
When Compliance Becomes Theatre: Lessons from the Delve Allegations

Sam Keogh

The global cybersecurity market is worth an estimated $188 billion. And yet, much of what passes for “compliance” in this industry is performative — a checkbox exercise designed to produce a certificate, not to produce security.

Most security professionals know this. Few say it publicly.

In March 2026, a detailed third-party investigation raised serious questions about one of the fastest-growing GRC (Governance, Risk, and Compliance) automation platforms, Delve. The allegations, if substantiated, paint a troubling picture — not just of one company, but of a structural fault line running through the entire compliance industry.

This article isn’t about piling on a single vendor. It’s about asking a harder question: if the system makes this kind of failure possible, what does that mean for every organisation relying on it?

What’s Been Alleged

The investigation, published by a collaborative group of Delve clients who pooled resources after receiving a data leak notification, makes several serious claims. It is important to note that Delve has not confirmed any of these allegations, and Delve’s CEO has publicly disputed them, describing them as “falsified claims.” Readers should draw their own conclusions.

According to the investigation:

  • The platform allegedly generated pre-populated compliance evidence — including fabricated board meeting minutes, risk assessments, and security incident simulation records — that clients could adopt with a single click, without those activities ever having taken place.
  • Audit reports were allegedly generated by the platform vendor itself, rather than by independent auditors exercising professional judgement, potentially inverting the independence requirements of AICPA attestation standards (AT-C Section 205).
  • The investigation claims that the auditing firms involved were allegedly “certification mills” — entities that rubber-stamped reports without conducting genuine independent verification. The article names several firms and traces their corporate structures through what it describes as shell entities and mailbox agents.
  • If these allegations prove true, companies using the platform may have been unknowingly exposed to significant regulatory liability, including criminal penalties under HIPAA for willful neglect and fines of up to 4% of global revenue under GDPR.
  • The investigation further alleges that the platform’s marketed “AI-native” automation was largely cosmetic, with the product reportedly consisting of pre-populated templates wrapped in a thin SaaS interface.

For readers who want the full detail, the complete investigation is available on Substack.

To be clear: these are allegations from a third-party source. CyQuantiFi has no independent knowledge of Delve’s internal operations. We present them here because, regardless of their individual accuracy, they illuminate a systemic problem worth examining.

The Real Problem: Point-in-Time Compliance Is Structurally Broken

Here’s the uncomfortable truth: even if every single allegation against Delve were disproven tomorrow, the structural problem they point to would remain.

Annual, point-in-time compliance is fundamentally inadequate for managing cyber risk. The Delve allegations merely illustrate, in dramatic fashion, what happens when an industry optimises for certificates rather than security.

Consider how the current model works:

  • SOC 2 and ISO 27001 are snapshots. They capture a moment in time and are stale the moment the auditor signs the report. Your infrastructure changes daily; your compliance status was frozen months ago.
  • Companies optimise for the certificate, not the security outcome. When the goal is “pass the audit,” rational actors minimise effort to achieve that goal. The audit becomes the product, not security.
  • Annual cycles create a compliance cliff. Organisations sprint to prepare, pass the audit, then drift until the next cycle begins. Risk doesn’t take a year off between assessments.
  • Risk is continuous; assessment should be too. Threat landscapes evolve weekly. New vulnerabilities are disclosed daily. An annual snapshot cannot possibly capture this reality.

Regulators are catching up. Australia’s Security of Critical Infrastructure Act (SOCI), the US SEC’s cybersecurity disclosure rules, and the EU’s Digital Operational Resilience Act (DORA) all push organisations toward continuous risk disclosure and real-time resilience — a clear signal that the point-in-time model’s days are numbered.

And yet, according to the FAIR Institute, 60% of organisations still cannot quantify their cyber exposure in financial terms. When boards ask “how much could we lose?”, they receive colour-coded heatmaps instead of dollar figures. When executives ask “are we compliant?”, they receive a certificate that may or may not reflect their actual security posture.

The system is designed to produce comfort, not clarity.

What Continuous Risk Quantification Looks Like

If point-in-time compliance is the disease, continuous risk quantification is the treatment. Not another dashboard of subjective scores — a fundamentally different approach to understanding and communicating cyber risk.

At CyQuantiFi, we’ve built this approach around several core principles:

  • Real-time telemetry from live infrastructure, not annual screenshots. Your risk posture is calculated from what’s actually deployed, configured, and exposed — right now, not six months ago.
  • FAIR methodology combined with Monte Carlo simulation produces dollar-denominated Value-at-Risk (VaR), not subjective severity ratings. This is the same class of quantitative methodology that financial institutions have used for decades to manage market and credit risk.
  • Prediction market consensus layers crowdsourced risk intelligence on top of quantitative models. Every participant improves the signal, creating a risk-pricing mechanism that gets smarter with scale.
  • Shift-left risk quantification means understanding your exposure before deployment, not discovering it after the breach. Quantify the risk impact of architectural decisions at design time.
  • Board-ready output that drives decisions. “Your annualised loss expectancy for ransomware is $14.2M with a 90% confidence interval” is actionable. “Your risk is amber” is not.
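
To make the FAIR-plus-Monte-Carlo principle concrete, here is an added example (written for this article, not CyQuantiFi's own engine) that turns a loss-event frequency and a 90% confidence interval for loss magnitude into a dollar-denominated annualised loss expectancy and loss percentiles. The scenario numbers (a ransomware event rate of 0.4 per year, a single-event loss between $500k and $8M at 90% confidence) are constructed for illustration; the only dependencies are the Python standard library.

```python
import math
import random
from statistics import mean

# z-score bounding a two-sided 90% interval (5th and 95th percentiles)
Z90 = 1.6448536269514722


def lognormal_from_ci(low, high):
    """Return (mu, sigma) of a lognormal whose 5th/95th percentiles are low/high.

    FAIR practitioners elicit loss magnitude as a calibrated range; this maps
    that range onto the two parameters a lognormal sampler needs.
    """
    ln_low, ln_high = math.log(low), math.log(high)
    mu = (ln_low + ln_high) / 2
    sigma = (ln_high - ln_low) / (2 * Z90)
    return mu, sigma


def sample_poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small per-year rates FAIR uses."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(rng, lef_per_year, loss_low, loss_high, iterations=20000):
    """Monte Carlo over one year: Poisson event count x lognormal loss per event."""
    mu, sigma = lognormal_from_ci(loss_low, loss_high)
    losses = []
    for _ in range(iterations):
        events = sample_poisson(rng, lef_per_year)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def analytic_ale(lef_per_year, loss_low, loss_high):
    """Closed-form ALE = LEF x E[loss magnitude], used to sanity-check the simulation."""
    mu, sigma = lognormal_from_ci(loss_low, loss_high)
    return lef_per_year * math.exp(mu + sigma ** 2 / 2)


def percentile(values, pct):
    """Linear-interpolated percentile over an unsorted list of numbers."""
    ordered = sorted(values)
    idx = (len(ordered) - 1) * pct / 100
    lo, hi = math.floor(idx), math.ceil(idx)
    return ordered[lo] + (ordered[hi] - ordered[lo]) * (idx - lo)


def summarise(annual_losses):
    """The board-facing numbers: expected loss, tail percentiles, chance of any loss."""
    return {
        "ale": mean(annual_losses),
        "p50": percentile(annual_losses, 50),
        "p90": percentile(annual_losses, 90),
        "p95": percentile(annual_losses, 95),
        "p_any_loss": sum(1 for x in annual_losses if x > 0) / len(annual_losses),
    }


if __name__ == "__main__":
    # Constructed scenario: ransomware, 0.4 loss events/year, $500k..$8M per event (90% CI)
    rng = random.Random(42)
    losses = simulate_annual_losses(rng, 0.4, 500_000, 8_000_000)
    report = summarise(losses)
    print(f"Analytic ALE: ${analytic_ale(0.4, 500_000, 8_000_000):,.0f}")
    for key, value in report.items():
        label = f"{value:.1%}" if key == "p_any_loss" else f"${value:,.0f}"
        print(f"{key:>10}: {label}")
```

The p90 and p95 lines are what the article means by "Value-at-Risk": the annual loss that is exceeded in only 10% (or 5%) of simulated years. Comparing the simulated ALE against `analytic_ale` is a cheap check that the sampler is behaving; in a production model you would also hold the elicited ranges and the seed under version control so a board figure can be reproduced later.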

This isn’t theoretical. CyQuantiFi was built by someone who operationalised quantitative risk methodology at the Australian Department of Defence — an environment where “compliance theatre” isn’t just embarrassing, it’s a matter of national security.

Five Questions to Ask Your Compliance Vendor

Whether you use Delve, a competitor, or manage compliance in-house, these questions will tell you whether your programme is grounded in reality or theatre:

  1. “Can you show me the specific evidence collected for MY organisation, not a template?” If your evidence looks identical to every other customer’s, it isn’t evidence — it’s a prop.
  2. “Who exactly is conducting the audit, and can I verify their independence?” You should be able to name the firm, verify their credentials, and confirm they have no commercial relationship with your platform vendor that compromises independence.
  3. “How does your platform monitor risk between annual audits?” If the answer is “it doesn’t,” you have a compliance certificate, not a security programme.
  4. “Can you translate my risk posture into a dollar figure my board can act on?” Boards allocate capital based on financial metrics. If your risk programme can’t speak that language, it can’t influence decisions.
  5. “What happens to my compliance status if my infrastructure changes tomorrow?” If a single configuration change can silently invalidate your compliance posture with no alert, your programme is a point-in-time illusion.

The Certificate on the Wall

The certificate on the wall matters less than whether you can defend what it claims.

Whether or not the specific Delve allegations are ultimately confirmed, the lesson is clear: compliance that isn’t grounded in continuous, quantified risk measurement is theatre. It produces comfort for the board, ammunition for the sales team, and protection for no one.

The regulatory environment is shifting toward continuous disclosure. The threat landscape doesn’t pause for annual audit cycles. And the organisations that will thrive are those that replace performative compliance with genuine, measurable, dollar-denominated risk intelligence.

If your current approach can’t tell you — right now, in financial terms — what your actual exposure is, it’s time to ask why.

Learn how CyQuantiFi replaces compliance theatre with continuous risk quantification →
