The Delve Scandal: How Two 21-Year-Old Forbes 30 Under 30 Founders Built a $300M “AI Compliance” Unicorn — And Are Now Accused of Selling Fake Reports

It was the perfect startup fairy tale. Two MIT dropouts, Selin Kocalar and Karun Kaushik, make Forbes 30 Under 30 in AI for 2026. They get into Y Combinator, raise $3 million, then $32 million at a $300 million valuation. Their company, Delve, promises lightning-fast AI-powered compliance for SOC 2, HIPAA, ISO 27001, and GDPR. The YC website proudly states they’ve helped “1,500+ companies.” Garry Tan called them one of the top startups in the batch.
Now the fairy tale is cracking.
An explosive anonymous investigation published on Substack by “DeepDelver” (a former client employee) accuses Delve of running what amounts to compliance theater — generating pre-filled, largely identical reports that auditors allegedly rubber-stamp with minimal (or no) real verification.
The result, according to the whistleblowers: hundreds of companies may have been sold false attestations that expose them to regulatory fines, contract breaches, and even criminal liability under HIPAA and GDPR.
From Medical AI to “Fastest Compliance in the World”
Kocalar and Kaushik started in 2023 trying to build an AI medical scribe for clinical notes. When that didn’t take off, they pivoted to something far more lucrative: helping startups survive the painful, expensive compliance process required before big contracts or acquisitions.
They entered YC in Winter 2024. By January 2025 they had a $3 million seed. By July they closed a massive $32 million round led by Insight Partners at a $300 million post-money valuation. The pitch was irresistible: AI that automates evidence collection, policy writing, and audit prep so companies can get certified in weeks instead of months.
On paper, it looked like RegTech magic.
The Allegations: Pre-Filled Templates, Identical Reports, “Certification Mills”
According to DeepDelver’s detailed Substack post (Part I of what they say is an ongoing series), the reality was far simpler — and far shadier.
- Customers were given heavily pre-populated forms and evidence libraries. Many fields were already filled in before the company even submitted its own information.
- Hundreds of final audit reports were nearly identical, down to the same grammatical errors and boilerplate language. Only the company name, logo, and signature changed.
- The majority of audits were routed through two firms: Accorp and Gradient Certification. Both are described as operating primarily out of India with minimal U.S. presence (virtual offices and shell entities).
- Evidence of board meetings, security tests, employee training, and risk assessments was allegedly auto-generated or fabricated — even for things that had never actually happened.
One leaked spreadsheet from December 2025 reportedly contained links to hundreds of these draft reports. When clients received an anonymous email highlighting the identical nature of the documents, Delve confirmed a “leak” but downplayed its significance.
Several high-profile customers have since quietly distanced themselves. Lovable, once prominently featured on Delve’s site as a success story, switched providers and had all mentions removed. Other clients have publicly announced they are ordering independent audits.
Delve’s Response: “We Provide Templates, Not Reports”
In a blog post titled “Response to Misleading Claims,” Delve pushed back hard. The company says it does not issue compliance reports or conduct audits. Instead, it positions itself as an “automation platform” that collects information from customers and gives third-party auditors access.
Key points from their statement:
- Pre-filled templates are just “examples” or starting points.
- Customers are ultimately responsible for the accuracy of the information they submit.
- They work with many accredited, independent auditors; clients can choose their own or use ones from Delve’s network.
Critics argue this is a convenient way to shift liability while still marketing “100% compliance” in record time. The Substack authors note that Delve has not directly addressed many of the specific technical claims (identical reports, fabricated evidence, auditor relationships).
Why This Matters
Compliance isn’t sexy, but it’s foundational. SOC 2 and HIPAA attestations are often required by enterprise customers, insurers, and acquirers. If hundreds of startups were sold invalid certifications, the downstream damage could be enormous — ranging from lost contracts to massive regulatory fines.
The scandal also hits at the heart of the current AI startup boom: the pressure to move insanely fast, raise at sky-high valuations, and ship before the product is fully real. Delve’s story — young founders, massive hype, rapid funding, Forbes cover — is the exact archetype investors and media love.
Whether this turns out to be a genuine case of systemic fraud or an over-hyped automation tool that cut too many corners remains to be seen. DeepDelver has promised more evidence in future installments. Meanwhile, Delve has reportedly paused product demos, and at least one major investor (Insight Partners) has quietly scrubbed its public endorsement of the company.
Two 21- and 22-year-old founders went from MIT dorm rooms to a $300 million valuation in under two years.
Now the question everyone in the startup world is asking is simple: Was Delve selling AI compliance… or just the appearance of it?
The answer could determine not only the fate of two young founders but also how much trust remains in the entire “AI solves compliance” category.