SOC 2 is the AICPA’s attestation framework for SaaS companies — the most common security certification requested by enterprise procurement teams. This page tracks the latest SOC 2 news and compliance updates each month: framework changes, audit industry news, notable breaches, tool developments, and regulatory shifts. Updated monthly.
SOC 2 Compliance News Today — May 2026
AICPA Directs Peer Reviewers to Flag Identical SOC 2 Reports
On May 14, the AICPA Peer Review Board issued guidance directing reviewers to compare audits across the same firm — identical risk assessments, sample sizes, and testing procedures across multiple clients will be flagged as "nonconforming." A structured monitoring program launches June 1. This is the AICPA’s direct institutional response to the Delve scandal. For startups choosing an auditor: your CPA firm’s own quality processes are now under formal regulatory scrutiny.
Vanta Hits $300M ARR, Credits “Shadow AI” as Growth Driver
Vanta announced $300M ARR on April 29 — triple in two years — with 16,000+ customers and NRR above 100% for eight straight quarters. The company’s own data shows 70% of businesses now have “shadow AI” (tools employees adopted without security review), which is driving new urgency around compliance program scope. If your team is shipping AI features or adopting AI tools without updating your SOC 2 scope, you’re in the majority — but you’re taking on risk.
Delve Scandal: Legal Concerns Emerge Over SEC Filings
Legal analysts flagged that at least one public company cited Delve audit reports in SEC filings, and large technology companies accepted these documents during vendor security reviews — raising potential securities disclosure concerns. No enforcement actions had been filed as of late May. If you accepted a Delve SOC 2 report from a vendor in 2024 or 2025, it’s worth revisiting your vendor risk documentation.
SOC 2 News — April 2026
Delve Expelled from Y Combinator After Fake SOC 2 Audit Allegations
On April 3, Y Combinator removed Delve from its companies directory and asked founders Karun Kaushik and Selin Kocalar to leave the program, citing a breakdown of trust. Delve had raised $32M at a $300M valuation, marketing SOC 2 attestations produced in days using “agentic AI.” Any compliance vendor promising SOC 2 in hours or days should prompt serious questions about what a CPA firm is actually verifying — and how.
IANS Research: Delve Exposes a Systemic Compliance Industry Problem
IANS Research (April 19) argued the Delve scandal isn’t a one-off — it signals a broader industry pattern of compliance tools optimizing for speed over substance. The piece introduced “certification mills” — often overseas CPA operations rubber-stamping AI-generated reports at scale. On the buy side, enterprises are starting to ask not just “does this vendor have a SOC 2?” but “which firm signed it, and is that firm credible?”
Thoropass: 69% of Companies Say AI Adoption Is Outpacing Security Controls
Thoropass released its 2026 State of Audit and Compliance Report (500+ security and compliance professionals). 69% say AI adoption is outpacing their controls. 55% cite AI-related data exposure as their top breach concern — above ransomware. 57% believe AI incidents are most likely to trigger regulatory action in 2026. If you’re building AI features, your SOC 2 scope almost certainly needs to expand to cover AI data flows and model governance.
SOC 2 News — March 2026
Exposé: Delve Allegedly Fabricated 493 of 494 SOC 2 Reports
On March 19, anonymous Substack account “DeepDelver” published evidence that Delve pre-wrote audit conclusions before clients submitted any evidence. Of 494 SOC 2 reports examined, 493 used identical boilerplate text — including the same grammatical errors. The evidence came from a publicly accessible Google Sheet containing hundreds of confidential draft audit reports that had been exposed in late 2025. The biggest SOC 2 scandal since the framework was introduced.
DeepDelver Part II: Delve Accused of Stealing IP from Sim.ai
Follow-up installments (March 28–31) alleged that Delve rebranded technology stolen from Sim.ai — a fellow YC company that had been a Delve customer — and sold it as “Pathways” to enterprise clients including Notion, Brex, Anthropic, and Gusto. An internal whistleblower provided screenshots and recordings contradicting Delve’s public denials.
“SOC 2 Is Broken”: Industry Reacts to the Delve Exposé
Corporate Compliance Insights ran an analysis arguing the scandal reveals a fundamental flaw in how enterprises use SOC 2. The question isn’t “does this vendor have a SOC 2?” — it’s “does this vendor actually do what their SOC 2 claims?” Compliance automation tools prioritizing speed and cost can hollow out the genuine security verification that makes SOC 2 valuable.
SOC 2 News — February 2026
Journal of Accountancy: “Promises of Fast and Easy Threaten SOC Credibility”
A feature article raised industry-wide alarm before the Delve scandal broke: compliance vendors marketing SOC 2 in “hours” are pressuring smaller CPA firms to rush engagements, and some SOC leaders worried report quality was deteriorating. The AICPA was already aware of the problem — Delve’s collapse a month later confirmed it publicly.
SOC 2 News — January 2026
RiskFront Raises $3.3M Pre-Seed for Agentic Compliance Automation
San Francisco startup RiskFront closed a $3.3M pre-seed for AI-agent-driven risk and compliance automation, targeting financial services. Another data point confirming agentic AI is becoming the dominant product narrative across compliance tooling — every new entrant in 2025–2026 is leading with autonomous agents rather than workflow automation.
SOC 2 News — December 2025
Delve Data Leak: Clients Notified of Exposed Audit Reports
Hundreds of Delve clients received emails in December 2025 alleging their confidential SOC 2 audit reports had been exposed via a publicly accessible Google Sheet. The incident was largely unnoticed at the time. Three months later, it became the primary evidence base for the DeepDelver exposé that brought down the company.
AICPA Votes to Require Annual Questionnaire for All Enrolled Firms
On November 11, the AICPA Peer Review Board voted to institute a mandatory annual questionnaire for all enrolled firms via PRIMA, starting June 1, 2026. The board concluded that triennial peer reviews are insufficient — AI tools and high-volume SOC engagements have made annual check-ins necessary. This is a structural change to how CPA firm oversight works in the US.
Thoropass Renames Audit Arm to “Thoropass Assurance”
December 16: Thoropass rebranded its CPA subsidiary (formerly Laika Compliance LLC) to Thoropass Assurance, consolidating under a single brand that combines software and an in-house auditor. Thoropass remains the only major compliance platform with an embedded audit firm — a structural differentiator that matters more now that the quality of external auditor networks is under scrutiny.
SOC 2 News — November 2025
SEC Drops SolarWinds Cybersecurity Case With Prejudice
November 20: The SEC and SolarWinds filed a joint stipulation dismissing the landmark cybersecurity disclosure enforcement action — the first to name a CISO personally liable — with prejudice. Under new SEC leadership, the agency is retreating from aggressive novel enforcement theories. For startups: CISO personal liability risk from disclosure failures dropped significantly, though basic materiality and accuracy obligations still apply.
Vanta Launches Agentic Trust Platform with AI Agent 2.0
November 19: Vanta upgraded its AI Agent to proactively identify program gaps, provide remediation guidance, and take autonomous actions across compliance workflows — policy libraries, evidence verification, vendor risk assessments. Vanta is systematically moving toward fully automated compliance management. The direction of travel for the whole industry.
SOC 2 News — October 2025
SOC 2 Type 2-Certified Fast Track CRM Breached Four Months After Renewal
In early October, Malta-based iGaming CRM Fast Track confirmed a sophisticated cyberattack hitting multiple casino operator clients — exposing customer PII, financial transaction histories, and KYC documents. Fast Track had renewed its SOC 2 Type 2 just four months earlier in June 2025. The clearest recent example that certification is a point-in-time snapshot, not a guarantee of continuous security posture.
AICPA Proposes Centralised Peer Review for Private Equity-Backed Audit Firms
September 16: The AICPA Peer Review Board proposed requiring PE-backed audit firms — including Blackstone-backed Citrin Cooperman — to be reviewed by the National Peer Review Committee rather than state entities. A direct response to concerns that private equity ownership is eroding audit firm independence. For SOC 2 buyers: know who owns your auditor.
SOC 2 News — September 2025
Vanta Launches Continuous Vendor Monitoring Powered by Riskey
September 9: Vanta embedded Riskey’s technology into its platform — delivering real-time vendor change alerts with AI-generated severity ratings and remediation guidance. The shift from annual vendor questionnaires to always-on monitoring is gaining momentum. Enterprises demanding continuous vendor risk visibility will increasingly expect this from their SOC 2 scope too.
AICPA Quality Management Standards Effective December 31, 2025
PRSU No. 2 — aligning peer review with updated SQMS standards — became effective for audit engagements ending December 31, 2025. CPA firms running SOC 2 audits needed to establish a documented quality management system by December 15. This update directly shapes how your auditor manages the quality of your engagement.
SOC 2 News — July 2025
Vanta Raises $150M Series D at $4.15B Valuation
July 23: Vanta closed a $150M Series D led by Wellington Management, with Sequoia, Goldman Sachs, J.P. Morgan, CrowdStrike Ventures, and Atlassian Ventures participating. Total funding reaches $504M with 12,000+ customers and $200M+ ARR. The compliance automation market is consolidating around a small number of well-funded players — with Vanta pulling clearly ahead.
Vanta Acquires Riskey to Add AI-Powered Vendor Risk Monitoring
July 17: Vanta acquired Israeli startup Riskey, which built AI-based real-time third- and fourth-party risk monitoring. Vanta’s first acquisition in Israel. The goal: replace static annual vendor questionnaires with continuous automated monitoring — a capability that became central to Vanta’s platform by September 2025.
SOC 2 News — March 2025
Google Announces $32B Acquisition of Cloud Security Platform Wiz
March 18: Google announced it would acquire Wiz for $32B — the largest acquisition in Google’s history. Wiz provides cloud misconfiguration detection and compliance control monitoring including SOC 2 visibility. The deal closed March 2026. If you’re a Wiz customer, your compliance toolchain is now Google Cloud infrastructure.
SOC 2 News — February 2025
Drata Acquires Trust Center Platform SafeBase for $250M
February 10: Drata acquired SafeBase — the leading standalone trust center platform used by LinkedIn, Palantir, and 1,000+ enterprises — for $250M. SafeBase AI automates 80%+ of security questionnaire responses. Drata is expanding from compliance automation into the broader trust management category, making the trust center a core part of the platform rather than a bolt-on.
Drata Crosses $100M ARR in 3.5 Years
February 2025: Drata announced $100M ARR with 7,000+ customers, joining Wiz, Deel, Ramp, and Slack as one of the fastest SaaS companies to reach that milestone. The compliance automation market has produced two scaled companies (Vanta and Drata) in under five years — validating the category while signalling that the window for new entrants is narrowing.






