Buy, build or govern: The CIO decision model AI just broke

Bramley Maetsa, IT digital and innovation enablement lead at Sasol.

---

For two decades, CIOs had a comfortable default: buy unless there was a compelling reason to build.

That default made sense. Custom software was expensive, slow and risky. SaaS won because it gave enterprises speed, scale and a lower apparent cost of ownership. Unless the capability was truly strategic, the sensible answer was usually to buy.

AI has broken that default.

The danger is not that CIOs will suddenly build too much software. The deeper danger is that they will keep using a SaaS-era decision model in an AI-era technology economy.

Building is no longer automatically the expensive, slow option. A small team using AI coding tools can now prototype and ship in days what once took months and a much larger engineering function. But that does not mean every organisation should rush to build. It means the old buy-versus-build frame is now too narrow for the decisions CIOs have to make.

The CIO's new framework is no longer buy versus build. It is buy, build or govern.

Buy is for scale. Build is for advantage. Govern is for systems where accountability matters more than speed.

The traditional buy-versus-build model rested on three assumptions. First, building was so costly that it should be treated as the exception. Second, SaaS vendors could deliver economies of scale that most enterprises could not match internally. Third, the software interface itself was where much of the value lived.

All three assumptions are now under strain.

AI has lowered the cost of building many classes of software. SaaS vendors are also under pressure as AI agents begin to erode the human-seat pricing model that sustained much of the industry. And the interface is becoming less important as software is increasingly navigated by agents acting on behalf of users.

AI can produce something that feels functional but solves the wrong business problem, in the wrong workflow, for the wrong users.

That does not make SaaS obsolete. It makes the CIO decision more demanding.

CIOs are no longer choosing only between procurement and development. They are choosing between commodity capability, differentiated software and governed systems of accountability.

The most useful framework now has three answers. Buy applies where the capability is generic, mature and not a source of differentiation. In some cases, the answer may not even be to buy another tool. It may be to automate the workflow safely through an agent. Agent-led automation therefore sits inside the commodity category: buy it, subscribe to it or automate it away if the risk is low and the workflow is standard. 

Build applies where the organisation owns data, domain knowledge or process intelligence that a vendor cannot easily replicate. AI has made this much more viable than it was even two years ago, especially for targeted internal tools, decision workflows and domain-specific applications.

Govern applies where the issue is not primarily cost or speed, but trust. Regulated systems, safety-critical operations, audit-heavy processes and high-risk workflows need control architectures that can be trusted at scale.

This is the category CIOs are most likely to underweight.

Govern is not the boring compliance bucket. It is the category for systems that must be explainable under audit, defensible under incident, recoverable under stress and safe under scale.

In these cases, the key question is not whether to build or buy. It is whether the organisation can prove how the system works, who is accountable for its decisions, what evidence it leaves behind and how failure will be contained.

AI-assisted development creates another problem: it makes it easy to create software that looks convincing before anyone has properly tested whether it solves the right problem.

That shifts the constraint from engineering capacity to executive judgement.

When anyone can generate an application from a prompt, the real risk is no longer only code quality. It is product quality. AI can produce something that feels functional but solves the wrong business problem, in the wrong workflow, for the wrong users.

The AI era lowers the cost of creating software, but raises the cost of weak judgement.

That is why the most important capability in the AI era is not speed. It is discernment.

The CIO's job is becoming less about approving technology and more about deciding where technology is even worth creating in the first place.

The practical test is simple to state, even if it is harder to apply.

If the workflow is generic, buy it or automate it. If the process is differentiated by proprietary data or domain logic, build it. If the system is regulated, safety-critical, audit-sensitive or operationally material, govern it before scaling it.

That leads to different answers across the portfolio.

Reporting and dashboards are increasingly candidates for agent-led automation. Thin CRM workflows may remain bought. Deeper customer systems that depend on proprietary data or unique service logic may justify building. Proprietary analytics platforms are often worth building because the organisation's data and decision patterns are the moat.

Regulatory workflows, operational control systems and high-impact decision engines should be treated as governed capabilities, not just software purchases.

This matters because many CIOs are still asking the wrong question. They are asking which SaaS tools can be replaced.

They should be asking which assumptions about technology decision-making are no longer valid.

The SaaS era gave IT leaders a comfortable default: buy unless there was a compelling reason not to. The AI era removes that default.

Some capabilities should move from buy to agent-led automation. Some should move from buy to build. And some should be explicitly moved into a governed category where accountability, compliance, resilience and operational trust matter more than speed or cost.

That is not a simpler framework. It is a more honest one.

The winners will not be the organisations that build the most software, buy the most SaaS or deploy the most agents. They will be the ones that know where scale is enough, where differentiation is worth building and where governance is non-negotiable.

That is the CIO's new test.

If your technology strategy cannot separate buy, build and govern, it is not yet an AI-era strategy. It is a SaaS-era strategy with AI tools attached.