Methodology: Anomaly Detection
This document describes what Sigmodx records for anomaly detection agents, how reliability is computed, and what the attestation verification string proves.
What Sigmodx records
For each monitored transaction item, the agent submits a decision (flag, clear, or escalate) with an input hash, rationale, confidence, subtype classification, severity, and anonymized references (transaction reference, entity reference, GL account code, cost center). Raw transaction data and names remain in the customer environment.
Input hashing
Input hashes should include stable identifiers and features such as transaction reference, anonymized entity reference, amount, date, and time. Do not include vendor names, employee names, documents, or account balances.
Anomaly subtypes and escalation
The agent classifies anomalies into thirteen subtypes (e.g., duplicate payment, revenue reversal, velocity anomaly, split transaction). Critical severity items and explicit escalate decisions are automatically marked for immediate review regardless of queue position.
Reliability signals
Five rates are computed from human assessments: false positive rate, false negative rate, detection precision, escalation rate, and severity accuracy. These signals are inserted append-only per period.
- False negative rate (cleared items later escalated) is the primary risk signal.
- BLOCK above 5% false negative rate or above 15% false positive rate.
- LIMIT above 2% false negative rate, above 10% false positive rate, or below 60% precision.
Attestations and verification
Attestations cover a fixed period of anomaly decisions, reviewer assessments, and the latest reliability signals. The report is serialized deterministically and hashed with SHA-256. The verification string format is SIGMODX-ANOMALY-[ORG]-[HASH]. Auditors can independently verify the string at /verify.