
AI exuberance vs. onboarding discipline: why rigorous operational due diligence is business critical in the AI tech boom

4 November 2025

Market Summary

Markets are visibly concentrated in a handful of AI-exposed mega caps. Today, the combined weight of Nvidia, Microsoft, Apple, Amazon, Meta, Alphabet and Tesla was roughly a third (~34.3%) of the S&P 500, based on live index weights.

On the Nasdaq-100, the “Magnificent 7” went from 20–30% of the index in 2020 to around 45–50% in 2025, underscoring how much AI expectations now drive benchmark performance.

Meanwhile, the capital intensity behind AI is growing rapidly. Bloomberg Intelligence projected around $200bn in Big Tech capital investment for 2025 driven by generative-AI demand, while recent press coverage put combined hyperscaler and model-builder AI infrastructure outlays nearer $320bn, with multi-year commitments stretching into the trillions (for example, OpenAI’s computing deals topping $1tn over the next decade). These figures are mostly corporate capex and private financing, and they illustrate the scale of the build-out that the sector is betting on.

This week, while arguing that AI is profoundly important, even Sam Altman said we’re likely in a “bubbly” phase, adding that bubbles form when “smart people get over-excited about a kernel of truth”.

Not all AI tools will be worth the investment

Hype obscures the spread in product quality, operational maturity, and safety posture. Recent developments in the AI space have not blunted the views of sceptics such as Gary Marcus, who has warned that simply scaling models can hit diminishing returns and that parts of the sector show classic bubble dynamics. Daron Acemoglu suggests that, absent careful task redesign and proper strategic review, near-term productivity gains may be modest.

A ‘new era’ of pragmatic due-diligence

Operational due diligence for AI software providers must look fundamentally different from “business-as-usual” tech assessments, a shift that exposes a major gap in real expertise. In conventional diligence, you might probe system architecture, balance sheets, SLAs, operational maturity, security, software licensing, service continuity, and integration risk. With AI systems, especially generative or large-model-based ones, you must also dig into model lifecycle, data provenance, safety controls, drift and adversarial resilience, and model-change governance. That means verifying that vendors maintain rigorous versioning, controlled fine-tuning pipelines, rollback mechanisms, explainability, thorough bias/robustness testing, and continuous monitoring of model performance and unintended behaviours, including hallucinations.
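To make the “continuous monitoring of drift” item above concrete, here is an added example (not code from this article or from Elira Solutions) of the kind of control a diligence review would ask a vendor to evidence: a population stability index (PSI) check comparing a model’s production score distribution against the distribution captured at sign-off. It assumes a binary classifier (say, a fraud score) that emits scores in [0, 1]; the baseline and production windows are constructed with a seeded RNG, and the 0.10 / 0.25 thresholds are the conventional rule of thumb in credit and fraud model monitoring, not a regulatory figure.

```python
# Added example: PSI drift check over a classifier's score distribution.
# Not code from the original page. Assumes scores in [0, 1]; all data below
# is constructed with a seeded RNG so the script runs offline.
import math
import random
from typing import Dict, Sequence, Tuple

PSI_BINS = 10
PSI_EPS = 1e-4  # floor on a bucket's share so log() never sees zero


def bin_shares(sample: Sequence[float], bins: int = PSI_BINS, eps: float = PSI_EPS) -> list:
    """Share of scores in each of `bins` fixed-width buckets over [0, 1].

    Fixed buckets (rather than sample quantiles) keep the baseline and the
    current window on the same grid. A score of exactly 1.0 is clamped into
    the last bucket; out-of-range scores are treated as a pipeline fault.
    """
    if not sample:
        raise ValueError("empty sample")
    counts = [0] * bins
    for x in sample:
        if not 0.0 <= x <= 1.0:
            raise ValueError(f"score out of range: {x}")
        counts[min(int(x * bins), bins - 1)] += 1
    n = len(sample)
    return [max(c / n, eps) for c in counts]


def psi(baseline: Sequence[float], current: Sequence[float]) -> float:
    """Population Stability Index: sum over buckets of (cur - base) * ln(cur / base).

    Mass moving in either direction increases the value; identical
    distributions give exactly 0.0.
    """
    b = bin_shares(baseline)
    c = bin_shares(current)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))


def drift_verdict(value: float) -> str:
    """Rule-of-thumb PSI bands: < 0.10 stable, 0.10-0.25 investigate, > 0.25 significant."""
    if value < 0.10:
        return "stable"
    if value < 0.25:
        return "investigate"
    return "significant"


def monitor(baseline: Sequence[float], windows: Dict[str, Sequence[float]]) -> Dict[str, Tuple[float, str]]:
    """Score each production window against the approved baseline.

    Returns {window_name: (psi, verdict)} so a monitoring job can alert on
    anything other than "stable" and tie the alert to the deployed model version.
    """
    out = {}
    for name, scores in windows.items():
        value = psi(baseline, scores)
        out[name] = (round(value, 4), drift_verdict(value))
    return out


# --- constructed data (hypothetical, seeded) -----------------------------
# Baseline: score distribution captured at model sign-off. Skewed low, as a
# fraud model scoring mostly legitimate traffic would be.
_rng = random.Random(1)
BASELINE = [_rng.betavariate(2, 5) for _ in range(5000)]
# Window A: fresh traffic drawn from the same population (different seed).
_rng = random.Random(2)
WINDOW_SAME = [_rng.betavariate(2, 5) for _ in range(5000)]
# Window B: the distribution has flipped upward, e.g. after an un-reviewed
# fine-tune or a silent change in the upstream feature pipeline.
_rng = random.Random(3)
WINDOW_SHIFTED = [_rng.betavariate(5, 2) for _ in range(5000)]


def run_check() -> Dict[str, Tuple[float, str]]:
    return monitor(BASELINE, {"same": WINDOW_SAME, "shifted": WINDOW_SHIFTED})


if __name__ == "__main__":
    for name, (value, verdict) in run_check().items():
        print(f"{name:8s} psi={value:.4f} -> {verdict}")
```

The point for diligence is not the arithmetic but what surrounds it: the baseline must be the distribution approved at release, the comparison must run on a schedule against each deployed model version, and a non-stable verdict must feed the same change-control and rollback path the vendor claims to operate. A vendor who cannot show this loop end to end is asserting monitoring, not evidencing it.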

Because these dimensions blend machine learning research, security, ethics, governance and operations, very few truly qualified experts exist who can assess all of them in unison. Even traditional “AI experts” often specialise in model architecture or data but lack operational security or governance experience in regulated environments. As early as 2023, Jonas Schuett argued that frontier AI teams require internal audit functions precisely because assessing control adequacy for novel model risk is inherently challenging. The reality remains that many “due diligence” reviews stop at surface checkboxes without deep technical scrutiny, which leaves companies exposed to latent AI risks.

What’s the current standard? 

  • EU AI Act: Now law, with phased obligations (2025–27). High-risk systems require conformity assessment and ongoing quality management, potentially via independent notified bodies, with harmonised standards acting as the technical rulebook. In practice, this creates a de facto certification regime, especially for high-risk use cases in finance (e.g., credit scoring, fraud systems).
 
  • ‘Familiar’ standards:
    NIST AI RMF (risk governance and controls)
    ISO/IEC 42001 (certifiable AI management systems)
    ISO/IEC 23894 (AI risk management guidance)
 
  • Safety institute evaluations: The UK and US AI (Safety/Security) Institutes have begun pre-deployment evaluations for frontier models. While not a blanket certification, their methods are shaping what “good” looks like.
 

Will formal model governance emerge as a new standard for vetting AI vendors?

Already, we’re seeing the emergence of specialist labs, both public and private, running domain-specific model evaluations that go far beyond generic benchmarks. These include assessments of fraud-detection robustness, market-manipulation safeguards and, increasingly, hallucination propensity: a model’s likelihood of producing fabricated or unsubstantiated outputs presented as fact. In regulated contexts, such behaviour is not a technical quirk; it is a governance and compliance issue.

In practice, these model-governance assessments are becoming a complement to, not a replacement for, legal conformity requirements under frameworks such as the EU AI Act or FCA operational-resilience rules. For larger financial-services institutions embedding AI into everyday operations, especially in areas such as customer communication, credit assessment, or surveillance analytics, evaluations tuned to the firm’s risk profile may soon become standard. The Bank of England and FCA’s AI Discussion Paper (DP5/22) flagged the need for firms to evidence “appropriate oversight of AI model risk,” explicitly linking model reliability to operational-resilience outcomes.

From a supervisory perspective, the risk of hallucination materially increases exposure in areas like consumer advice, regulatory reporting, and anti-financial-crime detection. A model that generates false positives or misleading narratives can directly lead to regulatory breaches, customer detriment, or erroneous disclosures. Regulators regard the firm, not the vendor, as ultimately accountable for the system’s outputs; without a clearly evidenced governance framework covering model testing, vendor assurances do nothing to reduce that exposure.

In this environment, formal model-governance certification could become the new due-diligence baseline for AI vendors serving regulated markets. Such certification would not only validate security and data integrity but also attest to controls that limit hallucination risk, bias, and drift. Over time, these attestations may be as central to vendor onboarding as ISO 27001 or SOC 2 reports are today, marking the next phase in how regulators and firms jointly define trustworthy AI operations.

Conclusion

Our ethos at Elira Solutions is strategic rethinking and thorough due diligence, which means evaluating the technical, regulatory and operational fitness of a tech solution together.

Ultimately, though not all AI tech is worth the hype, there are continued and intriguing propositions for regulatory, legal and operational use cases. The firms that will thrive are not those that plug in tech and hope for marginal efficiencies, but those that reimagine strategy, select vendors who can prove governance and safety, and anchor adoption in standards and audits.