acilox / solutions / vigil
🛡️ AI Copilots & Automations

Vigil

AML alert-triage and SAR-drafting agent that scores every alert on a continuous suspicion scale, cites each typology claim to the exact transaction behind it, and drafts a regulator-ready SAR — clearing false positives while never letting a true positive slip. The agent proposes; a compliance officer disposes and files.

0
False negatives
swept
FP cleared @ fixed FN
100%
Typology claims cited
<60s
Demo to value, no API keys

Why this exists

A BSA/AML analyst drowns in transaction-monitoring alerts, and the industry-standard false-positive rate runs 90–95% — an ocean of noise a small team has to clear by hand while the one alert that actually launders money hides inside it. Missing that alert is not an efficiency problem; it is a regulatory failure with personal liability attached. Generic "AI triage" tools quietly optimise for closing alerts fast, which is exactly backwards: the metric that matters is how many false positives you can retire *without ever raising the false-negative rate*, and most tools assert that number rather than measure it. Vigil is built for the officer who has to defend the model to an examiner — every disposition carries the transactions that drove it, the suspicion score is computed on a continuous scale and swept against a real false-positive/false-negative curve, and no SAR is ever filed autonomously. This is the trust flagship of the Acilox Agent Studio: the demo a compliance officer is meant to scrutinise.

How it's wired together

monitoring

clear

escalate / RFI

custom agent loop

hypothesize
typology detectors
structuring · layering · mule

cite
claim → transaction

reflect
drop uncited

suspicion score
continuous · windowed

transactions

KYC profile

counterparties

enrich
baseline · risk · PEP

AlertScope
typed contract
typology · citations · score
SAR narrative · confidence

policy engine
recall-protected · FN = 0

auto-clear
stored rationale

officer queue
dispose + file SAR

SAR draft
officer-filed only

audit log
hash-chained + library hash

Vigil architecture overview

How it works, end-to-end

  1. Enrich against a windowed customer baseline

    Each alert loads the customer's KYC profile, counterparties, and transactions inside a bounded lookback window, and compares observed activity to a per-customer expected baseline. Risk rating and PEP status — dead signals in most triage tools — feed the score. The read is time-bounded by design, so a customer clean today but who structured long ago is judged on the right window.

  2. Typology detectors that bind evidence, not vibes

    Deterministic detectors for structuring, layering, and mule activity run against a versioned, SHA-256 content-hashed typology library (parameters are data, not code). Every hypothesis a detector raises binds the exact transactions that support it — a claim with no citation is dropped in the reflect pass before it can reach a disposition.

  3. A continuous suspicion score with a real FP@FN sweep

    The headline metric is earned, not asserted. A continuous suspicion score blends baseline deviation with typology likelihood and a bounded risk/PEP bump; the eval harness sweeps the clear threshold over that score and reports the operating point that maximises false-positive reduction while holding false negatives at zero, plus the full curve and the separation margin between the weakest suspicious alert and the strongest cleared one.

  4. Recall protected by construction

    Disposition is ordered so recall can't be traded away: an alert with an evidenced typology escalates first and can never auto-clear; a missing-KYC alert routes to RFI; only a baseline-explained alert with no typology clears — and even then it clears with a stored rationale, never a silent drop. The eval fails outright on a single false negative.

  5. Officer files, agent proposes

    The product posture is deliberate: the agent drafts a 5W SAR narrative with an evidence index, but the casemanagement adapter has no autonomous file action. Filing is an officer-only console route. Every disposition — cleared, escalated, or filed — writes a hash-chained audit row that also records the typology library version and content hash it ran under.

  6. Exposed as MCP tools for any assistant

    The whole engine is published over the Model Context Protocol behind an optional extra, so Claude Desktop or another agent can list and read alerts, pull a persisted AlertScope, enrich a customer, search transactions, and fetch a SAR draft — all read-only, nothing that files. Run it with `vigil mcp`.

The choices that matter

Decision

Earn the headline metric, don't assert it

False-positive reduction at a fixed false-negative rate is the number a risk committee reads — so it is computed by sweeping a continuous suspicion score against the labelled corpus, reported with its operating threshold, its curve, and a separation margin. A binary detector with a hard-coded reduction fraction was explicitly rejected: 'at fixed FN' has to be math, not marketing.

A continuous score plus a threshold sweep is more machinery than a yes/no rule. It's the price of a metric an examiner can actually interrogate.

Decision

Recall is a construction, not a hope

Evidenced-typology alerts escalate before any clear path is even considered, and the eval gates false negatives at zero. In AML the asymmetry is absolute — a cleared launderer is a catastrophe, a reviewed false positive is a Tuesday — so the architecture makes the catastrophic error unreachable rather than merely unlikely.

Protecting recall by ordering keeps some false positives in the officer queue that a looser model would auto-close. That is the correct direction to be wrong in.

Decision

Detection parameters are versioned data, not code

The typology library is a content-hashed YAML artifact; its version and hash are stamped into every audit row and shown on the Sources page. An examiner can prove exactly which rule pack scored a given alert, and tuning a threshold is a data change with an audit trail, not a code deploy.

A hash-verified library is more ceremony than module constants. Auditability is the whole product.

Decision

The agent never files

Vigil proposes dispositions and drafts SARs; a human officer disposes and files. The one irreversible, legally-weighty action stays behind an officer-only route with no adapter shortcut — the trust boundary that makes the rest of the automation acceptable.

A fully-autonomous filer would look more impressive in a demo and be unshippable in reality. The boundary is the point.

Built on

Python 3.12FastAPI · UvicornSQLAlchemy 2.0 · AlembicPostgreSQL 16 · pgvectorRedis · RQPydantic v2 · structlogHTMX · Jinja2PyYAML · SHA-256 content hashingAnthropic SDK · sentence-transformers