What Happened
Last week, LiteLLM's open-source version was hit by credential-stealing malware. Bad enough on its own — but it got worse when whistleblower allegations surfaced that Delve, the company handling LiteLLM's security compliance certifications, had fabricated audit data and used rubber-stamp auditors.
LiteLLM CTO Ishaan Jaffer announced on X this Monday: they're dropping Delve, switching to Vanta for re-certification, and hiring their own independent third-party auditor.
Why It Matters
For an AI gateway trusted by millions of developers, SOC 2 certification should mean "we take your data security seriously." When the certification itself is fraudulent, it protects nothing but a false sense of security.
Delve's founder denied the allegations and offered free re-audits, but the whistleblower followed up with even more damning evidence. Once trust collapses, rebuilding costs far more than re-certification.
Takeaway
When choosing compliance vendors, don't just look at the certificate — examine whether the audit process is transparent and auditors are independent. For self-hosted AI infrastructure especially, security is a baseline, not a marketing bullet point.