What is vibe compliance?

TL;DR
  • Vibe compliance is compliance that looks done on paper but was never tested.
  • Auto-generated policies, one-click adoption, a green dashboard, and no actual assessment underneath.
  • It passes a quick procurement skim and falls apart on the second look. Two different companies should never have the same system description.
  • A generated document just asserts. A real SOC 2 is a CPA who tested the controls and reached a conclusion.

Where the term came from

"Vibe compliance" is a riff on "vibe coding," which means shipping software you described to an AI without ever reading what it wrote. The compliance version of that started showing up in conversation around March 2026, when an anonymous group published a leaked spreadsheet from the compliance startup Delve. Researchers indexed 533 reports across 455 companies and found them 99.8% identical: the same boilerplate, the same grammatical errors, the same fabricated test values, with only the company name and logo swapped. One auditor's license number appeared in 487 of 494 reports. Every report logged "No exceptions noted" 220-plus times. The conclusions reportedly existed in draft before any client had submitted evidence.

Delve has denied the allegations, which remain contested and unproven in court. But the leak put a name to something I had watched build for years: a report that looks like a SOC 2 and was never an audit.

What it looks like in practice

Vibe compliance has a recognizable shape. A platform generates a stack of policies (information security, access control, incident response) from a template. The founder clicks "adopt." A dashboard turns green. None of it has been tested against how the company actually runs.

The tell is that the document describes a company that doesn't exist. In five years of fieldwork I read a lot of policies that said access reviews happen quarterly while the access logs showed they had never happened at all. That gap is the whole story. The policy is the *vibe*. The evidence of the control actually operating is the *audit*. Vibe compliance ships the first and skips the second.

A few patterns I would flag:

  • Template policies nobody implemented. A 40-page security policy adopted in one click, describing controls the team has never actually run.
  • A dashboard that is green because it was generated, not because it was tested. The tool created the control, marked it present, and called it compliant. Nobody collected the evidence that it operated. In plain terms: a green checkmark on a dashboard tells you a box was checked, not that anyone verified the work behind it.
  • A report with zero exceptions. A clean year across dozens of controls, with no deviation ever noted. An exception is just a recorded instance where a control did not work as intended, and over a full year across many controls, finding none usually does not mean everything was perfect. It more often means nobody looked closely.

Why it passes a first glance and fails real scrutiny

Vibe compliance survives the procurement skim. A buyer's analyst opens the PDF, sees an auditor's logo, confirms the security standards the report is graded against are listed, and files it. The format is right. That is all a quick first glance checks.

It fails the second look fast. SOC 2 reports are not meant to be generic. Section 3, the system description, is supposed to describe *this* company: its architecture, its infrastructure, its team, its real processes. Two companies in different industries with different technology stacks should never have the same Section 3. When they do, either the company pasted in a template the auditor didn't catch, or the auditor reused the same text across engagements. Either way, the audit did not happen the way it is supposed to.

You can check the auditor too, and the most reliable way is to verify the named individual CPA. A SOC 2 report is signed and issued in a licensed CPA firm's name, with a specific CPA leading the engagement and standing behind the work. You can confirm that person holds an active license through CPAverify, the public license-lookup service, and it is fair to ask about their real audit experience. Enrollment in the AICPA Peer Review Program is a nice extra signal for an established firm, though a brand-new firm won't have a peer review yet, so its absence is not by itself a problem. What is a real flag is a US-branded report signed by an offshore certification mill operating out of a shell address, which is part of what the Delve leak is alleged to have exposed.

A generated document is not an opinion

Here is the distinction the scandal made hard to ignore. A SOC 2 report is a CPA's formal *opinion*, governed by AICPA attestation standards (AT-C 205). Attestation here just means the audit and the CPA's written opinion that comes out of it. The standard is explicit that inquiry, which is simply asking people how things work, is never enough on its own. Every control needs that inquiry plus corroboration: actually inspecting something, observing it happen, or re-performing it yourself. The auditor has to independently form a conclusion about whether the controls operated, and is barred from designing or running those controls themselves. That independence wall is regulatory law, not a product choice, and it is exactly why a compliance platform cannot sign off on its own audit.

A generated document skips all of that. It asserts; it does not conclude. There is no independent party who tested anything and put their license behind the answer.

> The market reality: a quality SOC 2 is not free, and the cheap end is where vibe compliance tends to hide.

Industry pricing tells the story. A Type II audit from a specialist firm typically runs $15K to $70K, with small-company audit fees often $12K to $20K, while Big Four quotes can reach $430K. When a vendor's only selling points are speed and price, something usually gives. And what gives is the testing.

That is the line I would give any founder evaluating a report, whether it is theirs or a vendor's: a clean PDF is not assurance. The assurance is in what was tested, what was found, and who put their name behind the answer.

Frequently asked questions

What is vibe compliance?
Vibe compliance is compliance that looks finished on paper but was never tested. It is auto-generated policies, one-click control adoption, and a green dashboard with no real assessment underneath. The document looks like a SOC 2 report, but no auditor independently verified that the controls actually operated.
Is automated compliance the same as vibe compliance?
No. Automation that speeds up real evidence collection and testing is fine, and it is widely used. Vibe compliance is when the automation replaces the assessment entirely: generating policies and marking controls present without anyone testing them. The difference is whether a CPA independently tested the evidence and signed an opinion, or a tool just produced a document.
What was the Delve scandal?
In March 2026, an anonymous group published a leaked spreadsheet from Delve, a Y Combinator-backed compliance startup that had raised $32M. Researchers found roughly 494 SOC 2 reports that were about 99.8% identical, with conclusions reportedly written before clients submitted any evidence. Delve has denied the allegations, which remain contested and unproven, though Y Combinator removed the company from its directory.
Can you fake a SOC 2 report?
You can produce a document that looks like one, which is essentially what the Delve leak is alleged to have exposed. But a genuine SOC 2 is a licensed CPA's tested opinion under AICPA standards, and the field is largely self-policed, so verification matters. Confirm the individual CPA leading the engagement holds an active license (you can check this on CPAverify), ask about their real audit experience, and read whether Section 3 actually describes that specific company.
How is a real SOC 2 different from vibe compliance?
A real SOC 2 is evidence-based and independently tested. Under AT-C 205, inquiry alone, meaning just asking how things work, is never enough. Every control needs corroboration through inspection, observation, or re-performance, and the auditor must reach an independent conclusion. A real report names the actual exceptions, the specific instances where a control did not work. Vibe compliance has none of that: it is a generated document with no independent testing and, suspiciously, never a single exception.

Keep reading

Sources
  1. Under AICPA attestation standards (AT-C 205), inquiry alone is never sufficient; the practitioner must inspect, observe, or reperform and test the controls.
  2. Journal of Accountancy: promises of 'fast and easy' threaten SOC credibility.
  3. SOC 2 is an examination performed by a CPA under the AICPA's SOC for Service Organizations framework, producing the CPA's report, not a certification.