github enforce separate approval

Why does CI/CD stop short of compliance?

Why does CI/CD stop short of compliance?

If your delivery pipeline produces working software but you still spend weeks assembling audit evidence, the pipeline isn’t finished.

If you work in software, you have heard of CI and CD. Continuous integration means every change a developer commits is automatically built and tested against the rest of the codebase, all the time, so problems surface immediately rather than at the end of a sprint. Continuous delivery means the artifacts that come out of CI can be deployed to customers, on demand, with confidence — no late-night panic, no last-minute “let’s ship it on Friday and pray.”

This is now standard practice. Every serious engineering organization, regulated or not, runs some version of CI/CD. The technology is mature, the patterns are well-understood, and the benefits are obvious: faster feedback, fewer integration disasters, more reliable releases.

Here is the question regulated organizations should be asking but rarely are:

If your pipeline produces tested code continuously, and deployable software continuously, why does it not produce audit evidence continuously?

That is the gap CI/CD/CC closes. The third C — continuous compliance — extends the same engineering discipline to the body of evidence that proves the software did what it was meant to do.

What “delivery” doesn’t cover

Continuous delivery is about getting working software into customers’ hands. That is enormously valuable, but it is not the whole job in a regulated setting. In financial services, healthcare, and other tightly governed industries, you also have to prove — to internal audit, to regulators, to your own board — that every change was authorized, reviewed, tested, and deployed by the right people, in the right order, with verifiable provenance.

Today, in most organizations, that proof is assembled retrospectively. A team gets a notice that the audit is in six weeks. People drop what they were doing and start gathering screenshots, exporting logs, hunting down approvers, reconstructing the chain of custody from whatever fragments remain. The evidence is real. The reconstruction is expensive, demoralizing, and unreliable.

The reason this happens is not laziness, and it is not a tooling deficit. It is that the pipeline was never designed to produce the evidence as a first-class output. The pipeline produces working software. The evidence is somebody else’s job.

And the “somebody else” is, almost without exception, not an engineer. We cannot reasonably expect auditors to be top software engineers any more than we can expect them to be top financial analysts. Auditors are experts in controls. That is the discipline they bring. What they need is evidence that the experts performed the process those experts agreed would ensure quality. They are not trying to second-guess the engineering decisions. They are trying to verify the controls were followed. That is a different job, with different evidence requirements — and the design of CC has to take it seriously.

What CC actually means

Continuous compliance, as I define it, comes down to four things.

1. Every artifact in the pipeline is linked to the business decision that authorized it. From the original change request, to the requirement, to the code, to the review, to the build, to the test, to the deployment. The links are recorded as the work happens — not reconstructed later.

2. Every link is verifiable. Cryptographically where possible (commit hashes, signed artifacts, immutable audit logs), procedurally where it has to be (named approvers, role-segregated workflows). At any point in the chain, you can prove who did what, when, and on what authority.

3. The systems that record this are operated by people who do not write the application code. This is the principle of control-plane separation. A team cannot self-certify its own pipeline; the evidence has to be produced by infrastructure the team does not control. This is the organizational analogue of cryptographic tamper-evidence.

4. The evidence is produced as a release-time artifact, automatically. Every release ships with an “evidence pack” — a compact, queryable record of the entire chain. Not assembled. Generated.

When all four are in place, the pipeline produces its own audit evidence as it runs. Where they’re missing, you tend to find the same symptom — six weeks of audit-prep scramble nobody planned for.

What this looks like in practice

What does CI/CD/CC look like when you actually wire it up? Briefly: at every stage of the pipeline, the system records its own provenance. Source control enforces named-reviewer gates before code can merge. Build artifacts carry cryptographic digests of the reviewed source. Deployment is gated on test passage and explicit, role-segregated approval. A four-actor pattern — Coder, Reviewer, Platform Engineer, SRE — keeps no single person able to break the chain.

The point is not that any of this is exotic. It isn’t. It’s achievable today with off-the-shelf platform tools — the same source control, container, and orchestration systems most engineering organizations already run. The work is in the discipline of designing the pipeline this way from the start, not in adopting any specific new technology. More on what this looks like in practice in future posts.

Why this matters now

Three things have happened simultaneously that make CI/CD/CC urgent rather than aspirational.

First, deployment frequency in regulated industries has genuinely accelerated. Financial institutions, hospital systems, and infrastructure operators are now shipping production changes at rates that were unthinkable five years ago. Traditional retrospective compliance, already strained, is becoming non-functional at the pace of modern delivery.

Second, AI agents are increasingly part of the pipeline. They are writing code, reviewing pull requests, generating tests, drafting requirements. Every property of the chain of custody that mattered for human-led work matters more for AI-led work — because the volume is higher, the variation is wider, and the human ability to spot anomalies in real time is correspondingly lower. Without CC, AI accelerates everything in the pipeline, including everything that goes wrong with it.

Third — and this is the change that completes the picture — AI now allows us to automate work that, two years ago, only humans could do. Spot-checking requirements documents, test plans, and audit artifacts used to be a deeply manual chore. Even the most disciplined organizations could only afford to sample roughly 1% of their output for human review. With modern AI, we can review 80–90% of that material with high accuracy and surface anomalies in the remainder. The expensive expert can be deployed on the exceptions, not on finding a needle-in-a-haystack by re-reading the 80% that turns out to be fine. This changes the economics of compliance entirely. For the first time, the controls themselves can scale with the delivery.

The reframe

CI made building software predictable. CD made shipping software safe. CC makes governing software auditable in real time, by design, as a continuous output rather than a quarterly fire drill.

Three Cs. One pipeline. The case for it has been quietly building for a decade. The arrival of AI in the delivery loop has just made it impossible to keep ignoring.

The next post in this series sits with the question of what a continuous-compliance audit conversation actually looks like in practice.

Paul Gresham is the creator of C3P (Continuous Compliance Control Protocol) and founder of Paul Gresham Advisory LLC. He has spent thirty-five years building and governing software in regulated industries, with senior technology leadership roles at global financial institutions. He writes about continuous compliance, software engineering controls, and AI governance.

If You Have Any Questions,
Get in Touch

Let's Work Together
Scroll to Top