Technical Due Diligence and Build vs Buy
How to evaluate platforms, vendors, and build decisions—including AI vendors—and when to recommend buy vs build.
Engineering leaders constantly face build-vs-buy and vendor decisions. Getting them wrong costs time, money, and optionality. This resource outlines how to evaluate options and when to recommend buy vs build—including for AI vendors and APIs.
How to evaluate platforms and vendors
- Security and compliance. Does the vendor meet your security bar (e.g. SOC 2, GDPR)? How do they handle data, credentials, and incidents? For AI: where does data go, and what are the terms for training and retention?
- Lock-in and portability. How hard is it to replace the vendor or migrate off? What’s the exit path and cost?
- Total cost of ownership (TCO). Include licensing, integration, operational cost, and the cost of switching later. “Cheap” often hides lock-in and migration cost.
- Team fit. Can your team operate and extend the system? Is the tech stack and support model a match for your skills and roadmap?
Including AI vendors and APIs
For AI APIs and platforms, add:
- Data and IP. What data is sent, who can use it, and whether it’s used for training. Prefer vendors with clear, contractually binding terms.
- Reliability and rate limits. What are SLAs and rate limits? How do they affect your product under load?
- Model lifecycle. How often do models change, and how do you handle breaking changes? Can you pin versions or control rollout?
Evaluate AI vendors with the same rigor as any critical platform: security, lock-in, TCO, and team fit.
When to recommend buy vs build
Buy (or use a platform) when:
- The problem is well understood and solved by others (e.g. auth, payments, standard CRUD).
- Your differentiator is elsewhere; this is table stakes.
- The vendor’s roadmap and support align with your needs and you can accept the lock-in and cost.
Build when:
- The capability is core to your product or gives you durable advantage.
- No vendor fits your constraints (scale, compliance, domain).
- The build cost and risk are lower than the long-term cost and risk of the wrong vendor.
Hybrid. Often you buy the base (e.g. cloud, DB, AI API) and build the orchestration, product logic, and safety layers. Be explicit about what you own vs what you delegate.
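One way the "own the orchestration and safety layers" idea looks in code, covering the AI-vendor points above (data terms, rate limits, pinned model versions) and the hybrid split: an added example, not code from this page or from any vendor. The vendor client, model name, and data-class labels are constructed stand-ins for illustration, not a real SDK.

```python
# Added illustration (not from the page): a thin gateway that keeps the
# vendor-specific parts of an AI API behind one interface so vendors can be
# swapped, pins the model version, retries on rate limits, and refuses to send
# data classes the vendor is not contracted to receive. The vendor client and
# model name below are constructed stand-ins, not a real SDK or product.
from dataclasses import dataclass
from typing import Callable, Optional, Protocol


class RateLimited(Exception):
    """Raised by a vendor client when a request exceeded the vendor's rate limit."""

    def __init__(self, retry_after: float) -> None:
        super().__init__(f"rate limited; retry after {retry_after}s")
        self.retry_after = retry_after


class CompletionClient(Protocol):
    """The only surface product code depends on; each vendor gets a small adapter."""

    def complete(self, model: str, prompt: str) -> str: ...


@dataclass(frozen=True)
class VendorPolicy:
    pinned_model: str                      # an explicit version, never "latest"
    max_retries: int = 3
    allowed_data_classes: frozenset = frozenset({"public", "internal"})


@dataclass
class ModelGateway:
    """Owned orchestration layer: policy and retries live here, not in the vendor SDK."""

    client: CompletionClient
    policy: VendorPolicy
    sleep: Callable[[float], None] = lambda seconds: None  # injectable; no real waits in tests

    def complete(self, prompt: str, data_class: str) -> str:
        # Data-handling gate: the contract, not the caller, decides what leaves the boundary.
        if data_class not in self.policy.allowed_data_classes:
            raise PermissionError(f"data class {data_class!r} may not be sent to this vendor")
        for attempt in range(1, self.policy.max_retries + 2):
            try:
                return self.client.complete(self.policy.pinned_model, prompt)
            except RateLimited as exc:
                if attempt > self.policy.max_retries:
                    raise                      # budget exhausted; surface it to the caller
                self.sleep(exc.retry_after * attempt)  # honor the vendor hint, back off linearly
        raise AssertionError("unreachable")


class FakeVendor:
    """Constructed vendor adapter: rate-limits the first `fail_first` calls, then answers."""

    def __init__(self, name: str, fail_first: int = 0) -> None:
        self.name = name
        self.fail_first = fail_first
        self.models_seen: list = []        # records which model version each call used

    def complete(self, model: str, prompt: str) -> str:
        self.models_seen.append(model)
        if self.fail_first > 0:
            self.fail_first -= 1
            raise RateLimited(retry_after=0.25)
        return f"{self.name}/{model}: {prompt.upper()}"


POLICY = VendorPolicy(pinned_model="example-model-2024-06-01")  # constructed version label


def run_with_retries(fail_first: int, max_retries: int = 3) -> tuple:
    """Returns (answer or None if retries were exhausted, call count, model versions seen)."""
    vendor = FakeVendor("vendor-a", fail_first)
    gateway = ModelGateway(vendor, VendorPolicy("example-model-2024-06-01", max_retries))
    try:
        answer: Optional[str] = gateway.complete("hello", data_class="internal")
    except RateLimited:
        answer = None   # caller decides: fallback vendor, queue the work, or fail loudly
    return answer, len(vendor.models_seen), set(vendor.models_seen)


def is_blocked(data_class: str) -> bool:
    """True when the gateway refuses to send the given data class to the vendor."""
    try:
        ModelGateway(FakeVendor("vendor-a"), POLICY).complete("hello", data_class)
    except PermissionError:
        return True
    return False


def swap_vendor() -> tuple:
    """Same product code against two adapters: the exit path is a one-line change."""
    return tuple(ModelGateway(v, POLICY).complete("hello", "public")
                 for v in (FakeVendor("vendor-a"), FakeVendor("vendor-b")))


if __name__ == "__main__":
    print(run_with_retries(fail_first=2))
    print("restricted blocked:", is_blocked("restricted"))
    print(swap_vendor())
```

The split matches the hybrid recommendation: the vendor owns the model and its rate limits, while the gateway you own decides which version is called, what data may cross the boundary, and what happens when the vendor pushes back. Replacing `FakeVendor` with a second adapter is the concrete test of the exit path discussed under lock-in.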