The real cost of build vs. buy for agentic AI in regulated industries

Agentic AI is repeating the DevOps toolchain sprawl pattern — and the organizations that recognize it early will have a significant advantage.

March 24, 2026 (5 min read)
Bryan Ross, Field CTO

There's a pattern regulated industries know well. A new capability emerges. Teams spin up point solutions. Each one solves a discrete problem. Before long, you're managing fifteen tools that were never designed to work together and spending more engineering time on integration than on the outcomes you were trying to achieve.

That's what happened with DevOps toolchains. And it's exactly what's starting to happen with agentic AI.

The build trap

When AI coding tools started delivering real productivity gains, the natural instinct for many organizations was to go deeper. A code assistant here. An internal AI gateway there. A few open-source models, some custom orchestration, and suddenly you're calling it a platform.

There's a reason this happens. Technology teams are wired to build, and that instinct isn't wrong. Building is how engineers learn, how teams develop expertise, and how genuinely novel problems get solved. The same DIY energy that shaped the early DevOps era produced some remarkable tools and practices. But that same divergent experimentation rarely serves the broader organization. Organizations don't want some people to be AI-enabled. They want everyone to be AI-enabled, consistently, in a way that's governable and scalable. That's the tension at the center of every build vs. buy conversation right now.

Before going further, it's worth naming what you're actually deciding. Most build vs. buy conversations quietly compare two very different things:

  • Build: Assemble open models + cloud AI services + custom orchestration + custom governance + the underlying infrastructure (compute, storage, databases, networking) required to run it all. You are the platform vendor.
  • Buy: Adopt a platform that already unifies models, tools, orchestration, and governance across the SDLC. You are the platform consumer.

That distinction matters enormously in a regulated environment. Building an internal agentic AI platform in banking or insurance is a multi-year platform engineering commitment with regulatory surface area most organizations underestimate:

  • Model lifecycle management: Selection, tuning, drift monitoring, deprecation. Ongoing, always on.
  • Security hardening: Agents that touch code and infrastructure trigger obligations well beyond a standard SaaS integration: prompt injection defenses, sandboxing, SIEM and DLP integration, red-team testing.
  • Regulatory documentation: Under frameworks like DORA and the EU AI Act, an internal AI system is a regulated system. You define the risk classification, maintain the documentation, and produce the audit evidence, meaning recurring obligations for the life of the system.
  • Platform integration: Agents must be embedded in your SDLC to deliver meaningful value. Every touchpoint is a mini-product that requires maintenance across IDE versions, tooling changes, and org restructures.

And then there's the cost that rarely makes it into initial analyses: every engineer building the platform is an engineer not modernizing a legacy pipeline, remediating security debt, or accelerating a critical delivery program.

Agentic AI is following the DevOps playbook — for better and worse

Let’s think back to the DevOps era. Teams didn't set out to build fragmented toolchains; they made rational, incremental decisions. A better CI tool here. A preferred SCM there. A security scanner bolted on. A separate secrets manager. A different deployment orchestrator.

Each decision made sense in isolation. Collectively, they created sprawl: integration burden, inconsistent governance, duplicated effort, and no single view of what was happening across the SDLC.

The industry spent the better part of a decade consolidating around platforms precisely because that sprawl was expensive and hard to audit, two things regulated organizations can't afford. Agentic AI is following the same arc, faster. The organizations that recognize this early enough to make a platform decision, rather than a series of point decisions, will compress years of catch-up into months.

A framework for the decision

Rather than a generic build vs. buy debate, anchor on three questions:

  1. Is your requirement truly unique? Build is defensible when you have workflows no vendor supports, deployment patterns no platform can meet, and genuine appetite to fund platform engineering as an enduring capability. Modern platforms, however, increasingly meet regulated organizations where they are and support cloud-hosted, self-managed, and dedicated single-tenant deployments to narrow the gap between platform convenience and enterprise control requirements. If your goals are faster code review, pipeline migration, security triage, or test automation, you're in territory where platforms are already delivering for your peers.
  2. How much regulatory surface area can you realistically own? Building makes you the system owner under ICT risk frameworks, the AI provider under emerging AI regulations, and the entity accountable for model behavior, documentation, and monitoring. Buying doesn't eliminate regulatory responsibility, but it offloads platform-level obligations to a vendor whose business depends on getting them right, freeing your compliance cycles for how AI is used, not how it's built.
  3. What's your time horizon? If your board expects demonstrable AI value across multiple teams within 12–24 months, a multi-year internal build is misaligned with those expectations from day one.

The numbers reflect this. For example, for a regulated organization of roughly 200 developers, an internal build on a cloud AI foundation typically runs ≈$1.4M in year one — engineering labor, infrastructure, integration, security, compliance — with 6–12 months before anything is production-ready and 2–3 dedicated FTEs required just to keep it stable. Time to first real use case: 12–18 months, conservatively.

An agentic AI platform like GitLab Duo Agent Platform runs ≈$410K–$460K for the same population with initial deployment in days and early productivity gains of 15–25% (sample from previous implementations) once agents are embedded in everyday workflows. Time to first use case: weeks, not years. That's not a marginal difference. It's the difference between showing your board AI ROI this fiscal year or explaining why you're still building infrastructure.

Analysis courtesy of Sumedh Jigjinni and GitLab's Business Value Services team.

“But we need to customize”

This is the most common objection for regulated industries. The goal isn't to take customization off the table. It's to right-size where customization happens.

The best agentic AI platforms support a layered model that serves every level of the organization. Most users don't need to build anything: they access agents created by others through a shared catalog, getting immediate value within a governed environment. Power users can tailor agents to their specific context by adjusting system prompts and parameters, without writing a line of code. Teams with genuinely differentiated use cases can develop custom agent flows and publish them to the catalog, turning internal work into organizational capability. And experts can still integrate external models, domain-specific tools, and proprietary data sources through a governed interface, rather than as a parallel shadow platform.

This is what intelligent orchestration actually looks like: not uniformity, but coherence. Everyone operates within the same governance layer, with flexibility that scales to need.

The lesson from DevOps consolidation wasn't "don't use tools." It was "don't let tools use you." Agentic AI deserves the same discipline.

Key takeaways

  • In regulated industries, building agentic AI in-house is a multi-year platform engineering commitment. The regulatory, security, and integration obligations tend to be far greater than initial analyses suggest.
  • Agentic AI is following the same fragmentation arc as DevOps toolchains. Organizations that make a platform decision early, rather than a series of point decisions, can compress years of catch-up into months.
  • For a team of roughly 200 developers, an internal AI build costs an estimated $1.4M in year one with 12–18 months to first use case. A purpose-built platform runs roughly $410K–$460K with deployment in days.
