Inspiration
Every mid-market exporter faces the same compliance gap: name-match screening catches the obvious bad actors, but misses the sophisticated ones. Shell companies, recently incorporated entities with no web presence, payments routed through third countries, and owners with individual sanctions exposure: none of these trigger a standard OCR or fuzzy-match screen.
I work in trade compliance at a defense-adjacent company that manufactures security screening equipment for global export. I've seen firsthand how the human clearance step — the analyst sitting with a reason matrix deciding whether to clear a flagged hit — is slow, inconsistent, and undocumented. I also know that BIS enforcement is escalating: 2026 has already seen a $252 million penalty, criminal indictments reaching into corporate boardrooms, and proposals to double the statute of limitations on violations to ten years. The cost of missing a bad actor is no longer manageable. The problem isn't the screening tools. It's that they only answer: "Is this name on a list?" Nobody built a tool that asks, "Does this transaction make sense?"
What it does
RedFlag AI performs deep behavioral risk analysis on export end-users — the kind of analysis a senior compliance analyst would do manually, delivered in seconds. You enter the company name, destination country, owner names, product, stated end-use, payment routing, and transaction history. RedFlag AI then:
- Verifies entity existence — assessing whether the company actually exists with verifiable operations, registration, employees, and physical presence
- Detects shell company indicators — registered agent addresses, no employees, no web presence, mismatched business purpose, circular ownership
- Screens the company's violation history — known BIS denied party status, OFAC SDN listings, and prior enforcement actions
- Screens owner and principal names individually — personal sanctions, denied party listings, criminal history related to export violations
- Scores behavioral red flags — payment routing anomalies, quantity vs. stated need, end-use consistency, transshipment risk, urgency signals
- Generates a structured risk report — risk score 0–100, HIGH/MEDIUM/LOW rating, four signal cards, compliance analyst reasoning, regulatory citations, and a specific recommended action
The output is auditable, consistent, and grounded in real BIS red-flag indicators and OFAC guidance—not a black-box score.
How I built it
- Frontend: Vanilla HTML, CSS, and JavaScript — zero dependencies, loads instantly in any browser, mobile responsive.
- Backend: Node.js serverless function deployed on Vercel, sitting between the frontend and the Anthropic API, so the API key is never exposed client-side.
- AI Engine: Claude Sonnet via the Anthropic API. The system prompt encodes the full behavioral risk framework — shell company indicators, BIS red flag guidance, OFAC screening logic, and ITAR end-use consistency checks — as structured compliance reasoning. The model outputs a strict JSON schema covering eight risk dimensions, four signal cards, detailed reasoning, and regulatory basis citations.
- Deployment: GitHub + Vercel, fully serverless, zero infrastructure to manage. The architecture is intentionally simple so any compliance team can self-host it, audit the logic, and extend the signal library.
Challenges I ran into
The hardest challenge was getting the AI to produce consistently structured, parseable JSON at the depth and specificity required by the compliance use case — without truncation or formatting drift. Getting the system prompt tight enough to reliably produce eight nested risk dimensions every time required significant iteration on prompt architecture and token budget.
The second challenge was the deployment pipeline. Keeping the API key server-side while making the tool publicly accessible required a serverless proxy layer—straightforward in concept but with real friction in a hackathon timeline.
The deeper challenge was domain-specific: most AI compliance tools are built by engineers who have never worked inside an export compliance operation. The behavioral signal library in RedFlag AI — what actually makes a human analyst suspicious beyond a name match — comes from lived operational experience inside a defense-adjacent manufacturer. That domain knowledge is what makes the reasoning credible rather than generic.
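A server-side check for the truncation and formatting drift described above, as an added example that is not RedFlag AI's own code: the proxy validates the model's JSON before the frontend renders a score, and fails closed to manual review otherwise. The field names (`risk_score`, `rating`, `signal_cards`, `reasoning`, `recommended_action`) and the `MANUAL_REVIEW` action are assumptions based on the report structure listed under "What it does".

```javascript
// Added example; field names are assumptions, not RedFlag AI's actual schema.
const RATINGS = new Set(["HIGH", "MEDIUM", "LOW"]);

// Returns a list of schema problems; an empty list means the report is usable.
function reportProblems(report) {
  if (report === null || typeof report !== "object" || Array.isArray(report)) {
    return ["report is not a JSON object"];
  }
  const problems = [];
  const score = report.risk_score;
  if (!Number.isInteger(score) || score < 0 || score > 100) {
    problems.push("risk_score must be an integer from 0 to 100");
  }
  if (!RATINGS.has(report.rating)) problems.push("rating must be HIGH, MEDIUM or LOW");
  const cards = report.signal_cards;
  if (!Array.isArray(cards) || cards.length !== 4) {
    problems.push("signal_cards must contain exactly four cards");
  } else if (!cards.every((c) => c && typeof c.title === "string" && typeof c.finding === "string")) {
    problems.push("every signal card needs a string title and finding");
  }
  for (const key of ["reasoning", "recommended_action"]) {
    if (typeof report[key] !== "string" || report[key].trim() === "") {
      problems.push(`${key} must be a non-empty string`);
    }
  }
  return problems;
}

// Fail closed: unparseable or off-schema output never reaches the UI as a score.
function parseModelReport(rawText) {
  let report;
  try {
    report = JSON.parse(rawText);
  } catch (err) {
    return { ok: false, action: "MANUAL_REVIEW", problems: ["invalid JSON: " + err.message] };
  }
  const problems = reportProblems(report);
  if (problems.length > 0) return { ok: false, action: "MANUAL_REVIEW", problems };
  return { ok: true, report };
}

// Constructed sample output (not a real screening result).
const card = (title) => ({ title, finding: "constructed example finding" });
const SAMPLE = JSON.stringify({
  risk_score: 82, rating: "HIGH", reasoning: "constructed", recommended_action: "Escalate",
  signal_cards: ["Entity", "Ownership", "Payment", "End-use"].map(card),
});
console.log(parseModelReport(SAMPLE).ok, parseModelReport(SAMPLE.slice(0, 60)).action);
```

Logging the `problems` list alongside the raw model text gives the analyst a record of why a screening was diverted to manual review.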
Accomplishments I'm proud of
- Built a genuinely novel compliance tool that addresses a gap the $2B+ trade compliance software market has not solved for mid-market exporters.
- Grounded every risk dimension in real regulatory frameworks — BIS red flag indicators, OFAC guidance, EAR and ITAR end-use requirements — not invented heuristics.
- Delivered a working, publicly accessible prototype in a hackathon timeline with zero infrastructure cost.
- The tool reasons like a compliance analyst, not a database — it explains why something is risky, not just that it matched a pattern.
What I learned
Building for a regulated domain requires a different discipline than general AI application development. The model is only as good as the compliance logic embedded in the prompt — and that logic has to survive adversarial inputs, edge cases, and jurisdictional complexity. Every signal in the behavioral framework had to be defensible against a real BIS red flag indicator or against OFAC guidance. We also learned that the mid-market compliance gap is bigger than we expected. Enterprise tools like SAP GTS and Amber Road solve this problem for Fortune 500 companies for $500K+ per implementation. Nothing accessible exists for the 300,000+ US exporters operating below that threshold. RedFlag AI is designed for that gap.
What's next for RedFlag AI
- Live entity lookup — integrating real company registration databases, WHOIS, and public records to verify existence with actual data rather than AI inference
- Sanctions list API integration — direct queries to OFAC SDN, BIS Entity List, and UN Security Council lists for each screening
- Audit trail and case management — persistent screening history, analyst notes, decision logging for regulatory defensibility
- License lifecycle management — extending into export license tracking, decrement management, and closeout automation
- API for ERP integration — so compliance teams can embed RedFlag AI screening directly into their order management workflows
The long-term vision is a full-stack compliance intelligence platform for mid-market exporters — the compliance infrastructure that currently exists only within large defense contractors, made accessible to every manufacturer, distributor, and technology company that ships products internationally.
Built With
- anthropic
- claude
- css
- github
- html
- javascript
- node.js
- vercel