Trust | April 2026 | 7 min

The Delve scandal: why we published our integrity framework before anyone asked

Last week, an anonymous whistleblower posted that Delve, a Y Combinator-backed AI compliance startup, had been generating SOC 2 reports that were essentially identical templates. The reporting that followed alleges 493 of 494 audit reports analyzed were the same document with names swapped, that auditor conclusions were pre-written before clients submitted any evidence, and that the third-party auditors in the chain were not what they appeared to be. On April 3, Y Combinator removed Delve from its portfolio, a separation the accelerator rarely makes public.

Two days before that separation, we published The Integrity Framework v1.0. The timing was a coincidence. The pattern was not.

The pattern is older than Delve

The framework names five recurring failure modes that have destroyed compliance categories before. Trust-arbitrage failure. Theater versus substance. Conflict of interest. Black-box AI. Velocity over rigor. Each has a poster child. Andersen and Enron. Wirecard and EY. Theranos. FTX. Now Delve, allegedly.

Compliance is the easiest category in software to fake. The buyer wants the artifact, not the work behind it. The vendor wants margin, which means scale, which means automation, which means the work compresses. If nobody checks the gap between the artifact and the work, the gap grows until somebody notices, and by then the customer base has bought hundreds of stamped-but-empty attestations.

Every collapse follows the same arc. Different industry, different decade, same shape.

What we did before the news broke

We published the framework as a working document with three operational layers, an eight-layer moat model, and a six-row vendor scorecard. Free. Forkable. Versioned. Citation-stable URL. Other operators can adopt it for their own products without writing a check or asking permission.

Then we walked our own products through the scorecard publicly. ClarityLift scores 3 yes / 1 partial / 2 no. FieldLedger scores 2 yes / 4 no, pre-launch. adacompliancedocs scores 2 yes / 4 no, pre-launch. Each per-product INTEGRITY.md names the gaps and what closes them.

The gaps include the things you would expect a careful vendor to flag. No annual third-party audit yet. Refund-on-failure clause drafted but not in the MSA. AI review gate enforced as retention-zero plus advisory-only output, not as a human sign-off step. We document them publicly because pretending the framework is satisfied when it is not is the failure pattern itself.

The anti-Delve commitment

Reading the Delve coverage is clarifying. The pattern is named, the public reporting is detailed, and a buyer who reads it now has a sharper question than they had a week ago. Not "can I trust your SOC 2," but "what specifically prevents you from doing what Delve allegedly did."

The answer, in our case:

  • The framework is public and versioned. Anyone can read what we said we would do, when we said it, and check whether we are doing it. Quiet drift is the failure pattern; published commitments make drift visible.
  • The architectural constraints are CI-enforced where the codebase shape allows. Retention-zero invariants. Forbidden patterns that block silent default-to-verified bugs at build time. Adversarial tests that plant sentinel strings and assert the scrubber catches them. The build fails on regressions, not the audit.
  • The vendor scorecard applies to us. Same six rows we would ask any compliance vendor to answer. Self-grade is on the per-product INTEGRITY.md. Where we score no, the gap is named.
  • Kill criteria are public. ClarityLift service standards state the thresholds at which we sunset features or the product. Specific numbers, written in advance. The structural commitment is that we would walk away from a compromised product before damaging customer trust.
  • Annual third-party audit is on the roadmap with a date. Independent CPA or security firm. They review our methodology, sample our outputs, publish findings. Whatever they find. We pay for it.
  • Refund-on-failure clause is in the standard MSA, not an enterprise-only term. If our verification turns out wrong because of our error, we refund. The clause makes our revenue conditional on the quality of our work, not on volume.

Each of these is a structural commitment. Each one is expensive to walk back. That expense is the moat.
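The adversarial scrubber tests and build-fail-on-regression gate named in the list above, as an added Python example that is not the framework's or any of the products' own code: a naive key-based scrubber beside a value-based one, with a planted sentinel that reports exactly where the naive one leaks. The field names and the SENTINEL value are constructed for illustration.

```python
# Constructed marker; a real test would randomise it per run.
SENTINEL = "SENTINEL-7f3a9c"

def plant_sentinels(sentinel):
    """Constructed customer submission with the sentinel planted in four
    places: an obvious field, a nested one, a list item, and mid-sentence."""
    return {
        "customer": "Example Co",
        "evidence": f"api_key={sentinel}",
        "controls": {"CC6_1": {"notes": f"rotated {sentinel} on 2026-01-01"}},
        "attachments": [f"{sentinel}.pem"],
        "reviewer_comment": f"saw {sentinel} in the screenshot",
    }

def scrub_by_key(record, secret_keys=("evidence",)):
    """Naive scrubber: redacts only top-level fields with known-sensitive names."""
    return {k: ("[REDACTED]" if k in secret_keys else v) for k, v in record.items()}

def scrub_by_value(record, secret_values):
    """Scrubber that redacts every occurrence of each secret value at any depth."""
    def scrub(v):
        if isinstance(v, str):
            for s in secret_values:
                v = v.replace(s, "[REDACTED]")
            return v
        if isinstance(v, dict):
            return {k: scrub(x) for k, x in v.items()}
        if isinstance(v, list):
            return [scrub(x) for x in v]
        return v
    return scrub(record)

def leak_paths(persisted, sentinel, path="$"):
    """Return the JSON-style paths at which the sentinel survives in `persisted`."""
    if isinstance(persisted, str):
        return [path] if sentinel in persisted else []
    if isinstance(persisted, dict):
        return [p for k, v in persisted.items() for p in leak_paths(v, sentinel, f"{path}.{k}")]
    if isinstance(persisted, list):
        return [p for i, v in enumerate(persisted) for p in leak_paths(v, sentinel, f"{path}[{i}]")]
    return []

def adversarial_check(scrubber):
    """CI gate: plant, scrub, and report every path where a sentinel leaked.
    An empty list means the scrubber caught them all; anything else fails the build."""
    record = plant_sentinels(SENTINEL)
    return leak_paths(scrubber(record), SENTINEL)
```

Wiring `adversarial_check` into CI so that a non-empty result fails the job is what turns the retention-zero invariant from a policy statement into a regression test.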

Why publish before the framework is fully implemented

The temptation when shipping a trust artifact is to wait until everything is green. Wait until the audit is booked. Wait until every gap is closed. Polish, then publish.

That is the wrong move for two reasons.

First, a framework that gets published only when the operator is at 100 percent looks like a marketing claim. A framework that gets published at 60 percent with the gaps named looks like an engineering document. A buyer who can read the gaps trusts the rest more, because the absence of gaps is itself the suspicious signal in this category.

Second, publishing creates the forcing function. Once the framework is at a public URL with a version number, every gap is a deadline. Closing gaps in private is optional. Closing gaps in public is not.

We are not at 100 percent. We did not wait. Both of those statements are on the framework page right now.

What this means for buyers right now

Compliance products are about to face a credibility crunch. Every vendor in the space will be asked, in the next 90 days, the questions Delve was apparently unable to answer. Show us your methodology. Show us your refund clause. Show us your last independent audit. Show us how AI output reaches a customer-facing claim. Show us what would make you sunset this product.

The vendors who can answer concretely will keep their pipelines. The vendors who hand-wave will lose them. The framework's vendor scorecard is six yes/no rows. A score below 5 is information.

Run the scorecard against any compliance vendor you are evaluating, including us. Especially us.

How to use the framework

The Integrity Framework is live at /framework. The frozen v1.0 reference URL is /framework/v1.

Three things you can do with it:

  1. Score a vendor. Six rows, yes or no. Walk through the scorecard on a sales call. Most vendors will not have a public methodology page, a refund clause, or a recent independent audit. That itself is a procurement signal.
  2. Walk a known failure through it. The first case study is Delve mapped to all five failure modes. Score: 0/6. Sources cited. The case study is teaching material; the failure is the curriculum.
  3. Fork it for your own product. No license. No fee. The framework is a Markdown source plus three layers of operational rules. Adopt it, version it, publish it. The only request is that you keep the version-and-changelog discipline. A framework that drifts silently is the failure mode itself.

What changes in v1.1

Reading the Delve reporting against v1.0 surfaced two places the framework can be sharper. Both are candidate items for v1.1.

The first is an explicit prohibition on pre-population of attestation outputs. The current AI-output-review-gate constraint covers this implicitly. Naming it explicitly makes the CI rule easier to write and the violation easier to spot. The candidate rule ID is CRIT-SV-NO-PRE-POPULATED-ATTESTATION.

The second is third-party identity verification for sub-processor auditors. When a compliance product routes evidence through a third-party auditor, the auditor's identity and accreditation should be verified at sub-processor onboarding and re-verified annually. Trust-but-verify on the chain.

Versioning works because cases like the one we walked actually move the framework forward. We will cite this post in the v1.1 changelog.

Hold us accountable

If we drift from the framework, the gap will be visible on these pages first. Email integrity@startvest.ai with anything you spot. The address is monitored quarterly by independent counsel.

Compliance is the trust business. Treating it like a volume business is what produced Delve. Treating it like the trust business is what the framework is for.

Sources for the Delve allegations cited above: see the case study sources list. Public reporting from QUASA Media, Captain Compliance, Silicon Canals, and Inc. We are not investigating Delve. We are mapping the publicly reported pattern to the framework.
