In March 2026, an anonymous whistleblower published what may be the most detailed exposé of compliance fraud the technology industry has ever seen. The target: Delve, a Y Combinator-backed startup valued at $300 million that promised to get companies SOC 2 certified in days using AI. The allegation: that Delve had been fabricating audit evidence, generating auditor conclusions before any auditor reviewed client data, and getting unaccredited Indian certification mills to rubber-stamp the results.
If you work in tech and care about security compliance, or if you were a Delve customer, this story matters to you.
What Actually Happened
Delve was founded in 2023 by MIT dropouts Karun Kaushik and Selin Kocalar. The pitch was compelling: use “agentic AI” to compress months of painful compliance work into a few days. By mid-2025, the company had raised $32 million in Series A funding, claimed over 1,000 customers in 50 countries, and had become one of the most talked-about names in the compliance automation space.
Then, in December 2025, an email went out to hundreds of Delve clients. It alleged that Delve had leaked a publicly accessible Google spreadsheet containing hundreds of confidential audit reports, and that those reports were fraudulent. Delve’s CEO dismissed it as “an AI-generated email with falsified claims.”
That denial turned out to be harder to sustain than expected.
In March 2026, the anonymous account Deepdelver published a detailed technical analysis of the leaked database. The findings were striking. Across 533 leaked reports covering 455 companies, the same auditor conclusion language appeared word for word, including an identical grammatical error. Auditor conclusions and test results had been generated before any client even provided their company information. The auditors signing off were not the US-based CPA firms Delve had advertised, but Indian certification mills operating through empty shell addresses.
Inc. Magazine covered the initial story in detail. Read the full article here.
Claim your free review
Free Migration For Companies Affected by Delve
Axipro is currently offering Delve-affected companies a free 30-minute compliance review plus complimentary migration to Vanta or Drata. Our certified compliance experts will tell you exactly which situation you are in, identify any real gaps, and guide your migration so your next audit is clean.
Will Affected Companies Lose Their SOC 2 Certification?
The short answer is no, not automatically.
SOC 2 reports are issued by independent CPA firms, not by compliance platforms. Delve was the evidence collection and preparation tool. The auditor signed off separately. There is no central SOC 2 registry, no revocation authority, and no body that automatically invalidates a certificate because the platform used to prepare it has been accused of fraud.
The certificate exists. It is technically still valid.
But a certificate is only as credible as the evidence behind it. If the controls it claims were in place were never actually implemented, if the board meeting minutes were identical boilerplate, if the penetration test never happened, if the device security screenshots were one-off manual uploads rather than evidence of continuous monitoring, the certificate is not a record of real compliance. It is a document waiting to be challenged.
The moment a Delve client goes to renew with a reputable auditor, that auditor will look at the evidence. They will find gaps. That renewal failure is when the certificate effectively collapses, and it almost always happens at the worst possible time. Review our SOC 2 compliance checklist to understand exactly what a legitimate audit requires.
The Three Situations Every Delve Client Is In Right Now
Not every Delve client faces the same risk. Understanding which situation you are actually in is the most important thing you can do right now.
Situation 1: Your controls are real, just poorly documented. Your underlying security practices are solid. Delve’s platform generated sloppy evidence around them, but the controls themselves exist. A gap assessment, a cleanup, and a fresh audit with a reputable firm is all you need. Manageable.
Situation 2: You have gaps between what your certificate claims and what exists. Some controls were implemented, some were not. The Delve platform made it very easy to click through pre-populated forms and never notice the difference. These gaps are fixable — but only if you find them before your next renewal, your next enterprise customer review, or your next M&A process does. For a deeper understanding of what a proper gap analysis involves, see our detailed guide to gap analysis.
Situation 3: Significant controls were never implemented. This creates real commercial, contractual, and in some cases legal exposure. It is particularly serious for companies that handle health data under HIPAA or process EU resident data under GDPR, and for any company that has won government or federal contracts on the basis of these certifications.
All three situations look identical from the outside right now. Your certificate exists. Your trust page is live. Nothing has visibly broken. The only way to know which situation you are in is to actually look
The Consequences Nobody Is Fully Reporting
Most coverage of this story has focused on Delve itself. The more important story is what happens to Delve’s clients over the next 12 months.
The enterprise customer risk. Delve’s questionnaire AI was answering vendor security questionnaires on behalf of clients, claiming controls, MDM systems, penetration tests, backup restoration simulations, that the platform demonstrably never verified. Delve clients were making specific false representations to their own enterprise customers during procurement. If any of those customers later suffers a breach and traces it back to a vendor that misrepresented its security posture, the liability chain is clear. This is one of the common pitfalls in SOC 2 that organisations rarely anticipate until it is too late.
The HIPAA exposure is more serious than reported. The Deepdelver report identifies multiple Delve clients that process protected health information for millions of US citizens. Under HIPAA, penalties for compliance violations escalate from fines to criminal charges depending on whether the violation was knowing or unknowing. The critical legal threshold here is December 2025. Companies that received the breach notification email and took no meaningful action after that point have a documented timestamp of when they were put on notice. The distinction between unknowing and knowing violation may hinge on that date.
GDPR creates cross-border exposure. Under Article 83 of the GDPR, fines can reach 4% of global annual revenue or €20 million — whichever is higher. GDPR applies to any company processing data of EU residents, regardless of where the company is incorporated. Delve claimed clients in 50+ countries. Many of those clients will have EU exposure they are currently unaware of.
The M&A trap. Compliance certifications are material facts in acquisition due diligence. If a Delve client is acquired or raises a significant funding round, any investor’s legal team doing thorough due diligence will examine the audit evidence behind the SOC 2 certificate. That examination will find the gaps.
Why Switching to Vanta or Drata Alone Will Not Fix This
The instinct for most Delve clients right now is to migrate to Vanta or Drata as quickly as possible. Both are legitimate, well-regarded platforms. Drata is trusted by names like Wispr Flow, which publicly announced its migration after the scandal broke. But software collects and organises evidence. It does not verify that the controls behind that evidence actually exist.| What compliance requires | Software platform alone | Human expert oversight |
|---|---|---|
| Verify controls are implemented | Relies on self-reporting | Independent assessment of real operations |
| Catch gaps between policy and practice | Cannot detect undeclared gaps | Structured gap assessment against actual systems |
| Continuous monitoring evidence | Tracks what you connect | Verifies what is worth connecting |
| Defensible audit documentation | Template-generated | Expert-reviewed and evidence-backed |
| Accountability if gaps are found | Platform disclaims liability | Consultant stands behind the work |
What the Right Remediation Actually Looks Like
For most companies, this is a solvable problem. Start by pulling your existing Delve audit reports and reviewing them against your actual systems. Compare what the reports claim, on MDM, penetration testing, board meetings, backup simulations, against what you can actually evidence today. Next, commission an independent gap assessment with a certified compliance expert. This is the step most companies skip when they are in a hurry to move on. It is also the step that determines whether you remediate on your own terms or get caught out by an auditor, a customer, or a regulator. Once you understand your real compliance posture, choose your new platform with clear eyes. Getting guidance before committing to a new annual contract is worth the time, see our comparison of Vanta vs Drata to understand which platform suits your organisation’s needs. If you have ongoing customer relationships where your Delve certification was a material factor, consider proactive communication. Getting ahead of potential questions is almost always better than fielding them reactively.Claim your free review
Free Migration For Companies Affected by Delve
Axipro is currently offering Delve-affected companies a free 30-minute compliance review plus complimentary migration to Vanta or Drata. Our certified compliance experts will tell you exactly which situation you are in, identify any real gaps, and guide your migration so your next audit is clean.