Fortune
Allie Garfinkle

Why compliance-focused startups are booming in the AI era


On the 101 in my bumper-car Prius, there’s one billboard that invariably gets a chortle out of me. 

It’s for AI security and compliance startup Vanta, with the tagline: "Compliance that doesn’t SOC 2 much." SOC 2 is a certification that outlines how companies should manage and protect customer data. While it’s not legally required, it's become a crucial standard for enterprise SaaS companies—though the certification process is notoriously time-consuming. 

Vanta, which this summer raised $150 million at a $2.45 billion valuation, was started in 2018 to automate information security compliance (like SOC 2). The SOC 2 process has traditionally been arduous, requiring companies to send auditors soon-outdated screenshots, PDFs, and documents—something Vanta has streamlined using AI and other technologies. But SOC 2 is just one form of compliance a company might need, and there are almost innumerable others, from GDPR to FedRAMP. Accordingly, there’s been a growing group of AI compliance-oriented startups gaining traction in recent months and years. Just a few of the companies that touch this category include Cribl, Eon.io, Klarity, Norm AI, Relyance AI, and BigID. (OpenAI also just hired its first Chief Compliance Officer.) PitchBook sent Fortune data showing that, this year, the top 50 deals in the space added up to about $1.75 billion in deal value. 

I spoke to Vanta CEO and cofounder Christina Cacioppo about what’s making AI and compliance such a ready-made fit. In part, it’s just the right time, she says, as compliance itself has never been more important for tech companies up and down the food chain. 

"I think it’s inevitable," said Cacioppo. "There's so much more scrutiny on tech companies than pick your prior year, or a decade ago…So, some of it is at least inevitable that there’s more government and public scrutiny on what they’re doing. And I think tech companies pushing back on that fact is just a losing proposition…And I think AI, because of its zeitgeist-iness, is uniquely positioned to the flashpoint issue." 

In short, AI is designed to simplify these processes at a time when tech companies must be more compliant than ever—partly due to the very world AI is creating. Vanta today released its 2024 State of Trust Report, which underscores this point. The report finds that 55% of companies say that security risks have "never been higher," in a new reality connected to AI’s rise. Additionally, over 30% of companies surveyed reported that AI has amplified risks related to both phishing and malware, while 27% noted a rise in compliance violations with increased AI adoption.

Now, this may sound somewhat bleak. But for startups with solutions, there’s opportunity. Vanta has a growing slate of customers that include Atlassian, Quora, Mistral AI, ZoomInfo, The Salvation Army, and Duolingo. In part, Cacioppo thinks Vanta’s offering has resonated because they’re in the business of giving people time back—and because compliance can be ultimately revenue-generating. 

"The insight with compliance is that it’s a cost center," Cacioppo told Fortune. "It should be a revenue-driver, because the first time you get one of those combined certifications, you open up new markets. ‘I can now sell to companies that I want to talk to in healthcare, because I have HIPAA, federal because I have FedRAMP…’ You can tie a lot of this to revenue, and I think if you can actually tie the security pieces to revenue, you’ll get more security."

Vanta in recent years has also moved beyond SOC 2, expanding to governance, risk, and compliance (GRC) solutions for larger customers.

"If you keep making customers really happy and the problem is big enough—and the pain is intense enough—there's always going to be a market in that space," said Vanta CPO Jeremy Epling, who’s previously worked at GitHub and Microsoft. 

It’s essentially part of a long chain, one in which everyone is increasingly security-aware, Cacioppo said. Customers are increasingly demanding and sophisticated when it comes to software security and compliance, and tech companies that are competing for customers subsequently need their compliance in order to close those deals.

"We guide them through a bunch of the actual hard work," said Cacioppo. "Then [customers] can use it to grow their business."

It’s an intriguing case of a sector poised to capitalize on the way AI is creating more risk, as AI is simultaneously creating solutions. And the reality is that, if you’re one of many companies looking to up your compliance game, the process should SOC a little less. 

See you tomorrow,

Allie Garfinkle
Twitter: @agarfinks
Email: alexandra.garfinkle@fortune.com

Nina Ajemian curated the deals section of today’s newsletter.
