Compliance Is Broken. Here's How We Got Here.
The Delve Scandal Isn't Surprising. It's the Inevitable Result of Performative GRC
The independent investigation published on Substack about the Delve scandal, in which a compliance automation platform was alleged to have generated fake audit reports, fabricated evidence, and used certification mills to rubber-stamp hundreds of identical SOC 2 reports, is an eye-opener for many. But as someone who has built and audited real security programs and controls for over 12 years across various industries, I can say these gaps are not new to me.
And I’m not alone. Competent security and GRC professionals have been watching this erosion for years. Calling it out. Quietly shaking their heads every time another company shows up with a cheap audit, template-driven policies, and no idea what’s actually in them. This scandal is just the most visible symptom of a much deeper disease.
Template-Driven GRC: The Root of the Problem
Here’s what happened in the GRC space over the past several years. Compliance automation platforms flooded the market, promising SOC 2, ISO 27001, and HIPAA in weeks. Many of them are, at their core, template packs with a thin SaaS wrapper. You sign up, adopt pre-written policies wholesale, click through prepopulated forms, and get a certificate at the end. The investigation showed this in painful detail. Clients described the experience as nothing more than clicking through prepopulated forms and accepting everything.
This template-driven approach became disturbingly common, especially among startup and scaleup SaaS companies. And to be fair, there’s nothing wrong with using templates as a starting point. If you need a methodological framework for structuring your policies and processes, templates are a legitimate tool to get you oriented. The problem begins when organizations adopt them wholesale, unchanged, uncontextualized, unimplemented, and treat them as the finished product rather than a guiding tool.
These template policies are easy to spot for anyone who knows the domain. They are written to satisfy the bare minimum audit requirements, not to demonstrate real security. Generic language that could apply to any organization. They reference controls, tools, and processes that the company has never implemented. And critically, they miss what actually matters. The context of the organization they claim to represent.
What Real Policies Look Like vs. What Templates Look Like
Here is the core issue that many people outside of security don’t understand. Your policies are not standalone documents. They form an interconnected system. Your risk management policy, your data protection policy, your incident response plan, your supplier security, your appsec, your access control policy, they all have deep interdependencies. And they must reflect your organization’s actual implementation.
Your data classification methodology should flow into your risk assessment. Your risk classes should be reflected consistently across every relevant policy and implemented control. Your incident response procedures should reference the actual tools you use, the actual escalation paths your team follows, the actual communication channels you’ve established. Your different security programs provide insights and feed into your overall security risk posture. When a competent evaluator reads your policies, they should be able to trace a coherent thread from your risk appetite through your control framework to your day-to-day operations.
That’s what the definition of done looks like for a real security program. Policies that are alive in the organization. That reflect what people actually do. That create a measurable security posture when they work together. This requires budget, team, and real expertise.
What templates give you instead is a collection of disconnected documents sitting in some compliance automation solution or SharePoint, written in vague language, full of commitments nobody in the organization can explain or defend. They only wake up when there’s an audit. And usually only with a cheap auditor who won’t ask hard questions.
The Incompetency Pipeline
The worst part of this ecosystem isn’t the templates themselves. It’s the pipeline of incompetence they enable. Here’s how it works.
Management treats security as a cost center. This is common in small and growing SaaS companies where leadership is focused on product and revenue. Security gets treated as a sales enabler, a checkbox that unlocks enterprise deals. They don’t want to invest in security. They want the appearance of security, as cheaply and quickly as possible. Not all startups are like this, but enough of them are that it’s become a pattern the industry can no longer ignore.
They buy the cheapest compliance automation solution. The ones marketing “SOC 2 in weeks”. These platforms deliver template policies, pre-fabricated evidence, and connect you with budget auditors who won’t look too closely. The investigation revealed exactly this model in action. Pre-generated board meeting minutes. Fake device security evidence. Auditor conclusions written before the auditor ever saw the company.
They staff security with people who enable the theater. Whether through inexperience, pressure from management, or simply not knowing better, the people responsible for GRC in these SaaS startups become administrators of a performative process. They adopt the templates, click through the forms, produce the certificates. They cannot explain the policies because they didn’t write them. They cannot defend the controls because they didn’t implement them. They cannot interpret the interdependencies because they’ve never thought about them.
They stack certifications as trophies. Rather than deepening their security posture, management’s response to any security concern is to add more certifications. SOC 2, ISO 27001, HIPAA, GDPR. Each one obtained through the same performative process. The trust center grows more impressive while the actual security posture remains hollow.
I know why security professionals hate being in performative security companies if they are passionate about security. They fight daily to make meaningful impact while management undermines the work at every turn. For any good security professional, being responsible for performative security theater without real meaningful implementation or protection is a professional and ethical failure. And yet this is exactly what cheap compliance automation, cheap auditors, and disengaged management have created.
It's also worth acknowledging the broader pressure that contributes to this. When VC and PE timelines prioritize speed to market and deal velocity, security budgets are often the first thing deprioritized. The pressure to close enterprise deals fast creates demand for the fastest, cheapest path to a compliance certificate, not the most thorough one. This isn't unique to any one investor or company. It's a systemic incentive problem where the people funding growth and the people responsible for security are optimizing for fundamentally different outcomes.
The Audit Problem Goes Beyond the Budget Firms
After reading the Delve investigation, some might conclude that the solution is simply to hire more expensive, more reputable auditors. From my extensive experience working with very reputable audit firms, the answer is more nuanced.
Does expensive mean trustworthy? Not entirely. Reputable auditors don’t fake certificates or audit reports, that much is true. And you can immediately tell the difference in quality. A well-done SOC 2 report will clearly describe the test criteria for each control, specify what samples were assessed, and document the actual procedures performed. The generic reports, by contrast, read like AI-generated filler. Vague language, no specifics, no evidence of real examination. The reports shown in the investigation were a perfect example. Identical test procedures and conclusions across hundreds of Type II reports, with grammatical errors copy-pasted verbatim across every single one.
But here’s the uncomfortable truth. Even the best traditional auditors don’t fully assess every facet of your security. ISO 27001 and SOC 2 audits were not designed to cover application security, cloud security architecture, AI security and governance, or the dozens of other specialized domains that modern security demands. These areas require fundamentally different skill sets and deep hands-on experience. The kind of experience typically developed at larger companies that have the funding, resources, and tooling to do security properly.
This doesn’t mean ISO 27001 or SOC 2 are only for big enterprises. These certifications are fundamentally democratic. They can and should be implemented in small organizations. But not through cheap audit tactics and incompetent staffing. You need management that takes security seriously. That allocates real attention and budget. That hires at least one competent full-time person or an outsourcer, even in a small 50-person SaaS company, to run day-to-day security operations and ISMS management. Not just during audit season, with a person wearing multiple hats in the org.
What Happens When the Theater Collapses
And here’s what the performative compliance crowd doesn’t think about. What happens when they actually become visible to attackers?
This is where the real fun begins. Attackers are strategic. They study supply chains. They look for the weakest link. And small SaaS companies that handle enterprise data are increasingly becoming that weak link. More attacks will target these small vendors once attackers realize the lucrative benefits of accessing larger enterprise data by exploiting them. Enterprises trusted them with sensitive data based on a nice-looking trust center and a rubber-stamped SOC 2 report. But there’s no real security behind the facade.
When the breach happens, that’s when the panic begins. Then the real audits come. Forensic investigators, not template-checkers. Then the lawsuits. Then the regulatory investigations. And that’s when everyone discovers just how performative the security was. How the policies were never implemented. How the evidence was fabricated. How the people responsible for security can’t answer basic questions about their own controls.
And those beautifully polished AI-generated answers on the security questionnaires? They become exhibits in the legal proceedings.
The investigation highlighted this risk explicitly. Hundreds of companies, some processing protected health information (PHI) for millions of US citizens, some serving national defense interests, all operating under compliance reports generated from the same template with only the company name changed. To be clear, this doesn't mean all of these companies lack real security. Some may have invested in proper vulnerability management, detection capabilities, incident response, and other meaningful security programs. And that investment matters far more than any certificate when real attacks come. But the compliance report is what enterprises and partners relied on to make trust decisions. And when that report turns out to be theater, it undermines trust in companies that may genuinely deserve it alongside those that don't. That is the real damage of performative compliance. It poisons the well for everyone.
The Vendor Due Diligence Gap
Large enterprises and mature organizations have their own defenses against this. They run extensive vendor due diligence programs. Thorough document verification, targeted questions designed to expose gaps, independent penetration testing to verify what’s on paper matches reality. They pull in the person responsible for security and ask them to interpret their own policies, explain their implementations, and provide evidence. This process quickly exposes whether you’re dealing with a real security program or a performative one.
But here’s the problem. SMBs and smaller companies buying SaaS from these vendors don’t have the resources for that level of due diligence. They don’t have dedicated vendor assessment teams. They don’t have the expertise to know what questions to ask. They rely on the certifications, the trust pages, and the audit reports. Exactly the artifacts that the performative compliance industry has learned to manufacture.
And vendor due diligence itself is broken at many organizations. I don’t blame the GRC professionals involved in small and medium scale startups. This is how badly underfunded security is. They rarely read full security reports. Rarely check audit findings in detail. Never validate pentest reports, appsec practices, data flows, third-party risks, vulnerability-fixing SLAs, detection and response capabilities. If you are experienced you know how deep this goes. In most cases these functions are managed by inexperienced people or multifunctional teams without proper training. Checklist-based assessment, tick the boxes, move on. This is exactly how fake audit reports go unnoticed. Nobody in underfunded teams cares about real security practices as long as you provide rubber-stamped reports.
Compliance Is an Infrastructure, Not a Checklist
Compliance is not a template-driven checklist. It is an infrastructure. It should be baked into the product and the business, adhered to and monitored day to day, from design to finish. Not something you bolt on before an audit and forget about until next year.
The reported Delve scandal brought long-standing issues into public view. But the underlying disease, performative compliance enabled by template-driven GRC, cheap auditors, incompetent practitioners, and management that doesn’t care, is systemic and widespread.
What Comes Next
I’ve decided to write about helping SMBs do proper vendor due diligence and AI security risk assessments. The industry needs better signals for separating real security from security theater. And the professionals who are fighting to do this work properly deserve support.
I also put together a practical checklist for evaluating compliance automation tools and auditors. If you’re in the market for a GRC platform or about to choose an auditor, read this before you sign anything:
Stop Buying Compliance Theater: The Full Checklist
Fight for real security. Push back. Educate your leadership. Build something meaningful. That is what this profession demands from us.
More soon.
Follow me on LinkedIn for more on cybersecurity.