The Build vs Buy Decision in AI Governance
Build vs buy is the most consequential decision in an AI governance programme, because it determines the cost structure, the timeline, the risk profile, and the future flexibility of the entire programme. The framing has evolved as the AI governance market has matured. Three years ago, there was effectively nothing to buy, so build was the only path. Today there is a mature vendor landscape, the open-source foundation has solidified around projects like AnythingLLM, and the cost-benefit calculation has shifted toward buy or hybrid for most organisations.
The decision matters because the costs and risks diverge sharply. An in-house build can run to $750k - $1.2M in initial engineering investment and $250k - $500k per year in ongoing maintenance. A vendor licence for a comparable platform runs $30k - $300k per year depending on tier and seat count. The difference funds entire programmes elsewhere in the organisation.
At the same time, the decision is not a simple binary. A growing share of organisations choose a hybrid open-source path: building on a foundation like the MIT-licensed AnythingLLM workspace with a vendor-supplied governance layer on top. This pattern captures most of the customisation benefit of building while absorbing only a fraction of the build cost - and it preserves the optionality to buy more, build more, or change vendors over time.
This page lays out an honest framework: when build wins, when buy wins, what the hybrid path looks like, the full TCO model, and a decision matrix for choosing your path. At Areebi, we have seen organisations on every point of this spectrum and built the platform to support hybrid deployment specifically because pure-build and pure-buy both leave value on the table for many customers.
When Build Wins
Build is the right choice for a minority of organisations - typically those with three characteristics simultaneously.
1. Sovereign or FedRAMP-boundary requirements
Defence, intelligence, and certain federal agencies operate under boundary requirements that make commercial SaaS impractical. Even on-prem vendor deployments may require vendor staff with security clearances that not all vendors can provide. Organisations operating inside classified boundaries often have to build, because the vendor ecosystem has not caught up with the boundary requirements.
The caveat: FedRAMP authorisation for AI governance vendors is maturing. The fully sovereign case has narrowed even in defence-adjacent contexts as vendors invest in the necessary security postures.
2. Deep customisation needs
Organisations with truly unique workflows - novel agent architectures, proprietary inference patterns, custom safety models trained on internal data - may exceed what any vendor platform can express. Pure build gives unbounded customisation. The trade-off is that the customisation rarely turns out to be as unique as initially believed; most "unique" requirements look very similar across organisations once the surface vocabulary is normalised.
The caveat: even organisations with deep customisation needs often find that the customisation is concentrated in 10 - 20% of the platform. Building only the differentiated 10 - 20% on top of a vendor or open-source foundation is usually cheaper and faster than building the whole stack.
3. Large engineering teams with multi-year horizons
Build requires a sustained team. The initial build runs 12 - 18 months with 2 - 3 dedicated engineers, plus product, security, compliance, and operations involvement. Ongoing maintenance requires 1 - 2 FTEs in perpetuity. Organisations that cannot commit to this footprint will end up with a partially complete build that is more expensive and riskier than buying.
The caveat: engineering team size is not destiny. Large engineering teams often have more impactful work to do than rebuilding AI governance plumbing. The opportunity cost of pulling 2 - 3 engineers off product work for 18 months can exceed the licence cost of a vendor platform by an order of magnitude.
When Buy Wins
Buy is the right choice for most organisations - typically those with one or more of these characteristics.
1. Mid-market footprint
Organisations in the 100 - 2,000 employee range rarely have the engineering bandwidth to sustain an 18-month build. The build cost is several multiples of a comparable vendor licence over a three-year horizon. The engineering team is better deployed on product differentiation.
2. Time-to-compliance pressure
Organisations facing imminent audit, regulatory enforcement deadlines, or customer compliance requirements need controls operating in weeks, not years. Vendor platforms ship default controls and pre-mapped evidence templates that compress time-to-first-control from months to days and time-to-audit-ready from years to weeks. The EU AI Act high-risk provisions, the Colorado AI Act deployer duties, and the DPDPA data fiduciary obligations all benefit from compressed delivery timelines.
3. Regulated industries needing audit trails fast
Healthcare under HIPAA, financial services under SOX and GLBA, education under FERPA, and retail under PCI DSS 4 all need audit-grade evidence packages mapped to specific control requirements. Building the evidence pipeline from scratch is a 12 - 24 month engineering project; buying it is a configuration exercise.
4. Limited regulatory tracking capacity
Frameworks evolve. NIST AI RMF added the 600-1 Generative AI Profile in 2024. The EU AI Act introduced phased commencement obligations through 2025 - 2027. India notified the DPDPA Rules in January 2025. State AI laws ship multiple times per year in the United States. Vendors maintain framework coverage as part of the platform; in-house builds require ongoing tracking and update work that often gets deprioritised against product features.
5. Risk-averse boards
Boards and audit committees often prefer recognised vendor platforms over in-house builds because vendor due diligence, SOC 2 certification, and external attestation provide an evidence layer that an in-house build cannot replicate. The buy decision is often easier to defend in board reporting than the build decision.
The Hybrid Open-Source Path
The hybrid open-source path is the answer for many organisations that find pure build too expensive and pure buy too constraining. The pattern is to build on a publicly auditable open-source foundation with a vendor-supplied governance layer on top, then customise only the differentiated portions in-house.
The pattern
- Foundation: An MIT-licensed AI workspace project that handles multi-model chat, RAG, document indexing, and tenant isolation. Areebi extends the MIT-licensed AnythingLLM workspace as its foundation, which is publicly auditable on GitHub.
- Governance layer: A vendor-supplied control plane that adds policy engine, AI DLP, audit-grade logging, compliance evidence, incident replay, and integration with identity systems. The governance layer is the part where the vendor's value concentrates.
- Customisation: In-house engineering on top of the foundation and governance layer for differentiated workflows - custom agent architectures, sector-specific connectors, internal-model integration.
Why it works
- Lower TCO than pure build. The foundation is free and battle-tested. The governance layer is a vendor commodity at $25/user/month rather than a multi-million-dollar engineering investment. Customisation is concentrated on the 10 - 20% that is genuinely differentiated.
- More flexibility than pure buy. The foundation is open source, so the workspace plumbing can be audited, modified, and extended. The governance layer integrates with the foundation rather than locking customers into a proprietary surface.
- Better vendor risk profile. If the governance vendor changes pricing, roadmap, or business continuity, the foundation remains in place. Customers can migrate the governance layer to a different vendor or build it in-house from a position of having the foundation already running.
- Audit defensibility. Security teams can inspect the foundation source on GitHub. The governance layer's evidence pipeline produces compliance-mapped output that the in-house code does not need to replicate.
The hybrid pattern is increasingly the default for organisations that have outgrown a pure-SaaS approach but cannot justify the engineering investment of a pure build. It is also the architecture Areebi is built to serve.
The Full TCO Model
The TCO comparison is the most decisive input to the build vs buy decision. The numbers below assume a representative mid-market organisation: 200 users, regulated industry, mature engineering function. Adjust upward or downward based on your specifics, but the relative shape of the comparison holds.
Build TCO over three years
| Cost category | Year 1 | Year 2 | Year 3 | 3-year total |
|---|---|---|---|---|
| Engineering (2 - 3 FTE at $250k loaded) | $500k - 750k | $500k - 750k | $500k - 750k | $1.5M - 2.25M |
| Product, security, compliance, operations (0.5 - 1 FTE allocated) | $125k - 250k | $125k - 250k | $125k - 250k | $375k - 750k |
| Infrastructure and tooling (model hosting, observability, secrets, etc.) | $50k - 150k | $50k - 150k | $50k - 150k | $150k - 450k |
| External audit and attestation (SOC 2, framework audits) | $0 - 50k | $50k - 100k | $50k - 100k | $100k - 250k |
| Framework tracking (training, legal, content) | $25k - 75k | $25k - 75k | $25k - 75k | $75k - 225k |
| Total | $700k - 1.275M | $750k - 1.325M | $750k - 1.325M | $2.2M - 3.925M |
The lower end of the build TCO is the optimistic case: a small team, modest infrastructure, single-framework focus. The upper end is the realistic case for a regulated industry with multi-framework obligations. The midpoint - roughly $3M over three years - is what most build projects actually cost when honestly accounted.
Buy TCO over three years
| Cost category | Year 1 | Year 2 | Year 3 | 3-year total |
|---|---|---|---|---|
| Platform licence (200 users at $25/user/month) | $60k | $60k | $60k | $180k |
| Integration engineering (0.25 - 0.5 FTE Year 1, less after) | $75k - 125k | $25k - 50k | $25k - 50k | $125k - 225k |
| Infrastructure (incremental hosting if on-prem) | $10k - 50k | $10k - 50k | $10k - 50k | $30k - 150k |
| External audit and attestation | $0 - 50k | $50k - 100k | $50k - 100k | $100k - 250k |
| Total | $145k - 285k | $145k - 260k | $145k - 260k | $435k - 805k |
The buy TCO is roughly $620k at the midpoint - about one-fifth of the midpoint build TCO. The difference funds a substantial portion of an entirely separate compliance initiative.
Hybrid TCO over three years
| Cost category | Year 1 | Year 2 | Year 3 | 3-year total |
|---|---|---|---|---|
| Governance platform licence (200 users at $25/user/month) | $60k | $60k | $60k | $180k |
| Customisation engineering (0.5 - 1 FTE) | $125k - 250k | $125k - 250k | $125k - 250k | $375k - 750k |
| Infrastructure (on-prem foundation hosting) | $30k - 100k | $30k - 100k | $30k - 100k | $90k - 300k |
| External audit and attestation | $0 - 50k | $50k - 100k | $50k - 100k | $100k - 250k |
| Total | $215k - 460k | $265k - 510k | $265k - 510k | $745k - 1.48M |
The hybrid TCO sits between buy and build - roughly $1.1M at the midpoint. The premium over pure buy ($500k over three years) buys deep customisation that pure buy cannot deliver; the discount versus pure build ($1.9M saved at the midpoint) reflects the foundation and governance commoditisation.
The Decision Framework
Use this framework to choose your path. Score each row honestly; the dominant column is the recommended path. Ties point to hybrid.
| Decision factor | Build | Buy | Hybrid |
|---|---|---|---|
| Organisation size | Large enterprise (5,000+) with deep engineering | Mid-market (100 - 2,000) or smaller | Mid-large with engineering capacity |
| Deployment requirements | FedRAMP boundary, classified, sovereign | Cloud SaaS acceptable | On-prem with vendor support |
| Time-to-compliance pressure | None - 18+ month horizon acceptable | Imminent - weeks to months | Moderate - 3 - 6 months acceptable |
| Compliance framework count | One narrow framework | Multiple major frameworks | Multiple frameworks with one customisation focus |
| Customisation needs | Deep, unique workflows across the stack | Standard governance patterns | Standard governance with 10 - 20% custom |
| Engineering availability | 2 - 3 dedicated FTEs for 18 months and ongoing | Minimal integration work only | 0.5 - 1 FTE ongoing |
| Board risk tolerance | Willing to defend in-house build | Prefers recognised vendor | Balanced |
| Vendor risk appetite | Cannot tolerate vendor dependency | Comfortable with vendor lock-in | Wants vendor flexibility, multi-vendor optionality |
| 3-year TCO budget | $2M - 4M available | $400k - 800k available | $700k - 1.5M available |
Most organisations that complete this framework end up in the buy or hybrid columns. Pure build is the right path only when the build column is dominant on more than half the rows.
Not sure where you land? Take the free AI governance assessment, or request a demo to see how Areebi supports the buy and hybrid paths.
Frequently Asked Questions
Is it cheaper to build or buy AI governance?
For most organisations, buy is materially cheaper. A representative mid-market organisation (200 users, regulated industry) faces build TCO of $2.2M - 3.9M over three years versus buy TCO of $435k - 805k - a 4 - 5x difference at the midpoint. The hybrid open-source path sits between at $745k - 1.48M, capturing most of the customisation benefit at a fraction of the build cost. Pure build is cheaper only in narrow scenarios with deep customisation needs and large engineering teams.
When does building AI governance in-house make sense?
Build makes sense when three conditions hold simultaneously: sovereign or FedRAMP-boundary requirements that vendors cannot satisfy, genuinely unique workflows that exceed any vendor platform's expressiveness, and a large engineering team with multi-year horizons that can sustain a 12 - 18 month build plus ongoing maintenance. Most organisations meet at most one of these conditions, in which case hybrid or pure buy is the better path.
What is the hybrid open-source path?
The hybrid open-source path uses a publicly auditable open-source foundation (such as the MIT-licensed AnythingLLM workspace) with a vendor-supplied governance layer on top, with in-house customisation concentrated on the differentiated 10 - 20% of workflows. The pattern captures most of the customisation benefit of pure build, the time-to-compliance benefit of pure buy, and a stronger vendor risk profile because the foundation remains in place if the governance vendor changes.
How long does it take to build an AI governance platform in-house?
Realistic timelines for a mature in-house AI governance platform are 12 - 18 months for the initial build, 6 - 12 additional months to reach audit-ready evidence pipelines for major frameworks, and ongoing maintenance in perpetuity. Vendor platforms ship default controls in days and pre-mapped evidence templates in weeks. The time-to-compliance difference is often the single biggest factor in the build vs buy decision, especially for organisations facing imminent audit or regulatory deadlines.
What about vendor lock-in?
Vendor lock-in is a legitimate concern with pure buy. The hybrid open-source path mitigates lock-in because the open-source foundation remains in place if the governance vendor is replaced. The governance layer interfaces (policy, DLP, audit) are standardised enough that migration between vendors is feasible. Pure build avoids vendor lock-in entirely but creates internal lock-in: the build team becomes a single point of failure for the platform's continuity. The right framing is risk diversification rather than zero lock-in.
How do I evaluate AI governance vendors?
Evaluate on: deployment flexibility (cloud, on-prem, air-gapped, hybrid), compliance framework coverage (EU AI Act, NIST AI RMF, ISO/IEC 42001, sector-specific frameworks), governance depth (policy engine, AI DLP, audit-grade logging, incident replay, model registry, decision authority controls), open foundations (whether the workspace plumbing is publicly auditable), and total cost (licence plus integration plus run cost over a 3-year horizon). The Areebi comparison hub provides side-by-side evaluations against major competitors.
Related Resources
- Areebi Platform
- Policy Engine
- AI DLP
- Pricing
- AI Governance Assessment
- AI Governance
- AI Control Plane
- AI Compliance
- EU AI Act Compliance
- NIST AI RMF Compliance
- ISO/IEC 42001 Compliance
- Colorado AI Act Compliance
- India AI Compliance
- HIPAA Compliance
- FedRAMP AI
- DIY Open Source Comparison
- Manual AI Governance Comparison
- Best AI Governance Tools 2026
- Request a Demo
Ready to see Areebi in action?
Get a personalized demo and see how Areebi compares for your specific requirements.