Delve under scrutiny after another security incident

Misryoum reports that compliance startup Delve was linked to Context AI’s security certifications as Vercel disclosed a separate breach, renewing questions about audit reliability.
Delve, a compliance startup already facing serious accusations, is now tied to another high-profile security incident—this time through its work with an AI customer.
Delve was the security certification provider for Context AI, Misryoum understands, after Vercel revealed last weekend that hackers breached internal systems and accessed some customer data. Vercel said the attack path began when an employee downloaded a Context AI-linked app and connected it to Vercel’s Google-hosted corporate account. The attackers then used that employee’s access to reach internal systems.
Context AI has since confirmed it previously used Delve for compliance and security certification work, but says it has moved on. Misryoum reports that Context AI transitioned its compliance program to another provider, Vanta, and engaged an independent audit firm, Insight Assurance, to conduct new examinations. As part of the re-examination, it is updating public materials and plans to share a new attestation once the process is complete.
The immediate takeaway for businesses is uncomfortable but straightforward: security certifications are not “security.” They are a snapshot of policies, processes, and controls—meant to demonstrate that a company has mechanisms in place to reduce the likelihood of incidents and improve response. In practice, the biggest breaches often originate in human actions, software supply chains, integrations, configuration settings, or identity access—areas no audit can perfectly eliminate.
That matters because Delve’s position in the market is built on trust. According to the broader reporting record, Delve previously drew fire from an anonymous whistleblower alleging it was “rubber-stamping” customer security claims and improperly presenting audit outcomes. Delve has denied those allegations. The company’s credibility then took another hit after a security certification customer—LiteLLM—said it was removing Delve following a breach in which malware was planted in open source code.
There is also a wider compliance ecosystem risk here. When organizations rely on third-party certifications as a proxy for safety, they can unintentionally lower their own guardrails. Procurement teams may treat certifications as a pass/fail signal rather than a starting point for ongoing diligence. Security leaders, meanwhile, still have to ensure that integrations, access permissions, third-party tooling, and incident response workflows are continuously monitored.
Lovable’s experience underscores that this is not a rare pattern. Misryoum notes that Lovable said it had already ditched Delve after the earlier controversy, redoing portions of its certification process while separately admitting it had inadvertently shared customer chat data publicly. Lovable also said it had dismissed vulnerability reports months earlier and later attributed the initial exposure to a configuration error rather than an external hack—while also acknowledging it initially denied a breach.
For companies choosing compliance providers now, the question becomes: what is actually being verified, and how frequently? Certifications can be backward-looking, and they may not track rapid changes in codebases, new deployments, updated access controls, shifting cloud configurations, or evolving threat models. That leaves room for gaps between “certified at time X” and “operating safely at time Y.” Delve’s renewed scrutiny makes that gap harder to ignore.
Delve’s own challenges appear to be widening. An anonymous whistleblower, “DeepDelver,” has published additional allegations claiming Delve mishandled refunds and continued normal business operations—including an offsite trip described as taking place in Hawaii between April 15 and April 19. Misryoum cannot independently confirm all claims, but Delve’s refusal to respond to requests for comment has only added to the uncertainty surrounding the company.
In the short term, Misryoum expects more re-certifications and switching among startups that used Delve, particularly those operating in AI-heavy environments where integrations and identity access are common attack surfaces. In the longer term, the industry may face pressure to move away from certifications as a blanket assurance and toward continuous control validation—where evidence is updated more frequently and where customers demonstrate ongoing security governance rather than periodic compliance paperwork.
For customers and partners of compliance providers, the lesson is clear: treat attestations as useful signals, not guarantees. The real work begins after the certificate—through tight access management, monitoring, secure integration practices, and a willingness to re-check assumptions when the threat landscape and business operations evolve.