AI: buy off-the-shelf or build your own? A decision rubric

Not every AI problem should be built — and not every one can be bought off the shelf. “Buy” when the need is commodity, the data is low-sensitivity and the integration is shallow. “Build” when AI is your advantage, the data is sensitive or regulated, the integration is deep, and control over quality and compliance has to be yours. Most often the answer is a mix: buy the commodity layer, build the differentiating one.

The market pushes extremes: “just take a SaaS” or “build it all yourself”. Both can be expensive for the wrong reason. The question isn’t “build or buy” in general — it’s “for this specific case”.

Five questions that settle it

• Is it your advantage? If AI is part of what sets you apart — your product, the process that wins — build it, because a ready tool is available to your competitors too. If it’s commodity (transcription, OCR, translation), buy.
• How sensitive is the data? Personal, medical, confidential, or EU-residency data → build in your own account, where the data stays with you. Low-sensitivity data → buy.
• How deep is the integration? If AI has to reach into ERP, CRM, DMS, your processes and edge cases — build. If it’s an island (a standalone tool) — buy.
• Do you need control over quality and roadmap? Your own evaluations, your own guardrails, your own change schedule → build. If a vendor’s model change can’t be allowed to surprise you — build. If it can — buy, but know it.
• Cost over time and lock-in. A ready tool is cheaper at the start; at scale and with deep integration it can flip. Cost it over 24 months, not the first.

It is not a binary decision

The best architectures are hybrid: buy commodity (the model, transcription, basic chat), build what is differentiating and sensitive (RAG on your data, integrations, governance). You move the line where your advantage and your risk begin — not where the vendor’s price list ends.

”Buy” does not mean “offload the risk”

Even when you buy a ready tool, under the AI Act you are usually the “deployer” — responsible for how you use it, what data you feed it, and whether you supervise its output (roles and risk classification). The vendor does not take over your compliance obligation. Buying moves the work, not the responsibility.

In short

Build when AI is your advantage, the data is sensitive or regulated, the integration is deep, and control over quality has to be yours. Buy commodity. Most often do both — hybrid. And remember: buying still leaves you responsible for compliance.

What next

How a cheap chatbot differs from a production system — and what drives the price — is in a separate post on cost. If you want to settle build vs buy for your concrete cases, start with an audit — it maps what to buy and what to build, with priorities and cost estimates.