Delve review: AI-native compliance automation, and the 2026 controversy you must factor in

Delve built an AI-native compliance platform that uses agents to collect evidence and accelerate SOC 2 and HIPAA readiness, raising $32M in 2025. A 2026 controversy over the quality and integrity of reports produced through the platform makes diligence essential before adopting it.

What Delve set out to build

Delve is a Y Combinator-backed compliance automation company founded in 2023 that positions itself as AI-native rather than AI-bolted-on. Its premise is that much of compliance work (gathering evidence, taking screenshots, drafting policies, and answering security questionnaires) can be handled by autonomous AI agents instead of human operators clicking through dashboards. In July 2025 the company raised a $32M Series A, reportedly led by Insight Partners at a roughly $300M valuation, which made it one of the more talked-about new entrants in the space. That momentum drew comparisons to incumbents like Vanta and Drata, with Delve arguing it could compress timelines further by automating more of the human busywork.

How the platform works

The platform tailors a control set to your company context (the team, integrations, and risk tolerance), then aims to strip out requirements it deems irrelevant so you are not chasing checkbox evidence. AI agents take screenshots, validate evidence, scan pull requests for security issues via SAST, and run daily infrastructure scans, while a policy assistant and questionnaire autofill handle inbound security reviews. An enterprise-tier computer-use agent automates screen-based evidence capture. Supported frameworks span SOC 2 Type I and II, HIPAA, ISO 27001 and ISO 42001, GDPR, PCI DSS, HITRUST, FedRAMP, and CCPA, plus AI-specific regimes like the EU AI Act and the NIST AI RMF, a notably broad list for a young platform.

The 2026 controversy and why it matters

In March 2026, an anonymous investigation published under the name DeepDelver alleged serious integrity problems with reports produced through Delve, drawing on a late-2025 data exposure of draft documents. The allegations included near-identical boilerplate across hundreds of SOC 2 reports and questions about how independently the underlying audits were conducted; a follow-up post alleged intellectual-property misappropriation from another company. Delve publicly disputed the claims, emphasizing that it provides a platform while independent auditors perform audits and issue reports. By April 2026, Y Combinator had reportedly removed Delve from its directory amid the fallout. Regardless of how the dispute ultimately resolves, the episode is material to any purchasing decision and should not be ignored.

What the episode teaches about evaluating any automation vendor

The central lesson is that a SOC 2 report is only as credible as the independence and rigor of the CPA firm behind it, and an automation platform cannot substitute for that. If a vendor steers you toward a specific auditor, ask who that auditor is, whether they are an independent licensed firm, and how they exercise judgment rather than rubber-stamping platform output. A report built from genuine, company-specific controls reads differently from a templated document, and sophisticated enterprise buyers increasingly scrutinize that difference. Boilerplate language, conclusions that appear pre-written, or evidence that does not map to controls you actually operate are all warning signs.

Who might still consider Delve, and how to do diligence

The underlying technology, AI agents that reduce manual evidence work, addresses a real pain point, and teams attracted to that automation may still evaluate Delve. If you do, treat it as a high-diligence purchase: insist on naming the independent auditor, request references from customers who have completed a full Type II cycle, ask how the company has responded to the 2026 allegations, and have your own security or legal team review a sample report for substance. Confirm contractual data-handling and breach-notification terms given the reported exposure of draft documents. For risk-averse buyers, or those whose own customers will scrutinize the report, a more established vendor with a long track record may be the safer path until the situation is clearer.
