Complex Systems with Patrick McKenzie (patio11)

Delve into compliance theatre

24 snips

Mar 26, 2026

A deep dive into how compliance rules spread across vendors and procurement. Discussion of layered security controls and what real audits actually test. Examination of allegations that a compliance vendor sold superficial, templated reports. Concerns about marketing claims, identical reports across firms, and where liability and accountability fit into audit systems.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

Why Compliance Regimes Become Viral

Compliance regimes are designed to be viral so upstream institutions can force downstream vendors to adopt the same controls.
Patrick McKenzie explains HIPAA and SOC 2 chains where enterprises demand vendor attestations and BAAs, which spreads compliance across suppliers.

INSIGHT

Defense In Depth Is The Point Of Controls

Real security controls rely on defense in depth: HR offboarding triggers IT deprovisioning, full disk encryption, and logging to bound exposures.
McKenzie illustrates with the laptop-sold-on-eBay postmortem and layered mitigations to limit data loss.

INSIGHT

Audits Must Test The Evidence Not Just The Claim

Auditors don't just accept checklists; they test samples and verify evidence, e.g., selecting specific departed employees and tracing laptop recoveries.
McKenzie recounts auditors sampling rows from spreadsheets and causing 'terrified Slack messaging' when gaps appear.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Patrick McKenzie (patio11) explains how compliance regimes designed to be viral brought many more firms into the scope of frameworks like SOC 2. This created a market demand for compliance-on-the-cheap by companies like Delve. Delve has been accused in an anonymous bit of investigative journalism as engaging in Potemkin compliance.

Patrick contrasts what real audits look like with what Delve allegedly delivered. He argues that selling compliance theater as compliance is fraud, not the sort of benign rule-breaking celebrated in startup culture.

–
Full transcript available here: https://www.complexsystemspodcast.com/delve-into-compliance-theatre/

–
Presenting Sponsors: Mercury, Meter, Granola & Framer

Complex Systems is presented by Mercury—radically better banking for founders. Mercury offers the best wire experience anywhere: fast, reliable, and free for domestic U.S. wires, so you can stay focused on growing your business. Apply online in minutes at mercury.com.

Networking infrastructure has a way of accumulating technical debt faster than almost anything else in IT. Meter handles the full stack (wired, wireless, and cellular) as a single integrated solution: designed, deployed, and managed end-to-end so there's only one vendor to call when something goes wrong. Visit meter.com/complexsystems to book a demo.

If meetings consistently leave you with hazy action items and lost context, Granola handles the transcription so you can actually participate and gives you searchable notes afterward. Try it free at granola.ai/complexsystems with code COMPLEXSYSTEMS

Building and maintaining marketing websites shouldn’t slow down your engineers. Framer gives design and marketing teams an all-in-one platform to ship landing pages, microsites, or full site redesigns instantly—without engineering bottlenecks. Get 30% off Framer Pro at framer.com/complexsystems.

–
Links:
Fake Compliance as a Service - Part 1: https://substack.com/home/post/p-191342187
Editorial independence episode: https://www.complexsystemspodcast.com/episodes/editorial-standards-and-independence/
Dan Davies episode: https://www.complexsystemspodcast.com/episodes/dan-davies-organizations-fraud/

–
Timestamps:
(00:00) Intro
(02:14) The taxonomy of compliance
(04:11) Why compliance is viral
(09:08) Defense in depth
(14:19) Accountability and liability
(16:05) The allegations against Delve
(19:53) Sponsors: Mercury | Meter
(22:41) The allegations against Delve (cont'd)
(24:31) The response and evidence
(29:38) Implausible patterns
(38:22) Heuristics for truth
(40:10) Sponsors: Granola | Framer
(42:52) Heuristics for truth (cont'd)
(44:28) Naughtiness vs. fraud
(51:16) A voice in the startup community
(53:05) Advice for the exposed
(56:38) Wrap