
From 15 Manual Sign-Offs to Minutes: Paul Gresham on Making AI Auditable by Design

How a career spent embedding compliance into engineering at Global Systemically Important Financial Institutions (G-SIFIs) prepared the founder of Paul Gresham Advisory LLC for the biggest governance challenge in a generation

Written By : Arundhati Kumar

According to Grant Thornton's 2026 AI Impact Survey of 950 senior leaders, 78% of business executives lack strong confidence that their organization could pass an independent AI governance audit within 90 days — and the implications go beyond discomfort: companies with fully integrated AI are nearly 4 times more likely to report revenue growth than those still piloting without controls. Organizations are adopting AI. What most of them cannot do is explain how their AI makes decisions or who is accountable when something breaks.

Paul Gresham has spent 38 years working at that exact fault line — across every domain where software failures carry real consequences, and now amplified by AI. He has participated in several YOW! Conferences in Hong Kong and Singapore, events that select industry leaders to speak about highly disciplined software engineering, and holds the high-consequence, critical position of Managing Director, Head of Digital Client & Marketing Platforms and Agile COE Lead at a major financial institution. Gresham ran an engineering organization of more than 450 people across 11 countries, with accountability for wealth technology platforms handling over CHF 1.5 trillion in client flows and generating north of CHF 700 million in annual revenues. Now, through Paul Gresham Advisory LLC, his focus is on extending the compliance-framework knowledge built inside global banking to the emerging world of AI agent infrastructure.

When fifteen sign-offs still don't prevent a bad release

Software teams at major banks release hundreds of changes every month. In theory, each one travels through a long queue of manual reviews – at some institutions, up to fifteen individual approvals on a single change before fresh code is allowed anywhere near production. That sequence creates a compounding problem: every additional gate slows the pipeline further, and the longer a change sits in transit, the greater the chance its specifications have drifted from what the business originally requested.

Across more than a decade at one of the largest wealth managers globally, Gresham watched this cycle repeat from inside the technology division. Rather than accept the familiar trade-off between speed and control, he built an automated delivery controls framework, a precursor to his Continuous Compliance Control Protocol (C3P), that replaces manual gates with embedded, machine-verified checks. C3P ties each release directly to the business request behind it, blocks any code that hasn't been tested and peer-reviewed, and generates a tamper-evident record at every stage. No retrospective paperwork, no hoping the documentation matches reality.

“The old model treats compliance as something bolted on top of engineering,” Gresham says. “C3P weaves it into the process itself – evidence gets produced automatically, as a byproduct of doing the work, not assembled weeks later by a team chasing paperwork.”

Turning controls into a solvable engineering problem, a small team of engineers spearheaded the rollout, expanding the framework across roughly 20 internal teams and around 100 separate applications. Internal audit, traditionally cautious about engineer-led initiatives, reviewed the framework independently and gave it formal endorsement. What once took months per release shrank to minutes, and the quality of compliance evidence improved in the process.
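The three properties the article attributes to C3P (a release is tied to the business request behind it, code without passing tests and an independent peer review is blocked, and every decision leaves a tamper-evident record) can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not C3P's specification, the bank's pipeline, or any code Gresham has published, and the field names, the `Change` record and the sample changes are constructed for the example. The ledger is a SHA-256 hash chain: each entry commits to the previous entry's hash, so editing any earlier record breaks verification of everything after it.

```python
"""Illustrative release gate with a hash-chained evidence ledger.

Added example for this article, not C3P's own code. It models three checks
the article names (business-request traceability, tests passed, independent
peer review) and records every gate decision in a tamper-evident chain.
All field names and sample changes below are constructed for the example.
"""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # previous-hash value for the first ledger entry


@dataclass
class Change:
    change_id: str
    author: str
    request_id: Optional[str]          # business request (ticket) the change traces to
    tests_passed: bool
    reviewers: List[str] = field(default_factory=list)


@dataclass
class Ledger:
    entries: List[Dict] = field(default_factory=list)

    @staticmethod
    def _digest(body: Dict) -> str:
        # Canonical JSON so the same content always hashes identically.
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: Dict) -> Dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"prev": prev, **event}
        entry = {**body, "hash": self._digest(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every hash and link; False if any entry was altered."""
        prev = GENESIS
        for entry in self.entries:
            if entry["prev"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "hash"}
            if self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def gate_release(change: Change, ledger: Ledger) -> Tuple[bool, List[str]]:
    """Decide whether a change may be released and record the decision."""
    failures: List[str] = []
    if not change.request_id:
        failures.append("no business request linked")
    if not change.tests_passed:
        failures.append("tests not passing")
    if not [r for r in change.reviewers if r != change.author]:
        failures.append("no independent peer review")
    ledger.append({
        "change_id": change.change_id,
        "author": change.author,
        "request_id": change.request_id,
        "checks_failed": failures,
        "decision": "blocked" if failures else "released",
    })
    return (not failures, failures)


if __name__ == "__main__":
    ledger = Ledger()
    # Constructed sample changes: one compliant, one that should be blocked.
    print(gate_release(Change("chg-101", "alice", "REQ-42", True, ["bob"]), ledger))
    print(gate_release(Change("chg-102", "alice", None, False, ["alice"]), ledger))
    print("ledger intact:", ledger.verify())
```

The point of the chain is not secrecy but evidence: an auditor can replay `verify()` over the exported ledger and know that the decisions shown are the ones the pipeline actually made. In practice the ledger would be written to append-only storage and the chain head signed or anchored externally, so that a party with write access to the store cannot simply rewrite the whole chain.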

The unpopular call that saved a regulator-watched platform

Building a faster compliance pipeline was one kind of challenge. Inheriting a platform that regulators were already scrutinizing was another.

After moving to the US, Gresham took responsibility for an AML policy-critical system that had been underperforming. Stakeholders across the business wanted new features. He told them no – all feature work stopped while the team shifted its energy to diagnosing and repairing the underlying architecture. The first investments went into test automation, continuous integration and delivery tooling, and resilience verification in live environments, capabilities the platform had entirely lacked. Client data that had lived on mainframes moved to Azure-hosted microservices, structured around CQRS to cut ties with fragile legacy layers.

Numbers, not adjectives, told the story of what followed: annual operating costs came down by roughly a quarter, about two million dollars, while the system's downtime dropped materially. Both user and engineering satisfaction increased dramatically.

"Everybody wanted features," he recalls. "I told them we'd fix what we had first. That decision was unpopular until the numbers came back."

AI agents make the audit problem worse

Manual compliance already struggles to keep pace with human developers. Now, AI coding agents write code, generate tests, review pull requests, and draft requirements, multiplying the volume of changes that need traceable, verifiable records. Speed goes up. So does risk.

While applying C3P concepts to GPU-based AI agent environments, Gresham ran into a specific and largely unnoticed problem: widely used monitoring software produces inaccurate readings for key metrics on ARM-based chips and unified-memory hardware. In practical terms, the telemetry behind an organization's compliance records can be silently wrong.

His response was nv-monitor, the most popular of seven open-source tools he has published in 2026. nv-monitor is built specifically for GPU performance observability. Packaged as a single, dependency-free binary that exposes accurate GPU data through a Prometheus endpoint on both x86_64 and ARM64, it consumes roughly one-seventh to one-tenth the CPU overhead of comparable solutions. Since its release, nv-monitor has collected more than 200 stars on GitHub, and a LinkedIn post describing the project drew over 100,000 impressions – a signal that the problem resonated far beyond his own infrastructure.

“We found that standard tools were feeding inaccurate data into the very systems organizations rely on for audit records,” Gresham says. “Any regulated company running AI workloads on modern hardware needs to verify whether its telemetry is telling the truth.”
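Verifying "whether its telemetry is telling the truth" starts with cheap plausibility checks on the scraped data itself. The checker below is an added example written for this page, not nv-monitor's code or the monitoring software the article refers to. It parses the Prometheus text exposition format that any `/metrics` endpoint serves, then flags samples that cannot be physically true: utilization outside 0..100%, memory used exceeding memory total, and NaN or infinite values. The metric names, labels and the sample scrape are constructed for the example; a real deployment would substitute the metric names its exporter actually emits.

```python
"""Plausibility checks on Prometheus-format GPU telemetry.

Added example for this article, not nv-monitor's own code. It parses the
Prometheus text exposition format and reports samples that cannot be true,
so that wrong telemetry is caught before it becomes compliance evidence.
Metric names, labels and the sample scrape below are constructed.
"""
import math
import re
from typing import Dict, List, Tuple

# One sample line: name{labels} value  (labels optional, timestamp ignored).
_SAMPLE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(\{[^}]*\})?\s+(\S+)')
_LABEL = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="([^"]*)"')

Series = Tuple[str, Tuple[Tuple[str, str], ...]]

# Constructed sample scrape: gpu 0 is plausible, gpu 1 reports impossible values.
SAMPLE_SCRAPE = """\
# HELP gpu_utilization_percent GPU busy percentage
# TYPE gpu_utilization_percent gauge
gpu_utilization_percent{gpu="0"} 63
gpu_utilization_percent{gpu="1"} 140
gpu_memory_used_bytes{gpu="0"} 4294967296
gpu_memory_total_bytes{gpu="0"} 8589934592
gpu_memory_used_bytes{gpu="1"} 9000000000
gpu_memory_total_bytes{gpu="1"} 8589934592
gpu_temperature_celsius{gpu="1"} NaN
"""


def parse_exposition(text: str) -> Dict[Series, float]:
    """Parse exposition text into {(metric name, sorted labels): value}."""
    samples: Dict[Series, float] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _SAMPLE.match(line)
        if not m:
            raise ValueError(f"unparseable sample line: {line!r}")
        name, raw_labels, raw_value = m.groups()
        key = (name, tuple(sorted(_LABEL.findall(raw_labels or ""))))
        if key in samples:
            # Two values for one series means the exporter is double-reporting.
            raise ValueError(f"duplicate series: {name}{raw_labels or ''}")
        samples[key] = float(raw_value)  # "NaN" and "+Inf" parse as floats
    return samples


def check_gpu_telemetry(samples: Dict[Series, float]) -> List[str]:
    """Return a sorted list of findings; empty means every sample is plausible."""
    findings: List[str] = []
    by_gpu: Dict[str, Dict[str, float]] = {}
    for (name, labels), value in samples.items():
        gpu = dict(labels).get("gpu", "?")
        if not math.isfinite(value):
            findings.append(f"gpu={gpu}: {name} is {value}")
            continue
        by_gpu.setdefault(gpu, {})[name] = value
    for gpu, m in by_gpu.items():
        util = m.get("gpu_utilization_percent")
        if util is not None and not 0 <= util <= 100:
            findings.append(f"gpu={gpu}: utilization {util:g}% outside 0..100")
        used, total = m.get("gpu_memory_used_bytes"), m.get("gpu_memory_total_bytes")
        if total is not None and total <= 0:
            findings.append(f"gpu={gpu}: memory total {total:g} B is not positive")
        if used is not None and total is not None and used > total:
            findings.append(f"gpu={gpu}: memory used {used:.0f} B exceeds total {total:.0f} B")
    return sorted(findings)


def validate_scrape(text: str) -> List[str]:
    """Parse one scrape and return its findings."""
    return check_gpu_telemetry(parse_exposition(text))


if __name__ == "__main__":
    for finding in validate_scrape(SAMPLE_SCRAPE) or ["all samples plausible"]:
        print(finding)
```

Checks like these only catch values that are impossible on their face; a reading that is wrong but within range (the case the article describes) needs a second, independent source to compare against, such as a reading taken with a different collection method on the same device. Running both and alerting on persistent disagreement is the telemetry analogue of the independent peer review in the release gate.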

Lottery terminals and trillion-dollar platforms

What ties these efforts together (automated compliance in banking, platform turnarounds under regulatory pressure, and chain-of-custody telemetry for AI) is a career-long habit of working in environments where failure is immediate and public.

Early in his career, Gresham helped build the planning and deployment software behind the UK National Lottery's physical network: roughly 10,000 terminals installed and tested across the country within a nine-month window before the first live draw was broadcast in November 1994 to an audience of more than 22 million. There was no contingency plan. If the network didn't work on launch night, the program failed in full public view.

Taking time out of banking, he served as Group CIO at Wallem Innovative Solutions, a maritime services operation headquartered in Hong Kong, where he oversaw technology strategy for more than 1,000 corporate employees and over 8,000 operational users. At Samsung Securities, also in Hong Kong, he took charge of global IT and stabilized critical trading infrastructure under strict regulatory oversight. Each context differed (telecom, shipping, capital markets), but the underlying discipline stayed constant.

“Whether it's lottery terminals, trading infrastructure, or AI agents, the question that matters doesn't change,” he says. “What happens when this fails at three in the morning, and nobody is watching?”

An audit gap that compounds

Grant Thornton's survey reveals a detail that deserves more attention than the headline number: the gap between piloting AI and governing it does not grow linearly; it compounds. Among the 28 early-stage respondents, not one expressed confidence in passing an audit. For organizations with fully integrated AI, that figure jumps to 74%. Between those poles sits the vast majority: companies adding AI initiatives without building the governance infrastructure to account for them. Each ungoverned deployment makes the next one harder to control.

Gresham's advisory practice targets exactly that space. His firm works with organizations to embed verifiable, audit-ready controls into their software delivery and AI operations, bring stability to troubled platforms, and make release cadences predictable and measurable. Gresham also acts as a board advisor to TMA Solutions, a firm with some 4,000 engineers globally, and recently joined transient.ai, a Series A-funded fintech startup, as a board advisor. His role at transient.ai ties directly into C3P: he will work closely with the CTO Office and AI Lab to help shape the company's technology strategy, AI governance framework, and enterprise architecture as it builds trusted AI solutions for complex and regulated financial markets. C3P, currently in its final draft form, is being prepared for broader publication and potential peer review through academic journals and industry conferences.

Whether the industry acts quickly enough remains uncertain, but for companies still treating compliance as something to worry about after deployment, Grant Thornton's data offers a clear warning: the clock is already running, and with every ungoverned AI initiative, the cost of catching up gets steeper.
