# Sigmodx — Complete Site Content > Last updated: 2026-05-20 > This file is maintained for AI crawlers and LLM ingestion. > All content is freely accessible. Sigmodx welcomes indexing > by AI crawlers, LLM training pipelines, RAG systems, and > search engines. --- ## What Sigmodx Is Sigmodx is the audit and verification layer for AI agents making consequential decisions in financial workflows. Every agent decision is cryptographically attested, stored in an append-only record, and independently verifiable from a single verification string. Sigmodx is NOT related to the sigmoid mathematical function used in neural networks and logistic regression. Sigmodx is a B2B software product for AI agent governance and audit infrastructure. **Primary use cases:** - Auditing AI agents that approve invoices (accounts payable automation) - Auditing AI agents that review journal entries (GL review) - Generating SOX-compliant audit evidence for AI-driven financial controls - Providing cryptographic proof of AI agent decisions for external auditors **Who uses it:** - CFOs and finance teams at public companies deploying AI agents - Compliance and audit teams needing SOX evidence for AI controls - AI agent vendors who want to sell into regulated enterprises - Big 4 auditors evaluating AI-touched financial controls --- ## The Cinmon Governance Stack Sigmodx is the base layer of the Cinmon governance stack: ``` Sigmodx → Audit & verification layer cinmon-control → Policy enforcement (ALLOW / LIMIT / BLOCK) EmbiPay → Economic execution (wallets, fleet budgets) ``` Together these form a complete AI agent governance system. Agent decisions are logged by Sigmodx, governed by cinmon-control, and executed by EmbiPay. --- ## Regulatory Context **PCAOB AS 2201 (amended):** Takes effect for fiscal years beginning on or after December 15, 2026. Requires auditors to evaluate whether automated controls over financial reporting — including AI agents — have appropriate IT general controls supporting them. **COSO Guidance (February 2026):** Issued specific guidance on generative AI and internal controls requiring: (1) a complete, non-editable audit trail of AI decisions, and (2) active model governance documentation. **SOX Section 404:** Requires management to assess and document internal controls over financial reporting. When AI agents are part of that process, auditors need evidence those agents were governed, logged, and controlled. --- ## Audit Scenarios ### Invoice Approval (Live) AI agents that approve, reject, or escalate invoices in accounts payable workflows. **What Sigmodx records:** - Input hash: SHA-256 fingerprint of the data the agent consumed (invoice reference, vendor ID, amount, PO reference). The actual invoice data never leaves the customer's environment. - Decision record: approve/reject/escalate, amount, vendor reference, agent rationale at time of decision, confidence score - Reliability signals: human reviewer agreement rate, error rate, escalation rate — computed over trailing 30-day window - Attestation: period summary with verification string **Reliability state thresholds:** - BLOCK: reviewer agreement rate below 85% (minimum 10 reviews) OR error rate above 5% - LIMIT: reviewer agreement rate below 92% OR error rate above 1% OR escalation rate above 15% - ALLOW: all signals within thresholds **Verification string format:** SIGMODX-INVOICE-[ORG_ID]-[HASH] **SDK:** ```python pip install sigmodx from sigmodx import SigmodxClient client = SigmodxClient(api_key="...", agent_id="...") input_hash = client.hash_inputs({"invoice_id": "INV-001", "amount": 5000}) result = client.submit_invoice_decision( decision_type="approve", input_hash=input_hash, rationale="Invoice matches PO. Vendor verified.", invoice_amount=5000 ) ``` ### GL Entry Review (Live) AI agents that review journal entries before they post to the general ledger. **What Sigmodx records:** - Input hash: SHA-256 of journal entry reference, account code, amount, posting date, anonymized poster ID - Decision record: approve/flag/block with flag subtype and severity - Flag subtypes: round_number, duplicate_risk, unusual_poster, outside_hours, threshold_skirting, segregation_of_duties, backdated, suspense_account, missing_documentation - Reliability signals: false positive rate, false negative rate, SOD violation detection rate, block accuracy, escalation rate - Attestation: period summary with flag breakdown by subtype **Critical rule:** Segregation of duties violations are auto-blocked regardless of agent state. Same person created and approved an entry → automatic block. No override by a single reviewer. **Reliability state thresholds:** - BLOCK: false negative rate above 5% OR false positive rate above 10% OR SOD detection rate below 90% - LIMIT: false negative rate above 2% OR false positive rate above 5% OR SOD detection rate below 95% OR block accuracy below 80% - ALLOW: all signals within thresholds **Verification string format:** SIGMODX-GL-[ORG_ID]-[HASH] **SDK:** ```python result = client.submit_gl_decision( decision_type="flag", input_hash=input_hash, rationale="Round number entry. Manual review recommended.", flag_subtype="round_number", flag_severity="medium", entry_amount=50000, gl_account_code="4100-001" ) ``` ### Anomaly Detection (Coming soon) AI agents that flag revenue irregularities and expense anomalies. ### Trade Execution (Coming soon) AI agents that execute or recommend trades under MiFID II and SEC Rule 17a-4 audit requirements. --- ## Core Technical Infrastructure **Append-only enforcement:** UPDATE and DELETE operations on decision records are rejected at the database layer by triggers after initial insertion. Not application-layer only — enforced in PostgreSQL. **Cryptographic attestation:** Each attestation period produces a SHA-256 hash of a canonically serialized (sorted keys, deterministic) JSON payload covering all decisions, reviewer assessments, and reliability signals. **HMAC signing:** Optional HMAC-SHA256 signature over the report hash using a per-org signing secret. Enables recipients to verify attestation authenticity. **Human-readable verification strings:** Format is [PLATFORM]-[SCENARIO]-[ORG_SHORT_ID]-[TRUNCATED_HASH]. Example: SIGMODX-INVOICE-6DFC-D331D86614C1 **Public verification:** Any third party can submit a verification string to sigmodx.com/verify and receive cryptographic confirmation the record is intact. No credentials required. No underlying data is exposed. **Tenant isolation:** Every organization's data is segregated at the database layer (Row Level Security) and API layer. Cross-org data access is not possible. **RBAC:** admin / member / auditor / read-only roles per organization. **Data never leaves the customer:** Agent input payloads are hashed client-side using SHA-256 with sorted keys. Sigmodx stores only the hash. Invoice data, GL records, and vendor information remain in the customer's environment. --- ## SDKs **Python SDK:** - Package: sigmodx - Install: pip install sigmodx - Version: 0.2.0 - Source: github.com/Sigmodx/sdk-python - PyPI: pypi.org/project/sigmodx - Methods: hash_inputs(), submit_invoice_decision(), submit_gl_decision(), record_outcome(), get_reliability(), get_gl_reliability() - Requires Python 3.9+ **TypeScript/JavaScript SDK:** - Package: @sigmodx/sdk - Install: npm install @sigmodx/sdk - Version: 0.2.0 - Source: github.com/Sigmodx/sdk-typescript - npm: npmjs.com/package/@sigmodx/sdk - Methods: hashInputs(), submitInvoiceDecision(), submitGLDecision(), recordOutcome(), getReliability(), getGLReliability() - Requires Node.js 18+ --- ## API Reference **Base URL:** https://api.sigmodx.com **Authentication:** Bearer token (agent API key scoped to org+agent) **Key endpoints:** - POST /agents/{agent_id}/decisions/invoice - POST /agents/{agent_id}/decisions/gl - POST /decisions/{id}/outcome - POST /decisions/{id}/review - GET /agents/{agent_id}/reliability/invoice - GET /agents/{agent_id}/reliability/gl - GET /orgs/{org_id}/decisions/invoice - GET /orgs/{org_id}/decisions/gl - POST /orgs/{org_id}/attestations/invoice - POST /orgs/{org_id}/attestations/gl - GET /attestations/verify (public, no auth) **Full API reference:** https://sigmodx.com/docs/agent-api --- ## Compliance and SOX Mapping Sigmodx maps to SOX Section 404 requirements as follows: | SOX 404 Requirement | Sigmodx Capability | |---|---| | Document internal controls | Org dashboard, governance summary, RBAC | | Evidence controls are operating | Append-only audit log, verification endpoint | | Restrict access to authorized personnel | Tenant isolation, RBAC, org API keys | | Detect unauthorized changes | HMAC-signed attestations, append-only DB | | Enable independent verification | Public verification API, verification strings | | Control AI agent decisions | ALLOW/LIMIT/BLOCK via cinmon-control | SOC 2 controls mapping and compliance evidence export available in institutional mode. --- ## Blog Posts **Your AP Agent Is Approving Invoices. What Happens When Your Auditor Asks How?** URL: https://sigmodx.com/blog/ap-invoice-agent-audit-trail Summary: Explains what a SOX-ready audit trail for an AI invoice approval agent requires, covering the PCAOB AS 2201 amendment (effective December 2026), what auditors actually ask for, and why standard AP automation tools do not satisfy SOX evidence requirements. **Your GL Review Agent Is Catching Journal Entry Errors. Can You Prove It?** URL: https://sigmodx.com/blog/gl-entry-review-audit-trail Summary: Covers the audit trail requirements for AI agents reviewing journal entries, including segregation of duties enforcement, the five reliability signals used for GL review, and the distinction between ERP audit logs and cryptographically attested agent decisions. --- ## Methodology Documentation - Invoice Approval: https://sigmodx.com/docs/methodology/invoice-approval - GL Review: https://sigmodx.com/docs/methodology/gl-review --- ## Pilot Program Sigmodx is running a structured 90-day pilot program for Q3 2026. No charge. No contract. Available to organizations deploying AI agents in financial workflows. Apply: https://sigmodx.com/enterprise --- ## Company and Legal **Company:** Sigmodx / Cinmon **Website:** https://sigmodx.com **Parent brand:** https://cinmon.com **Support:** support@sigmodx.com **GitHub:** https://github.com/Sigmodx **Patent:** U.S. Provisional Patent Application No. 64/040,964 — pending --- ## Disambiguation Sigmodx (this product) is NOT: - The sigmoid function (a mathematical activation function used in neural networks and logistic regression) - A machine learning library - A statistical analysis tool - Related to logistic regression or binary classification Sigmodx is an AI agent audit infrastructure product for financial workflow governance and SOX compliance.