This piece first appeared on THE RISK REALIST.
Over the last several months, 200+ SOC 2 reports landed in vendors' security questionnaire responses. Clean. Professional. Stamped by a CPA firm. Every control marked compliant. No deficiencies.
The problem?
The audit, the board meeting, the control testing, and more never happened.
The evidence was generated automagically by a platform. There are many platforms like it, but one was recently highlighted. The 2-3 primary auditors were allegedly an offshore certification mill operating through a US shell company. And hundreds of companies just like it are now nervous, sitting with the exact same attestation and, consequently, the same false sense of attestation confidence.
This story isn’t hypothetical. You might have seen it first in the “DeepDelver” Substack article titled “Delve - Fake Compliance as a Service - Part I” or in a syndicated headline. The TL;DR: in the anonymous Substack post, the author (allegedly a former customer working with a team of other customers) accused compliance startup Delve of falsely convincing customers they were compliant with privacy and security regulations, potentially exposing the customers to criminal liability and fines. Here, I don’t want to over-focus on Delve itself; I won’t waste time recapping the alleged leak.
I’m here to talk about what it reveals about a broader industry pattern, the risk that other instances exist, who gets hurt, who holds accountability, and what actually needs to change.
Delve didn’t invent the playbook. They just ran it fastest and got caught.
Here’s the business model that created this situation:
Companies need compliance certifications to close enterprise deals. The process is painful, slow, and expensive. Many tech-focused start-ups don’t have a great attention span for repeatable controls that get in the way of scrum cycles. A wave of GRC automation platforms emerged to solve that. They promise AI-driven evidence collection, automated control mapping, and audit-ready reports in a fraction of the time.
The market rewarded speed. Undiscerning buyers rewarded speed. Auditors, apparently, rubber-stamped speed, turning a blind eye to what was actually happening rather than honoring the credibility of their profession.
Nobody rewarded substance. And it is hard to do so if you don’t have the money or time for substance, which is a challenge plaguing many startups and fast-growing SaaS companies.
When the incentive structure rewards getting a certificate faster and cheaper, and when the certificate itself is the deliverable rather than the security posture behind it, you’ve built a system that naturally selects for speed over reality.
Delve is the first and most visible example to get called on it. But the conditions that allowed Delve to operate are pervasive across the industry. The compliance automation space has a structural conflict of interest baked into its core: the platform that helps you become compliant has a financial incentive for you to appear compliant as fast as possible. Every additional month of work is friction on the sale and a delay in the net revenue that closing out the engagement brings in.
That tension doesn’t disappear with better intentions. It requires structural guardrails that most of the market hasn’t demanded yet.
Let’s walk through every party in this ecosystem and be honest about the risks, and more importantly, the responsibilities and changes that need to emerge.
1. Corporations (The Supply Chain Risk Overseers)
The risk: You didn’t use Delve or a similarly concerning provider... but your vendor did. And that’s exactly the problem.
When you reviewed that SOC 2 report or accepted their completed security questionnaire, you made a business decision: this vendor has an acceptable security program. If that report was generated by a platform that pre-populated evidence, rubber-stamped policies, and produced a certificate with no real controls behind it, you made that decision on fiction. You were misled.
So the question arises: how can companies discern the high-quality SOC 2 auditors and credible automation platforms from the ones that have chosen to cut corners?
The real challenge with third-party risk management as a practice is that many companies have hundreds, if not thousands, of third-party providers. If you are going to invoke your audit clause and pop open the hood, your internal audit group can maybe handle 5-10 vendor audits per year, tops! And if a critical vendor experiences a breach, a regulatory audit, or a contract dispute, your due diligence record is now exhibit A.
SOC 2 and ISO 27001 reports carry weight because they imply a real audit process. When that process is compromised, the assurance evaporates. The compliance certificate doesn’t protect you. A potentially fabricated one makes your exposure worse.
What Supply Chain Risk Teams Should Do
The ultimate credibility buck stops with you, not your vendor. You relied on that report to make a risk decision. Own that — and make sure the assurance you’re accepting is actually worth something.
2. SaaS Companies
The Risks
Many of the companies affected by the Delve situation are SaaS businesses that process sensitive data. This includes those with protected health information for millions of US citizens. They pursued compliance in good faith to unlock enterprise deals. What they got was a liability.
If your SOC 2 or HIPAA certification is later found invalid, the enterprise contracts that required it become legally complicated. Worse, if you suffered an incident during the period your controls weren’t what the report claimed, your insurance coverage could be challenged. And if you’re processing PHI, HIPAA enforcement doesn’t accept “the platform told us we were compliant” as a defense.
There’s also a market trust problem. Every fake certificate in circulation makes the real ones slightly less trustworthy. That’s bad for the entire vendor ecosystem as well as the AICPA (the American Institute of Certified Public Accountants), which will hopefully launch broader investigations and conduct their own diligence to protect what’s left of the SOC 2 credibility.
What SaaS Companies Should Do
3. Compliance Automation Firms
The Risks
The Delve situation is a reputational crisis for the entire compliance automation category. Every legitimate vendor in this space is now operating in a market where buyers have reason to be skeptical, as they should be. Program leaders should be pushing for helpful and meaningful automations while stopping short of anything being sold as ‘automagic.’
The risk isn’t just reputational. If regulators or standard-setting bodies respond to this scandal with new requirements around auditor independence from platform vendors, the compliance automation business model shifts significantly. Platforms that built revenue on bundled audit relationships may find that model foreclosed.
There’s also a competitive risk for the honest players: when the market doesn’t distinguish between real automation and fake/deceptive automation, pricing and positioning get distorted. Bad actors drag down the whole category.
What Compliance Automation Firms Should Do
4. Auditors
The Risks
The auditor’s signature is the entire basis of trust in the SOC 2 framework. When an auditor rubber-stamps a report they didn’t write, evaluating evidence they didn’t independently verify, they haven’t just cut corners. They’ve committed fraud against every party that relied on that attestation.
The DeepDelver investigation details a network of audit firms seemingly operating as US shells for offshore certification mills that signed reports effectively pre-written by Delve. Under AICPA’s AT-C Section 205, independence isn’t optional. It’s the structural requirement that gives the report any meaning at all.
The individual and firm-level consequences for auditors who participated are serious: license revocation, AICPA disciplinary action, civil liability from affected parties, and potential criminal exposure depending on jurisdiction. The broader risk: if this pattern is as widespread as the reporting suggests, the SOC 2 framework itself faces a credibility crisis the AICPA will have to address head-on.
What Auditors Should Do
5. The AICPA
The Risks
The AICPA owns the SOC 2 framework. To me, that means when the framework is exploited at scale, the AICPA has a governance problem, whether or not they created it.
The current standards assume auditor independence as a given. They were not designed for a world where a well-funded SaaS company can systematically insert itself into the audit process, generate pre-drafted conclusions, and outsource the signature to a low-cost certification shop operating behind a US address.
If the AICPA doesn’t respond visibly and substantively to this situation, they risk the erosion of SOC 2’s credibility as a meaningful standard. Enterprise security teams will start requiring supplemental validation. Regulators may step in with mandatory frameworks that supplant voluntary ones. The market for SOC 2 attestation could fracture — meaningful reports from reputable firms, and paper from the mills.
What the AICPA Should Do
The standards have to keep pace with the business models that operate around them. That’s not bureaucratic overhead, it’s the work that keeps the framework legitimate.
6. Investors
The Risks
Venture capital and growth equity investors don’t fund companies to commit fraud. But they do fund companies to grow fast. And in compliance tech, those two things can get dangerously close.
Delve raised $3.3M in seed funding backed by Y Combinator, General Catalyst, and Funder’s Club before closing a $32M Series A led by Insight Partners at a $300M valuation in July 2025. The pitch was compelling: a profitable, fast-growing AI startup helping companies eliminate compliance busywork. What wasn’t visible from the cap table: whether the compliance outcomes being sold were real.
The structural problem is this: investor incentives in high-growth SaaS almost always optimize for speed to revenue, customer logo accumulation, and ARR growth. In most markets, that’s fine. In compliance, where the product’s entire value proposition rests on the integrity of the outcome, that optimization pressure can quietly become the business model.
When Insight Partners scrubbed their investment thesis article from their website within days of the allegations surfacing, it was a signal that someone understood the exposure. It wasn’t absolution.
What Investors in Compliance, GRC, and Security Tech Should Do
Audit the “audit” (or product output/results) before you write the check. Due diligence in compliance tech needs to go beyond ARR growth and customer logos. Commission an independent technical review of a sample of customer compliance outputs before leading a significant round. If the product claims to achieve SOC 2 in days with minimal client effort, someone should verify those certifications would survive regulatory scrutiny, not just a demo environment.
Separate growth metrics from outcome metrics. Customer count and revenue growth confirm the sales motion is working. They don’t confirm the product is working. In regulated domains, investors should require outcome-based KPIs as part of portfolio monitoring: audit pass rates, findings from independent validators, renewal data tied to actual compliance events rather than certificate generation. If a portfolio company can’t answer those questions, that’s material.
Use board seats to install domain-credentialed oversight. A compliance SaaS company with no independent compliance expertise at the board level is a governance gap. Investors who take board seats in regulated-domain software companies should push for advisors or directors with real domain credentials, not just GTM and financial operators. The board is the last structural check before the market finds out the hard way.
Here’s the thing about third-party risk management that the Delve story illustrates perfectly:
When organizations use a vendor’s SOC 2 report as a substitute for actual due diligence, they’re outsourcing their judgment to a framework. And as it turns out, sometimes they’re outsourcing that judgment to a platform that fabricated the evidence behind the framework.
A compliance certificate is not a risk assessment. It never was.
The organizations that got hurt here are the ones who treated the certificate as the endpoint. The right model treats it as one data point in a broader picture: What does this vendor actually do with my data? What controls are operationally verified versus just documented? What happens if those controls fail?
That’s not a reason to stop using compliance certifications. It’s a reason to use them correctly: as a floor, not a ceiling.
Third-party risk management that actually works asks harder questions than “do they have a SOC 2?” It asks: who audited it, when, and under what circumstances? What’s the scope? What exceptions or qualifications exist? Have we verified any of these controls independently for our highest-risk vendors?
Most organizations don’t do that work. Delve’s customers didn’t need Delve to cut corners for this to be a problem — the corners were already being cut by the buyers who never looked past the certificate. That’s an uncomfortable truth we need to face collectively.
The compliance automation category was built on a real problem: compliance is painful, expensive, and often disconnected from actual security outcomes. That’s true. The solution to that problem is not fake evidence and rubber-stamp auditors. But it’s also not a return to manual spreadsheets and $500-an-hour consultants billing months of prep work.
The solution is a higher standard from buyers who ask harder questions, from auditors who enforce independence even when it’s inconvenient, from platforms that compete on the quality of the security programs they help build rather than the speed of the certificates they help generate, and from the AICPA, which has a governance responsibility it can’t defer.
The Delve situation will play out in the press, in regulatory actions, and probably in courts. That’s appropriate. But the structural conditions that created it won’t be resolved by holding one company accountable. They’ll only change when every party in the ecosystem has skin in the game.
Compliance as theater has always been the path of least resistance. The question is whether this moment creates enough friction to make substance more attractive.
I think it can. But only if the right people decide to demand it.
Need some support asking and answering your tough GRC questions? Book a scoping call with me to get started.