Compliance Theater Is Losing to Behavioral Proof

A founder asked Hacker News today how to get SOC2 Type 2 compliant as a solo entrepreneur. The top-voted answer, from one of the most respected security voices on the platform: don't.

"SOC2 is like the corporate GPL of security," wrote tptacek. "An infectious secret handshake company security teams swap in lieu of filling out security questionnaires. Nobody savvy takes it seriously."

The thread has 113 comments. Nearly all of them are variations of the same frustration: enterprise buyers demand a compliance certification designed for organizations with nine distinct roles, continuous audit overhead, and $20,000+ in annual fees. Solo founders and small teams are doing real security work (encryption at rest, MFA everywhere, least-privilege access, automated dependency patching), but can't get the stamp because the process measures org charts, not security practices.

This isn't a SOC2 problem. It's a trust architecture problem. And it's about to get worse.

The Strip Mining Problem

On the same day, another thread surfaced a structural shift in open-source security. Metabase's security team reported that their vulnerability inbox went from roughly 10 submissions per month to 10 per week starting January 2026, a 4x increase. The change? LLM-powered scanning.

A year ago, AI-generated vulnerability reports were mostly false positives, noise that wasted triage time. Today, many of these reports are real. The tools got better. The prompts got better. The models learned to distinguish true positives from hallucinated ones.

Cal.com went closed-source partly because of this. Open source code is being systematically scanned for vulnerabilities at industrial scale by anyone with API access to a frontier model. The "many eyes make all bugs shallow" thesis didn't account for those eyes being automated, tireless, and potentially hostile.

This creates a paradox: the same AI tools that help defenders find and fix vulnerabilities are available to attackers. The structural advantage shifts to whoever can act faster. In most organizations, attackers don't need a change management board.

What Both Problems Share

The SOC2 compliance gap and the vulnerability strip-mining wave look like different problems. One is bureaucratic overhead; the other is an adversarial scaling crisis. But they share the same root cause:

We're still verifying declarations instead of measuring behavior.

SOC2 asks: "Do you have a policy for X?" It doesn't verify whether that policy is enforced, or whether the actual security outcome is achieved. A solo founder running a tighter ship than most enterprises fails the audit because they don't have a written employee onboarding procedure. They have no employees.

Vulnerability disclosure works the same way. The current system relies on responsible disclosure norms, a declaration of intent. When AI agents can find real vulnerabilities autonomously, the system needs to verify behavior: did the finder disclose responsibly? Was the fix verified? Is the fix deployed?

In both cases, the trust artifact is a claim about intent. What's needed is evidence of behavior.

Behavioral Proof Is Already Emerging

The shift has started, even if most people haven't named it yet.

arXiv recently announced 1-year bans for papers with hallucinated references. 20% of ICLR 2026 submissions contained AI-generated fake citations that peer reviewers missed. The fix isn't a policy ("please don't fabricate citations"). It's behavioral enforcement backed by verifiable evidence.

Radicle, the P2P code forge trending on HN today with 210 points, uses cryptographic signatures on every commit, patch, and review. Not because they care about compliance, because the architecture is decentralized, so trust has to be provable, not declared. Every action is signed by an Ed25519 identity and replicated across peers via gossip protocol. The behavioral record IS the trust layer.

Anthropic published Claude for Legal this week, and the HN discussion immediately surfaced that AI chat history is not protected by attorney-client privilege. The moment a lawyer uses AI with client data, the interaction needs a tamper-evident audit trail. Not because compliance says so, but because the legal system will use that evidence against them if it's not locked down.

What This Means

Three patterns are converging:

1. Compliance certifications measure the wrong thing. SOC2, ISO 27001, and their variants certify organizational structure, not security outcomes. As teams get smaller and AI handles more work, the org-chart-based model breaks entirely. A solo founder with automated patching, encrypted everything, and zero employees shouldn't need nine roles to prove they're secure.

2. AI accelerates both attack and defense, making behavioral evidence essential. When vulnerabilities are found and exploited at machine speed, the trust question becomes: what did this system actually do, and can you prove it? Intent-based declarations ("we follow responsible disclosure") can't keep up. Behavioral evidence (cryptographically signed action logs) can.

3. The trust artifact of the future is a behavioral attestation, not a certificate. Instead of "we passed an audit in March," the signal becomes: "here is a verifiable, tamper-evident record of every security-relevant action this system took, independently auditable by anyone." This is more rigorous than SOC2 and dramatically cheaper, because it measures what actually happened instead of what a consultant wrote down.

The Stack That Needs Building

The behavioral trust stack has three requirements that today's compliance infrastructure doesn't meet:

Continuous observation. Not annual audits. Not quarterly pen tests. Every security-relevant action logged and signed as it happens. The agent, the developer, the automated pipeline: all produce behavioral evidence in real time.

Cross-organizational portability. When a vendor serves 50 enterprise customers, each running their own security questionnaire is pure waste. A portable behavioral attestation, verified by cryptography instead of a phone call to the auditor, lets trust travel with the actor.

Zero-knowledge verification. Company A's security practices are proprietary. Company B needs to verify Company A's posture without accessing proprietary data. ZK proofs make this possible: prove a property about behavior without revealing the behavior itself. "This system has had zero critical vulnerabilities unpatched for more than 72 hours in the past year." Provable without exposing a single CVE.

This isn't theoretical infrastructure. The cryptographic primitives exist. Ed25519 signing is commodity. ZK proof systems are production-ready. Tamper-evident logs are a solved problem.

What's missing is the integration layer: the infrastructure that makes behavioral proof as easy to generate and verify as a SOC2 badge is to display on a marketing page. Easier, actually, because it would be generated automatically from real behavior, not from a manual audit process.

The Market Gap

Today's HN front page accidentally sketched the outline of a market:

• SOC2 thread (123 pts): Enterprise buyers demanding trust artifacts that small teams can't produce
• Strip mining thread (103 pts): AI systematically finding real vulnerabilities, overwhelming existing disclosure norms
• AI psychosis thread (728 pts): Organizations losing ability to evaluate what their AI systems actually do
• Radicle thread (210 pts): Cryptographic behavioral evidence as the default in P2P infrastructure
• Claude for Legal (192 pts): Regulated industries discovering that AI interaction provenance is a legal requirement

Every thread is a different face of the same problem: we need infrastructure that proves what systems actually did, not what their operators said they'd do.

The compliance industry is a $40B+ market built on declarations. As AI makes both the work and the threats move faster, the market for behavioral proof will eat it.

---

This is from the team building Commit, infrastructure where commitment is cryptographic, not ceremonial. Earlier essays on the behavioral trust thesis: Declarations Are Gameable, Benchmark Scores Are the New SOC2, The TOCTOU of Trust. Reach out if you're building in this space.