Anatomy of agentic AI AML triage: what the machine decides
An AI agent can read a money-laundering alert, gather the context and propose a verdict in seconds. What it cannot do is sign the suspicious-activity report to Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales e Infracciones Monetarias. Unidad de inteligencia financiera de España (FIU), receptor oficial de las comunicaciones de operativa sospechosa de las entidades obligadas.SEPBLAC in your name. The following is an illustrative scenario (not a real client) of an agent triaging AML alerts: where it decides alone, where it stops, and what gets logged so the decision is defensible.
The scenario
A payment institution monitors its operations with an AI agent. At 02:30, outside the compliance team's hours, the system flags a customer who has split five transfers below the reporting threshold in under an hour, all to the same beneficiary in a high-risk jurisdiction. The pattern is textbook structuring. The operational question is not "did the agent see it?" but "what is the agent authorised to decide alone, and where does the decision that requires a person begin?".
Minute 0: what the agent gathers
The agent opens a timestamped case file and assembles the context an analyst would take time to cross-reference by hand: customer history, risk profile, relationship with the beneficiary, sanctions lists and how well the activity fits the declared business. Spain's Law 10/2010 and Royal Decree 304/2014 require a special examination of any complex or unusual operation. The agent does not replace that examination: it prepares it, with every data point traced to its source.
That gathering work is where automation pays off with no regulatory risk: it decides nothing irreversible, it just orders the evidence.
What the agent decides alone
Not every alert is a suspicious-activity report. Most are noise: a seasonal charge, a payroll run, an already-justified pattern. Here the agent does close the case on its own, within a bounded perimeter:
| Agent decision | Condition |
|---|---|
| Dismiss the alert | The pattern has a documented, low-risk explanation. |
| Enrich and escalate | The signal crosses the review threshold: it goes to an analyst. |
| Request information | A data point is missing to complete the special examination. |
The criterion is not "the agent decides the easy ones." It is that the agent can resolve the reversible (a dismissal can be reopened) and never what cannot be undone.
The boundary: the suspicious-activity report
In the scenario, the structuring pattern crosses the threshold. The agent does not file to SEPBLAC. It escalates the case with its analysis and proposal, and stops there. The decision to report (or not to, which also binds the institution) is made by a person and validated by a second under the four-eyes principle.
Reporting to the regulator is a human decision, by rule
Filing a suspicious operation carries legal and reputational consequences that are not delegated to a model. Law 10/2010 places accountability on the obliged entity, not on its tool. The agent speeds up the path to the decision; it does not replace it.
One nuance is worth stating: the Reglamento UE 2024/1689: marco europeo para sistemas de IA basado en riesgo. Prohíbe usos inaceptables, regula los de alto riesgo y establece transparencia para modelos generativos. Entrada en vigor escalonada 2025-2027.AI Act (Regulation (EU) 2024/1689) excludes financial-fraud detection from its high-risk list, so an AML triage agent does not automatically inherit Annex III obligations. The requirement for human control over the report does not come from there, it comes from the sectoral AML regime, and it holds just the same.
Where it breaks without governance
The risk is not only the slow manual process. It is also the agent without brakes, deciding more than it should. Both extremes fail:
| Failure point | Consequence |
|---|---|
| Agent closes alerts it should have escalated | A real signal is filed away with no record of who decided it. |
| Shared service credential | The log says which account acted, not which agent or on whose behalf. |
| Triage with no traced special examination | The disposition cannot be justified in an inspection. |
| Report signed with no second control | The segregation of duties the rule requires is lost. |
A fast triage that cannot be defended before SEPBLAC is not an advantage: it is an exposure.
What sustains governance
That an agent speeds up triage without weakening control is a matter of architecture, not trust in the model:
- The agent's own identity. It acts under a verifiable cryptographic identity, not a shared credential. It is the same thesis we hold for connectivity: without an attributable identity, the audit trail points to no one.
- Four eyes over the irreversible. The agent dispositions the reversible; the suspicious-activity report is approved by two people. Human control concentrates where it matters, not on every alert.
- An audit trail with evidentiary value. What the agent saw, what it proposed, who validated it and when is logged, with the integrity the ten-year document retention of Law 10/2010 already requires.
The agent filters and times; the person decides what cannot be undone
Automating AML triage is not about the system reporting on its own, but about the suspicious operation reaching a human decision sooner and better documented. The judgment stays human; the clock and the evidence belong to the system.
How BlueUPALM approaches AML triage
| Capability | Implementation |
|---|---|
| Gathering | Timestamped case file with context traced to its source. |
| Special examination | Analysis prepared against the Law 10/2010 criteria. |
| Agent perimeter | Autonomous disposition of the reversible only, escalation of the signal. |
| Four eyes | Suspicious-activity report approved by dual human control. |
| Audit trail | Immutable record of evidence, proposal and validation. |
Related reading
- Agentic AI and regulation: who answers when the agent acts alone — The regulatory frame this scenario comes from.
- SEPBLAC software: automate AML reporting without losing traceability — The Anti-Money Laundering: prevención de blanqueo de capitales. Consume 5-10% del presupuesto operativo de una entidad media; los sistemas tradicionales generan >95% falsos positivos. Leer más → AML reporting downstream of this triage.
- Agentic AI and Zero Trust: why identity must precede connectivity — The per-agent identity that makes the audit trail attributable.
Want to see governed AML triage in your operations?
We will walk you through BlueUPALM's flow of special examination, agent perimeter and four eyes with a scenario from your sector.