Infographic detailing the Delve whistleblower allegation chain from Stage 1 (Sim.ai developing SimStudio open source software) to Stage 5 (verification by Sim.ai CEO that Delve had no commercial license to sell the code). The diagram shows the path from 'forking' to discovery.

The Delve Whistleblower Files: From Fake Compliance to Investor Fraud Allegations


Fake compliance SaaS due diligence just entered a new phase. When DevelopmentCorporate first covered the Delve scandal on March 22, the story was alarming — but technically contested. Delve denied fabricating audit reports. CEO Karun Kaushik called the allegations misleading. The company’s investors and Y Combinator backers stayed quiet.

That framing collapsed on March 28, 2026. A whistleblower — a Delve employee — came forward and delivered to investigative Substack DeepDelver a substantial dump of internal screenshots, videos, and recorded conversations. What those materials contain is no longer a matter of disputed interpretation.

The story has crossed a threshold. This is no longer a compliance theater scandal. It is a potential investor fraud case, with Delve’s own CEO on record acknowledging in internal documents that the platform could not deliver what the Series A pitch deck claimed — during the period in which that funding was being raised.

And as of April 1, 2026, it has gotten worse. New reporting from TechCrunch reveals that Delve allegedly sold a no-code tool built on an unlicensed fork of a competitor’s open source product — to a prospect who turned out to be the very whistleblower now bringing the company down. The irony of a compliance platform allegedly violating a software license is difficult to overstate.

The contrarian read: Every M&A buyer, PE investor, and enterprise CTO who accepted Delve-generated compliance certifications at face value now has a third-order problem. The first order was fake compliance. The second was potential investor fraud. The third — now confirmed by a named founder — is undisclosed IP provenance on a product Delve sold as proprietary. That exposure does not stay contained to Delve.

What the Whistleblower Delivered

The whistleblower reached out after the original DeepDelver investigation published. According to the March 28 Part II post, they provided “a huge amount of data, screenshots and videos” covering internal operations, employee communications, and recorded executive conversations.

DeepDelver committed to releasing findings daily over five days rather than holding the material for a single long-form article. Day 1 alone contained four categories of evidence that individually are significant — and collectively transform the legal character of the allegations.

Karun Kaushik responded to the original investigation on March 27 with an X/Twitter statement viewed 489,000 times, denying the core allegations. Y Combinator publicly supported the LinkedIn version of that statement. Within 24 hours, the whistleblower data had arrived.

The Accorp Exchange: Evidence That the CEO Knew

The most legally significant content in the Day 1 whistleblower release is a recorded conversation between CEO Karun Kaushik and an employee named Ross. In it, Karun asks directly:

“Does Accorp actually look at our platform at all?” [smiles] — Karun Kaushik, CEO of Delve

Ross responds with a laugh. The exchange then turns to liability:

“By the way, they take all the liability. So it’s not like I’m complaining. It’s more like a risk mitigation.” — Karun Kaushik

This exchange is not ambiguous. It shows the CEO of a compliance platform explicitly questioning whether its audit partner reviewed any evidence — and then expressing comfort with that arrangement because the liability would attach to the auditor, not Delve. This is the core of how compliance theater scales. As we documented in our analysis of AI-washing across the SaaS landscape, the market rewards AI claims over operational substance. Here, the incentive misalignment went one step further: the compliance vendor designed its auditor relationship specifically to push liability downstream while maintaining the appearance of independent verification.

Accorp has since publicly denied any affiliation with Delve. That denial raises its own question: if the relationship was as described in the recording, who is telling the truth?

Project Audit Automation: Contradicting the Core Defense

Delve’s official response to the original DeepDelver investigation characterized the company as an “automation platform” that provides templates to auditors — not an entity that generates reports. The whistleblower data directly contradicts this.

Internal screenshots show a channel called “Project Audit Automation” with active participation from Ross Corey, Yuri Genyk, Agnes Shan, and Jayu Patel. A separate screenshot shows an internal tool described as “Selin’s Report Generator” — named after co-founder Selin Kocalar.

A separate internal message notes that “v0 of Delve AI was live” as of August 9, 2025. The timing matters: this was described internally as being built after the Series A raise.

The legal implication is direct. Delve’s public defense rested entirely on the claim that it was a template provider, not a report generator. These screenshots show an internal project named specifically for automating audit report generation — with cross-functional employee participation and a named tool for doing so. The question for Insight Partners and Y Combinator is the same question their lawyers are asking: what did the company know, when did they know it, and what did they represent in the Series A materials?

The Pitch Deck vs. the Internal Admission: A Securities Fraud Question

The most damning element of the Day 1 whistleblower release is not the Accorp recording. It is a Notion post written by Karun Kaushik in November 2025 — during or after the Series A fundraising period — that directly contradicts the platform capabilities pitched to investors.

In that internal post, Kaushik wrote:

“As of now, Delve’s control system is not built for rapidly onboarding frameworks in a stable manner. It was built off of the initial SOC 2 control system, and then amended and modified for HIPAA, ISO 27001, and GDPR. Since January 15th, no new frameworks have been released in the platform.” — Karun Kaushik, internal Notion post (November 2025)

The Series A pitch deck, also released in the whistleblower data, shows Delve claiming multi-framework AI-native compliance capabilities as a core investment thesis. The Notion post was written during — or after — the period in which that capital was committed. The pattern is one we’ve tracked systematically. As we documented in our AI funding bifurcation analysis, AI-native startups at the Series A tier were commanding 25–30x EV/Revenue multiples based on claims of genuine automation capability. Our AI valuation gap analysis shows that 83% of buyers paid higher multiples for AI-native positioning. Delve captured that premium by claiming capabilities that its own CEO documented internally were not implemented.

This is the point at which the Delve story crosses from compliance fraud into potential securities fraud territory. A material misrepresentation in investor materials — claiming product capabilities that internal documents show were not yet built — is the foundational element of a 10b-5 securities claim.

The Pathways Gambit: Open Source IP Appropriation at a Compliance Company

The April 1, 2026 TechCrunch report by Julie Bort adds a dimension the original investigation did not reach: product IP provenance. Specifically, it raises the question of whether Delve built — or simply forked — a core product it sold to prospects as its own.

The story begins with the whistleblower’s own origin. DeepDelver was not a disgruntled former employee who stumbled onto wrongdoing. DeepDelver was a Delve sales prospect. During a sales pitch, Delve demonstrated a no-code agent-building tool it called “Pathways.” The prospect recognized it immediately.

Pathways bore a strong resemblance to Sim.ai’s open source agent-building product, SimStudio. The prospect asked Delve directly whether Pathways was based on SimStudio. Delve’s team said they built it themselves.

That answer appears to have been incorrect.

DeepDelver subsequently presented evidence that Pathways was a fork of SimStudio — a modified copy, changed just enough to be sold as Delve’s own — without proper attribution under the Apache 2.0 license. The Apache license is permissive: it allows free commercial use and modification. But it requires attribution. Claiming the tool was built in-house is not attribution.

The Sim.ai CEO Confirms: No License Agreement Existed

Emir Karabeg, founder and CEO of Sim.ai, confirmed to TechCrunch that his company had no license agreement with Delve whatsoever. His statement was unambiguous: “We knew they planned to use Sim for something and later tried unsuccessfully to sell them an agreement.” The implication is significant. Delve was aware of Sim.ai’s product, considered a licensing arrangement, failed to reach one, and then built on the code anyway.

Adding to the awkwardness is the relationship structure. Sim.ai was a Delve customer. Both companies were Y Combinator alumni — a network where cross-portfolio purchasing is standard practice. Sim.ai paid Delve for its compliance product. Delve did not pay Sim.ai for its agent-building technology.

Karabeg told TechCrunch he had been consoling Delve’s founders after the first whistleblower post went public. That changed when he learned of the Pathways allegation. Since then, he said, he and the Delve team have not been in contact.

Why IP Provenance Is an M&A Due Diligence Issue — Not Just a PR Problem

It is worth calibrating the legal characterization carefully. DeepDelver described this as “stealing intellectual property” — which is a stretch under the technical definition. Open source software under Apache 2.0 is designed to be used, forked, and modified. The violation, if proven, is not theft. It is license non-compliance: using the code without attribution and affirmatively misrepresenting the origin. That distinction matters, but it does not eliminate the exposure.

For any M&A buyer or investor conducting due diligence on a SaaS company, undisclosed open source dependencies are a standard red flag. As we documented in our analysis of AI startups claiming proprietary IP, the market has repeatedly rewarded the appearance of proprietary technology over the reality of API wrappers and forked open source code. Delve’s Pathways allegation sits in that same pattern.

The specific liability vectors are:

  • Attribution violation: Apache 2.0 requires that original copyright notices be preserved and that modifications be documented. If Pathways stripped those notices, that’s a license breach.
  • Misrepresentation to prospects: Telling a sales prospect that a forked open source tool was built in-house is a factual misrepresentation in a commercial context. If that prospect signed a contract based on that representation, it creates breach exposure.
  • IP chain of title in M&A: Any acquirer of Delve — or of a company that licensed or embedded Pathways — inherits this exposure. Open source license compliance is a standard diligence checkbox. An undisclosed fork with no attribution agreement fails that check by definition.
  • Series A investor disclosure: If Pathways was presented to Insight Partners as a proprietary no-code product during the $32 million fundraise, and it was actually a forked open source tool under license negotiation that collapsed, that omission may constitute a material misrepresentation in investor materials.

The compounding irony: Delve sells compliance. Its value proposition to customers is that it helps them demonstrate adherence to frameworks, policies, and licensing obligations. The allegation that it sold a compliance product built on an unlicensed software fork — to a prospect it told the product was proprietary — is not a coincidence. It is a pattern.

The Auditor-Switching Gambit

Since the original allegations surfaced, Delve has communicated to clients that it is switching SOC 2 audits to a firm called Ezzy & Associates. Clients are being told they will not need to restart their SOC 2 Type 2 observation periods when switching from Accorp.

That assurance is deeply irregular. A SOC 2 Type 2 audit covers a specific observation period. Changing auditors mid-period — particularly when the original auditor has publicly disavowed any relationship with the platform — typically requires restarting the observation period with the new auditor. Telling clients they do not need to restart suggests either that Ezzy is agreeing to accept the existing evidence record, or that Delve is making a representation to clients it cannot deliver.

Ironically, the founder of Ezzy & Associates holds a Certified Fraud Examiner (CFE) designation. Whether Ezzy is being used as a legitimate clean-slate solution or as a liability-laundering mechanism is, at this point, an open question. Delve is also continuing its ISO 27001 work with Glocert — the same firm mentioned in the original DeepDelver investigation — despite the public attention those relationships have received.

Y Combinator’s Position — and What Insight Partners’ Silence Signals

When Kaushik posted his denial on LinkedIn on March 27, Y Combinator publicly expressed support. That support now sits alongside whistleblower video of Kaushik laughing about whether his audit partner reviewed any evidence, an internal Notion post acknowledging the platform’s core capabilities were not built, and a named founder confirming Delve had no license agreement for technology it was selling as its own.

The Insight Partners exposure has become more concrete. TechCrunch confirmed that Insight’s blog post about its $32 million investment in Delve was, for a period, unavailable on the firm’s website. Its LinkedIn post about the investment has not been restored. Delve has scrubbed mentions of Pathways from its site, along with numerous other pages. The company’s media inquiry email address no longer functions.

Digital erasure is a predictable response to legal exposure — but it is not a defense. The Wayback Machine preserves archived versions of scrubbed pages. The TechCrunch reporting is timestamped. Karabeg’s statements are on the record. Delve’s communications to clients about the auditor switch are presumably documented in email.

The broader market implication is one we flagged in our analysis of the AI bubble’s structural vulnerabilities: when institutional capital endorses companies built on narrative rather than operational substance, the credibility cost of that endorsement is paid when the narrative collapses. For YC, Delve is becoming a test case. For Insight Partners, it is now an active reputational and legal management exercise.

The Pathways allegations have generated significant public attention. TechCrunch reported that the story trended on X, complete with a community note on the relevant post. Whether that level of public visibility accelerates regulatory attention — from the SEC, the FTC, or AICPA ethics bodies — remains to be seen.

What This Means for M&A Due Diligence: A Five-Pillar Framework

Our original article established a three-pillar GRC compliance verification framework. The whistleblower data added a fourth pillar: executive representation risk. The Pathways allegation adds a fifth: software IP provenance.

The Original Three Pillars (Unchanged)

  • Auditor independence verification: Must include inquiry into auditor-switching history. If a target switched audit firms after the original investigation, require an explanation and a new Type 2 observation period with the current auditor.
  • Evidence authenticity review: The boilerplate language flags from Part I remain valid. The whistleblower data adds a new marker: ask whether the compliance platform used internal tooling branded as “report generation.” If yes, the independence claim fails.
  • Regulatory liability assessment: HIPAA criminal exposure, GDPR fines at 4% of global revenue, and trust page misrepresentation remain the three quantifiable liabilities.

Pillar Four: Executive Representation Risk

Any acquisition target that used Delve and is currently in a fundraising or M&A process has a new category of liability: the representations made to prior investors may now be subject to challenge. Buyers must ask: did the target represent to its own investors or customers that it held valid compliance certifications? If those certifications were produced by a platform whose CEO is on record questioning whether the audit partner reviewed any evidence, those representations carry breach exposure.

This connects directly to the reps-and-warranties dynamics we analyzed in our SaaS M&A buyers’ perspective analysis. When sellers and buyers disagree about the durability of a business model, the disagreement surfaces in the multiple, the earnout structure, and the reps and warranties. Compliance fraud exposure surfaces in exactly the same place — but with criminal liability attached.

Pillar Five: Software IP Provenance

The Pathways allegation introduces a fifth pillar that applies beyond the Delve situation specifically: any SaaS target that claims proprietary tooling must be able to demonstrate clean IP chain of title for that tooling. The Pathways case illustrates the failure mode — a product marketed as proprietary, built on an open source fork, with no license agreement and active denial of the underlying codebase’s origin.

In M&A diligence, this surfaces in the IP schedule and in open source license compliance reviews. Standard practice includes running the target’s codebase through an open source scanning tool. But the Pathways situation suggests a gap: if the tool was sold to clients rather than embedded in infrastructure, it may not appear in a standard code scan of the acquiree’s own repo. The question must be asked explicitly: did you sell, license, or embed any third-party software for which you did not hold a written license?
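
One way to make that explicit question checkable is to compare the tree of the product as shipped to customers against the suspected upstream project and list where Apache 2.0 attribution was lost. The Python sketch below is an added example, not code from Delve, Sim.ai, or any scanning tool; the file names, sample trees, similarity threshold, and the "Modified by" wording it looks for are all assumptions.

```python
import difflib
import re

# Lines that carry attribution (Apache-2.0 section 4(c)).
NOTICE_RE = re.compile(r"copyright|licensed under the apache license", re.I)
# Heuristic for a section 4(b) change notice; real wording varies.
CHANGED_RE = re.compile(r"\b(modified|changes made) by\b", re.I)

def split_notices(text):
    """Return (set of attribution lines, list of remaining body lines)."""
    notices, body = set(), []
    for line in (l.strip() for l in text.splitlines()):
        if NOTICE_RE.search(line):
            notices.add(line)
        elif line and not CHANGED_RE.search(line):
            body.append(line)
    return notices, body

def best_upstream_match(body, upstream):
    """Most similar upstream file by body, so renamed files are still found."""
    best = (None, 0.0)
    for path, text in upstream.items():
        ratio = difflib.SequenceMatcher(None, split_notices(text)[1], body).ratio()
        if ratio > best[1]:
            best = (path, ratio)
    return best

def audit_fork(upstream, shipped, threshold=0.6):
    """List attribution gaps in a shipped tree relative to a suspected upstream."""
    findings = []
    for name in ("LICENSE", "NOTICE"):  # sections 4(a) and 4(d)
        if name in upstream and name not in shipped:
            findings.append((name, f"missing {name} copy"))
    for path, text in sorted(shipped.items()):
        notices, body = split_notices(text)
        src, ratio = best_upstream_match(body, upstream)
        if path in ("LICENSE", "NOTICE") or src is None or ratio < threshold:
            continue  # not a source file, or no evidence it derives from upstream
        if split_notices(upstream[src])[0] - notices:
            findings.append((path, f"derived from {src}, notices stripped"))
        if ratio < 1.0 and not CHANGED_RE.search(text):
            findings.append((path, f"derived from {src}, no change notice"))
    return findings

# Constructed sample trees (path -> file text); all names are hypothetical.
HEADER = "# Copyright 2025 Example Upstream, Inc.\n# Licensed under the Apache License, Version 2.0\n"
UPSTREAM = {
    "LICENSE": "Apache License\nVersion 2.0, January 2004\n",
    "NOTICE": "ExampleStudio\nCopyright 2025 Example Upstream, Inc.\n",
    "src/executor.py": HEADER + "def run(graph):\n    for node in graph:\n        node.execute()\n    return True\n",
    "src/blocks.py": HEADER + "def load_block(name):\n    spec = REGISTRY[name]\n    return spec.build()\n",
}
SHIPPED = {
    # Renamed, lightly edited, header removed: the failure mode described above.
    "engine/runner.py": "def run(graph):\n    for node in graph:\n        node.execute()\n    log('done')\n    return True\n",
    # Edited but compliant: notices kept and the change is stated.
    "engine/blocks.py": HEADER + "# Modified by Example Vendor, 2026: added caching\n"
                        "def load_block(name):\n    spec = REGISTRY[name]\n    cache(spec)\n    return spec.build()\n",
    # Original vendor code with no upstream counterpart.
    "engine/billing.py": "def invoice(customer):\n    return customer.plan.price\n",
}

if __name__ == "__main__":
    for path, problem in audit_fork(UPSTREAM, SHIPPED):
        print(f"{path}: {problem}")
```

Because files are matched by content similarity rather than by path, a renamed file with its header removed is still attributed to its upstream source, while vendor-original code produces no finding.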

For founders preparing for exit, the M&A due diligence checklist framework we maintain at DevelopmentCorporate now includes this question as a standard item in the IP section. Proactive disclosure is dramatically less expensive than discovery post-LOI.

Audience-Specific Implications Matrix (Updated)

| Audience | Immediate Risk | Required Action |
| --- | --- | --- |
| PE/VC Investors | Portfolio companies using Delve may hold legally invalid compliance certs. Any portfolio company that represented Delve certs to its own investors now carries potential rep breach exposure. New: IP hygiene risk if Pathways was embedded in any portfolio company’s tech stack assessment. | Immediate portfolio audit for Delve usage. Engage independent CPA for gap assessment. Evaluate whether representations to LPs or enterprise customers must be corrected. Add IP chain-of-title check to standard SaaS diligence. |
| SaaS Founders (Exit Planning) | A Delve-generated SOC 2 in your data room will be flagged in diligence. This is now a binary question, not a risk-adjustment question. If Pathways was licensed or sold to you as proprietary, the IP chain of title for that tool is also in question. | If you used Delve, unpublish your trust page now and engage an independent Big 4-adjacent auditor. If you integrated or resold Pathways, obtain IP provenance documentation immediately. Proactive disclosure before LOI is far cheaper than discovery during diligence. |
| Enterprise CTOs / CISOs | Vendors onboarded based on Delve-certified trust pages may have implemented zero of the listed controls. New: any vendor that embedded Pathways/SimStudio in their product stack may have undisclosed open source license obligations that create downstream liability for your organization. | Add three questions to your VSQ: (1) “What compliance platform did you use?” (2) “Can you provide your auditor’s AICPA peer review number?” (3) “Were any third-party open source tools embedded in your product under a license agreement?” Require re-certification from any vendor that used Delve. |

The Bottom Line

Twelve days ago, the Delve story was a compliance theater scandal. A startup faked audit reports. Its auditor partners rubber-stamped the results. Hundreds of companies may be operating under invalid certifications.

Ten days ago, the story became a potential investor fraud case. A whistleblower provided internal recordings of the CEO laughing about whether the audit partner reviewed any evidence. A Notion post in Kaushik’s own voice documented that the platform’s core AI capabilities — the ones pitched to Insight Partners — were not built during the fundraising period.

Today, the story has added a third dimension. A named founder — Emir Karabeg of Sim.ai — confirmed to TechCrunch that his company had no license agreement with Delve for the technology Delve was selling as its own proprietary product. Insight Partners has scrubbed its investment post. Delve’s media email is dead. The Pathways pages are gone from the site. And the story is trending on X with a community note.

The auditor-switching play — moving to Ezzy & Associates while telling clients they do not need to restart observation periods — either represents a legitimate remediation path or a compliance liability laundering mechanism. The Pathways erasure follows the same pattern.

For M&A practitioners, the action item is the same as we stated in our M&A due diligence checklist update — but with greater urgency and a new fifth pillar. Treat any Delve-generated compliance certification as having no evidentiary value until independently re-verified. Treat any acquisition target that used Delve as carrying a potential prior-representation liability. And ask explicitly whether the target sold or embedded any third-party open source software without a written license agreement.

The cost of that verification is measurable. The cost of discovering it post-close — with HIPAA criminal exposure, GDPR fines, securities misrepresentation claims, and open source IP chain-of-title questions layered on top — is not.

Is your portfolio company or acquisition target using an AI-native compliance platform? DevelopmentCorporate provides compliance provenance audits — including software IP hygiene checks — as part of enterprise SaaS M&A due diligence engagements. Contact us at DevelopmentCorporate.com.
