Delve built a machine designed to make clients complicit without their knowledge, to manufacture plausible deniability while producing exactly the opposite.

According to a detailed Substack investigation by DeepDelver, a leaked Google spreadsheet containing links to hundreds of confidential draft audit reports revealed that Delve generates auditor conclusions before any auditor reviews evidence, uses the same template across 99.8% of reports, and relies on Indian certification mills operating through empty US shells instead of the "US-based CPA firms" they advertise.

Audit Integrity & Independence

• Delve breaches AICPA/ISO rules by acting as auditor, generating pre-drafted assessments, tests, and conclusions
• Delve relies on audit firms that rubber stamp reports because genuine independent verification would expose the evidence as fabricated or deficient
• Named leadership (Karun Kaushik, Selin Kocalar, Charles Nwatu, Taher Lokhandwala, Isaiah de la Fuente, Varun Gurnaney) is complicit in intentional misconduct

Misrepresentation to Customers

• Delve misleads clients by claiming reports are produced by US-based CPA firms, when in reality they are produced by Delve and rubber stamped by Indian certification mills
• Delve leads clients to believe they are compliant when they are not
• Delve helps clients mislead the public by hosting trust pages that contain security measures that were never implemented
• Delve lies to clients when directly questioned, denying documented facts about the leak and report generation
• Delve markets AI-driven automation while the product is practically devoid of AI, relying on pre-populated templates, manual forms, and fabricated evidence

Product & Process Deficiencies

• Delve’s product is unable to get companies truly compliant
• Delve’s platform forces companies to choose between adopting fake evidence or performing mostly manual work with little real automation
• Unable to deliver real compliance through its platform, Delve depends on fraudulent auditors who rubber stamp reports for clients, falling back on off-platform manual work with external vCISOs and good auditors only when complaints or profile threaten its business interests

Regulatory & Compliance Risk

• Delve’s process results in clients violating GDPR and HIPAA requirements, exposing them to criminal liability under HIPAA and fines up to 4% of global revenue under GDPR
• Companies relying on Delve face regulatory, contractual, and reputational risk

The above individuals knowingly participated in Delve's deliberate misconduct regarding audit practices.

Delve Team

Delve was founded in 2023 by Karun Kaushik and Selin Kocalar, both Forbes 30 Under 30 members and MIT dropouts who met as freshmen. They started with a medical AI scribe, pivoted to compliance after hitting HIPAA headaches themselves, and went through Y Combinator in 2024.1

In July 2025, Delve raised $32 million in Series A funding led by Insight Partners. Before that they had raised a $3.3 million seed round and went through Y Combinator.

Delve’s pitch is speed through AI. They claim to get companies compliant in days rather than months, using what they call “agentic AI” through an “AI-native” platform.

Their marketing promises AI agents that automatically collect evidence, write reports, and monitor compliance gaps without human busywork.

Who it affects

Compliance exists so that when a startup says “we’re SOC 2 certified,” or “HIPAA compliant,” or “GDPR compliant,” a hospital or a bank or a defense contractor can trust that claim enough to share data. When that trust is manufactured instead of earned, the damage doesn’t stop at the company that bought the report. It flows downstream to their customers, their customers’ customers, and eventually to individuals whose medical records, financial data, or personal information ends up exposed because someone cut corners.

HIPAA and GDPR weren’t created as paperwork exercises. They exist because criminals actively want health records to sell, identities to steal, and systems to ransom. Faking compliance doesn’t just violate some abstract professional code. It leaves actual people unprotected against actual threats.

Delve’s clients are in an impossible position. They paid for expertise they didn’t get, received platforms showing 100% completion that meant nothing, and were handed the same pre-fabricated evidence as a thousand other companies. They were told this was how compliance worked now: fast, automated, handled. They published trust pages broadcasting security measures they never implemented, because Delve said those pages were accurate. Now they face liability for representations they made in good faith, based on assurances that turned out to be lies.

That is where the anger should go. Delve built a machine designed to make clients complicit without their knowledge, to manufacture plausible deniability while producing exactly the opposite.

Source: X