The AI readiness cult
The harder enterprises work to prove they are AI-ready, the less capable they actually become.
TLDR:
Enterprise boards under AI pressure stopped building capability and started collecting proof of it.
Roadmaps replaced programmes.
Announcements replaced outcomes.
Compliance certificates replaced security.
The market rewarded all of it equally because nobody was checking.
That collective incuriosity did not start with Delve and will not end with it.
It is the operating logic of the AI readiness cult - and last week gave us the first evidence of its cost.
The cult
Three years ago, a specific pressure settled over enterprise boards: appear AI-serious. Not actually be AI-serious. Appear it.
The distinction matters because the pressure came from earnings calls, analyst briefings, investor relations and procurement optics - none of which require verification. They require the artefact. Show me the roadmap. Show me the maturity score. Show me the compliance certificate.
So the market produced artefacts.
Meta committed $600 billion to AI infrastructure and announced plans to cut roughly 16,000 jobs - 20% of its workforce - to fund it. Analysts called it decisive.
HSBC weighed 20,000 role eliminations as part of an AI-attributed restructuring. Analysts called it bold.
Advisory firms delivered AI programme roadmaps. CIOs announced AI deployments at earnings calls. The signal became the strategy. The artefact became the deliverable.
THIS IS THE CULT:
a self-reinforcing belief system in which
the appearance of readiness is rewarded
as if it were readiness itself.
And here is the precise consequence that wasn’t really noticed until last week.
Enterprise procurement teams require SOC 2 Type II because their own security teams told them to put it in vendor contracts. Not because they read the reports. The certificate goes into a compliance folder. The folder goes into a deal. The deal closes. Nobody opens the folder again until something breaks.
That is the market Delve entered.
Delve was not some back-alley operation. It was a Y Combinator graduate with $32 million raised, named logos and a Trust Center product.
That credential did exactly what credentials do in a cult: it substituted for verification.
Nobody checked the reports because YC had vetted the founder. Nobody questioned the timeline because Bessemer-backed clients were signing. The assumption was that someone upstream had already done the work.
Nobody had.
The factory the cult ordered
Delve’s clients were AI startups trying to sell to enterprises. Names in the leaked database: Bland AI, Sully.ai, Lovable, HockeyStack, WisprFlow. Startups under cash pressure, trying to close deals with large companies that required SOC 2 Type II before they would even take a meeting. The compliance certificate was the entry point.
When I tried to verify Delve’s own case studies, they were gone. Deleted from their website. Their LinkedIn posts edited.
Fortunately, the Wayback Machine had them. Here are some archived links: HockeyStack, WisprFlow, 11x, Remi.
What they say, in Delve’s own words.
WisprFlow:
SOC 2 Type I and Type II in two weeks. Named clients Mercury and Superhuman waiting to close.
11x:
$2.3 million in contracts unlocked, 143 employee hours saved.
HockeyStack:
Eight figures in enterprise pipeline unlocked.
Remi:
32 days to report. Both Type I and Type II “achieved in rapid succession.”
Delve’s SOC 2 product page, still live on March 22, says something different: Platform Setup 10-15 hours. Observation period 3 months.
The product page says 3 months. Every case study says days or weeks. They all were on the same website. At the same time.
Delve's official response, published March 20, called everything "industry standard." It confirmed the templates. It confirmed the Indian audit firms. It provided zero independent verification for any of its five arguments. The 11x case study - written by Delve - simultaneously acknowledged the standard and marketed around it.
The leaked database told the rest: 494 reports with identical boilerplate across 259 different companies. Audit conclusions written before auditors had seen a single client document. Four controls marked "untestable" on every single report. Certificates issued by a Wyoming shell company and Indian parent entities - not the licensed independent CPA firms that SOC 2 legally requires.
Delve raised $32 million. It signed 1,700 clients. It deleted the case studies the week the scandal broke.
The fraud was the symptom. The lack of curiosity was the root cause.
CapabiliSense
In 2024, I started building the honest version of this.
CapabiliSense traces capability gaps directly to source documents.
No self-reported inputs.
No certificates.
Traceable evidence that a board could actually examine.
Alex and I spent a year building it. Five filed invention declarations. A working product.
Pilots ran. Letters of intent were signed. Then every firm that signed one went quiet.
The reason was always the same. To be the first client on a capability evidence platform, you have to be willing to have your gaps documented and attributed to you by name.
Every enterprise wanted the evidence. Every enterprise wanted someone else to go first.
We ran out of money before the market discovered it needed evidence.
Delve raised $32 million in venture capital selling certificates nobody examined.
Why this week is different
Three things happened at the same time. They are not connected. That is exactly what makes them important.
Delve's exposure put live legal liability in front of 1,700 companies that signed contracts, made HIPAA representations and took out insurance policies against certificates that a shell company issued in weeks.
On March 17, the European Parliament's Internal Market and Civil Liberties committees voted 101 to 9 to push enforcement of high-risk AI rules to 2 December 2027. The plenary vote follows on March 26. That sounds like breathing room. The same proposal requires vendors claiming their system is low-risk to register that claim formally. The claim goes on record. Faking it carries fines up to €15 million.
BlackRock published their 2026 proxy voting guidelines - the annual document that tells companies how the world's largest asset manager will vote on board appointments. It states that if a board has not demonstrated sufficient oversight of material risks, BlackRock may vote against responsible directors. AI governance is a material risk. The standard is “evidence of oversight”, not a “statement of intent”.
A regulator and the world’s largest asset manager arriving at the same conclusion in the same week: SHOW YOUR WORK.
Compliance evidence cannot be reconstructed retroactively. The day you start documenting your controls is Day One. The EU deadline gives organisations until 2027. That window is open now.
The test
Watch Delve’s 1,700 clients.
If any one of them faces a documented contract breach, insurance void or regulatory finding tied to those certificates, the others will start checking their own exposure. One case is enough.
If nothing happens before July, the market absorbed it and the cult holds.
The cult does not require bad actors. It requires enough incurious buyers to make bad actors rational.
If you want more of this kind of work
I write these Signals between working with teams who are trying to build AI governance that holds under examination. Each one takes me 6–8 hours to research, cross-check and write.
Key Sources
DeepDelver – Delve: Fake Compliance as a Service
European Parliament – MEPs vote to postpone high-risk AI rules to December 2027
BlackRock – 2026 Proxy Voting Guidelines for Benchmark Policies







The CapabiliSense story is the one that should sit uncomfortably with anyone reading this. You built the honest version. It failed. Not because the market didn't understand what you were offering — your pilots ran, letters of intent were signed — but because being first to document your own gaps publicly is a different ask than buying a certificate nobody will examine. The market wasn't irrational. It was selecting for exactly what it wanted: deniability with paperwork attached.
That's the cult in its purest form. Not stupidity. Not even laziness. A rational preference for the artefact over the evidence, because the artefact closes the deal and the evidence opens an audit.
Which connects to something your previous piece didn't quite reach. The last mile problem and the compliance problem are the same problem in different clothes. Both are System 1 solutions to System 2 requirements. The Production Layer that never gets funded, the certificate that substitutes for the security report nobody reads — both are organizations doing the minimum legible thing instead of the actual thing. The appearance of governance rewarded as if it were governance itself.
The "show your work" convergence is the most interesting part of the piece — EU enforcement, BlackRock proxy guidelines, and Delve's exposure arriving in the same week from unconnected directions. That's a real signal. But your test at the end gives the market too much credit. "Watch if anyone gets punished" is still just a slower version of the same incuriosity. One liability case teaches 1,700 companies to be more careful about getting caught, not more careful about what they're buying. The cult doesn't require bad actors. It also doesn't require punishment to survive. It requires the next Delve to be slightly less traceable.
The Wayback Machine catch is the detail that will stay with me. Product page saying three months. Every case study saying days or weeks. Both live on the same website at the same time. That's not ambiguity. That's a market so incurious that nobody thought it worth hiding.