Newsletter Issue #4


1. Article: The Delve Controversy

Unless you have been distracted by far more important things, you might have already heard of the Delve scandal.
If not, go right ahead and read this: https://deepdelver.substack.com/p/delve-fake-compliance-as-a-service

My thoughts:
1- TPRM teams would probably start flagging SOC 2 reports associated with Delve and their auditors. This could result in a significant number of their clients choosing not to renew.

2- Who is this deepdelver that exposed the whole thing? Some have alleged it might be a competitor… but that doesn't take away from the quality of the investigation – it's well-written, and every allegation is backed up by evidence and context.

3- AICPA should do something about this, otherwise more companies will come up with such creative strategies in future.

But even before this substack post, Delve was controversial on LinkedIn among the GRC community. Here is Troy Fine talking about the company:

https://www.linkedin.com/posts/troyjfine_details-have-emerged-regarding-a-widespread-share-7415043498904666112-No0y


2. Article: UK Cyber Security and Resilience Bill

The UK is coming out with a new Cyber Security and Resilience law (currently still going through the Parliamentary process). Here are the highlights from the current draft:

🔹 The bill expands the scope of the existing regulations to cover managed service providers (MSPs) of medium and large size, data centres, cloud computing providers, and newly designated “critical suppliers.”
🔹 Incident reporting timelines tighten to 24 hours for an initial notification and 72 hours for a full report.
🔹 Penalties increase significantly: standard violations carry up to £10 million or 2% of global turnover; serious violations up to £17 million or 4% of global turnover, with ongoing daily fines of up to £100,000.
🔹 Regulators gain new enforcement powers: inspection rights, document seizure, personnel interviews, and cost recovery from regulated entities.

Links:
https://www.gov.uk/government/collections/cyber-security-and-resilience-bill
https://publications.parliament.uk/pa/bills/cbill/59-01/0385/240385.pdf


3. Article: OneTrust has a New CEO

I read OneTrust’s announcement about John Heyman taking over as CEO and the framing is interesting. They think agentic AI governance will become more important and OneTrust has a great opportunity in that world.

🔹 Heyman succeeds Kabir Barday, who founded OneTrust… Barday moves to a strategic advisory board role.
🔹 Heyman’s background is scaling B2B technology companies… seems like OneTrust is going to focus on growth. Probably OneTrust intends to IPO in a couple of years?
🔹 The company’s strategic focus is going to be what Heyman calls “agents that are going to watch the agents” — building oversight systems to govern AI agent activity across enterprises as agentic deployments scale into the thousands.

Link: https://www.onetrust.com/news/onetrust-appoints-john-heyman-as-chief-executive-officer-to-drive-ai-ready-governance-platform-innovation/


4. Article: Creating a Defensible Assessment of AI Hiring Tools

I came across the US court case Mobley v. Workday, where the court treated Workday’s AI hiring tool as acting as the employer’s “agent.” This means employers can no longer buy an AI tool and shift compliance responsibility to the vendor. Both parties share accountability.

This excellent article by Hossein Borhani of Charles River Associates gives suggestions on how to defensibly evaluate such tools and demonstrate that your AI-based hiring systems operate impartially across groups.

Some suggestions from the author:

✅️ Run randomized internal experiments (replay tests using historical data with relabeled demographics)
✅️ Run matched-pair audits (synthetic applicants identical in qualifications but differing only in demographic indicators)
✅️ Build audit requirements into vendor-client contracts at the outset
✅️ Ensure independent oversight rather than internal-only review
✅️ Trigger fresh audits whenever the model, training data, or deployment context changes, not just on a fixed annual schedule.
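To make the matched-pair idea concrete, here is an added example (not code from the newsletter or from the CRA article) of such an audit in Python. `vendor_score` is a constructed stand-in for a screening model, and the zip-prefix groups, the interview-advance threshold and the four-fifths cutoff are assumed values; the audit functions are the part a GRC team would reuse against a real scoring endpoint.

```python
from itertools import product

GROUPS = ["601", "902"]   # constructed demographic indicator values (zip prefixes)
THRESHOLD = 6.0           # assumed "advance to interview" cutoff on the model score

def vendor_score(applicant):
    """Constructed stand-in model. It leaks a demographic proxy on purpose
    so that the audit below has something to surface."""
    score = 0.5 * applicant["years_experience"] + 2.0 * applicant["degree_level"]
    if applicant["zip_prefix"] == "902":
        score += 1.5      # the proxy leak the matched-pair audit should detect
    return score

def advances(applicant):
    return vendor_score(applicant) >= THRESHOLD

def matched_pairs(profiles, key="zip_prefix", groups=GROUPS):
    """For each qualification profile, one synthetic applicant per group,
    identical in every field except the demographic indicator."""
    return [[{**p, key: g} for g in groups] for p in profiles]

def audit(pairs, groups=GROUPS):
    """Selection rate per group, the four-fifths adverse-impact ratio, and the
    pairs whose outcome flipped when only the demographic indicator changed."""
    hits = {g: 0 for g in groups}
    discordant = []
    for pair in pairs:
        outcomes = [advances(a) for a in pair]
        for g, hit in zip(groups, outcomes):
            hits[g] += hit
        if len(set(outcomes)) > 1:
            discordant.append(pair)
    rates = {g: hits[g] / len(pairs) for g in groups}
    ratio = min(rates.values()) / max(rates.values())
    return {"rates": rates, "ratio": ratio, "discordant": discordant,
            "flag": ratio < 0.8}   # four-fifths rule as the assumed trigger

def run_audit():
    # Constructed qualification grid: 4 experience levels x 2 degree levels.
    profiles = [{"years_experience": y, "degree_level": d}
                for y, d in product([2, 4, 6, 8], [1, 2])]
    return audit(matched_pairs(profiles))

if __name__ == "__main__":
    result = run_audit()
    print(result["rates"], round(result["ratio"], 3),
          "FLAG" if result["flag"] else "ok", len(result["discordant"]), "discordant pairs")
```

The discordant pairs are the evidence worth keeping: each one is a concrete applicant whose outcome changed on demographics alone, which is far more defensible in front of a regulator than an aggregate rate.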

Great read especially if your company is considering such tools: https://media.crai.com/wp-content/uploads/2025/11/18105516/Workday-Case-Shows-Auditing-AI-Hiring-Tools-Is-Crucial.pdf


5. Article: Diligent Launches AI features for Internal Audit

All GRC vendors are now adding AI features to their platforms. Diligent has come out with AuditAI, which is the first I have seen where they claim very specific improvements:

✅️ Early adopters cut audit administration time by ~70% — cycles that ran ~120 hours of manual coordination are now running ~35 hours
✅️ Three capability areas: AI-assisted audit planning (suggests audit names, entities, and controls based on the org’s risk profile), automated request and evidence management (generates context-aware evidence requests, routes and follows up on them), and contextualized AI that understands relationships across risks, controls, audits, and findings across the Diligent One Platform
✅️ The system highlights regulatory changes that impact existing controls and testing — useful for teams tracking evolving requirements without a dedicated monitoring function

Looks pretty interesting, and hopefully we will see more such innovation in this space.

Link: https://www.diligent.com/lp/auditai

