LiteLLM Drops Security Partner Delve After Malware Attack and Fraud Claims

LiteLLM, the AI gateway platform used by millions of developers, is cutting ties with compliance startup Delve and starting its security certifications from scratch. The move, reported by TechCrunch AI, follows a brutal week that saw LiteLLM’s open source version hit by credential-stealing malware.

Here’s what happened: LiteLLM had previously hired Delve to obtain two security compliance certifications. Such certifications are meant to attest that a company has working safeguards in place, the kind that should stop exactly the sort of incident that just occurred. But Delve itself is now under fire, accused of generating fake compliance evidence and relying on auditors who rubber-stamped reports without proper scrutiny.

📌 The key moves:

  • LiteLLM CTO Ishaan Jaffer announced on X that the company will switch to Vanta, a Delve competitor, for re-certification
  • LiteLLM will also hire its own independent third-party auditor to verify compliance controls
  • Delve’s founder has denied the fraud allegations and offered free re-tests to all customers
  • An anonymous Delve whistleblower responded by releasing what they describe as supporting evidence over the weekend

Why this matters for the AI ecosystem. Compliance certifications are the backbone of enterprise trust. When a company like LiteLLM shows up with a SOC 2 report or a similar badge, enterprise buyers take it as a signal that an independent auditor has verified the security controls are real and operating. If the evidence behind those certifications was fabricated, the attestation is worthless, and every buyer who relied on it has to re-evaluate the vendor from scratch.

This situation exposes a growing problem in the AI infrastructure space. As startups race to meet enterprise security requirements, a cottage industry of compliance-as-a-service companies has emerged. Most are legitimate. But the Delve allegations suggest that some may be cutting serious corners, and their customers are the ones left holding the bag when things go wrong.

LiteLLM sits at a critical point in the AI stack. As a gateway that routes requests between applications and various LLM providers, it handles provider API keys, user credentials, and the prompts and responses passing through it, at scale. Credential-stealing malware in that kind of infrastructure is about as bad as it gets: anyone who installed an affected build should assume that every provider key the gateway could read has been exposed and rotate it, rather than waiting for confirmation of what was taken.

The timing makes this especially painful. Getting hit by malware in the same week that questions surface about whether your security certifications were legitimate is a worst-case scenario for any company. LiteLLM’s decision to publicly ditch Delve and re-certify with Vanta is damage control, but it’s also the right call. Transparency after a breach builds more trust than silence.

What to watch next. The Delve whistleblower situation is still developing, with new evidence surfacing over the weekend. If the allegations hold up, other Delve customers will likely follow LiteLLM’s lead. And enterprise buyers everywhere should be asking harder questions about who actually conducted their vendors’ compliance audits: read the full report rather than the badge, check which audit firm signed it, and look at what evidence the auditor actually tested.

For the full details, check the original reporting at TechCrunch AI.
