Will Anyone Learn from Delve?

  • Apr 8
  • 3 min read

Delve, a Y Combinator-backed compliance startup valued at $300 million, is collapsing under allegations that it sold fabricated audit reports to over a thousand customers. Near-identical boilerplate documents. Rubber-stamped certifications routed through shell entities. Evidence of board meetings and security tests that never happened. The whistleblower case is detailed and damning. Insight Partners quietly scrubbed its investment thesis. YC parted ways with the company. The founders went from Forbes 30 Under 30 to crisis mode in three weeks.


The mechanics of the alleged fraud are not complicated. Delve promised AI-powered compliance (SOC 2, HIPAA, ISO 27001, GDPR) at a fraction of the cost and time. What it apparently delivered were pre-filled templates and certification mills. The product looked like automation. It functioned like theater.

This is the part where we're supposed to express shock. But Delve is a pattern, not an anomaly. If anything, it's a scapegoat.


The investors who poured $32 million into the company never bothered to read the compliance output or to understand how the product actually worked to reduce the risk of harm to consumers. The due diligence that was supposed to catch exactly this kind of gap did not catch it. That's the real indictment: not one rogue startup, but the entire chain of actors who had every opportunity to verify and chose not to.


And frankly, this pattern is not uncommon. Plenty of companies buy security tools to pass SOC 2 or satisfy insurance requirements, then never actually use them on an ongoing basis. The tool gets purchased. The certificate gets issued. The software sits there. Nobody checks whether the controls are running. Nobody checks whether the posture described in the report bears any resemblance to operational reality six months later. This is not a scandal; it is the background hum of how corporate compliance fails in practice.
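As an added illustration (not code from this post), here is a small Python check that compares the controls an audit report attests against the evidence the tooling actually produced, flagging controls that have no evidence at all or whose newest evidence is older than the cadence the report claims. The control identifiers, cadences and dates are constructed sample data.

```python
from datetime import date

# Constructed sample: controls the audit report attests, with the claimed
# check cadence in days (these ids and cadences are made up for illustration).
ATTESTED_CONTROLS = {
    "CC6.1-mfa-enforced": 1,     # daily identity-policy job
    "CC7.1-vuln-scan": 7,        # weekly scanner run
    "CC7.2-log-review": 1,       # daily log review
    "CC9.2-vendor-review": 90,   # quarterly vendor risk review
}

# Constructed sample: evidence the tooling actually emitted (control id, run date).
EVIDENCE_LOG = [
    ("CC6.1-mfa-enforced", date(2025, 10, 6)),
    ("CC6.1-mfa-enforced", date(2025, 10, 7)),
    ("CC7.1-vuln-scan", date(2025, 4, 2)),   # bought, ran once, then sat idle
    ("CC7.2-log-review", date(2025, 10, 7)),
]


def control_status(attested, evidence, as_of, grace_days=2):
    """Classify each attested control as 'verified', 'stale' or 'no-evidence'.

    A control is 'stale' when its newest evidence is older than the claimed
    cadence plus a small grace period; 'no-evidence' when nothing was ever logged.
    """
    latest = {}
    for control_id, when in evidence:
        if control_id not in latest or when > latest[control_id]:
            latest[control_id] = when
    status = {}
    for control_id, cadence_days in attested.items():
        if control_id not in latest:
            status[control_id] = "no-evidence"
        elif (as_of - latest[control_id]).days > cadence_days + grace_days:
            status[control_id] = "stale"
        else:
            status[control_id] = "verified"
    return status


def drift_report(status):
    """Summarize the gap between attested posture and observed evidence."""
    gaps = sorted(c for c, s in status.items() if s != "verified")
    return {"attested": len(status), "verified": len(status) - len(gaps), "gaps": gaps}


def audit(as_of=date(2025, 10, 8)):
    """Run the check over the constructed sample; returns (status, summary)."""
    status = control_status(ATTESTED_CONTROLS, EVIDENCE_LOG, as_of)
    return status, drift_report(status)


if __name__ == "__main__":
    status, summary = audit()
    for control_id, state in sorted(status.items()):
        print(f"{control_id:24} {state}")
    print(summary)
```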


I think most people want to do good. And most of corporate America consists of honest execs and intrinsic-value investors who want to play fair. Companies that produce real value for their stakeholders. Companies that want their compliance posture to actually mean something, not just look like something. A better AI ecosystem could feed into that. It could strengthen trust instead of hollowing it out. It could produce real risk intelligence instead of more grifters.


What unsettles me most is that these same norms (certification as checkbox, compliance as appearance) have already been baked into the AI systems we all use every day. The patterns are already inside the product.


Think about the coding agent asking you to paste your API keys directly into the chat. That's a security practice no human engineer would accept from a colleague. But when the AI does it, people comply without thinking. That LLM was trained on a world where security hygiene is performed on paper and ignored in practice. The norms that produced Delve are reproducing themselves at machine speed.


This is why I keep coming back to legal alignment red teaming. Red teaming, borrowed from cybersecurity, means probing a system from the adversary's perspective — finding what's actually broken before someone else does. Legal alignment red teaming applies that logic to corporate legal exposure. Regulatory risk. Contractual liability. Enforcement vulnerability. Litigation surface. The question isn't "are you certified?" The question is "where are you actually exposed, and what would a plaintiff, a regulator, or a whistleblower find if they looked?"


The frontier is larger than any single company's exposure. We need AI that can hold AI accountable for hurting us. Systems that audit other systems. Intelligence that interrogates the gap between what a product claims and what it actually does. The legal system already has this function. Adversarial testing is what litigation is. The question is whether we can build technology that runs that function continuously, at scale, before the harm compounds.


That's the work I spend my days on. Delve is yet another warning. The companies that treat it as someone else's problem will eventually become someone else's case study.
