Chapter 08 of 08

The Decision Framework

Build vs. buy. TCO analysis. 40 questions for any vendor. The chapter you present to the CFO.

You've assessed your maturity (Chapter 2), understood the architecture (Chapter 5), mapped the regulations (Chapter 4), and planned the rollout (Chapter 6). The remaining question: how do you get there?

Three options exist. Each has different cost, speed, and risk profiles. This chapter provides the framework to choose.

The Three Paths

DIY / FrameworkManaged PlatformHyperscaler Native
WhatBuild governance on open frameworks (LangChain, CrewAI, AutoGen)Deploy a purpose-built agent governance platformUse cloud vendor's agent tools (Agentforce, Copilot Studio, Bedrock Agents)
Time to L36-12 months1-2 weeks2-4 weeks
Time to L412-24 months4-8 weeksNot available (L3 ceiling)
Team required3-5 FTEs (ongoing)0.5-1 FTE (config + ops)1-2 FTEs
Governance depthWhatever you buildDeep (built-in pillars)Shallow (platform-level only)
Vendor lock-inFramework lock-inLow (open protocols)High (cloud ecosystem)
Standards supportManual integrationMCP + A2A + SLIM nativeVendor-specific + partial MCP
LLM flexibilityFull (you wire it)Multi-provider (6+)Vendor-preferred model
Best forUnique constraints no platform addressesSpeed + governance depthAlready deep in one cloud

Total Cost of Ownership

The TCO comparison below assumes a mid-size enterprise deploying 50 AI agents across 5 teams for the first year.

YEAR 1 TOTAL COST OF OWNERSHIP $1.5M $1.0M $500K $0 $600K-$1.5M 3-5 FTEs build 2-3 FTEs maintain + compliance gap DIY / Framework 6-12 months to value $68K-$280K 0.5-1 FTE ops Managed Platform 2-4 weeks to value $200K-$700K 1-2 FTEs + vendor markup + partial compliance Hyperscaler 4-8 weeks to value 5-10x cost difference in Year 1 Assumes 50 agents, 5 teams, mid-size enterprise. LLM API costs excluded (BYOK).
Cost CategoryDIY / FrameworkManaged PlatformHyperscaler Native
Platform license$0 (open source)$18K-$180K/yr$50-650/user/mo
Engineering (build)$300K-$600K (3-5 FTEs × 6-12mo)$0 (pre-built)$50K-$100K (integration)
Engineering (maintain)$200K-$400K/yr (2-3 FTEs)$50K-$100K/yr (0.5-1 FTE)$100K-$200K/yr (1-2 FTEs)
LLM API costsBYOK (your keys)BYOK (your keys)Vendor markup (1.2-3x)
Compliance gap$100K-$500K (audit prep)Included (governance packs)$50K-$200K (partial coverage)
Time to value6-12 months2-4 weeks4-8 weeks
Year 1 total$600K-$1.5M$68K-$280K$200K-$700K

The hidden cost of DIY

The biggest cost isn't building the platform — it's maintaining it. Every new compliance framework, every protocol update, every security patch requires engineering time. When your lead governance engineer leaves, the knowledge goes with them. The platform vendor amortizes this cost across all customers. You don't.

40 Questions for Any Agent Platform Vendor

Whether you're evaluating a managed platform, a hyperscaler's native offering, or even a DIY approach, these questions reveal the real governance depth. Vendors that can't answer most of them have a governance gap.

Identity (Questions 1-8)

  1. Does every agent have a unique, persistent identifier (not a session ID)?
  2. Are agent identities cryptographically signed (e.g., SPIFFE, X.509)?
  3. Can you verify an agent's identity without calling back to the issuer?
  4. How are agent credentials rotated? What's the TTL?
  5. Can an agent's identity be revoked instantly (seconds, not days)?
  6. Does the platform issue Verifiable Credentials for agent capabilities?
  7. How is cross-organization identity verification handled?
  8. Are agent identities visible in the admin dashboard (not just API)?

Authorization (Questions 9-16)

  1. Is authorization per-tool-call or per-application?
  2. What's the authorization model? (RBAC, ABAC, ReBAC, Zanzibar/OpenFGA)
  3. What's the default for unlisted tools — allow or deny?
  4. How many tools are covered by authorization policies?
  5. Can policies cascade from organization to individual agent?
  6. Is there a kill switch? At what levels (agent, team, org)?
  7. Does the platform support progressive enforcement (audit → warn → enforce)?
  8. How are delegation chains (agent A delegates to agent B) controlled?

Verification (Questions 17-22)

  1. Can the platform verify that agents followed policy — not just per-call, but across a full session?
  2. Are there execution certificates (cryptographic proof of compliance)?
  3. Can you write custom policies in code (not just natural language descriptions)?
  4. Does deploy-time analysis detect policy contradictions and privilege escalation?
  5. Is multi-model cross-checking available for high-stakes decisions?
  6. Can an auditor independently verify an execution certificate?

Audit (Questions 23-30)

  1. Is every tool call logged with actor, target, action, result, cost, and timestamp?
  2. Are audit logs integrity-protected (HMAC, hash chain)?
  3. Does the LLM call pass through a security pipeline (PII redaction, prompt injection, content moderation)?
  4. Is each stage of the security pipeline logged (not just the final result)?
  5. Can audit logs be exported to SIEM in real-time (JSON, CEF)?
  6. Is the audit database separable from the application database?
  7. What's the maximum audit log retention? (SOX requires 7 years)
  8. Can you reconstruct the full sequence of an agent session from the audit trail?

Data & Compliance (Questions 31-36)

  1. Is BYOK (Bring Your Own Key) mandatory or optional for LLM API keys?
  2. Can customers store data in their own infrastructure (BYOS)?
  3. Is content encryption at rest automatic or opt-in? What triggers it?
  4. Which compliance frameworks are supported as pre-built governance packs?
  5. Can compliance reports be generated automatically (PDF, not just JSON)?
  6. How many LLM providers are supported? What happens when one is deprecated?

Architecture & Lock-in (Questions 37-40)

  1. Which open protocols are supported (MCP, A2A, SLIM)?
  2. Can you export all data and configuration if you leave the platform?
  3. Is the pricing per-agent, per-user, per-call, or per-token?
  4. What happens to running agents if the platform has an outage?
VENDOR EVALUATION SCORING — 40 QUESTIONS <15 — Not a governance platform 15-24 — Significant gaps 25-34 — Good w/ gaps 35-40 Agent builder w/ logging Risk for regulated Check roadmap Enterprise-ready 1 point per "yes" with evidence · 0.5 for "partially/planned" · 0 for "no"

Risk Matrix

RISK COMPARISON BY PATH DIY Managed Hyperscaler Shadow AI HIGH LOW MEDIUM Compliance gap HIGH LOW MEDIUM Agent breach HIGH LOW MEDIUM Vendor lock-in LOW LOW HIGH Key person dep. HIGH LOW MEDIUM Reg. penalty HIGH LOW MEDIUM Innovation speed FAST FAST SLOW DIY: high risk on 5/7 dimensions. Managed platform: low on 6/7. Hyperscaler: mixed.
RiskDIYManaged PlatformHyperscaler
Shadow AI persistsHigh (slow to deploy)Low (fast deployment)Medium
Compliance gap at auditHigh (build it all)Low (pre-built packs)Medium
Data breach from agentHigh (build security)Low (Gateway pipeline)Medium
Vendor lock-inLow (your code)Low (open protocols)High
Key person dependencyHigh (custom code)Low (vendor maintains)Medium
Regulatory penaltyHigh (slow compliance)Low (governance-first)Medium
Innovation speedFast (custom)Fast (platform + custom)Slow (vendor roadmap)

The Business Case Template

Use this template when presenting to the CFO:

Problem

98% of organizations report unsanctioned AI use. Shadow AI breaches cost $4.63M on average. EU AI Act enforcement begins August 2, 2026, with penalties up to 7% of global turnover. We have [X] agents running without governance. Our maturity level is [L1/L2].

Solution

Deploy a governed agent platform that provides identity, authorization, audit, and compliance for all AI agents. Move from Level [current] to Level 4 in [4-8] weeks.

Cost

Platform: $[X]/year. Team: [0.5-1] FTE for configuration and operations. LLM costs: unchanged (BYOK). Versus DIY: $[600K-1.5M] year 1 + 3-5 FTEs ongoing.

Timeline

Phase 0 (assessment): 1-2 weeks. Phase 1 (first team): 1-2 weeks. Phase 2 (enforcement): 2-4 weeks. Total: governed AI operations in under 2 months.

Risk reduction

Eliminates shadow AI governance gap. Satisfies [GDPR/HIPAA/SOX/EU AI Act] requirements. Reduces breach risk premium ($670K per shadow AI incident). Kill switch provides instant containment.

Chapter Summary

Three paths exist for governed AI agent deployment: build (slow, expensive, full control), buy a managed platform (fast, cost-effective, deep governance), or use hyperscaler native tools (medium speed, ecosystem lock-in, shallow governance). The TCO gap is 5-10x between DIY and managed platform in year 1. The 40 vendor evaluation questions reveal real governance depth versus marketing claims. The business case centers on risk reduction, regulatory compliance, and speed to value.

What's Next

You've read the complete Agentic AI Blueprint — 8 chapters covering the shift, the maturity model, the Five Pillars, the regulatory landscape, the reference architecture, the implementation playbook, the standards landscape, and the decision framework.

Three actions from here:

  1. Take the AI Governance Assessment — 25 questions, personalized maturity report, specific recommendations for your organization.
  2. Download the full Blueprint PDF — All 8 chapters in one document. Share with your steering committee.
  3. Book a governance briefing — 30-minute call with our team. Bring your CISO. We'll map the Blueprint to your specific regulatory requirements.

The organizations deploying governed AI today will define the next decade.

The ones still writing AI policies will be writing them for competitors' AI teams.