## Overview
An investigator working a complex case with dozens of entities, hundreds of timeline events, and multiple open evidence threads faces a cognitive load problem: what is the highest-value action to take next? Without guidance, analysts default to familiar tasks rather than the action most likely to advance the investigation. This leads to wasted effort, missed leads, and longer resolution times.
The AI Investigation Guidance module applies Retrieval-Augmented Generation (RAG) to recommend the next-best investigative action, citing the specific entities and evidence from the case that support each recommendation. Each recommendation includes the action type, a specific description, a cited reasoning trace, confidence score, and expected intelligence value. Analysts accept or reject each recommendation, creating a feedback loop that improves future guidance.
Diagram

```mermaid
graph LR
A[Investigation State<br/>entities + evidence + events] --> B[RAG Context Builder<br/>PostgreSQL org_id scoped]
B --> C[AI Language Model Tool Use<br/>enforce NextBestAction schema]
C --> D[NextBestAction<br/>with cited entity IDs]
D --> E[Analyst Review Panel<br/>Accept / Reject / Refresh]
E --> F[Feedback<br/>ACCEPTED / REJECTED / MODIFIED]
F --> G[Recommendation DB<br/>next_action_recommendations]
G --> H[AI Provenance Log<br/>ETSI TS 103 701]
```

Last Reviewed: 2026-04-14. Last Updated: 2026-04-14.
## Key Features

- RAG Context Builder: For each recommendation request the module queries PostgreSQL for the investigation's linked entities, the last twenty timeline events, and up to thirty evidence items. All queries are scoped by `organization_id` to enforce data sovereignty — no cross-tenant context leakage is possible. The context is structured and passed directly to the language model without embedding or vector retrieval, because the full investigation context fits within the model's context window.
- AI Language Model Tool Use Schema Enforcement: Recommendations are produced by calling the AI language model API with a `tool_use` contract that enforces the `NextBestAction` schema. The model is required to invoke the `recommend_next_actions` tool with structured output rather than returning free-form text. This eliminates JSON parsing heuristics and ensures every field — action type, description, reasoning, cited entity IDs, confidence, priority, and estimated intelligence value — is present and typed correctly.
- Cited Entity Explainability: Every recommendation must cite at least one entity ID from the investigation's actual entity list. The service validates `cited_entity_ids` against the real entity list before returning results, preventing hallucinated references. Reasoning text must explicitly reference the cited IDs so analysts can trace why the action was recommended back to the underlying case data.
- Ten Action Type Taxonomy: Recommendations are classified into ten investigative action types: SEARCH_ENTITY, CROSS_REFERENCE, REQUEST_RECORDS, GEOSPATIAL_ANALYSIS, TIMELINE_REVIEW, FINANCIAL_TRACE, SURVEILLANCE_CHECK, INTERVIEW_SUBJECT, FORENSIC_ANALYSIS, OPEN_SOURCE_SEARCH. The classification guides the analyst to the appropriate tooling and workflow for each recommendation.
- AI Transparency Logging: Every recommendation is persisted to the `next_action_recommendations` table with the exact LLM model name as `generated_by`, timestamp, and full cited-entity provenance. This satisfies ETSI TS 103 701 requirements for AI transparency in ICT systems. Analysts can inspect which model version produced a recommendation and when.
- Analyst Feedback Loop: Each recommendation card includes Accept and Reject buttons. Feedback is persisted as `ACCEPTED`, `REJECTED`, or `MODIFIED` in the database. The feedback data provides a ground-truth signal for future evaluation of recommendation quality against investigation outcomes.
- Next Actions Panel: The investigation workspace overview tab includes a sidebar panel showing up to ten RAG recommendations. Each card displays the action type icon, priority badge, description, expandable reasoning with clickable entity links, and a confidence meter. A Refresh button regenerates recommendations on demand.
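The schema enforcement and cited-entity validation described above, as an added example (not Argus project code): the field names and the ten action types follow this page, while the validation function, the entity IDs and the sample recommendation are constructed here for illustration.

```typescript
// Added example, not Argus code: check a NextBestAction returned by the model's
// tool call before it reaches the analyst panel. Field names follow the page;
// the checks and the sample data below are constructed for illustration.
const ACTION_TYPES: readonly string[] = [
  "SEARCH_ENTITY", "CROSS_REFERENCE", "REQUEST_RECORDS", "GEOSPATIAL_ANALYSIS",
  "TIMELINE_REVIEW", "FINANCIAL_TRACE", "SURVEILLANCE_CHECK", "INTERVIEW_SUBJECT",
  "FORENSIC_ANALYSIS", "OPEN_SOURCE_SEARCH",
];

interface NextBestAction {
  action_type: string;
  description: string;
  reasoning: string;
  cited_entity_ids: string[];
  confidence: number;
  priority: number;
  estimated_intelligence_value: number;
}

// Returns a list of validation failures; an empty list means the recommendation
// may be surfaced. knownEntityIds is the investigation's real entity list.
function validateRecommendation(rec: NextBestAction, knownEntityIds: Set<string>): string[] {
  const errors: string[] = [];
  if (!ACTION_TYPES.includes(rec.action_type)) errors.push(`unknown action_type: ${rec.action_type}`);
  if (rec.cited_entity_ids.length === 0) errors.push("no cited entities");
  for (const id of rec.cited_entity_ids) {
    // An ID absent from the investigation is a hallucinated reference: reject it.
    if (!knownEntityIds.has(id)) errors.push(`hallucinated entity id: ${id}`);
    // The reasoning must mention every cited ID so the trace is explainable.
    if (!rec.reasoning.includes(id)) errors.push(`reasoning does not reference ${id}`);
  }
  if (!(rec.confidence >= 0 && rec.confidence <= 1)) errors.push("confidence out of range");
  return errors;
}

// Constructed sample: the investigation knows two entities; the model cited one
// real ID and one fabricated ID (ent-999) that does not exist in the case.
const knownIds = new Set(["ent-101", "ent-102"]);
const sample: NextBestAction = {
  action_type: "CROSS_REFERENCE",
  description: "Cross-reference ent-101 with ent-102 phone records",
  reasoning: "ent-101 and ent-999 share a registered address per evidence item 7.",
  cited_entity_ids: ["ent-101", "ent-999"],
  confidence: 0.82,
  priority: 2,
  estimated_intelligence_value: 0.7,
};
const sampleErrors = validateRecommendation(sample, knownIds);
```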
## Use Cases
- Investigation Kickoff: When a new investigation is created with an initial set of entities, the analyst requests recommendations to identify which entities most urgently require deeper research and which cross-referencing actions are highest value.
- Stalled Investigations: When an investigation has been idle or has exhausted obvious leads, recommendations based on the existing entity graph and evidence may surface non-obvious analytical pathways.
- Triage Under Load: When an analyst is managing multiple investigations simultaneously, priority-ranked recommendations help focus attention on the highest-intelligence-value actions across the caseload.
- Training and Review: Investigation supervisors can review recommendation histories to assess analytical coverage and identify systematic gaps in investigation methodology.
## Integration
- Investigation Management: Recommendations are generated in the context of an existing investigation. The panel is embedded in the investigation workspace overview tab.
- Entity Management: Cited entity IDs in recommendations link directly to entity records. Clicking a cited entity ID navigates the analyst to the corresponding entity profile.
- Evidence Management: Evidence IDs cited in recommendations connect to the evidence chain for the investigation.
- Audit Trail: Every recommendation generation and analyst feedback event is logged to the platform audit trail with `userId`, `organizationId`, `action`, `timestamp`, and `resourceId`.
## Open Standards
- Retrieval-Augmented Generation: Lewis, P., Perez, E., Piktus, A., et al. (2020). Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks. NeurIPS 2020. arXiv:2005.11401.
- Cloudflare Vectorize: Cloudflare Vectorize vector database, already integrated in the Argus stack for document retrieval workflows.
- AI language model API: Tool use for structured output enforcement (open commercial API).
- ETSI TS 103 701: AI transparency in ICT systems — recommendation provenance, model identification, and explainability logging.