When to Buy a Tool, When to Build One, and When to Do Neither
The most expensive mistake a small business can make with AI is building custom tooling for something a $20/month subscription already solves. The second most expensive mistake is upgrading to enterprise tier before establishing that the consumer tier is actually creating a data risk.
There's a framework for getting this right. It's not complicated. It's three tiers. You need to understand which tier solves your actual problem.
A note on data security:
The risks covered in this article are real and they are happening in companies like yours right now. The single most effective first step is a written AI Acceptable Use Policy that tells your employees exactly what they can and cannot put into AI tools — before something goes wrong. If you don't have one, that's the place to start.
Tier 1: Consumer Subscription
This is ChatGPT ($20/month per user), Claude Pro ($20/month), Microsoft Copilot Pro ($20/month), or Perplexity ($20/month). These tools cost between $0 and $20 per user per month. They require zero IT infrastructure. An employee can sign up with their email and start using one immediately. No approval process. No integration. No custom configuration.
These tools handle the vast majority of tasks small businesses actually need AI for: drafting communications, summarizing documents, answering questions, organizing information, brainstorming approaches to problems, and learning how to do things.
A warehouse supervisor uses ChatGPT to help structure a safety incident report. An AR clerk uses Claude to draft a follow-up email to a client. A quality technician uses Perplexity to research a specification question. A plant manager uses ChatGPT to brainstorm talking points for a team meeting. All of these are real tasks. All of them run on tier-one tools.
The trade-off is data privacy. Consumer tools assume that the data you type into them is training data. It may be anonymized. It may be deleted quickly. But the tool doesn't have a binding zero-data-retention agreement. If you're typing in public financial information, client names, supplier contracts, or anything confidential, you're accepting the risk that it might be retained and used for model training.
For the vast majority of small businesses, that's an acceptable trade-off. You use tier-one tools for work that doesn't involve sensitive data. You establish that boundary in your policy. That's your answer.
This is the right answer for roughly 90% of small manufacturing companies under 75 employees. Don't overthink it. Buy a subscription, set a policy, move forward.
Tier 2: Business and Enterprise Subscription
These are ChatGPT Business ($30/month per user), Claude Pro with business features ($20/month per user), or enterprise agreements with zero-data-retention clauses ($X/month depending on negotiation). These tools add data privacy protections. They come with team management features. Most importantly, they include a binding commitment from the vendor that your data will not be used for model training.
The cost difference is material but not prohibitive: tier-one is $20/month, tier-two is $30-50+/month per user or occasionally a flat team rate of $500-1,000 per month depending on size.
You move to tier-two when you've established that tier-one is creating a documented data risk. Specifically: you have employees using tier-one tools with client financial data, supplier contracts, or information covered by an NDA. You've identified this through your Risk Audit Card. You've run the math and concluded that the risk of data retention is material enough to justify the upgrade.
You don't move to tier-two because you're nervous. You move because you've documented that tier-one use with sensitive data is happening and that it violates your policy or client agreements.
The second most common mistake is preemptively upgrading to tier-two for an entire company because you're worried. In most cases, tier-one is fine. You just need the boundary in your policy. Tier-two makes sense only when you've proven to yourself that tier-one is actually creating exposure.
Tier 3: Custom API Integration
This is building something. You take an AI API—GPT-4 API, Claude API, whatever—and you integrate it into your existing systems. You build a custom chatbot that answers questions about your processes. You build an automation that summarizes your work orders. You build a system that flags anomalies in your quality data. This is custom software development.
The cost is significant: $10,000 and up to build something useful, plus ongoing maintenance. The time to market is weeks or months, not days. The risk of it breaking when the underlying API changes is real. The knowledge to maintain it lives in one or two people's heads.
You build tier-three when you have a specific, recurring workflow that no off-the-shelf tool handles well, and when you have either internal development resources or a budget to hire external development. You build it when the ROI is clear: this custom solution will save us X hours per week, reduce our error rate by Y%, or unlock Z capability we can't get any other way.
Most small manufacturers do not build tier-three. The vast majority solve their problems with tier-one or tier-two. Building a custom solution for something a $20/month subscription already handles is money spent without return.
The Decision Tree
Do you have an immediate need that tier-one tools don't solve? No? Buy tier-one. Done.
Do you use tier-one tools with sensitive data regularly? Yes? Document it through your Risk Audit Card. Confirm it violates your policy or client agreements. Upgrade to tier-two. That's the answer.
Is there a specific, recurring workflow that tier-one and tier-two don't solve, and is the ROI clear? Yes? You have a development conversation with a consultant or internal staff. That's tier-three. No? Don't build.
The Framework Is in the Kit
The Buy vs. Build Matrix in the AI Training Kit walks through this decision tree. It's two pages. It lists what each tier costs, what protections each one offers, what the real use cases are, and when you actually need to move from one tier to the next. It prevents the mistake of building custom solutions for problems that tier-one already solves. It prevents the waste of upgrading to tier-two prematurely.
It's in the kit because this decision happens over and over at small businesses, and most of the time it gets made wrong.
$997, one-time. Permanent license. The framework is there. The decision becomes straightforward instead of confused.