The build-versus-buy decision has not gotten harder. It has gotten more consequential. Three shifts in the last twelve months — the $1B+ legal-tech M&A wave, EU AI Act enforcement, and the visible reality that the average large firm now runs 18-plus generative tools — have rewritten the procurement question. The right answer is no longer the one that minimises total cost of ownership. It is the one that maximises Defensibility posture across the function.
Why the 2026 procurement question is different
The M&A wave made vendor selection a viability bet
This week, Clio acquired vLex for $1 billion — the largest M&A transaction in legal-tech history. It follows Reveal's $1B acquisition of Logikcull and IPRO, Wolters Kluwer's acquisition of Brightflag, Consilio's of TrueLaw, Elevate's of Legadex, Opus 2's of Uncover, and Eudia's of Out-House. The pattern is structural, not episodic. Choosing a vendor today is a bet on the vendor and on the platform that will likely acquire them inside the contract term — with the post-close price re-rating, feature deprecation, and data-migration cost that follow.
The EU AI Act made every vendor a regulatory counterparty
As of 2 August 2025 the EU AI Office is operational and GPAI obligations are binding. Article 53 requires every general-purpose AI model on the EU market to produce technical documentation, transparency reports, and training-data summaries on request. That documentation is now a procurement deliverable — the general counsel's compliance posture is the sum of the vendor postures behind it. Penalties reach €35 million or 7% of global turnover.
AI sprawl made the AI BoM the prerequisite
A large firm now runs 18 or more generative tools across legal, knowledge, marketing, and support. Most legal functions cannot enumerate them. The canonical AI BoM (AI Bill of Materials) — a current, owned, quarterly-refreshed inventory of every AI system the function depends on — is no longer a governance nice-to-have. It is the artefact every procurement decision now flows from. A function without a current AI BoM cannot answer the procurement question; it can only react to vendor pitches.
ROAI accountability replaced ROI
Generic ROI calculations conceal the legal-specific shape of AI value: efficiency gain weighted by risk exposure and capability accretion. The canonical ROAI 4-Quadrant — Value, Risk, Capability, Velocity — gives the function a more honest scorecard. Roughly 53% of organisations report AI value; only ~20% measure it. The procurement question now requires the buyer to know which quadrant each tool sits in before signature, not after.
Five canon-aligned questions for every AI contract
The legacy five-factor framework (Business Need · TCO · Speed · Integration · Control) is sound. It does not need replacement — it needs canonical reframing. Each factor maps to a binding canon construct.
1. Capability Portfolio: differentiator or commodity?
Classify the workflow against the function's Capability Portfolio. A differentiator — proprietary risk analysis, signature due diligence, sector-specific contract intelligence — produces compounding institutional advantage and should lean build. A commodity — e-billing, standard NDA review, document storage — needs to work well, not be owned. Lean buy. The portfolio test is the first filter; everything else is downstream.
2. ROAI 4-Quadrant: value, risk, capability, velocity
TCO is one variable in a four-variable scorecard. Run the candidate through each quadrant: what efficiency Value does it produce; what Risk exposure does it introduce or close; what durable Capability does it build (or rent); how quickly does it reach Velocity. Builds frequently look cheaper than they are because they capture Capability but understate Risk and delay Velocity. Buys frequently look better than they are because they show Velocity but rent Capability and concentrate Vendor-lock-in Risk.
3. Lifecycle discipline: where in the AI Lifecycle does this sit?
Map the use case to the canonical five-stage AI Lifecycle (Concept · Build · Deploy · Operate · Sunset). A Concept-stage capability with no proven internal demand is the wrong place to start a build. An Operate-stage capability under regulatory pressure is the wrong place to start a long build. Speed-to-value is not a slogan — it is a function of how mature the underlying use case is and how compressed the regulatory timeline is. Nine months to the August 2026 high-risk-systems deadline disqualifies any 18–24-month build.
4. AI BoM coherence: does this tool slot into the inventory?
Integration is the AI BoM question. Will this tool produce a clean entry in the inventory — owned, documented, integrated through approved interfaces, monitored — or will it become Shadow AI inside three months? Every tool that cannot live in the BoM at production cadence is, by definition, the wrong tool, regardless of feature parity. Demand reference customers and verified integrations; refuse vendor self-attestation; require the BoM-row before the purchase order.
5. Vendor-lock-in risk: where on the Risk Taxonomy 2026 does this sit?
Class 4 of the Risk Taxonomy 2026 — Vendor lock-in — is now an executive-level risk, not a procurement nuisance. Post-acquisition price increases of 50–300% are documented; data-portability clauses become unenforceable when the acquiring entity re-papers the MSA. The procurement test: can we exit this vendor inside ninety days with our data, models, and workflows intact? If not, the contract is not yet investable. Configuration is acceptable; deep customisation is brittle and disqualifying.
When build wins
A global tech company's legal team built a Microsoft 365–native AI advisor trained on its own regulatory knowledge base — proprietary data, durable Capability accretion, Differentiator-class use case. The result was a secure self-service tool that converted senior-lawyer time into strategic work. The canonical signal: build where the function controls unique data, where the use case is a Differentiator, and where the Capability quadrant is the deciding ROAI lens.
When buy wins
A healthcare services company inherited 125,000-plus contracts across legacy systems after a multi-entity acquisition, with renewal deadlines closing in. Time was the deciding variable. They selected a market-leading CLM, contracted a migration partner, and reached full contractual visibility in months. The canonical signal: buy where the use case is Commodity-class, where Velocity dominates the ROAI scorecard, and where the regulatory or contractual clock disqualifies a build window.
Self-assessment: which path fits this contract?
Answer five questions before the next vendor meeting. Tally yes-answers.
- Is the use case a Commodity in the Capability Portfolio?
- Does ROAI Velocity dominate the scorecard (compliance deadline · budget cycle · competitive threat inside 6 months)?
- Does the use case live at Deploy or Operate stage of the AI Lifecycle (not Concept)?
- Will the candidate produce a clean AI BoM row at production cadence?
- Does the function lack standing budget to staff a multi-year build with security, compliance, and UX talent?
Three or more yes-answers point to buy with light configuration. Two or fewer point to build — with the BoM row, the Defensibility evidence, and the lifecycle ownership defined on day one.
The shift: procurement is Defensibility
The 2026 build-versus-buy decision is no longer an isolated procurement choice. It is the most visible Defensibility decision the function makes each quarter. The Defensibility Posture Statement — the canonical board-level artefact for AI exposure — now reflects the vendor selection record directly. General counsel who treat procurement as a TCO exercise will defend a posture they did not design. General counsel who treat procurement as Defensibility will design the posture they defend.