ae-platform / module-04 · financial domain · H2 · PI-5
EU AI Act · High-Risk HITL-08 · Dual-reviewer · 1h SLA Streaming · Always-on
Module 04  ·  Financial Domain  ·  H2 · PI-5  ·  2026

FinRisk Sentinel: Financial Anomaly Detection
Streaming, Dual-Reviewer, 1-Hour SLA

18s
payment to dual HITL alert
streaming pipeline, not batch
0.87
anomaly score, München case
85.8σ above 90-day baseline
1h
SLA on HIGH severity alerts
CFO + Finance Controller, simultaneous
Abstract

FinRisk Sentinel monitors the live financial event stream continuously — not in batch. It computes rolling baselines per account, per payment type, and per peer group, scoring every incoming transaction against a dynamic model of normal behaviour. The architectural distinction from Asset IQ's streaming anomaly detector is the sliding-window aggregation layer: FinRisk computes population statistics — rolling mean, rolling standard deviation, Z-score against a 90-day baseline, peer-group deviation — before any anomaly model sees the event.

High-severity anomalies reach the CFO and Finance Controller simultaneously through a dual-reviewer HITL-08 checkpoint. Both see the same data; either can act. The first decision closes both queues via an optimistic lock — no coordination required, no double-action possible. SHAP attribution is written to BigQuery before the HITL record is created, so the audit trail is grounded in the model's actual computation from the moment of scoring.

Isolation Forest streaming anomaly detection Z-score enrichment peer-group baseline SHAP TreeExplainer dual-reviewer HITL optimistic lock EU AI Act Art. 13 / 14

§1 System Context

FinRisk Sentinel's context is defined by what feeds it and what it produces. The input is the BigQuery financial event stream — populated by Salesforce contract events and RevRec AI classification outputs. The output is a dual-reviewer HITL alert that neither the CFO nor the Finance Controller can miss, and a BigQuery anomaly events record that closes the audit trail.

Figure 1
System context (C4 Level 1) — streaming input, dual-reviewer HITL output, always-on, 1-hour SLA on high-severity alerts
FinRisk Sentinel Module 04 · Financial Domain Sliding window feature computation Isolation Forest anomaly scoring Z-score enrichment vs 90d baseline Peer-group deviation computation SHAP TreeExplainer attribution HITL-08 dual-reviewer manager Cloud Run · Vertex AI · Firestore · BigQuery europe-west3 · VPC-SC · always-on Sub-5min event latency BigQuery · Financial Events Salesforce contract events RevRec AI classification outputs Pub/Sub ae-financial-events Vertex AI Feature Store Account baseline features 90d rolling stats · peer groups CFO · Finance Controller HITL-08 · dual reviewers Simultaneous · either can act 1-hour SLA · auto-escalate BigQuery · Anomaly Events ae_audit.anomaly_events SHAP + HITL + decision Immutable · CMEK Salesforce Account Activity log entry Anomaly alert ref attached EU AI Act · Annex III High Risk · Art. 13 · Art. 14 Dual-reviewer = Art. 14 compliance
FinRisk Sentinel boundary (teal) · financial event stream input (teal) · dual-reviewer HITL-08, CFO + FC (coral) · Feature Store baselines (purple) · Salesforce output (blue).

§2 Architecture — Streaming Pipeline

FinRisk Sentinel's architectural distinction from Asset IQ's streaming anomaly detector is the sliding-window aggregation layer. Asset IQ scores individual sensor readings; FinRisk computes population statistics — rolling mean, rolling standard deviation, Z-score against a 90-day baseline, peer-group deviation — before any anomaly model sees the event. The model scores against a dynamic baseline that updates with every new transaction.

Figure 2
Pub/Sub → sliding window → Isolation Forest → SHAP → severity router → dual-reviewer HITL-08
StageComponentFunctionOutput
1Pub/Sub ae-financial-eventsStreaming ingestion from Salesforce + RevRec AIRaw payment event
2FinRisk Agent (Cloud Run, min 2 instances)Concurrent Pub/Sub pull · SA: finrisk-sa@ · WIF authEvent accepted for scoring
3Sliding window layer90d rolling mean/std · Z-score · peer-group deviation (Feature Store online)Enriched feature vector
4Isolation Forest (Vertex AI endpoint)finrisk-anomaly@v1.2 · synchronous, sub-200msanomaly_score 0–1
5SHAP TreeExplainerTop-3 feature attribution · deterministic, synchronousSHAP values
6BigQuery SHAP writeae_audit.shap_explanations · written before HITL · EU AI Act Art. 13Immutable SHAP record
7Severity router<0.50 Log Only · 0.50–0.75 Alerting (no HITL) · ≥0.75 HITL-08Routed outcome
8Firestore HITL-08Two docs: CFO + FC, simultaneous · either decision closes both · 1h SLADual-reviewer checkpoint
9BigQuery anomaly eventsae_audit.anomaly_events · every decision, HITL ref, SHAP refClosed audit record + Salesforce Activity entry
Score < 0.50 routes to Log Only; 0.50–0.75 to Alerting (Cloud Monitoring, no HITL); ≥ 0.75 to HITL-08 dual-reviewer with severity-dependent SLA.

§3 Agent State Machine

The FinRisk Sentinel state machine is distinguished by two features not present in other modules: four-tier severity branching from SCORING, and concurrent-decision handling in HITL-08. When two reviewers can both act, the state machine must correctly handle simultaneous action, action before the SLA, and the case where neither acts before the SLA.

Figure 3
IDLE → STREAMING → WINDOWING → SCORING, then four severity branches converging at POSTING → COMPLETE
StateTriggerDetail
IDLE → STREAMINGagent startPub/Sub pull · always-on
STREAMING → WINDOWINGevent received90d rolling stats · Z-score · peer-group deviation · Feature Store online
WINDOWING → SCORINGfeatures readyIsolation Forest + Z-score · anomaly_score 0–1
SCORING → LOG ONLYscore < 0.50BQ write · no alert
SCORING → ALERTING0.50–0.75Cloud Monitoring · no HITL
SCORING → SHAP → HITL-08 HIGH0.75–0.90CFO + FC · simultaneous · 1h SLA · optimistic lock
SCORING → SHAP → HITL-08 CRITICALscore > 0.90CFO + FC + immediate escalation · 30min SLA · phone alert · auto-freeze pending review
SCORING → ERRORVertex AI timeoutHITL fallback
HITL-08 → POSTINGdecision committedBQ anomaly_event + Salesforce Activity
POSTING → COMPLETEwrite confirmedAudit trail closed
Optimistic lock: the first decision commits to Firestore; the second write detects the version conflict; both queues auto-close. No double-action is possible. SHAP is written to BigQuery before HITL-08 is created — Firestore is immutable at every state transition.

§4 Data Flow & Sequence

The Universitätsklinikum München account — the same account whose contract was processed by ContractGuard, whose revenue was recognised by RevRec AI, and whose MRI unit is monitored by Asset IQ — makes a payment significantly above its 90-day baseline. FinRisk scores it at 0.87 and creates a simultaneous HITL-08 for both the CFO and Finance Controller.

Figure 4
Sequence: €2.84M payment → dual HITL-08 → Finance Controller acts first at t+22min
TimeActorEvent
t+0Salesforce → Pub/Subpayment_event · €2,840,000 published to ae-financial-events
t+2sFinRisk Agent → Feature Storeget_online_features(UKM_account) + sliding_window()
t+4sFeature Store → Agent90d_mean: €184K · std: €31K · Z: 85.8
t+6sAgent → Vertex AIisolation_forest.score(enriched_feature_vector)
t+8sVertex AI → Agentanomaly_score: 0.87 · severity: HIGH
t+10sAgent → SHAPshap_values(enriched_feature_vector)
t+12sAgent → BigQueryBQ write: shap_explanations(UKM_payment_202603) before HITL · EU AI Act Art. 13
t+14sAgent → Firestorehitl.create_dual(HITL-08, score=0.87, shap, baseline, transactions[5])
t+18sFirestore → CFO + FCHITL-08 queue (HIGH) delivered simultaneously to both reviewers
t+22minFinance Controllerdecision: Approve · reason: legitimate Q1 early payment · FC acts first
t+22minFirestoreoptimistic lock · CFO queue auto-closed
t+23minAgent → BigQuery + SalesforceBQ anomaly_event committed · hitl_ref · shap_ref · Salesforce Activity updated
t+23minStateComplete · audit trail closed · CFO queue closed by optimistic lock

§5 HITL-08 Presentation

HITL-08 is the most urgent HITL in the suite. The CFO and Finance Controller receive the same alert simultaneously — a sparkline for visual context, a transaction table for the numbers, SHAP for the model's reasoning, and a dual-reviewer status panel showing whether the other reviewer has already acted. The first decision closes both queues.

FinRisk Sentinel — HITL-08 HIGH · Universitätsklinikum München · SLA: 47m · CFO also reviewing
Anomaly Summary
Anomaly Score
0.87
HIGH severity · > 0.75 threshold
Z-Score
85.8σ
2.8σ above 90d mean
Payment Amount
€2.84M
vs 90d mean €184K
High Severity · HITL-08 · Dual Reviewer
90-Day Payment Baseline vs Anomalous Event
Rolling 90-Day Payment History · Universitätsklinikum München
Normal range €2.84M 90d ago 45d ago Today mean €184K
Recent Transactions — Last 5
DateAmountTypeZ-ScoreStatus
2026-02-28€164,320Invoice payment−0.6σNormal
2026-02-14€201,840Invoice payment+0.6σNormal
2026-01-31€178,500Invoice payment−0.2σNormal
2026-01-15€221,750Invoice payment+1.2σNormal
2026-03-15€2,840,000Payment (type: unspecified)+85.8σ⚠ Anomaly
SHAP Attribution — Top 3 Features
payment_to_baseline_ratio
+0.52
val: 15.4× baseline (2,840K ÷ 184K)
z_score_deviation
+0.29
val: 85.8σ — highest ever for this account
payment_frequency_anomaly
+0.11
val: payment 13 days after last (normal: 14–16 day cycle)
Dual Reviewer Status
Finance Controller (you)
Reviewing
Your decision will close this alert and auto-close the CFO queue via optimistic lock.
CFO
Also reviewing
CFO notified at the same time. If CFO acts first, your queue will close automatically.
✓ Approve — Legitimate Payment
⚠ Escalate — Suspicious
↷ Defer 15min
⏱ SLA: 47 minutes remaining · timeout → CEO + Risk Committee auto-alert · decision immutably recorded · SHAP already in BigQuery
Account Context
Account
Universitätsklinikum München
Account tier
Tier-1 Hospital · EMEA-North
Relationship
Active · 8 years · Contract CV2026-0042 signed 2026-03-15
Payment history
42 payments · 0 disputes · avg. payment cycle: 15.2 days
Anomaly score
0.87 · High
Above HITL-08 threshold (0.75)
HITL checkpoint
HITL-08 · 1h SLA
Dual-reviewer (CFO + FC)
SHAP record
Written to BigQuery before this queue was created · EU AI Act Art. 13 ✓
Context note. This account signed a new €2.84M contract on 2026-03-15 (same day). Early full-contract payment is possible but atypical. Recommend Approve if payment matches contract reference.
Concurrent reviewer. CFO has this same queue open. First decision wins. Second decision triggers optimistic lock — no double-action.

§6 Architecture Decision Records

Three FinRisk decisions, every alternative documented.

ADR-011 Isolation Forest over ARIMA / statistical threshold (restated for FinRisk Sentinel) Accepted · ML Design

BigQuery ML's ARIMA_PLUS model was evaluated — a natural choice for financial time-series anomaly detection given that payments are temporal events with seasonality. It was rejected for three reasons. (1) ARIMA models require a minimum history length per entity before they can produce reliable forecasts — new accounts or accounts with irregular payment schedules produce poor ARIMA fits. Isolation Forest requires only that a normal operating period exists, not a minimum number of observations; ClaraVis has accounts that pay quarterly, annually, or on irregular project schedules. (2) ARIMA_PLUS operates in batch mode in BigQuery ML — it is not a streaming model. For a financial anomaly system with a 1-hour HITL SLA, a batch model requires scheduling infrastructure that introduces latency; Isolation Forest runs on the Vertex AI endpoint as a synchronous REST call with sub-200ms response. (3) The deterministic SHAP TreeExplainer requirement applies equally here — ARIMA does not produce structured SHAP attributions. The CFO asking "why was this payment flagged?" needs a feature-level explanation, not an ARIMA residual value. A Z-score enrichment layer alongside Isolation Forest produces a human-readable metric ("+85.8σ above baseline") while Isolation Forest provides the multi-dimensional model signal that accounts for correlated features.

ADR-FR01 Streaming Pub/Sub scoring over scheduled BigQuery batch detection Accepted · Agent Design

The alternative design was to run FinRisk as a scheduled BigQuery query — every 15 minutes, query the transactions table, compute Z-scores in SQL, and alert on outliers. This is a common financial monitoring pattern and avoids the operational complexity of a streaming Cloud Run agent. It was rejected because: (1) a 15-minute batch window means a payment anomaly can sit undetected for up to 15 minutes before any alert fires — operationally unacceptable for a high-severity financial event such as a potentially fraudulent payment or a wire transfer error. The streaming architecture detects and alerts within 18 seconds of the payment event reaching Pub/Sub. (2) BigQuery SQL cannot call a Vertex AI Isolation Forest endpoint synchronously — the batch approach would require either BigQuery ML (rejected above) or a scheduled Cloud Function bridge that replicates the streaming agent's complexity without the latency advantage. (3) the sliding window feature computation (90-day rolling stats, peer-group deviation) requires maintaining state across events — natural in a streaming agent with in-memory state, but requiring materialised views or intermediate tables in batch SQL, adding query cost and maintenance overhead. The streaming architecture is more complex to operate but delivers a 1-hour HITL SLA that a batch architecture cannot match.

ADR-FR02 Dual-reviewer HITL-08 over single-reviewer for high-severity financial alerts Accepted · Product Design

Single-reviewer HITL — either CFO or Finance Controller, not both — was the initial design for simplicity. It was replaced with dual-reviewer for three reasons. (1) Separation of duties: for high-severity financial alerts (score ≥ 0.75, potentially indicating fraud or error), requiring only one reviewer creates a single point of control. Having both reviewers notified simultaneously ensures the faster-responding, better-informed reviewer can act within the SLA without requiring coordination. (2) EU AI Act Article 14 requires adequate human oversight proportionate to the risk; for a system flagging potential financial fraud in a regulated medical device company, "adequate oversight" for high-severity alerts is documented as dual-reviewer — matching the four-eyes principle already applied to financial authorisations above a threshold at ClaraVis. (3) the optimistic lock mechanism resolves the concurrent-decision problem cleanly: Firestore's transaction model guarantees the first committed decision is final, the second write detects the conflict via the document version check, and both queues close automatically. No coordination between reviewers is required.

§7 Stakeholder Rebuttals

Six objections raised during the FinRisk design review. Each rebuttal is grounded in architectural evidence, not opinion.

CTO · S-01
Why not BigQuery ML ARIMA — it's already in the data warehouse?
"ClaraVis already uses BigQuery, and BigQuery ML has ARIMA_PLUS. Why build a separate Cloud Run streaming agent and a separate Vertex AI endpoint when the anomaly detection capability is already in the tool we're paying for?"
Architect Response
ARIMA_PLUS is a batch forecasting model — it runs in scheduled query mode, not in a streaming, sub-second scoring mode. ADR-FR01 documents the latency argument: a 15-minute batch window is operationally unacceptable for a high-severity financial alert system with a 1-hour SLA. By the time a batch model fires an alert, 15 minutes have already elapsed; the streaming architecture detects and alerts in 18 seconds. ARIMA also does not produce structured SHAP attributions that satisfy EU AI Act Article 13. The CFO and Finance Controller need to see "this payment was 15.4× the account baseline and 85.8σ above the rolling mean" — not an ARIMA residual value. The Isolation Forest plus Z-score combination provides both the model signal and the human-readable explanation in a single scoring pass.
Evidence: ADR-FR01 (streaming over batch) · ADR-011 (Isolation Forest over ARIMA) · HITL-08 UI (Z-score human-readable + SHAP) · EU AI Act Art. 13
CFO · S-03
What's the false positive rate — every spurious alert wastes senior executive time?
"Every HIGH severity alert lands in my queue and requires my attention within the hour. If FinRisk fires 20 false positives a week, that's 20 hours of executive time wasted. What is the expected alert volume?"
Architect Response
At ClaraVis's transaction volume (approximately 340 invoiced payments per month across all accounts), the Isolation Forest model with a 0.75 HIGH threshold and Z-score enrichment is calibrated to fire HIGH alerts on approximately 1–3 events per month — not per week. The model's contamination parameter is set to 0.005 (0.5% expected anomaly rate). The vast majority of elevated payments — an account paying early, a large Q4 order, a multi-year prepayment — score below 0.75 and route to Alerting (no HITL) or Log Only. The sidebar context note shows the account's contract activity on the same date, allowing the CFO to approve a legitimate early payment in under 60 seconds. The dual-reviewer design means that if the Finance Controller acts first, the CFO queue closes automatically — eliminating the CFO's time cost entirely for false positives the FC recognises immediately.
Evidence: FinRisk Model Card (contamination parameter 0.005) · HITL-08 UI context note · ADR-FR02 (dual-reviewer, first-act closes both)
Finance Controller
How does FinRisk distinguish genuine anomalies from planned large payments?
"At quarter-end, some of our largest accounts make bulk payments covering 3–6 months of invoices simultaneously. These are expected — but they'll look like massive anomalies to a model that only knows the 90-day rolling mean. Won't FinRisk flood us with false positives at Q1 and Q4 close?"
Architect Response
Two mechanisms address this specifically. First, the Feature Store account baseline features include a payment_seasonality_flag set for accounts with documented Q1/Q4 bulk payment patterns — the Isolation Forest model is trained on data that includes these seasonal payments, so the contamination rate accounts for them. The payment_frequency_anomaly SHAP feature captures whether the payment arrived on schedule or out-of-cycle. Second, the HITL-08 sidebar context shows the account's contract and invoice history alongside CRM notes — a Finance Controller reviewing a Q4 bulk payment sees immediately that it matches three outstanding invoices, and the approval takes 30 seconds, not 30 minutes. The system is designed to make every HIGH alert reviewable in under five minutes with full context, so genuine anomalies are caught and false positives are dismissed quickly.
Evidence: FinRisk Feature Store (payment_seasonality_flag) · HITL-08 UI (account context sidebar) · ADR-011 (Isolation Forest trained on seasonal data)
Enterprise Architect · S-08
How does the sliding window handle sparse payment schedules for smaller accounts?
"A small account that pays annually has maybe 1–2 payments in 90 days. The rolling statistics will be meaningless or undefined. How does FinRisk handle this?"
Architect Response
Accounts with fewer than 5 payment events in the rolling 90-day window fall back to peer-group-level baseline statistics rather than account-level statistics. The peer group is defined by account tier (Small, Mid, Enterprise), industry vertical, and region — accounts with similar payment frequency profiles. A small research institution that pays annually is compared against other annual-paying research institutions in the same region, not against its own sparse history. This fallback is explicit in the Feature Store account baseline features: the feature vector includes a baseline_source field (Account or Peer Group) that the SHAP attribution reports, and the HITL-08 interface shows which baseline source is being used.
Evidence: FinRisk Feature Store (baseline_source feature, peer-group fallback) · HITL-08 UI SHAP section (baseline source displayed) · Isolation Forest contamination parameter
CISO · S-09
Financial transaction data — what access controls apply?
"The ae-financial-events topic carries actual payment amounts, account identifiers, and transaction references. This is classified financial data. Who has read access to this topic and the downstream BigQuery tables?"
Architect Response
The ae-financial-events topic has three principals with subscription access: the FinRisk SA (pull subscription only), the RevRec AI SA (publish only), and the Data Governance SA (schema validation only). No developer SA has subscription access. The anomaly_events table in ae_audit is governed by the same IAM policy as the SHAP explanations table: Finance Controller (read), CFO (read), FinRisk SA (write), audit SA (read for compliance queries). Raw Pub/Sub payloads are not persisted in BigQuery — only the processed anomaly record is written, and the full transaction reference is stored as a hash, not plain text. The plain-text reference is only accessible via the Salesforce Account record, with its own IAM-governed access control.
Evidence: Pub/Sub topic IAM (three SA principals) · BigQuery ae_audit access policy · CMEK configuration · transaction reference hashing
CCO · S-02
Does FinRisk fall under EU AI Act given it flags financial transactions?
"Annex III includes AI systems used in creditworthiness assessment and financial access decisions. Is FinRisk a high-risk system under that classification, and what are the obligations if it is?"
Architect Response
FinRisk Sentinel monitors ClaraVis's own incoming financial transactions for anomalies — it does not assess counterparties' creditworthiness or make access-to-financial-services decisions, so it does not fall cleanly under Annex III Category 5b. The conservative position adopted in the architecture is to treat FinRisk as High Risk regardless of the precise Annex III category, because the consequences of a false negative (a missed fraudulent transaction) or a mishandled false positive (freezing a legitimate payment) are material. The dual-reviewer HITL-08 design satisfies Article 14 at the highest level of human oversight — two senior principals, 1-hour SLA, optimistic lock preventing double-action. The SHAP attribution per alert satisfies Article 13; the Model Card in Vertex AI Model Registry satisfies Article 11.
Evidence: FinRisk Model Card (EU AI Act classification) · HITL-08 dual-reviewer design (ADR-FR02) · SHAP attribution (Art. 13) · VPC-SC + CMEK (Art. 15 robustness)

§8 Demo Pathway

Three minutes. One payment. Two reviewers. Eighteen seconds to alert. The München hospital account makes a payment that FinRisk flags. The pathway below shows the streaming pipeline in action, the simultaneous dual-reviewer HITL-08, and the optimistic lock when the Finance Controller acts before the CFO.

00
Setup · 30s before
Show the FinRisk monitoring dashboard — live event stream
Open the FinRisk Sentinel monitoring dashboard in Cloud Monitoring. Show the live Pub/Sub message rate on ae-financial-events, the Cloud Run instance count, and the rolling anomaly score distribution for the past 24 hours — mostly Log Only (green), a few Alerting (amber), zero High. This establishes that the system runs continuously and that HIGH alerts are genuinely rare.
Cloud MonitoringPub/Sub monitoringCloud Run dashboard
01
Payment Event · 0:00
Publish a synthetic payment event — watch the pipeline respond
Publish a synthetic payment event to ae-financial-events via the Pub/Sub Console: account_id UKM_MCH_001, amount €2,840,000.00, payment_date 2026-03-15. The Cloud Run logs show: "Event received," "Fetching baseline features…," "Z-score computed: 85.8," "Isolation Forest score: 0.87 · severity: HIGH" — all in under 10 seconds.
"I'm publishing a payment event directly to the Pub/Sub topic — simulating the Salesforce trigger. Watch the Cloud Run agent respond. The event lands, the baseline is fetched, Z-score computed, anomaly scored — all in under 10 seconds."
Pub/Sub publishCloud Run logsFeature Store onlineVertex AI endpoint
02
SHAP + BigQuery · 0:20
SHAP computed and written to BigQuery before HITL
The Cloud Run logs continue: "SHAP computed · payment_to_baseline_ratio +0.52 · z_score_deviation +0.29 · payment_frequency_anomaly +0.11," "Writing SHAP to BigQuery before HITL creation…," "SHAP written · creating HITL-08 dual-reviewer checkpoint…" A quick SELECT on ae_audit.shap_explanations shows the row already exists before the HITL queue appears.
"The SHAP explanation is in BigQuery before the HITL queue exists. This is the EU AI Act Article 13 design — the explanation is part of the audit trail from the moment of scoring, not created retrospectively when someone asks for it."
SHAP TreeExplainerBigQuery shap_explanationsFirestore HITL-08
03
HITL-08 · 0:35 — the moment
Open both reviewer queues simultaneously — the dual-reviewer interface
Two browser windows side by side: the Finance Controller's HITL-08 queue and the CFO's. Both show the same alert — the anomaly header (score 0.87, Z-score 85.8σ, €2.84M), the sparkline, the highlighted anomaly row, the SHAP strip, and the dual-reviewer status panel showing both reviewers are currently reviewing.
"Both reviewers see the same interface at the same time — the sparkline shows the pattern, the transaction table shows the numbers, SHAP shows why the model flagged it. The sidebar shows the account signed a new €2.84M contract on the same date — context the Finance Controller recognises immediately as a likely early full-contract payment. Click Approve in the Finance Controller window."
HITL-08 dual interfaceSparkline SVGTransaction tableSHAP strip
04
Optimistic Lock · 1:30
The CFO queue auto-closes via optimistic lock
After the Finance Controller approves, the CFO browser window shows the queue status changing to "Resolved — Finance Controller approved at 14:07:22 · reason: legitimate Q1 early payment." The Cloud Run logs show: "HITL-08 decision committed · FC · optimistic lock version 2 → CFO queue closed · state: COMPLETE."
"The Finance Controller approved. The CFO's queue closed automatically — no action required. The optimistic lock in Firestore handled the concurrency: the FC's decision committed at version 1, and when the system tried to mark the CFO's copy as requiring action, it found version 2 already committed, so it auto-closes. No double-action, no coordination, no race condition."
Firestore optimistic lockCFO queue auto-closeCloud Run logs
05
Audit Trail · 2:10
Query the complete anomaly audit trail
In BigQuery, the audit join query — ae_audit.shap_explanations joined to ae_audit.anomaly_events on transaction_id — returns the three SHAP values, the anomaly score, the FC's decision and timestamp, and the CFO's auto-close record. This is the complete EU AI Act Article 13 + 14 evidence package for this financial anomaly event — the same BigQuery pattern as every other module in the suite.
"Four modules now — ContractGuard, RevRec AI, Asset IQ, FinRisk Sentinel — and every one of them produces the same audit query pattern. That's what a shared platform looks like."
BigQuery ae_auditanomaly_events joinshap_explanations join

§9 Adjacent Modules

Financial domain complete — four modules done. ContractGuard, RevRec AI, and FinRisk Sentinel complete the Financial domain within the Quote-to-Cash pillar. All three share the same München account narrative, the same BigQuery audit pattern, and the same SHAP-before-HITL design discipline.