Everyone says AI can “catch fraud.” Almost nobody explains what that actually means. Let’s open the black box.
Naked Market breaks down macro finance, blockchain infrastructure, AI systems, and automated trading to help you understand the future of global finance before the mainstream catches up.
Picture this. You’re a junior auditor, and it’s late.
In front of you: a general ledger with four million line items in it. Behind you: a manager who needs your section signed off by Monday. In your hand: a sampling table that tells you, officially and scientifically, that checking 120 of those four million transactions is enough to “reasonably assure” the whole file is clean.
So you pick your 120. You go through them line by line. They’re fine. You sign off.
Somewhere in the other 3,999,880 transactions you never opened, a vendor that doesn’t actually exist has been quietly billing the company for “consulting services” every month for two years.
That’s not a made-up scenario. It’s close to how most audits, everywhere, still actually work. And once you sit with that for a second, something strange happens: you stop being surprised that fraud gets caught late, and start being surprised it gets caught at all. The numbers back this up in an almost embarrassing way. A typical fraud scheme runs for about a year before anyone notices it. And when it’s finally caught, it’s usually not the audit that catches it — it’s a tip. A coworker who got suspicious. A vendor who let something slip. Plain office gossip catches more fraud than the entire system built specifically to catch it.
I’ve written before about AI acting like a “watchdog that never sleeps” reading every contract, every invoice, every payment, at a scale no human team ever could. I said that and moved on quickly, because there was a lot of other ground to cover. This week, I want to go back and actually open the watchdog up. Not “AI catches fraud” but what is it doing, mechanically, all day? What does it actually mean to “read” four million transactions? What is it looking for? And because I always promise you the honest version, not the sales pitch where does it still fall apart?
Here’s the whole idea in one sentence, before we go step by step: an AI auditor doesn’t spot-check a small sample and hope for the best. It checks everything, all the time, and it has to explain exactly what it finds. Let’s see what that actually looks like.
The old audit was never really looking
Here’s something nobody says out loud: a traditional audit was never really built to find fraud. It was built to give “reasonable assurance” which, in plain words, means “we checked enough of it to feel comfortable putting our name on it.” Sampling isn’t a flaw in the system. It is the system, and it has been since the days when checking every single transaction by hand simply wasn’t possible. There weren’t enough hours in a year, let alone enough auditors.
Which means someone committing fraud doesn’t need to be clever. They just need to be smaller than the sample. Keep the fake invoices small. Keep them regular. Keep each one just under whatever amount would trigger a second signature. Spread them thin across a few thousand line items out of millions and you’re not outsmarting the auditor. You’re just betting they’ll never check your corner of the file. For a long time, that’s been a remarkably safe bet.
Think of it like a teacher who grades only 3 out of 40 exam papers and assumes the other 37 are just as good. If you copied your answers and you’re not one of the 3 she happened to pick, you’re safe not because you were clever, but because she simply never opened your paper.
Open the watchdog up, and here’s what’s inside
So what does an AI auditor actually do differently? Strip away the buzzwords, and it comes down to four things.
1. It reads the whole file, not a sample of it
This sounds almost too simple to matter, which is exactly why it matters so much. An AI system built for auditing doesn’t pick 120 transactions out of four million. It reads all four million. Then it reads next month’s four million too. Some modern platforms can handle hundreds of millions of transactions even billions in a single pass. That’s not a future promise. That’s the starting point. There’s no dice roll anymore over whether the fraud happened to land inside the sample, because there is no sample. There’s just the whole file, every single time.
That one change checking everyone instead of checking a few does more of the real work here than anything you’d actually call “intelligence.” Before the system even starts looking for clever patterns, it’s already closed the exact gap our fake vendor was hiding in.
2. It hunts for the fingerprints a liar leaves behind
Okay, so it checks everything. But checking everything is only useful if you know what you’re looking for. This is the part where people’s imaginations tend to run wild, picturing something almost magical. In reality, it’s a handful of clever tricks, stacked one on top of another.
Trick one is the closest thing to an actual magic trick here. Take any large set of real world numbers — city populations, invoice amounts, electricity bills, company revenues, anything and look at what digit each one starts with. You’d expect 1 through 9 to show up roughly equally often. They don’t. Numbers that start with 1 show up about 30% of the time. Numbers that start with 9 show up only about 5% of the time. This holds true, almost eerily, across nearly any large set of real financial numbers. It’s called Benford’s Law.
Here’s why that matters for catching a liar: nobody knows this pattern exists, so nobody can fake it. When a person invents numbers for a fake invoice, a cooked expense report they tend to spread their made-up digits out roughly evenly, because that’s what “random” feels like to a human brain. Real life doesn’t work that way, but fake numbers usually do. An AI auditor runs this exact check across an entire ledger, instantly. An account can get flagged simply because its numbers are too evenly spread out to be real which sounds backwards, but is exactly the giveaway.
Trick two is learning from past liars. Feed the system thousands of already-confirmed fraud cases, and it learns the general shape fraud tends to take. Not one single rule more like a fingerprint made up of dozens of small warning signs, all showing up together. An invoice that lands just barely under the amount that would need a manager’s approval. A brand-new vendor that gets paid within days of being added, and never again after. Suspiciously round numbers, when real invoices are almost always messier and more specific. None of these prove anything on their own. Stack enough of them together, and the risk score climbs.
Trick three is something a plain spreadsheet formula could never do on its own: looking sideways, not just down a column. This is called relationship analysis — checking whether a “new” vendor’s bank account secretly matches an existing employee’s own account. Checking whether three supplier companies that look unrelated actually share the same office address, the same phone number, the same registration date.
This exact blind spot is what let “ghost worker” scandals happen around the world for years. Nigeria’s federal government, for instance, once discovered it had been paying full salaries to more than 23,000 workers who simply didn’t exist, invented on paper by whoever controlled the payroll. What made that possible for so long wasn’t a clever scheme. It was that nobody had ever built a system to compare every single record against every other record, all at once, looking for connections like this. That’s exactly what relationship analysis does and it’s not just a faster version of an old trick. It’s something genuinely new.
None of this is hypothetical, and none of it is years away. It’s already running today, inside the world’s biggest audit firms. EY has a system that started out catching unusual journal entries in a single Tokyo office and has since spread across the whole firm. KPMG runs an AI agent that decides which expenses need a closer look, pulls the paperwork on its own, and drafts most of the report before a human ever opens the file. Even tax authorities are doing this, one estimate found the number of AI tools used inside the IRS grew more than tenfold in about three years, mostly to help decide who gets audited in the first place.
3. It never closes the file
A traditional audit is like a single photograph: once a year, months after everything already happened, checking whether last year was clean. By the time anyone finds out it wasn’t, the money is usually gone. Often, so is the person who took it.
An AI auditor doesn’t wait for year-end. It watches the ledger the way a smoke detector watches a room quietly, constantly, in the background and it goes off the moment something breaks the normal pattern. A vendor’s bank details change right before an unusually large invoice goes out. A sudden run of expenses that all land just under the approval limit. Someone logging in at 3am from an account that’s never once done that before. None of these prove anything by themselves. But each one is exactly the kind of small, early warning sign that a once-a-year audit simply can’t catch in time to matter.
And this changes more than just how fast fraud gets caught, it changes how people behave in the first place. Once someone knows every transaction is being watched, all the time, not just a random few, the math of temptation shifts. “There’s a small chance anyone ever checks this” feels very different from “something is checking this right now, tonight.”
4. It has to show its work
Here’s the part that breaks the sci-fi image of “the algorithm decided, end of discussion.” A serious AI auditing system isn’t allowed to just whisper “fraud” and walk away. Every single flag comes with a risk score and a plain-language explanation of exactly what caused it, this invoice, that unusual digit pattern, that matching bank account. There are entire techniques built just to crack open a machine-learning model and show which factors actually drove its answer. If a system can’t explain itself this clearly, no human auditor is allowed to rely on it. Regulators have said, flatly, that “the computer said so” is not evidence of anything.
This is worth pausing on, because it’s the opposite of what you might expect. You might assume the whole point of AI is to remove the human being from the decision entirely. Here, regulators have drawn the line in exactly the opposite place, on purpose. Rule-makers in both the US and Europe have said, in effect: the human auditor is still the one legally responsible for the final opinion, no matter how sophisticated the tool underneath them gets. The AI’s entire job is to point at something, explain why, and step back. The human’s job is to look at what it’s pointing at, and decide.
Here’s the part that should give you pause
So far, I’ve shown you the tidy version. A system that reads everything, spots hidden fingerprints, watches around the clock, and explains itself clearly that sounds almost unbeatable. It isn’t. There are three reasons why, and each one is uncomfortable in its own way.
Reason one: the machine can only be as honest as what you feed it. A system can be brilliant at protecting a record, while having no way of knowing whether that record was ever true to begin with. An AI auditor is extremely good at spotting a number that looks statistically off. It’s much less good at spotting a document that’s simply, convincingly made up from nothing and AI tools have made that dramatically easier to do. One auditor recently described a routine document review that almost sailed straight through: professional formatting, believable signatures, every field lined up neatly. Something just felt a little too perfect. A closer look revealed the entire document signatures and all had been generated by an AI tool, built carefully enough to even fool the technical metadata behind it. The tools built to catch a liar, and the tools available to a liar, are increasingly close cousins of the exact same technology.
Reason two: it’s still a game of cat and mouse, just a much faster one. Rule-based fraud detection has always had the same weakness. The moment fraudsters figure out where the line sits, they simply learn to stand just behind it. Machine-learning models are harder to reverse-engineer than a fixed rule, but the same basic instinct still applies. An employee who realizes unusually round numbers get flagged will simply stop using round numbers. The chase doesn’t end. It just moves up a level, again and again.
Reason three: nobody has fully figured out who’s accountable when the watchdog itself is wrong or quietly rigged. The regulators who oversee public company audits have openly admitted there’s no finished rulebook yet for exactly how much independent judgment an AI system is allowed before a human has to step in. The rules are being written in real time, while the tools are already in daily use across the profession. This gap matters twice over. It matters if the system is simply wrong by accident. It matters even more if someone quietly sets it up to look away from one particular vendor, one particular account, one particular name. A rigged AI auditor might be worse than having no AI auditor at all because it shows up wearing the costume of objectivity, and almost nobody thinks to double-check the very thing they were just told is the double-checker.
So does an AI auditor actually stop fraud?
Let’s answer that honestly. No. Not by itself, and not completely. It can’t stop a determined, well-resourced person from lying convincingly at the exact moment the data first enters the system nothing downstream can fully undo a lie once it’s already in.
But “not completely” is doing a lot of quiet work in that sentence. What an AI auditor can do is change the math of getting away with it. Right now, fraud runs for about a year, on average, before anyone notices and it’s usually found by luck, not by design. Now shrink that window from a year down to days. Replace a small chance of ever being checked with a near-certainty of being seen. Do that, and you haven’t made fraud impossible. You’ve made it a dramatically worse bet than it used to be. Most people who commit fraud at work aren’t master criminals. They’re ordinary employees who, in one weak moment, convinced themselves that nobody would ever look closely enough to notice. Take away the “nobody’s looking” part, and a lot of those weak moments never turn into an actual decision at all.
Who audits the auditor?
Which leaves the real question sitting underneath all of this. It isn’t “does the technology work?” it clearly does, more of it, every quarter. It’s this: who gets to look at how the AI auditor itself was built, trained, and configured and who checks that nobody quietly tuned it to look the other way?
Nobody, anywhere in the world, has a clean answer to that yet. A detection system that’s a black box built and controlled by one party, with zero outside visibility is only ever as trustworthy as that party’s own incentives. An open, inspectable process that someone else can independently check is the real difference between an auditor you can actually trust, and an auditor you’ve simply been told to trust.
The watchdog is real, and it’s already working today, inside major audit firms, tax authorities, and government procurement offices around the world. Just remember to ask, every single time: who trained the dog and whose hand is it actually watching?
Four things worth remembering
1. Sampling was never really built to catch fraud. It was built to make an impossible workload possible. Fraud didn’t need to be clever, it just needed to be smaller than whatever slice actually got checked.
2. An AI auditor’s real advantage isn’t “intelligence” it’s coverage plus persistence. Reading everything, all the time, is a bigger shift by itself than any clever algorithm sitting on top of it.
3. Explainability isn’t a nice bonus feature. It’s the entire reason a human is legally allowed to rely on the output at all. A flag with no reasoning behind it is just a rumor wearing a risk score.
4. The fight doesn’t end at detection, it just moves one level up, to whoever configured the detector. Ask who trained it, on what data, checked by whom exactly as skeptically as you’d ask about a human auditor’s own independence.
When most people hear “AI caught the fraud,” they picture something almost magical, a machine that simply knows. Once you open it up, it turns out to be a much more human story than that: patient, unglamorous statistics run at a scale no person could ever sustain, combined with an old-fashioned insistence that a human still has to look at the result and be willing to put their own name on it.
That combination — relentless machine coverage, plus a human genuinely accountable for the final call is a far better anti-fraud system than either half alone. It’s also a fragile one. It only holds together for as long as both halves stay real, instead of becoming decoration on a compliance report nobody actually reads. And it’s worth remembering: the same always-on watching that catches a fake vendor can, if pointed at ordinary employees instead of the fraud itself, quietly turn into something closer to surveillance. The technology itself doesn’t know the difference. Only the people who configure it do.
The rich react to the headline. The wealthy understand the machine. This time, the machine is doing some of the reacting for you which makes it even more important to know exactly what it’s reacting to, and why.
If you want to keep reading finance this way, the machinery underneath the headline, before it gets obvious — subscribe.One clear breakdown at a time, for readers all over the world.Subscribe to Naked Market →
Keep going
How Blockchain + AI Could End Corruption — the piece this one continues: same two tools, aimed at a government office instead of a general ledgerWhy a Blockchain Can’t Be Secretly Rewritten — what a tamper-evident record can and can’t actually promise youAI Agents Now Have Their Own Bank Accounts — the automation that’s quietly removing the middleman elsewhere too
-More Soon
Can You Trust AI to Catch Fraud? was originally published in Coinmonks on Medium, where people are continuing the conversation by highlighting and responding to this story.
