The Compliance Speed Trap

March 25, 2026 · Ben Visser · 5 min read

I wrote something a few weeks ago that I haven't been able to shake. When the whole architecture of compliance is optimised for producing evidence rather than producing security, it was probably inevitable that someone would work out you can just produce the evidence. Pre-filled report, customer name at the top, auditor's signature at the bottom.

That was a thought experiment. Then it happened.

The Fastest Platform Wins

The compliance automation market has been running a single race for three years: who can get you certified fastest. Days, not months. Every pitch deck, every Series A announcement optimised for the same metric: speed to certificate.

You can see why. For most SMEs, compliance is a gate. A client asks for your SOC 2 before they'll sign. A tender requires ISO 27001. The certificate unlocks revenue, and every day without it is a day you're losing deals. So when someone offers to get you through in a fraction of the time, you don't ask too many questions about how.

This is the market dynamic that created what we saw this month with Delve, a YC-backed compliance startup valued at $300 million. An anonymous investigation alleged that the platform achieved its speed by generating audit evidence rather than helping organisations earn it. Pre-filled templates reused across hundreds of clients. Auditor conclusions written before any auditor reviewed the evidence. Trust pages listing controls that were never implemented. The company denies the allegations, but its lead investor has scrubbed its investment thesis from the web, and demos have been suspended.

The allegations are serious, the investigation is ongoing, and I don't know what's true and what isn't. But the structural problem underneath is something I've been writing about for months, and it matters whether or not any single company turns out to be guilty of anything.

When speed is the value proposition, the pressure to generate evidence rather than support genuine security becomes architectural. It's not a moral failing. It's an incentive structure. The market rewards fast certification. Customers want the certificate yesterday. Every participant in the system has a reason to move quickly and very few have a reason to ask whether the work underneath is real.

Automating Work vs. Automating Evidence

There's a useful distinction here that the industry has been sloppy about. Automating compliance work and automating compliance evidence sound similar. They're not.

Automating compliance work means handling the parts that don't require human judgement. Gathering information about your regulatory environment. Mapping controls against a framework. Surfacing the questions you need to answer. Collecting evidence from systems where activity is already logged. This removes friction from the process of actually understanding your security posture.

Automating compliance evidence means producing the outputs that auditors expect to see, regardless of whether the underlying work happened. Templates pre-populated with conclusions. Policy documents assembled from boilerplate nobody in the organisation has read, let alone shaped. Faster, obviously. Also hollow.

The Delve allegations describe what the second path looks like at scale. But you don't need fraud to see the damage. Even done in good faith, speed-first compliance produces organisations that are certified but not capable. And the customers bear the cost. Organisations that believed they were HIPAA-compliant when they weren't. Companies whose trust pages listed controls that didn't exist. Business decisions, contracts, and risk accepted based on a certification that may not have reflected reality.

That's not just a compliance failure. It's a trust failure that damages the credibility of every company in this space, including ours.

What We're Building Instead

This is where I want to be direct about what we're doing at Askara, because the structural choices matter and I'd rather explain them than hope people notice.

We didn't set out to be the fastest compliance platform. We set out to build one where the compliance is real.

Evidence is a byproduct, not a product. Our system doesn't generate evidence for you. It helps you do the actual work of security, and the evidence emerges from that work naturally. When your team reports an incident in Slack and the agent helps classify and resolve it, the audit trail creates itself. When you work through your risk assessment with the system asking questions and surfacing research, the documented risk register is the output of your thinking, not a template with your name on it.

This is slower than filling in a template. It's supposed to be.

Human judgement stays with the human. Our AI does the research. It gathers context about your industry, your regulatory environment, your threat landscape. But then it comes back with questions, not conclusions. "Here's a potential risk. Does this apply to your situation? Why or why not?" The human has to engage. The human has to own the decision.

This means our customers can explain their risks in their own words, because they thought through them. When an auditor asks "why did you choose this control?" someone in the organisation can answer. That's the test we keep coming back to: if you can explain it without looking anything up, you've built a foundation. If you can't, you've built documentation.

We're not pretending this is easy. It asks more of the people going through it. But here's what nobody tells you about doing compliance this way: it's actually engaging. When you're working through your own risks, making real decisions about your own organisation, you feel it. There's an adrenaline to strategising about your actual security posture that no pre-filled template will ever produce. You're not clicking through a process. You're thinking. And thinking, it turns out, is a lot more fun than ticking boxes.

When you come out the other side, you have something real. Policies shaped by your context. A team that understands what they're protecting and why. Compliance that gets used, not performed.

The question every buyer should be asking their compliance platform right now isn't "how fast can you get me certified?" It's "what will I actually understand when this is done?"

The answer tells you everything.
