A compliance startup that sells the promise of regulatory safety just got accused of selling nothing but the promise.
The Summary
- An anonymous Substack post accuses Delve of falsely convincing hundreds of customers they were compliant with privacy and security regulations
- If true, this is automated trust-washing at scale, the exact failure mode everyone warned about when compliance tech met AI
- The accusation surfaces a core tension: who validates the validators when compliance becomes software?
The Signal
Delve is a compliance startup that automates the tedious work of proving your company meets privacy and security regulations. Except, according to an anonymous whistleblower on Substack, it may have been automating something closer to theater. The post claims Delve "falsely" convinced "hundreds of customers" they were compliant when they weren't.
This isn't a bug in the code. It's a bug in the business model. Compliance software promises to replace expensive auditors and consultants with automated checks and documentation. But compliance isn't a binary pass/fail. It's interpretive, context-dependent, and constantly shifting as regulations evolve. When you automate that process, you're either building something incredibly sophisticated or you're building a checkbox generator that gives people false confidence.
The anonymous nature of the accusation makes verification hard, but the allegation itself is structurally predictable. Compliance is one of those domains where the customer often can't tell good work from bad until a regulator shows up. That information asymmetry is why traditional compliance relied on reputation and credentials. Software eats that moat by making the work faster and cheaper, but it also makes it easier to cut corners invisibly.
If the Substack claims hold up, this becomes a case study in what happens when you automate expertise without actually encoding the expertise. You get speed and scale, but you lose the judgment that made the expertise valuable in the first place.
The Implication
For anyone buying compliance software: ask to see the actual reports your vendor generates, then run them past someone who knows the regulations. If your compliance tool can't explain its reasoning in terms a human auditor would recognize, you're not buying compliance. You're buying liability with a UI. For builders in this space, this is your warning shot. Automated compliance that works is hard and valuable. Automated compliance that doesn't work is fraud with extra steps.
Sources: TechCrunch AI