Allegations against a fast-growing compliance automation startup are sparking questions that go beyond a single company. For organizations that lean on automated platforms to support security and regulatory compliance, the situation is a reminder of how important independent, transparent and verifiable operational evidence is in information security.
The Allegations Against Delve: What We Know
On March 18, 2026, an anonymous whistleblower known as “DeepDelver” published a detailed account accusing Delve, a Y Combinator–backed compliance automation startup, of misleading customers about their compliance status. The post alleged that Delve produced fabricated evidence tied to board meetings, tests and internal processes, ultimately convincing “hundreds of customers” they were compliant when that may not have been the case.
Delve responded by calling the claims “misleading” and asserting that the whistleblower’s post contained inaccurate information. The facts continue to unfold, but the situation has already prompted broader reflection on the role and limits of automated compliance platforms.
Why the Delve Allegations Matter for Automated Compliance
The Delve situation is not only about a specific vendor; it reflects structural risks in the growing market for AI-driven compliance tools.
Organizations face increasing pressure to demonstrate compliance with frameworks like SOC 2, ISO 27001 and Microsoft SSPA to satisfy partners. Automation platforms can help streamline evidence collection and reduce administrative burden, but when automation is treated as a replacement for underlying controls or independent oversight, the integrity of the entire assurance process can erode.
Reporting on the Delve situation highlights three recurring issues:
- Automation output does not equal actual compliance
Automated platforms can generate organized evidence, but the whistleblower's claims suggest that some of those documents, such as fabricated or pre-filled records, did not reflect real activity. Because frameworks like SOC 2 require proof that controls actually operated, system-generated artifacts cannot always stand in for the underlying work those standards require.
- Independence concerns around auditor selection
Reporting on the allegations indicates that customers were guided toward a small group of accommodating audit firms, raising concerns about whether those firms could apply proper scrutiny. Auditor independence is essential for credible assurance, and any influence from compliance platforms over auditor selection risks weakening that objectivity.
- Certification without verification
Some allegations suggest audit conclusions were drafted before independent testing occurred, undermining the fundamental purpose of assurance. Whether for SOC 2 or any other framework, the value of an attestation depends on actual evidence being reviewed, not on prewritten findings.
Selecting a Firm to Minimize Your IT and Compliance Risk
When choosing an auditor for your SOC report or ISO 27001 certification, it helps to look for a few practical signals that the work will be grounded, independent and evidence driven.
Look for firms that test real operational activity.
A credible firm should base its conclusions on what your organization actually does. Firms that rely heavily on prefilled materials do not provide you with a meaningful report. Boulay’s SOC reporting approach is based on evaluating actual internal controls in line with AICPA standards.
Confirm that the auditor is truly independent.
Compliance software platforms should not be deciding who your auditor will be. Independence is what gives attestation its value. Boulay operates as an independent CPA firm and is not financially dependent on any compliance solution for lead generation. This enables us to perform SOC 2 and ISO 27001 audits in an unbiased manner.
Ask how findings are formed.
A trustworthy firm will not draft conclusions in advance or rely on prewritten language. Instead, the conclusions are formed only after testing controls and reviewing evidence. Boulay follows AICPA standards that require independent testing before issuing a SOC report, which ensures conclusions are tied to the evidence reviewed.
Moving Forward
The Delve situation is a reminder that while compliance automation can simplify workflows, it cannot replace independent assurance, verified evidence or real control operation. As organizations face growing expectations around SOC 2 reporting, ISO 27001 certification and broader IT risk management, ensure that your auditor brings objectivity and thorough testing to the engagement.
Boulay’s Risk Advisory team is here to help organizations strengthen their compliance posture with clarity and confidence. If you are interested in our services or want to learn how we can support your security and compliance goals, contact us today.