Many AI projects don’t work out because it isn’t clear what is and isn’t in scope at different stages of the product journey. Essentials overlooked, redundant features added. This leads to a project that’s kinda there but not quite ready for user adoption. A POC doesn’t need SOC 2 compliance. An MVP doesn’t need multi-region failover. With the framework below you’ll make sure to get your project over the finish line. This framework maps exactly what to build at each stage—from proof of concept to 1M+ users—so you stop overengineering and start shipping.
The Five Stages of Product Maturity
Software products evolve through five distinct stages, each with different goals and requirements:
| Stage | Users | Goal | Core Question |
|---|---|---|---|
| POC | 0-10 | Validate hypothesis | ”Does this even work?” |
| MVP | 10-100 | First real users | ”Can people use this?“ |
| 10k | 100-10,000 | Product-market fit | ”Do people want this?“ |
| 100k | 10,000-100,000 | Scale & reliability | ”Can this handle growth?“ |
| 1M+ | 100,000+ | Enterprise-grade | ”Is this bulletproof?” |
The mistake founders make: building 100k-stage features during POC. That 99.99% uptime SLA? Skip it until you have 100k users who need it.
What to Build at Each Stage
The tables below break down exactly what you should build at each stage across every major product dimension.
Design & User Experience
Your POC can look like a spreadsheet—users care about whether the core idea works, not whether it’s pretty. At MVP, invest just enough in visual design to not embarrass yourself when sharing with early adopters. The real UX investment comes at 10k users, when you have enough usage data to know what needs refinement.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| UI/UX Design | Wireframes, basic layout | Cohesive visual design | Refined UX, user testing | A/B testing, analytics-driven | Continuous optimization, design ops |
| Design System | None, inline styles OK | Basic component library | Documented design system | Versioned design tokens | Multi-brand theming support |
| Design Assets | Stock images, basic icons | Custom icons, brand colors | Illustrations, custom imagery | Motion design, micro-interactions | Full asset management pipeline |
| Accessibility | None | Basic ARIA labels | WCAG 2.1 AA | WCAG 2.1 AAA critical paths | Full accessibility audits |
| Responsive Design | Desktop only OK | Mobile-friendly | Mobile-first | Device-specific optimizations | Native app parity |
Premature design systems waste engineering weeks at a stage when shipping speed determines survival. Build the design system after you’ve built the same component three times, not before.
Core Features & Business Logic
The hardest discipline in early-stage product development is saying no to features that would be nice to have. Your POC should nail exactly one thing—the core value proposition. Everything else is a distraction that delays learning whether your idea has legs.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| Core Features | Happy path only | Core features complete | Edge cases handled | Feature parity across platforms | Full feature set |
| User Management | Hardcoded users | Basic profiles | User settings, preferences | Team/organization support | Enterprise user management |
| Notifications | Console logs | Email only | Email + in-app | Push, SMS, webhooks | Notification preferences, digests |
| Search | None or basic filter | Simple text search | Full-text search | Faceted search, filters | AI-powered search, personalization |
| File Storage | Local filesystem | Cloud storage (S3) | CDN for assets | Multi-region replication | Enterprise file management |
| Content Management | Hardcoded content | Admin CRUD | Versioning, drafts | Scheduled publishing | Localization, A/B content |
| Multi-language (i18n) | None | None | Basic translation | Full i18n | RTL support, locale-specific UX |
Data & Storage
Database migrations are painful but rarely fatal—you can always switch later. The real mistake isn’t choosing the wrong database; it’s over-engineering data architecture before you know your access patterns. SQLite is production-ready for more use cases than engineers admit.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| Database Architecture | SQLite / single instance | Single managed DB | Read replicas | Sharding strategy | Multi-region active-active |
| Data Modeling | Denormalized, whatever works | Basic normalization | Proper indexes, relations | Optimized for read patterns | Event sourcing where needed |
| Caching | None | Browser caching | Redis for hot data | Multi-layer caching | Distributed cache, cache invalidation |
| Data Backup | Manual snapshots | Automated daily | Point-in-time recovery | Cross-region backups | Real-time replication |
| Data Migration | Drop and recreate | Manual migrations | Versioned migrations | Zero-downtime migrations | Automated rollback |
| Data Retention | Keep everything | Basic cleanup | Retention policies | Archival strategy | Legal hold, tiered storage |
Most startups that fail due to “scaling issues” failed due to product-market fit. Worry about sharding after you have the 10k users who would benefit from it.
Authentication & Authorization
Auth is where founders waste the most time in early stages. You don’t need SSO at POC. You don’t need MFA at MVP. A hardcoded user list or magic links will get you to 100 users faster than implementing OAuth flows you’ll rewrite anyway.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| Authentication | None / hardcoded | Email/password, OAuth | MFA optional | MFA required for sensitive | SSO, SAML, enterprise IdP |
| Authorization | None | Basic roles (admin/user) | RBAC | Fine-grained permissions | ABAC, policy engine |
| Session Management | Long-lived tokens | JWT with expiry | Refresh tokens | Session revocation | Device management |
| API Authentication | None / API key | API keys per user | Scoped API keys | OAuth2 for third-parties | API key rotation, audit |
Enterprise SSO is a feature you add when enterprises are willing to pay for it—not a day sooner.
Security
Security theater burns runway without reducing risk. Implementing SOC 2 controls at the POC stage means you’re spending money on compliance before you have revenue to justify it. Focus on the basics—HTTPS, input validation, not storing passwords in plaintext—and escalate as your threat profile grows with your user base.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| Security Practices | HTTPS only | Input validation, CSRF | Security headers, CSP | Regular security reviews | Pen testing, bug bounty |
| Secrets Management | .env files | Environment variables | Secret manager (Vault) | Rotation policies | Hardware security modules |
| Data Encryption | TLS in transit | At-rest encryption | Field-level encryption | Customer-managed keys | End-to-end encryption |
| Vulnerability Management | None | Dependabot | Regular updates | CVE monitoring | 24h SLA on critical vulns |
Payments & Billing
Stripe Checkout exists so you don’t have to build billing infrastructure. Use it. The time you’d spend building custom payment flows is time not spent on your actual product. Custom billing only makes sense when you’re losing meaningful revenue to Stripe’s fees—typically around 100k+ users.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| Payment Processing | None / manual | Stripe Checkout | Embedded payments | Multiple providers | PCI compliance |
| Subscription Management | None | Basic plans | Plan changes, trials | Usage-based billing | Enterprise contracts |
| Invoicing | None | Stripe invoices | Custom invoices | Tax automation | Revenue recognition |
| Billing Portal | None | Stripe portal | Custom portal | Self-service everything | Billing admin tools |
AI & Machine Learning
AI products have a unique failure mode: spending months on model infrastructure before validating that users want the output. At POC, call the API directly. Worry about prompt versioning and model registries after you’ve proven the AI solves a problem users will pay for.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| AI Short-running (Inference) | Direct API calls | Basic error handling | Rate limiting, retries | Load balancing, fallbacks | Multi-provider, self-hosted |
| AI Long-running (Batch/Training) | Manual scripts | Background jobs | Job queues | Distributed processing | ML pipeline orchestration |
| AI Evaluation | Manual testing | Basic metrics | A/B testing | Automated eval suites | Continuous evaluation |
| AI Cost Management | Ignore it | Monitor spend | Budget alerts | Cost optimization | Chargeback per customer |
| AI Safety & Guardrails | None | Basic content filtering | Input/output validation | Moderation pipeline | Full content policy |
| Model Management | Latest version | Pinned versions | Version tracking | Model registry | Canary deployments |
The biggest AI cost isn’t API calls—it’s engineering time spent optimizing inference costs before you have inference volume to justify it.
Background Processing
Synchronous code is fine until it isn’t. At POC, if a job takes 30 seconds, let the user wait 30 seconds. You’ll learn more about what needs to be fast from user complaints than from premature optimization. Background job infrastructure is a 10k-stage problem.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| Short-running Jobs | Synchronous | Async with timeouts | Queue-based | Priority queues | SLA-based scheduling |
| Long-running Jobs | Manual execution | Background workers | Job persistence | Checkpointing | Distributed execution |
| Job Queues | None | Simple queue (Redis) | Dead letter queues | Multi-queue routing | Exactly-once processing |
| Scheduled Tasks | Cron on server | Managed scheduler | Retry logic | Distributed locks | Multi-region scheduling |
| Job Monitoring | Logs only | Basic dashboard | Job metrics | SLA monitoring | Anomaly detection |
Quality Control & Testing
Zero test coverage at POC is correct. Your code is changing so fast that tests would need daily rewrites. At MVP, cover the critical paths—signup, core feature, payment. Comprehensive test suites make sense once the architecture stabilizes around 10k users.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| Unit Testing | None | Critical paths only | 60%+ coverage | 80%+ coverage | Mutation testing |
| Integration Testing | None | Happy paths | API contract tests | Full integration suite | Consumer-driven contracts |
| E2E Testing | Manual only | Critical flows | Smoke tests in CI | Full regression suite | Visual regression |
| Performance Testing | None | None | Basic load tests | Regular load testing | Chaos engineering |
| Security Testing | None | None | OWASP basics | Regular pen tests | Continuous security scanning |
| Manual QA | Developer testing | Ad-hoc QA | QA checklist | Dedicated QA | QA automation team |
| Code Review | None | Author review | PR reviews | Required approvals | CODEOWNERS |
The best test is a paying user clicking through your product. Automated tests verify behavior; users verify value.
Compliance & Legal
Compliance is a tax on success. You pay it when you have success worth taxing. A POC needs a privacy policy because it’s a legal requirement, but SOC 2 certification at POC stage is like buying a warehouse before you have inventory.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| Privacy (GDPR/CCPA) | None | Privacy policy, cookie consent | Data export, deletion | Privacy by design | DPO, privacy automation |
| Audit Logging | None | None | Security events | All state changes | Immutable audit trail |
| Terms & Policies | None | Basic ToS, privacy | Acceptable use policy | SLAs | Enterprise legal review |
| Industry Compliance | None | None | Self-assessment | SOC 2 Type I | SOC 2 Type II, ISO 27001 |
| Data Residency | Ignore | Single region | Region selection | Regional isolation | Full data sovereignty |
Enterprise compliance requirements are a signal that you’ve made it—treat them as a milestone, not a prerequisite.
Infrastructure
“We need Kubernetes” is how you know a startup has lost focus. At POC, deploy to Vercel or Railway. At MVP, a single cloud provider is fine. Multi-region only matters when you have users in multiple regions who care about latency—and most products never reach that point.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| Hosting | Local / free tier | Single cloud provider | Managed services | Multi-AZ | Multi-region |
| CDN | None | Static assets | Full CDN | Edge computing | Custom edge logic |
| Load Balancing | None | Cloud LB | Health checks | Traffic management | Global load balancing |
| Auto-scaling | None | None | Basic scaling rules | Predictive scaling | Cost-optimized scaling |
| Infrastructure as Code | Manual setup | Basic scripts | Terraform/Pulumi | Full IaC | GitOps, drift detection |
| Network Security | Default VPC | Security groups | Private subnets | Network policies | Zero-trust network |
Deployment
Manual deploys are fine at POC. The ceremony of CI/CD pipelines adds friction when you’re deploying 10 times a day to test ideas. Invest in deployment infrastructure when deploys become risky—typically around MVP when you have real users who would notice breakage.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| CI Pipeline | None / local | Basic CI (lint, build) | Tests in CI | Parallel test suites | Merge queues |
| CD Pipeline | Manual deploy | Auto-deploy to staging | Auto-deploy to prod | Blue-green / canary | Progressive rollouts |
| Feature Flags | None | Hardcoded flags | Flag service (LaunchDarkly) | Per-user targeting | Experimentation platform |
| Environment Management | One environment | Dev + prod | Dev + staging + prod | Per-PR environments | Full environment parity |
| Rollback Strategy | Redeploy previous | One-click rollback | Automated rollback | Instant rollback | Multi-service rollback |
| Release Management | Push to main | Version tags | Changelog | Release notes | Release coordination |
Observability
You can’t optimize what you can’t measure, but you can measure too much. At POC, console.log is your observability stack. At MVP, add structured logging so you can debug production issues. Full APM and distributed tracing solve problems you don’t have until 100k+ users.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| Logging | Console.log | Structured logs | Centralized logging | Log analysis | Log-based alerting |
| Monitoring | None | Basic uptime | APM basics | Full APM | Custom metrics |
| Alerting | None | Email on down | PagerDuty integration | Alert routing | Alert correlation |
| Tracing | None | None | Basic traces | Distributed tracing | Trace-based testing |
| Error Tracking | Console errors | Sentry/Bugsnag | Error grouping | Error budgets | Predictive errors |
| User Analytics | None | Basic analytics (Plausible) | Event tracking | Funnel analysis | Data warehouse |
Alert fatigue kills on-call engineers. Start with fewer alerts that matter rather than comprehensive alerts that get ignored.
Developer Experience
The best developer experience investment at early stages is a fast local dev loop. If engineers wait 5 minutes for builds, they’re not iterating fast enough. Docker compose and dev containers are 10k-stage solutions to 10k-stage problems.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| Local Dev Setup | README instructions | One command setup | Docker compose | Dev containers | Cloud dev environments |
| Documentation | Code comments | README | API docs | Full docs site | Interactive docs |
| Code Standards | Personal preference | Linter config | Style guide | Architecture decision records | Tech radar |
| Developer Onboarding | Pair programming | Setup guide | Onboarding checklist | Onboarding program | Self-service onboarding |
| Internal Tools | None | Admin panel | Custom dashboards | Internal tool platform | Self-service tooling |
| API Documentation | None | OpenAPI spec | Interactive docs | SDK generation | API versioning strategy |
Reliability & Performance
99.99% uptime means 52 minutes of downtime per year. Unless your product is life-critical infrastructure, users will tolerate more downtime than you think—especially if you communicate outages well. Target 99% at MVP and increase as you scale.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| Uptime Target | Best effort | 99% | 99.5% | 99.9% | 99.99% |
| Disaster Recovery | None | Manual recovery | Documented runbooks | Automated DR | Regular DR drills |
| Rate Limiting | None | Basic limits | Per-user limits | Adaptive rate limiting | DDoS protection |
| Performance Optimization | None | Obvious fixes | Core Web Vitals | P99 optimization | Continuous profiling |
| Graceful Degradation | Crash and burn | Basic error pages | Feature degradation | Circuit breakers | Full resilience patterns |
| Incident Response | Ad-hoc | Incident channel | On-call rotation | Incident commander | Blameless postmortems |
| SLAs/SLOs | None | Informal expectations | Internal SLOs | Published SLAs | SLA automation |
Every nine you add to your uptime target doubles the engineering investment required to maintain it.
APIs & Integrations
Build an API when someone asks for one. Public APIs at MVP are premature—you’re committing to an interface before you understand your own product. Internal APIs that evolve with your product are different from public APIs that external developers depend on.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| API Design | Whatever works | RESTful basics | Consistent conventions | API versioning | GraphQL/gRPC where needed |
| Third-party Integrations | Direct API calls | Abstraction layer | Retry logic | Circuit breakers | Integration monitoring |
| Webhooks (Outgoing) | None | Basic webhooks | Retry logic | Webhook management UI | At-least-once delivery |
| Webhooks (Incoming) | None | Signature validation | Idempotency | Event deduplication | Event replay |
| Public API | None | None | Read-only API | Full public API | Developer portal |
| SDKs & Libraries | None | None | None | Official SDKs | SDK versioning |
Platform Support
“Mobile app” is not a launch requirement. Responsive web gets you to 10k users on every platform. Native apps make sense when web limitations block specific features users need—push notifications, camera access, offline mode. That’s typically a 100k+ problem.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| Web App | Basic web | PWA-ready | Offline support | Native-like UX | Full PWA |
| Mobile App | None | Responsive web | React Native / Flutter | Native apps | Platform-specific features |
| Desktop App | None | None | Electron if needed | Native if justified | Auto-update |
| Browser Support | Chrome only | Modern browsers | Safari, Firefox, Edge | Extended support | Legacy browser fallbacks |
Customer Success
At POC, customer support is you responding to DMs. That’s correct. The founder should be in direct contact with every early user—that’s how you learn what to build. Formalized support processes come later when you physically can’t respond to every message yourself.
| Aspect | POC | MVP | 10k | 100k | 1M+ |
|---|---|---|---|---|---|
| Customer Support | Founder DMs | Email support | Help desk | Live chat | Tiered support |
| Self-service Help | None | FAQ | Knowledge base | AI chatbot | Community forums |
| Customer Feedback | Direct conversations | Feedback form | In-app feedback | NPS surveys | Voice of customer program |
| Status Page | None | None | Basic status page | Incident updates | RCA publishing |
The moment you stop talking to users directly is the moment you start building the wrong things.
The Decision Framework
When deciding whether to build something, ask these five questions in order:
- Does it help you learn? If no, skip it.
- Does it help users? If no, skip it.
- Can you do it manually for now? If yes, skip automating.
- Would failure kill the company? If no, skip redundancy.
- Did anyone ask for it? If no, skip it.
Most features fail question #5. Build what users request, not what you imagine they might want.
Frequently Asked Questions
What’s the difference between POC and MVP?
A POC (proof of concept) validates that your core idea is technically feasible—often with hardcoded data and no real users. An MVP (minimum viable product) is the smallest version that real users can use and pay for. POC answers “can we build this?” while MVP answers “will people use this?”
When should I add authentication to my product?
Add basic authentication (email/password or OAuth) at the MVP stage when you have real users who need accounts. Skip it entirely during POC—hardcoded users are fine for testing your core hypothesis. Wait until 100k+ users before implementing enterprise features like SSO or SAML.
How do I know when to move from MVP to 10k stage?
Move to 10k stage when you have consistent user growth, low churn, and users requesting features beyond core functionality. Typically this happens around 100-500 active users.
Should I build for mobile from day one?
Build desktop-only at POC stage. Add mobile-friendly responsive layouts at MVP. Go mobile-first at 10k stage when analytics show significant mobile traffic. Native mobile apps only make sense at 100k+ users when the web experience can’t match native capabilities.
When does SOC 2 compliance become necessary?
SOC 2 Type I is typically needed at 100k+ users when you start selling to enterprises that require it. Before that, self-assessments and basic security practices are sufficient. SOC 2 Type II and ISO 27001 become relevant at 1M+ users with enterprise contracts.
Key Takeaways
- POC = 2 weeks max. If it takes longer, you’re overbuilding.
- MVP = real users, minimal features. Stripe Checkout over custom billing.
- 10k = product-market fit. Build what users request.
- 100k = reliability. Now you need SLAs and redundancy.
- 1M+ = enterprise. SOC 2, multi-region, the whole stack.
Stop building features for users you don’t have. Match your infrastructure to your stage.
SFAI Team