Sam Li's job, on paper, is to make SOC 2 audits less miserable. In practice this involves running a 240-person company on Park Avenue South, shipping software, employing licensed auditors, meeting with buyers who would rather be doing almost anything else, and periodically explaining to venture capitalists why compliance is a durable business in a market that keeps producing new frameworks (ISO 27001, HITRUST, PCI DSS, HIPAA, GDPR, CCPA, and, most recently, ISO 42001 for artificial intelligence management systems). The company he runs is called Thoropass. It used to be called Laika, after the Soviet space dog. The rebrand is one of the more legible moves in his career: the auditor is not the client you want reminded of doomed pioneers.
Thoropass sits in an unusual spot. Most compliance startups sell software that helps a customer prepare for an audit, then hand the customer off to a third-party auditor whom the software may or may not be integrated with. Thoropass sells the software and employs the auditors. This is either vertical integration or a large services drag on gross margin, depending on whom you ask. Sam Li has, so far, gotten investors to buy the first framing. The company has raised roughly $98 million across four rounds, the most recent being a $50 million Series C that closed in November 2022. The pitch is that the customer's real pain is not the checklist but the handoff between the software and the auditor, and that owning both sides of that handoff is the durable version of the product.
He is, in the language of his own investors, a second-time founder. This is a category with its own economics. The first-time founder learns by hitting things. The second-time founder has already hit them.
The first company was Zinc Platform, an insurance API business Sam co-founded and ran as CTO while enrolled at Harvard Business School. He dropped out of HBS to work on it full time, which is the sort of decision that reads better in retrospect if the company succeeds. Zinc did not. In 2018, after a look at the balance sheet, he closed it down. His own diagnosis, offered publicly and repeatedly, is that the team had scaled before finding real product-market fit - a mistake that is easy to make in insurtech, where a plausible-looking API can absorb an enormous amount of capital before anyone notices that the customer is not, actually, buying.
What he did next was less common. He took a year as an Entrepreneur in Residence at Bain Capital Ventures. His description of the role is characteristically unhelpful: "I went to their office, drank their coffee, ate their snacks." What it actually gave him was a year to look at deals across categories - insurance, fintech, security - and think about what he wanted to build. The compliance idea came out of noticing that customers of every category kept complaining about the same thing: they had software for their cap table (Carta), for their payroll (JustWorks or Gusto), for their expenses (Ramp or Brex), and no software at all for the security audits their enterprise customers were about to demand.
Owning the audit
Sam co-founded Laika in 2019 with Austin Ogilvie and Eva Pittas. The three-way founding team split the work along the lines you would draw on a whiteboard: product, go-to-market, and operations. The company grew through the 2020-2022 fundraising window when almost anything with "compliance" in the deck could raise, and then had to prove out its model in the harder 2023-2024 market. The rebrand from Laika to Thoropass came during that transition. The name is meant to evoke thoroughness and the through-line of a compliance journey. It also, less advertised, avoids naming your company after a dog that died in a spacecraft.
The bet on running a licensed audit firm is the piece that most differentiates Thoropass from its competitors. A compliance SaaS product is a product. A compliance SaaS product plus an audit firm is a product plus a services line, with the associated headcount, seasonality, and regulatory oversight. This is the sort of thing venture-scale investors typically flee from. Sam Li's argument, articulated across podcast interviews and investor talks, is that in this specific market the services aren't a drag - they're the reason the software actually works. If the auditor and the tool are the same organization, the tool can be built to the standard the auditor will actually accept. Otherwise, the customer is stuck in the middle, translating.
Whether that thesis holds is an open question the market will answer over the next several years. The company has enough customers and enough capital to make the case. It also has to prove that the audit revenue scales with the software revenue rather than pulling headcount off it.
Shanghai, Charlottesville, Cambridge
Sam grew up in Shanghai. Both his parents were professors. He has said, in podcast interviews, that he got his first computer around age ten and, in his words, fell in love with it. That's the standard founder-origin note - the interesting part is what followed. He came to the US after high school and studied computer science and economics at the University of Virginia, an unusual pair for someone who ended up starting a company. The economics half of that degree shows up in how he talks about businesses: he treats compliance as a category with unit economics rather than as a mission.
After UVA he worked at Goldman Sachs, then at Google, and briefly at Samsung Electronics. He enrolled at Harvard Business School, dropped out for Zinc, closed Zinc, went back and finished the MBA. He is technically both an HBS dropout and an HBS graduate, which is the sort of resume line that only makes sense if you know the middle chapter.
Outside of work he describes himself as an avid traveler and a serious cook. His Thoropass bio notes, deadpan, that he "takes cooking very seriously." Which is either a joke or an accurate description of his kitchen, or, probably, both.
What the trophy means
In 2024, Goldman Sachs named Sam Li one of the Most Exceptional Entrepreneurs of the year at its Builders and Innovators Summit. This is the sort of award that reads well in a press release and less well as a predictor of anything - Goldman's list is designed to be a network, not a leaderboard. Still, its inclusion of a compliance founder is a small data point about where the market thinks the interesting durable companies are being built. Ten years ago the same slot on the list would have gone to a mobile-first consumer app.
The thing about Sam Li is that he does not present as a compliance evangelist. He talks about the market the way a former analyst would: as an addressable problem that happens to be big, sticky, and structurally underserved. There is no manifesto. The manifesto is the product roadmap.
Reading his interviews in sequence, one pattern surfaces. He does not describe his first company's failure as a story arc. He describes it as a set of specific decisions he would make differently, most of them about pacing. He hired ahead of demand. He raised money against a thesis instead of against traction. He scaled a team on the assumption that the product would work. When Thoropass talks about how it grew, the pacing shows up in the tempo of the funding rounds and the headcount. This is what a founder looks like the second time through.
The AI compliance thing
Thoropass added ISO 42001 - the ISO standard for AI management systems - to its checklist relatively early. The company also markets AI cybersecurity solutions alongside its core audit stack. This is partly the answer to a real customer question (buyers of AI products want to know that the seller has thought about how the AI is governed) and partly the answer to an investor question (is compliance still growing?). Sam Li's public framing is closer to the first. Every new framework is another line item on the checklist his company already sells, and the checklist is the moat.
None of this is glamorous. Compliance is the opposite of glamorous. That is arguably the point. Boring, at scale, done properly, is a business. Sam Li has built roughly $98 million of one.