What compliance automation won't do for your SOC 2
Vanta, Drata, and Sprinto are useful tools. But a green dashboard is a status, not evidence, and the verification step that decides your audit opinion is the one automation skips.
Compliance automation platforms are genuinely useful. Vanta, Drata, and Sprinto collect evidence, map controls, and watch your stack so you do not have to. But if you are betting a clean SOC 2 on the platform alone, you are betting on the part of the job it does not do.
The 40 to 60 percent the platform does not touch
Practitioners estimate that 40 to 60 percent of SOC 2 controls depend on human process, ownership, and operational cadence that no automation platform handles. Access reviews that require judgment, vendor risk decisions, incident response that actually ran, control design for ambiguous criteria: these are not integrations you can switch on. They are work someone has to do and prove.
A green dashboard is a status, not evidence
A platform pulls data and shows you a status. It does not confirm that the control operated as intended across the whole period, it does not verify that the artifact behind a green check is the right artifact, and it will not push back when your system description contradicts your control matrix. Auditors test the underlying evidence, not your dashboard. The gap between "the platform says green" and "the auditor accepts it" is exactly where audits go sideways.
Automation collects. It does not test. The verification step is the one that decides your opinion, and it is the one automation skips.
What the Delve scandal really exposed
The 2026 Delve story was not an argument against automation. It was an argument against trusting automation as if it were assurance. When the testing layer is hollow, you get hundreds of identical reports and conclusions written before any evidence exists. The lesson is not "drop your platform." It is "put a human verifier between the platform and the auditor."
Use the platform. Then verify it.
The right model is both: keep your GRC platform for collection and continuous monitoring, and add independent, senior-led verification on top. That is precisely how we work. We treat your platform pull as the starting point, human-verify every artifact, and through the Evidence Engine we monitor operating effectiveness across the window and run a mock fieldwork dry run before the real auditor. The platform makes us faster. It does not make us optional, and it does not make you ready on its own.