The Hidden Project

Governance is what you write. Proof is what survives the room.

Grant Thornton's 2026 AI Impact Survey asked executives a question that sounds procedural and is actually existential: if an independent auditor showed up and asked you to prove your AI governance works, could you pass within 90 days?

78% said they lack strong confidence they could.

Sit with the shape of that number. These are not organizations without AI governance. Most of them have the policy. They have the responsible AI principles with the logo in the corner, the steering committee with the recurring invite, the slide that says "human in the loop." What they told Grant Thornton, in effect, is that none of it would survive contact with someone whose job is to check.

That gap between having governance and being able to demonstrate it has a name, and it is the hidden thing this issue is about.

Governance is what you write. Proof is what survives the room.

The same survey holds the other half of the paradox. Organizations that have fully integrated AI into how they operate are roughly four times more likely to report AI-driven revenue growth than everyone else. So the data describes two very different kinds of company. One has documents about AI. The other has evidence. The documents company is nervous about audits. The evidence company is growing.

What mortgage taught me about proof

I learned the difference between governance and proof in an industry that settled this question decades before AI made it urgent.

When I came back to tech in 2019, I joined DocMagic as a Senior Solutions Engineer in regulated mortgage fintech, working with enterprise lenders like Chase, Bank of America, and Wells Fargo. Mortgage has a property most industries never have to think about: the paperwork is not documentation of the asset. The paperwork is the asset. A promissory note is worth hundreds of thousands of dollars precisely because of what can be proven about it. Who signed, when, in what order, and whether anything changed since.

My job was driving eClosing adoption, moving lenders from paper closings to digital ones. The technology was never the hard part. Digital signatures had been legally valid since 2000, and the demos worked. The hard part was that a digital note is only worth its face value if the evidence around it holds up years later, in a foreclosure courtroom, in front of a judge, examined by a lawyer whose entire strategy is finding one gap in the chain of custody.

So that became the actual sale. Not the workflow, not the speed, not the signing experience at the closing table. The audit trail. Every signature event logged and timestamped. Every document tamper-sealed. The ability to produce, on demand, the complete evidentiary record of one specific loan from three years ago, in minutes rather than weeks.

The lenders who adopted, and we reached 85% eClosing adoption across enterprise clients, did not adopt because we argued well. They adopted when their compliance teams tried to break the evidence and could not. Nobody bought the policy. They bought the proof.

Enterprise AI is standing exactly where mortgage stood then. The policies exist. The technology works. And the deciding question is shifting from "do you have governance?" to the one auditors have always asked: "can someone produce the artifact?"

The four rooms

Every enterprise AI program eventually has to survive four rooms. Not metaphorical rooms. Actual meetings, with actual people who can stop you.

The strategy review. Someone senior asks what the AI program produced last quarter, in revenue or cost, and whether each active initiative has a measurement target that decides if it scales or stops. Activity reports do not survive this room. Numbers do.

The boardroom. Someone asks what exactly the board approved, whether AI risk is part of ongoing oversight or was a one-time blessing attached to the investment, and which single named executive is accountable for AI outcomes across the organization. "It's a shared responsibility" is a sentence that has never once survived this room.

The audit. A customer's security team, a regulator, or an acquirer's diligence team asks how your AI made a specific decision last Tuesday. Not in general. That decision, that day, with the decision logs, data lineage, and model change history to back it up.

The incident call. The model is wrong in production, a customer is affected, and it is 6:40 on a Friday evening. Someone has to know who gets the call, and the response playbook has to have been rehearsed, not just written.

Those four rooms map to four domains: strategy and measurement, board and governance, evidence and audit trail, and operations and incident readiness. I turned them into a twelve-question self-assessment you can take in about three minutes. It runs entirely in your browser and stores nothing. One scoring rule matters more than the rest: "not sure" counts as no, because in an audit, it is.

The score lands you in one of four tiers. Audit-ready is the small minority that could face an independent review with confidence. Proof gaps means the program is real but the evidence is thinner than the activity; you would survive a friendly review and struggle in a hostile one. Activity without evidence means AI is genuinely happening at your organization, but very little of it could be explained, measured, or defended under scrutiny. That is where Grant Thornton's 78% live. And Exposed means the honest answer to an audit request, right now, is silence.

Proof is not the tax. It is the engine.

The instinct is to file all of this under compliance: a tax you pay after the real work, a checkbox exercise for the lawyers. The Grant Thornton data argues the opposite, and it is the most interesting thing in the survey.

The organizations roughly four times more likely to report AI-driven revenue growth are the ones that fully integrated AI into operations. You cannot fully integrate what you cannot measure, assign, and defend. Look at what the artifacts actually are. A measurement target that decides scale-or-stop is simultaneously audit evidence and portfolio management. A named accountable executive is simultaneously a governance answer and the reason decisions take days instead of quarters. Decision logs are simultaneously an evidence trail and the debugging data your engineers wish they had. The audit discipline and the growth discipline are the same discipline wearing different badges.

Proof is also becoming a sales asset. Nearly every enterprise deal now routes through a security review, and AI usage questions have moved to the front of the questionnaire. The vendor who can produce evidence in days closes while the vendor assembling a war room is still drafting the response. I watched this exact dynamic play out in mortgage: proof discipline started as a defensive requirement and quietly became the price of entry, and then a differentiator, because it is the one thing a competitor cannot fake on short notice.

What this means on Monday morning

Start by taking the assessment yourself, honestly. Twelve questions, three minutes, and the score is the diagnosis.

Then do the thing that actually generates information: have each member of your leadership team take it separately and compare scores. The number matters less than the divergence. If your CIO scores the evidence domain at 3 and your CISO scores it at 1, that argument is the most valuable meeting on your calendar this quarter. One of the twelve questions asks whether the people who run your operations agree with the people who built the AI that the workforce is ready for it. In my experience, those two groups often do not even agree on what was deployed.

Close the weakest domain first, and resist the urge to close it with more writing. Every domain closes with artifacts, not documents. A tested incident playbook, not a written one. A decision log someone actually produced on demand, not a logging policy. A measurement target with a kill threshold attached, not a benefits narrative.

And watch the quiet question at the end of the twelve: when an AI pilot ends, is there a defined path to production with named owners and dates? Pilots without exit criteria are how a program accumulates activity without evidence, one proof of concept at a time, each one approved, none of them defensible.

This is also exactly the gap the AI Strategy + Proof offers exist to close. The 90-Day Proof Sprint moves one use case from pilot to defensible production with the evidence pack an auditor, acquirer, or enterprise customer would accept. The Board Answer Kit turns the six questions your board should be asking into gap-scored answers with named owners. The Kill List triages every active initiative into scale, fix, or kill, with the measurement targets that decide. Bring your assessment score to a working session and leave with the order of operations.


For those who made it this far, three questions worth carrying into your next leadership meeting:

  1. Which of our AI initiatives would we kill today if we measured them honestly?
  2. If a customer audits us next quarter, who produces the artifacts, and what do they actually send?
  3. Who gets the call when the model is wrong, and have we ever rehearsed it?