Delve: when compliance "in a few clicks" turns out to be hot air
A 300-million-dollar startup accused of fabricating compliance certifications. Hundreds of companies potentially exposed. And a lesson the cybersecurity world stubbornly refuses to learn.

A 300-million-dollar startup accused of fabricating security certifications. Hundreds of companies potentially exposed. And a lesson the cybersecurity world stubbornly refuses to learn.
You are the founder of a B2B startup. Your enterprise prospects ask you for a SOC 2 Type II before they sign. An ISO 27001. Maybe a HIPAA if you touch healthcare. The classic process? Months of work, tens of thousands of euros, and enough documentation to make an archivist cry.
And then someone tells you about Delve. Backed by Y Combinator. 32 million dollars raised in Series A. Valued at 300 million. More than 1 700 clients claimed across 50 countries. The pitch: connect your tools, let the "agentic" AI do the work, get your certification in a few days.
Too good to be true? Apparently, yes.
What set the fire
On 18 March 2026, a pseudonymous account, DeepDelver, published a devastating article on Substack titled "Fake Compliance as a Service." This was not a rant on a forum. It was a structured investigation, with screenshots, archived documents and an entire evidence file hosted on Mega.nz.
The author presents themselves as a former client. Not a competitor, not a journalist. A client who paid for the service and who, along with other companies in the same situation, decided to dig.
Their conclusion is unequivocal: Delve does not do automated compliance. Delve does automated compliance theater.
The accusations, point by point
DeepDelver's article is long, detailed and methodical. Here is the essence.
Reports generated before the client had even provided their data. The audit conclusions, the test procedures and the final reports were reportedly produced by Delve itself, before any independent review. Which, in the world of auditing, is called a total inversion of the process. When it is the audited platform that writes the auditor's report, you are no longer doing compliance. You are doing comedy.
Near-identical templates from one client to the next. Of 494 SOC 2 reports examined, 493 were reportedly practically identical, same wording, same grammatical mistakes. Absurd test values like "g," "sdf" or "Render" were reportedly still lying around in supposedly finalized reports. This is a long way from the revolutionary AI promised in the pitches.
Fabricated evidence. Minutes of board meetings that reportedly never took place. Employee training that was never delivered. Pre-filled vulnerability scans. The client had a choice: accept the templates as they were, or do the work manually, which cancelled out the entire point of the platform.
Two audit firms for everyone. Nearly all clients were reportedly steered toward Accorp (for SOC 2) and Gradient (for ISO 27001), described as two linked entities operating mainly out of India, with a nominal presence in the United States. The role of these firms? To stamp reports already written by Delve.
Misleading Trust Center pages. The public portals displaying the security status of Delve's client companies reportedly listed controls as "live monitored" that had never been implemented. In plain terms: a security storefront with nothing behind it.
The cherry on top: security flaws as a bonus
As if the accusations of fictitious compliance were not enough, the affair took on an additional dimension. An X user named James Zhou claimed he had been able to access sensitive Delve information: employee background checks, stock vesting schedules. The founder of Dvuln, Jamieson O'Reilly, then detailed what he described as "several gaping holes in Delve's external attack surface."
The irony is almost too perfect. A company that sells compliance in IT security and that reportedly has security holes of its own in its own infrastructure. You cannot make this up.

Delve's response: "These are just templates"
On 20 March, Delve published a blog post titled "Response to Misleading Claims." The defense rests on three arguments: Delve does not issue compliance reports, it is an automation platform. The auditors are independent and accredited. And the templates are "starting points" that the client is supposed to customize.
CEO Karun Kaushik sent an email to clients calling the accusations "falsified" and suggesting that the article might be AI-generated.
DeepDelver's rebuttal, relayed by TechCrunch, was not long in coming: they say they were "stunned by the laziness and the nerve" of the response, noting that Delve calls "templates" what are in reality pre-filled evidence, and shifts the responsibility onto the clients who adopted them as they were. The startup claims it does not "issue" the reports, which is easy to argue if you define issuing as applying the final stamp. But when you generate the auditor's conclusions, the test procedures and the final report before any independent review, you are both the implementer and the examiner. And that is the exact inversion of what compliance is supposed to guarantee.
The most serious allegations went unaddressed: the ties with the Indian firms, the actual absence of AI (Delve talks about "automations" in its response, not AI), and the Trust Center pages displaying controls that were never implemented.
One telling detail: when DeepDelver and other clients started asking questions, Delve reportedly sent them boxes of donuts. The gesture would have been touching had it not been so laughable against the scale of the problem.
The signals that don't lie
Since the investigation was published, Delve has disabled the "Book a demo" button on its site. Insight Partners, the fund that led the Series A, deleted its promotional post about the investment (the original is still visible via the Wayback Machine). And when TechCrunch tried to reach Delve through its media contact email, the message bounced back.
When your investor erases their own tracks, it is usually not because everything is fine.
Why this affair should worry you
This is not just a story about an American startup that took shortcuts. The implications are concrete and serious.
For companies using Delve that handle health data, false HIPAA compliance can lead to criminal prosecution. Not fines. Criminal prosecution. For those operating in Europe, a GDPR compliance that is only for show exposes you to fines of up to 4 % of annual worldwide revenue. And for everyone else, it is commercial credibility that is at stake. When an enterprise client discovers that your SOC 2 certificate was "generated" rather than audited, the contract usually does not survive the conversation.

The structural analysis: what this affair really says
Beyond the Delve case, this affair illustrates a systemic problem that I keep pointing to in my work: compliance is a process, not a product.
You cannot "buy" conformity the way you buy a SaaS subscription. Conformity demands a deep understanding of your business context, your data flows, your real risks. It requires controls that are tailored, tested and maintained over time. And it rests on an independent audit, the word "independent" being the key to the whole structure.
When a platform promises to automate all of that "in a few days thanks to AI," you have to ask the uncomfortable question: what is actually being automated, compliance or the appearance of compliance?
It is exactly the same pattern we see everywhere in the ecosystem: the pressure to "scale fast" pushes people to optimize the display rather than the substance. You are not protecting users' data. You are protecting the ability to sign contracts.
This is what I call, in Être en cybersécurité, "performative compliance": organizations that tick boxes to satisfy an audit, without ever embedding security into their operational culture. Delve merely industrialized that problem.
What to do if you are affected
If your company used Delve to obtain a certification, the path forward is straightforward.
Check your audit reports immediately. Compare them with those of other Delve clients if possible. If the structure, the wording and even the mistakes are identical, you have your answer. Have an independent audit carried out by a firm with no ties to Delve, Accorp or Gradient. Yes, it is going to be expensive. But that is the price of reality versus the price of illusion. Be transparent with your clients and partners: if you presented a Delve certificate as proof of conformity, it is better to get ahead of it than to wait for a prospect or a regulator to ask the question. And review your Trust Center pages. If they display controls you never implemented, remove them immediately.
The last word
Regulatory compliance is a pain. It is slow. It is expensive. And that is exactly why it has value. Because it represents a real, verifiable commitment to protecting the data of the people who trust you.
When someone promises to make that process fast, easy and cheap, the question is not "is this innovative?" The question is: what was cut to get there?
Delve wanted to disrupt compliance. So far, it has mostly demonstrated why compliance is not disrupted as easily as a meal delivery service.
The investigation continues. DeepDelver has promised a part 2. Regulatory investigations could follow. In the meantime, the message is clear: a nice certificate is worth nothing if all that sits behind it is hot air. And donuts.
Christophe Mazzola, christophemazzola.fr Author of "Être en cybersécurité". Politely paranoid, always.
Sources
- DeepDelver, 18 March 2026, "Delve: Fake Compliance as a Service, Part I" (Substack)
- TechCrunch, 22 March 2026, "Delve accused of misleading customers with 'fake compliance'"
- TechCrunch, 24 March 2026, "Insight Partners scrubs investment post about Delve amid allegations"
- Inc., 23 March 2026, "The Delve Scandal: A Y Combinator Darling Just Got Hit With a Bombshell Fraud Accusation"
- Delve, 20 March 2026, "Response to Misleading Claims"
Questions fréquentes
What is Delve and what is it accused of?
Delve is an automated compliance startup backed by Y Combinator, valued at 300 million dollars. It is accused by a former client, DeepDelver, of fabricating security certifications: reports generated before the data was even provided, identical templates from one client to the next, and pre-filled evidence.
Why is this described as an "inversion" of the audit process?
Because the audit conclusions, the test procedures and the final reports were reportedly written by Delve itself before any independent review. The audited platform becomes both the implementer and the examiner, the exact opposite of what compliance is supposed to guarantee.
What are the risks for a company that used Delve?
False HIPAA compliance can lead to criminal prosecution, a GDPR compliance that is only for show exposes you to fines of up to 4 % of annual worldwide revenue, and the discovery of a certificate that was "generated" rather than audited destroys your commercial credibility in front of enterprise clients.
What should I do if my company used Delve?
Check and compare your audit reports, have an independent audit carried out by a firm with no ties to Delve, Accorp or Gradient, be transparent with your clients and partners, and remove from your Trust Center pages any control that was never implemented.
What is the deeper lesson to draw from the Delve affair?
That compliance is a process, not a product. Conformity requires controls that are tailored, tested and maintained, and above all an independent audit. A promise to automate everything "in a few days thanks to AI" should make you ask the question: what was cut to get there?
Sources & méthodologie
- DeepDelver, 18 March 2026, 'Delve: Fake Compliance as a Service, Part I' (Substack)
- TechCrunch, 22 March 2026, 'Delve accused of misleading customers with fake compliance'
- TechCrunch, 24 March 2026, 'Insight Partners scrubs investment post about Delve amid allegations'
- Inc., 23 March 2026, 'The Delve Scandal: A Y Combinator Darling Just Got Hit With a Bombshell Fraud Accusation'
- Delve, 20 March 2026, 'Response to Misleading Claims'

Être en cybersécurité
Une feuille de route cyber en clair, pour tout le monde, pas seulement les experts.
