AML alert-triage and SAR-drafting agent that scores every alert on a continuous suspicion scale, cites each typology claim to the exact transaction behind it, and drafts a regulator-ready SAR — clearing false positives while never letting a true positive slip. The agent proposes; a compliance officer disposes and files.
A BSA/AML analyst drowns in transaction-monitoring alerts, and the industry-standard false-positive rate runs 90–95% — an ocean of noise a small team has to clear by hand while the one alert that actually launders money hides inside it. Missing that alert is not an efficiency problem; it is a regulatory failure with personal liability attached. Generic "AI triage" tools quietly optimise for closing alerts fast, which is exactly backwards: the metric that matters is how many false positives you can retire *without ever raising the false-negative rate*, and most tools assert that number rather than measure it. Vigil is built for the officer who has to defend the model to an examiner — every disposition carries the transactions that drove it, the suspicion score is computed on a continuous scale and swept against a real false-positive/false-negative curve, and no SAR is ever filed autonomously. This is the trust flagship of the Acilox Agent Studio: the demo a compliance officer is meant to scrutinise.
Each alert loads the customer's KYC profile, counterparties, and transactions inside a bounded lookback window, and compares observed activity to a per-customer expected baseline. Risk rating and PEP status — dead signals in most triage tools — feed the score. The read is time-bounded by design, so a customer clean today but who structured long ago is judged on the right window.
Deterministic detectors for structuring, layering, and mule activity run against a versioned, SHA-256 content-hashed typology library (parameters are data, not code). Every hypothesis a detector raises binds the exact transactions that support it — a claim with no citation is dropped in the reflect pass before it can reach a disposition.
The headline metric is earned, not asserted. A continuous suspicion score blends baseline deviation with typology likelihood and a bounded risk/PEP bump; the eval harness sweeps the clear threshold over that score and reports the operating point that maximises false-positive reduction while holding false negatives at zero, plus the full curve and the separation margin between the weakest suspicious alert and the strongest cleared one.
Disposition is ordered so recall can't be traded away: an alert with an evidenced typology escalates first and can never auto-clear; a missing-KYC alert routes to RFI; only a baseline-explained alert with no typology clears — and even then it clears with a stored rationale, never a silent drop. The eval fails outright on a single false negative.
The product posture is deliberate: the agent drafts a 5W SAR narrative with an evidence index, but the casemanagement adapter has no autonomous file action. Filing is an officer-only console route. Every disposition — cleared, escalated, or filed — writes a hash-chained audit row that also records the typology library version and content hash it ran under.
The whole engine is published over the Model Context Protocol behind an optional extra, so Claude Desktop or another agent can list and read alerts, pull a persisted AlertScope, enrich a customer, search transactions, and fetch a SAR draft — all read-only, nothing that files. Run it with `vigil mcp`.
False-positive reduction at a fixed false-negative rate is the number a risk committee reads — so it is computed by sweeping a continuous suspicion score against the labelled corpus, reported with its operating threshold, its curve, and a separation margin. A binary detector with a hard-coded reduction fraction was explicitly rejected: 'at fixed FN' has to be math, not marketing.
A continuous score plus a threshold sweep is more machinery than a yes/no rule. It's the price of a metric an examiner can actually interrogate.
Evidenced-typology alerts escalate before any clear path is even considered, and the eval gates false negatives at zero. In AML the asymmetry is absolute — a cleared launderer is a catastrophe, a reviewed false positive is a Tuesday — so the architecture makes the catastrophic error unreachable rather than merely unlikely.
Protecting recall by ordering keeps some false positives in the officer queue that a looser model would auto-close. That is the correct direction to be wrong in.
The typology library is a content-hashed YAML artifact; its version and hash are stamped into every audit row and shown on the Sources page. An examiner can prove exactly which rule pack scored a given alert, and tuning a threshold is a data change with an audit trail, not a code deploy.
A hash-verified library is more ceremony than module constants. Auditability is the whole product.
Vigil proposes dispositions and drafts SARs; a human officer disposes and files. The one irreversible, legally-weighty action stays behind an officer-only route with no adapter shortcut — the trust boundary that makes the rest of the automation acceptable.
A fully-autonomous filer would look more impressive in a demo and be unshippable in reality. The boundary is the point.