Skip to main content
Try Tangos (opens in new tab)

Closing the Investigation Compliance Gap

Financial institutions have spent a decade improving detection. Alert volumes, screening coverage, and transaction monitoring have all scaled. The investigation layer has not. Every major enforcement action of the past two years traces to the same failure: not detection gaps, but investigation and documentation gaps. The hardest threats don’t sit inside a single alert. They live inside networks, hide in plain sight, and compound faster than investigation expertise can scale. Closing that gap requires investigation intelligence, not more alerts. This article defines the gap, illustrates it through the Iran sanctions case, and explains what it actually takes to close it.

The Gap

What gets detected is not what gets proven

Detection has improved. The gap that matters now is between the alert and the closed case: the evidence chain that proves what the alert suspected, the documented reasoning that survives an examiner’s review, and the audit trail that reconstructs every decision. Most institutions can flag. Few can prove. That distance is where financial crime survives, and where enforcement actions are written.

The problem is not effort or intent. It is structural, and it has four compounding dimensions.

Traceability

Modern financial crime does not travel in straight lines. Funds move across jurisdictions, through shell entities, across asset classes (real estate, trade finance, crypto, art), and through correspondent networks before they surface anywhere visible. Tracing that path requires pulling evidence from dozens of sources across multiple languages and linking it into a defensible chain. A case that cannot show that chain cannot be defended. Most cases cannot show the chain.

Networks

Financial crime is organised. The architecture is specifically designed to defeat the investigation, not just the screening system. Shell company layers, money mule rings, nominee directors, layered beneficial ownership structures: these exist to create distance between the regulated touchpoint and the criminal actor. Adversaries don’t attack your rules. They attack your seams. The gap between your identity layer and your transaction monitoring. Between your sanctions screening and your KYC file. Between the named entity and the network it operates within.

An investigation that stops at the named entity has not investigated the threat.

Capacity

Alert volumes are growing 40 to 60 percent annually. The investigation workforce is not. A senior investigator capable of closing a complex L2 or L3 case takes three to five years to develop. There are not enough of them, every institution is competing for the same small pool, and there is no realistic path to hiring out of the backlog. Cases queue. The most complex ones wait the longest. Investigations are rushed, reach wrong conclusions, or never close. Regulators treat unresolved backlogs as a finding. The capacity model is broken, and it was broken before alert volumes started compounding.

Loss of Investigation Intelligence

Annual analyst turnover in financial crime runs 25 to 35 percent. That number does not represent a staffing cost. It represents the systematic destruction of institutional knowledge. The investigator who understood how a specific typology surfaces in your customer base, who had built network pattern recognition across years of closed cases, who knew the nuances of a specific jurisdiction’s corporate registry: when that person leaves, that knowledge leaves too. It is not documented. It is not transferable. The institution starts rebuilding from zero, perpetually, never accumulating the expertise it needs most.

Adversaries compound their tradecraft over time. Compliance functions reset it every eighteen months.

The Iran Case: Investigation Intelligence in Practice

The Scale of the Problem

Iran operates under the most comprehensive sanctions regime in U.S. history. Over 35 OFAC sanctions programs, backed by decades of executive orders and legislation, have been applied to one economy. OFAC’s targeting division, which implements those programs, runs approximately 125 investigators across five divisions covering Russia, Iran, North Korea, narcotics, counter-terror, corruption, and human rights. That division accounts for roughly half of OFAC’s total staff and resources. The U.S. government, with the full weight of federal law enforcement behind it, deploys that capacity to manage the world’s most complex sanctions portfolio.

Financial institutions are expected to bring equivalent investigative rigor to their own functions, at scale, under time pressure, without that infrastructure.

Iran runs approximately $110 billion a year in total commerce. Around $40 billion of that runs through the UAE, either as physical trade through Dubai or as petrochemical, petroleum, and metals trading managed by intermediaries operating from free zones. Dubai is the chokepoint: the jurisdiction where Iranian trade, Iranian capital, and Iranian government-linked networks intersect with the global financial system in ways that are genuinely difficult to disentangle.

The Investigative Challenge

The problem, as anyone who has worked this program understands, is not flagging Iranian-linked activity. Screening catches names. The challenge is what has to happen after the alert fires.

Compliance teams in the UAE and in institutions with UAE exposure face a specific and difficult investigative question: distinguishing ordinary Iranian diaspora commerce from IRGC-linked flows. Dubai has a large Iranian diaspora. Some of the major tech companies in Dubai are owned by Iranian nationals who have relocated there and are engaged in legitimate commerce. Separating those individuals from Iranian nationals operating on behalf of the regime requires entity resolution that goes far beyond name matching. It requires network investigation across Arabic, Farsi, and English sources. It requires tracing beneficial ownership through structures specifically designed to obscure Iranian government interest. And it requires building a case file that documents that reasoning to a standard an examiner will accept.

Emiratis have faced a version of this problem at the sovereign level. The government consistently pushed back that $40 billion in trade cannot simply be removed from their economy. The investigative bind is real: the same commercial infrastructure that supports legitimate Iranian diaspora activity is the infrastructure that IRGC-linked networks operate within. The question has never been whether the risk is present. The question is whether the investigation can distinguish the legitimate from the illicit, at the depth and at the scale required, consistently enough to satisfy regulators.

What the Enforcement Record Shows

Tehran has not optimised to defeat sanctions lists. It has optimised to outlast investigation capacity. The network behind Shahed drone procurement, Hezbollah financing through commercial fronts (the $150 million New York art seizure being one documented example), and the broader IRGC proxy financing architecture across Hezbollah, the Houthis, and Iraqi Shia militias: these operations function not because they are invisible to screening systems, but because the investigation required to build the evidentiary case against them exceeds what most compliance functions can sustain at volume.

The signals are detectable. The proof is not being built. When enforcement actions follow, the finding is not that the institution missed the transaction. It is that the institution cannot demonstrate it understood what the transaction meant.

That is the compliance gap in its clearest form.

Investigation Intelligence: What Closing the Gap Requires

The gap is not closed by more alerts, more analysts, or faster workflows. It is closed by investigation intelligence: the capacity to take a case from intake through to a complete, examiner-ready file with the reasoning quality of a senior investigator, every time, at scale.

What that requires in practice:

These requirements define what a closed case actually means. They are also precisely what manual investigation at scale cannot reliably deliver.

Tangos: Autonomous Investigation Intelligence

What It Is

Tangos is an autonomous model trained by the world’s top risk experts. It takes an escalated case from intake to examiner-ready report, end to end, without manual investigation burden.

The process is structured: Hypothesis. Evidence. Reasoning. Resolution. File. One complete, defensible investigation output. Source-traced evidence at every step. Every conclusion tied to a specific cited source. Every investigation building institutional knowledge that compounds over time.

Tangos is not a tool that assists investigators by summarizing data or suggesting next steps. It investigates. The distinction is consequential. An assistant leaves the investigation to the human. Tangos closes it.

How the Engine Works

The Autonomous Intelligence Engine deploys domain-specific AI Specialists trained on the typologies, evidence standards, and regulatory expectations of their specific domain. Each Specialist operates within a tested Investigation Playbook: structured investigation steps, defined evidence requirements, documented decision logic. The output is a complete case file, not a risk score.

Evidence is gathered across 60 curated datasets spanning 15 domains, across multiple languages and jurisdictions, in parallel. Findings are corroborated across independent sources before any conclusion is reached. The audit trail is immutable. Every reasoning step is documented. The human reviewer validates, challenges, and signs off. The research burden is resolved before they open the file.

The Specialists

Tangos deploys 12 AI Specialists covering the full financial crime investigation surface:

Government and law enforcement deployments operate through a dedicated suite of GOV Specialists, deployed in on-premise and secure cloud configurations for FIU, law enforcement, and national security environments.

Tangos Programs

Tangos Programs are ready-to-deploy investigation frameworks for the most common risk and compliance challenges. Each Program combines expert methodologies, autonomous AI investigators, and structured workflows to deliver consistent, examiner-ready investigations from day one, without integration projects or data migrations. Programs cover AML monitoring, sanctions hit adjudication, enhanced due diligence, correspondent banking, third-party risk, and regulatory assurance.

The result: investigation time reduced by 95 percent. Accuracy up 10x. Cost per case down 75 percent. Backlogs cleared. Institutional knowledge that compounds with every investigation run.

The Team

Tangos was built by people who have sat on the other side of an examiner’s desk.

Eyal Azoulay (Founder and CEO) built and exited three companies in financial crime and risk management, including acquisitions by BNY Mellon and UBS. He led counter-terror financing work following October 7.

Miad Maleki (Chief Sanctions Officer) served as OFAC Director and led the global targeting division that ran the Iran maximum pressure campaign. He personally oversaw more than 5,000 sanctions designations across 35+ programs. The investigation standards Tangos is built to meet are standards he wrote.

Kerri Bitsoff (Director of Investigations) brings more than ten years of AML and OFAC enforcement experience across global compliance and targeting functions.

Menahem Pakman (CBO, Government) brings 34 years of intelligence community experience in AML, counter-terror finance, and narcotics investigation.

Eddie Aronovich (Co-Founder and CTO) led machine learning at GM Autonomous Driving, served as VP of AI at a leading cyber LLM startup, and headed the AI Labs at Tel Aviv University.

Engineering leadership comes from Chainalysis, GM, BNY Mellon, JPMorgan, and Morgan Stanley. 75+ combined years in financial crime, sanctions, and intelligence. 5,000+ regulator investigations led directly by this team.

The investigation intelligence the model is trained on was shaped by people who built and ran risk operations at the scale where these decisions carry real consequences.

Conclusion

The compliance gap is not a detection problem. Detection has scaled. The gap is the distance between the alert and the complete, defensible, examiner-ready case: the traceability problem, the network problem, the capacity problem, and the knowledge retention problem, compounding simultaneously at every institution that still investigates by hand.

Adversaries compound faster than expertise can scale. Closing the gap requires investigation intelligence that scales with them.

Hypothesis. Evidence. Reasoning. Resolution. File.

Tangos Raises $20M

The autonomous investigations unit for financial crime is commercially available today!