N2CON TECHNOLOGY

Who's Certifying You?

The Delve scandal is a wake-up call: compliance certifications are only as good as the people behind them, and you're still responsible either way.

Ed Brownlee CTO | N2CON

A detailed investigation dropped this week about Delve, a Y Combinator-backed compliance platform that raised $32 million at a $300 million valuation just last July. The allegation: Delve systematically faked compliance reports for hundreds of clients. If you’re in a regulated industry, this one’s worth paying attention to.

The Rise

Delve had everything going for it. Two MIT dropout founders, both Forbes 30 Under 30 honorees, backed by Y Combinator and Insight Partners. Over 500 companies served. The pitch was compelling: AI agents that automate compliance, getting you audit-ready in days instead of months. High-profile clients like Lovable, Bland, and Wispr Flow lent credibility. CISOs (Chief Information Security Officers) from Fortune 500 companies participated in the funding round. By mid-2025, Delve looked like the future of compliance automation.

What the Investigation Found

According to the DeepDelver investigation, the reality was different. A leaked Google spreadsheet exposed hundreds of audit reports that were near-identical boilerplate; a separate analysis of the leaked data found 99.8% identical text across 494 SOC 2 reports.
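The kind of similarity measurement behind that 99.8% figure is easy to run on any set of audit reports you are asked to trust. The following is an added Python example, not code from the article or from the analysis it cites; the report text is constructed, and the 0.95 "near-identical" threshold is an assumption:

```python
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample reports (not the leaked Delve data): three opinion
# sections that differ only in the client name, and one that carries
# organisation-specific evidence of the kind a real audit produces.
_TEMPLATE = (
    "In our opinion, {client} maintained effective controls over the security "
    "of its system throughout the period. Management's description presents "
    "the system accurately. Controls were suitably designed and operated "
    "effectively to meet the service commitments and system requirements."
)
REPORTS = {
    "acme": _TEMPLATE.format(client="Acme"),
    "globex": _TEMPLATE.format(client="Globex"),
    "initech": _TEMPLATE.format(client="Initech"),
    "umbrella": (
        "We sampled 25 production changes for Umbrella and found 3 deployed "
        "without a recorded approval; branch protection was enforced on 14 March "
        "as remediation. Restore tests of the customer database succeeded on "
        "both sampled dates, and MFA enrolment was confirmed for 112 staff accounts."
    ),
}

def similarity(a: str, b: str) -> float:
    """Word-level similarity: 2 * matched words / total words, in [0, 1].
    autojunk is disabled so frequent words are not silently ignored."""
    return SequenceMatcher(None, a.split(), b.split(), autojunk=False).ratio()

def pairwise_similarity(reports: dict) -> dict:
    """Similarity score for every unordered pair of report names."""
    return {(x, y): similarity(reports[x], reports[y])
            for x, y in combinations(sorted(reports), 2)}

def flag_boilerplate(reports: dict, threshold: float = 0.95) -> list:
    """Names of reports that are near-identical to at least one other report."""
    flagged = set()
    for (x, y), score in pairwise_similarity(reports).items():
        if score >= threshold:
            flagged.update((x, y))
    return sorted(flagged)

if __name__ == "__main__":
    for (x, y), score in pairwise_similarity(REPORTS).items():
        print(f"{x:>8} vs {y:<8} {score:.3f}")
    print("templated:", flag_boilerplate(REPORTS))
```

A report whose only difference from every other report is the client name scores about 0.97 here; a report built from organisation-specific evidence scores well under 0.5 against the template.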

The investigation alleges that Delve pre-generated auditor conclusions before any auditor actually reviewed evidence. Clients received pre-fabricated board meeting minutes, security simulation results, and risk assessments they could adopt with a single click. The “US-based audit firms” were reportedly offshore certification mills, located in regions with documented accreditation-fraud problems and operating through empty US shell companies, that rubber-stamped whatever Delve put in front of them.

The platform’s “AI-native” automation? According to the investigation, it amounted to pre-populated forms and manual screenshot uploads. When clients questioned the process, Delve reportedly deflected. They insisted on phone calls rather than answering in writing, name-dropped high-profile clients, and occasionally sent donuts.

The Red Flags Were There

Looking back, the warning signs were pretty clear. Delve promised SOC 2 (Service Organization Control 2) compliance in days. Their pricing started at $15,000 but reportedly dropped to $6,000 when customers pushed back, with ISO 27001 and a penetration test thrown in for free. That’s a fraction of what legitimate compliance work costs, and for good reason.

We all want an easy button for compliance. We all want the quick version. But real compliance work takes time because it’s supposed to. The auditor has to independently verify your controls. Your team has to actually implement the policies, not just click “accept” on a template. When someone offers to shortcut all of that at a price that undercuts the entire market, the question isn’t “how are they doing it so fast?” It’s “what are they skipping?”

Turns out, the answer was: almost everything.

Who Certifies You Matters

This gets to something that doesn’t get talked about enough. The certification is only as meaningful as the people doing the certifying.

SOC 2, ISO 27001, HIPAA (Health Insurance Portability and Accountability Act). These frameworks require independent auditors to verify your controls. That independence is the whole point. When the auditor isn’t actually independent, when they’re signing off on reports they didn’t write based on evidence they didn’t collect, the certification is just paper.

You’re Still Responsible

Here’s the part that’s going to get interesting as this unfolds. Just because a platform handed you a certificate doesn’t mean you’re off the hook.

HIPAA violations carry criminal liability. GDPR (General Data Protection Regulation) fines run up to 4% of global annual revenue. Having a piece of paper that says you passed an audit doesn’t change what’s actually running in your environment. If your controls aren’t real, the certificate won’t protect you when regulators come looking.

This is going to be a fascinating thing to watch, because it may truly demonstrate that no matter how many certifications you stack up, you’re still responsible for what is actually in place.

Sound Familiar?

Two days ago, I wrote about the FedRAMP (Federal Risk and Authorization Management Program) mess with Microsoft. Federal reviewers spent five years trying to verify how Microsoft encrypts data in transit for government systems. They never got a satisfactory answer. The product was authorized anyway, because it was already too embedded to reject.

If even federal reviewers can’t fully verify what’s happening inside a platform as large and scrutinized as Microsoft’s cloud (those people are human too), what’s being missed everywhere else?

The Delve situation is the same problem from a different angle. With Microsoft, the system was too complex to fully verify. With Delve, the verification itself was fabricated. Both end up in the same place: a gap between what the certificate says and what’s actually true.

What to Do About It

This isn’t a scare piece. The compliance model isn’t broken. But it does require more deliberate thought than most organizations give it.

  1. Who certifies you matters. Not all auditors are equal. The cheapest, fastest path to a certificate should raise more questions, not fewer. Do your due diligence on the firm signing your reports, where they operate, how they verify evidence, whether they have a track record of independent auditing.

  2. Verify what you can. Don’t treat the audit as the finish line. Run your own checks. Test your backups. Validate your controls independently. The audit should confirm what you already know to be true, not be the first time anyone looks.

  3. Accept what you can’t verify. At some point, there will be layers you just have to trust. That’s unavoidable. But know which layers those are, and make that decision consciously, not by default.

  4. Watch where the work happens. Delve reportedly offshored audit work to certification mills in regions with well-documented problems around fake accreditation and credentials. That doesn’t mean every offshore firm is bad. But the due diligence on your certifier is as important as the certification itself.

  5. If it sounds too good to be true, it probably is. Compliance in days at a fraction of market price isn’t innovation. It’s a shortcut. Until the tooling genuinely catches up (and it will, eventually), there’s no substitute for the actual work.

The through-line is the same one from the Microsoft/FedRAMP piece: trust isn’t something you set and forget. It’s something you actively manage, whether that’s your cloud provider, your compliance platform, or the firm signing your audit reports.

Sources: DeepDelver Investigation, March 2026. Systima analysis of leaked reports. Delve Series A announcement, July 2025.

Ed Brownlee

CTO | N2CON

Ed Brownlee serves as CTO at N2CON, architecting technical solutions across security, disaster recovery, and infrastructure. His approach connects enterprise-grade practices with p…