-approve a short universal vendor list. Pick the model provider, the productivity layer, and the meeting-recording layer at the fund level this quarter. Negotiate one consolidated agreement. Communicate the matrix to every portco CIO with a thirty-day adoption window. The negotiation alone usually pays for the work twice over in year one. 3. Adopt the PE Portfolio AI Policy Template as a one-page draft and circulate to portco CIOs for comment. Not for adoption yet, for comment. The comments tell the op partner where the deviations will fall, which is the input the fund-level policy needs before ratification. Most op partners end the comment cycle with a meaningfully better policy and a portfolio that already understands what is coming. Three actions, ninety days, no engagement required. If the inventory or the consolidation negotiation or the policy ratification surfaces gaps the fund cannot close internally, or if the next exit is twelve to eighteen months out and the AI posture needs to be defensible by then, that is where the Diagnostic fits. Fixed scope, fixed price, written report you keep regardless. We also retain a small number of funds on a productized vCISO retainer through Counsel where the AI governance work needs ongoing oversight across multiple portcos; Counsel is the right shape only after the Diagnostic has produced the artifact, never before. The PE Portfolio AI Policy Template paired with this guide is the one-page draft we issue at the start of every fund-level engagement: vendor approval matrix, four-tier data classification, DPA non-negotiables, reporting cadence. Copy it, adapt it, ratify it. The fund that decides once at the fund level produces a portfolio that compounds the decision across every exit. The fund that delegates the question to twelve portco CIOs is, in our experience, the fund that revisits this conversation the next time the IC asks for a deck.