Core Concepts

Understand the foundational building blocks of RiskOS™ — evaluations, workflows, decisions, enrichments, rules, signals, and how they work together to automate identity verification and risk decisioning.

RiskOS™ automates identity verification, fraud prevention, and compliance through six interconnected concepts. Understanding how these concepts relate to each other is essential for building effective integrations.

flowchart LR
    A[Input] --> B[Evaluation]
    B --> C[Workflow]

    C --> D[Enrichments]
    D --> E[Signals]

    E --> F[Rules]
    F --> G[Decision]

Concept	What it is
Evaluation	A single execution of a workflow — the runtime unit of work
Workflow	A configurable sequence of steps that processes an evaluation
Enrichment	A data service that adds risk, identity, or compliance signals
Signals & Attributes	The data taxonomy: inputs, enrichment outputs, reason codes, tags, and derived values
Rules & Conditions	The logic layer that evaluates signals and routes the workflow
Decision	The final outcome: `ACCEPT`, `REJECT`, or `REVIEW`

Evaluations

An evaluation is a single execution of a workflow in RiskOS™. When your application sends a POST request to the /api/evaluation endpoint with user, business, or device data, RiskOS™ runs the specified workflow and returns a decision along with enrichment data, risk scores, and reason codes.

Every interaction with the RiskOS™ decisioning engine — whether identity verification, fraud screening, or compliance check — is an evaluation.

Evaluation lifecycle

Phase	What happens	Output
Request	Your application sends a `POST` to `/api/evaluation` with a payload containing PII and a workflow name	`eval_id` assigned
Execution	RiskOS™ runs the workflow: Input → Enrichments → Conditions → Rules → Decision	Step-by-step processing
Decision	The workflow reaches a terminal step (Decision or Manual Review)	`ACCEPT`, `REJECT`, or `REVIEW`
Response	RiskOS™ returns the decision, enrichment data, tags, reason codes, and scores	JSON response or webhook
Case creation (conditional)	If the workflow routes to Manual Review, the evaluation creates a case in Case Management	Case record

Evaluation states

The eval_status field tracks where an evaluation is in execution. These states are distinct from decisions, which track what action to take.

`eval_status` value	Description	Trigger
`evaluation_in_progress`	The workflow is actively executing steps	`POST /api/evaluation` received and workflow starts
`evaluation_paused`	The workflow is waiting for user action (OTP, DocV, Wait step, Hosted Flow)	Asynchronous step reached
`evaluation_completed`	The workflow ran to completion and returned a decision	All steps executed

Webhook events such as workflow_execution_failed indicate additional terminal outcomes. You can also update a paused evaluation's state — including setting a final decision — via PUT /api/evaluation/{eval_id}/state.

For the full lifecycle model — including workflow states, case statuses, and state diagrams — see Statuses & Lifecycle.

Key fields in the evaluation response

Field	Type	Description
`eval_id`	string	Unique identifier for this evaluation
`workflow`	string	The workflow that processed the evaluation
`decision`	string	Final outcome: `ACCEPT`, `REJECT`, or `REVIEW`
`tags`	array	Metadata labels applied by Tag steps during execution
`data_enrichments`	array	Results from each enrichment called during execution
`computed`	object	Values calculated by Transformation and Rule Scorecard steps

Synchronous vs asynchronous evaluations

Evaluations follow one of two execution patterns depending on the workflow configuration:

Synchronous: The workflow completes all steps and returns a decision in the API response. This is the default for workflows without user-interaction steps.
Asynchronous: The workflow pauses at a step that requires user action (Document Verification, OTP, or a Wait step). RiskOS™ returns an evaluation_paused status. When the action completes, the workflow resumes and delivers the final result via webhook.

See Synchronous vs Asynchronous Evaluations for the full execution model.

Workflows

A workflow is a configurable sequence of steps that automates decision-making in RiskOS™. When an evaluation is triggered, RiskOS™ executes the specified workflow — processing data through input collection, enrichment calls, conditional logic, and rules — to reach a final decision.

You build workflows visually in the RiskOS™ Dashboard using the Workflow Editor.

Workflow categories

RiskOS™ supports two workflow delivery models. Both use the same evaluation runtime, enrichment pipeline, and decision model.

Aspect	Custom workflow	Hosted Flow
Definition	Built and managed by the customer in the Workflow Editor	Preconfigured workflow with a Socure-managed end-user UI
Configuration	Customer selects steps, enrichments, rules, and decision logic	Socure provides an opinionated, pre-built flow
End-user UI	Customer-built (API + SDK)	Socure-hosted (web-based)
Lifecycle management	Customer manages (Draft → Published → Live)	Socure manages the workflow; customer customizes branding
Extensibility	Full — any step type, any enrichment, any rule	Limited — template customization and branding

Both categories produce evaluations, return decisions, and follow the same lifecycle states. The distinction is operational — ownership and configuration model — not architectural.

For the full Hosted Flow ontology, see Hosted Flows.

What a workflow does

A workflow defines:

What data to accept — The Input step specifies required fields in the evaluation payload.
What data services to call — Enrichment steps call Socure products or third-party APIs for additional signals.
How to evaluate the data — Condition steps, Rule Scorecards, and Transformation steps apply logic to route and score data.
What decision to return — A Decision step or Manual Review step terminates the workflow with an outcome.

Step types

Every workflow consists of steps. Each step has a single purpose:

Step	Category	Purpose	Async capable
Input	Data	Defines the evaluation payload schema	No
Enrichment	Data	Calls a data service to add external signals	No
Transformation	Logic	Manipulates data with stateless functions	No
Condition	Logic	Branches the workflow based on boolean evaluation	No
Advanced Condition	Logic	Multi-group conditional logic with nested groups	No
Tag	Logic	Attaches metadata labels to the evaluation	No
Reason Code	Logic	Attaches explanatory codes to the evaluation outcome	No
Rule Scorecard	Logic	Assigns risk scores based on rule evaluations	No
Matrix Rule	Logic	Evaluates a tabular set of rules	No
Grouped Rules	Logic	Evaluates collections of related rules together	No
Decision Rules	Decision	Combines condition + decision in a single step with fallback	No
Decision	Decision	Assigns a final evaluation outcome (`ACCEPT`, `REJECT`, `REVIEW`)	No
Manual Review	Decision	Routes the evaluation to a human reviewer in Case Management	No
Wait	Pause	Pauses execution until an external API call resumes it	Yes
OTP	Pause	Sends a one-time passcode and pauses until the user verifies	Yes
Hosted Flow	Pause	Triggers a Socure-hosted end-user experience	Yes
Note	Documentation	Adds inline documentation to the workflow canvas	No

For step-level configuration and field definitions, see Workflow Steps Reference.

Workflow lifecycle

Workflows move through three states:

State	Description	Can be edited	Processes evaluations
Draft	Initial state after creation. Can be edited and tested.	Yes	No
Published	Frozen configuration. Can be tested but not edited directly.	No	No
Live	Actively processes evaluations via the Evaluation API.	No	Yes

A workflow must be Published before it can be set to Live. Only one version of a workflow can be Live at a time.

Versioning:

Major version: Duplicate a published workflow to create a new independent version.
Minor version: Edit a published workflow to create a patch (available only for certain changes).

For lifecycle management details, see Manage Workflow Lifecycle.

Workflow modes

Mode	Description
Live	Processes production evaluations and returns real decisions
Shadow	Processes evaluations in parallel without affecting the live decision (for testing)
A/B (Champion-Challenger)	Splits traffic between two workflow versions to compare performance

Terminal steps

Every workflow must end with one of:

A Decision step — assigns an automated outcome
A Manual Review step — routes to a human reviewer

A workflow without a terminal step can't be published.

Decisions

A decision is the final outcome of an evaluation. It represents the platform's determination — based on enrichment data, rules, and scoring logic — of whether to accept, reject, or flag an entity for further review.

Decisions are set by terminal workflow steps: a Decision step for automated outcomes, or a Manual Review step for human review.

Decision values

The Evaluation API returns three standard decision values:

Value	Meaning	Typical action
`ACCEPT`	The entity passed all checks	Proceed with onboarding, transaction, or access
`REJECT`	The entity failed one or more checks	Deny the request
`REVIEW`	The evaluation requires human assessment	Route to Case Management for manual review

Custom and step-level values: Decision Rules steps can also assign values such as RESUBMIT and CANCEL, or route to Manual Review. You can define additional custom decision values when configuring a Decision step or Decision Rules step. These values appear in the API response and Case Management alongside the standard values.

Two types of decisions

Automated decisions are set by a Decision step or Decision Rules step in the workflow. These are returned in the evaluation API response without human involvement.

Manual review decisions occur when a workflow routes to a Manual Review step. The evaluation enters Case Management. A human reviewer examines the case and makes a final decision — typically Accept or Reject. The reviewer's decision is communicated back to your system via webhook (decision_update event) or API polling.

Where decisions appear

Location	Field / event	Description
Evaluation API response	`decision`	The automated decision from the workflow
Webhook: `evaluation_completed`	`data.decision`	Final decision after an async workflow completes
Webhook: `decision_update`	`data.decision`	Updated decision after manual review
Case Management UI	Decision column	Visible in case queues and case detail views

Decision vs status vs evaluation state

Decisions, statuses, and evaluation states are three distinct runtime concepts:

Concept	Question it answers	Values	Set by
Decision	"What action should we take?"	`ACCEPT`, `REJECT`, `REVIEW`, custom	Workflow step or human reviewer
Case status	"Where is this case in the review process?"	Open, On Hold, Closed (with customizable sub-statuses)	Case Management system or reviewer
Evaluation state	"Where is this evaluation in execution?"	`evaluation_in_progress`, `evaluation_paused`, `evaluation_completed`	Runtime engine

A case can have a REVIEW decision, an Open status with an "In Review" sub-status, and an evaluation_completed evaluation state simultaneously — each tracks a different dimension.

For the full lifecycle model with state diagrams, see Statuses & Lifecycle.

Enrichments

An enrichment is a data service that supplements an evaluation with additional risk, identity, and compliance signals beyond the data provided in the initial API request. Enrichments are also referred to as products in the RiskOS™ platform.

During workflow execution, an Enrichment step calls a Socure product or third-party API to retrieve structured data — scores, reason codes, attributes, and validation results. The workflow then uses these signals in downstream rules and conditions to reach a decision.

How enrichments work

sequenceDiagram
    participant App as Your Application
    participant RiskOS as RiskOS™
    participant Svc as Data Service

    App->>RiskOS: POST /api/evaluation (PII + workflow)
    RiskOS->>RiskOS: Run Input step
    RiskOS->>Svc: Call enrichment (e.g., Phone Risk)
    Svc-->>RiskOS: Return scores, reason codes, attributes
    RiskOS->>RiskOS: Apply rules using enrichment signals
    RiskOS->>RiskOS: Reach decision
    RiskOS-->>App: Return decision + data_enrichments[]

The workflow reaches an Enrichment step.
RiskOS™ calls the configured data service with the relevant payload fields.
The service returns structured results (scores, codes, attributes).
Results are stored in the data_enrichments array of the evaluation response.
Downstream steps (Conditions, Rule Scorecards, Decisions) reference these results.

Where enrichment results appear in the API

Enrichment results are returned in the data_enrichments array of the evaluation response. Each entry represents a single enrichment call:

Field	Description
`enrichment_name`	Name of the enrichment/product
`enrichment_endpoint`	API endpoint called
`enrichment_provider`	Socure or partner service
`request`	Payload sent to the enrichment
`response`	Full response returned, including scores and reason codes

Enrichment categories

Category	Enrichments	What they provide
Identity verification	Verify, Verify Plus, Prefill, eCBSV, Deceased Check	KYC data, SSN verification, identity attributes
Document verification	Predictive DocV	Government ID capture and verification
Device & behavioral	Digital Intelligence, Account Intelligence	Device fingerprinting, behavioral signals, bank account verification
Fraud detection	Sigma Identity Fraud, Sigma Synthetic Fraud, Sigma First-Party Fraud	ML-based fraud scores and reason codes
Risk scoring	Address Risk, Email Risk, Phone Risk, Graph Intelligence	PII attribute risk scores and identity correlation
Compliance	Watchlist	Sanctions, PEP, and adverse media screening
User verification	OTP, CNAM	Contact information verification
Partner	Middesk, Experian, Thomson Reuters Clear, and others	Third-party data services

For the complete enrichment catalog with integration guides, see Enrichments Overview.

Enrichment error handling

If an enrichment call fails, RiskOS™ retries automatically. On final failure:

The enrichment output is set to null.
Downstream Condition steps referencing the failed enrichment evaluate to false.
You can configure fallback Enrichment steps to chain alternative providers.

For error handling details, see Enrichment Error Handling.

Enrichments vs signals

Concept	Scope	Example
Enrichment	The data service that is called	Sigma Identity Fraud
Signal	A discrete data point returned by an enrichment	`sigma_identity_fraud.score = 0.92`

An enrichment produces multiple signals. Signals are the inputs to rules and conditions.

Rules & Conditions

Rules and conditions are the logic layer in RiskOS™ workflows. They evaluate signals from enrichments, input data, and computed values to determine how an evaluation is routed and what decision is reached.

Conditions

A condition evaluates one or more expressions to true or false and branches the workflow accordingly.

Condition structure:

Each condition expression has three parts:

Part	Description	Example
Left operand	The value to evaluate	`sigma_identity_fraud.score`
Operator	The comparison logic	`greater than`
Right operand	The threshold or reference value	`0.85`

Operand sources:

Source	Description
Input data	Fields from the evaluation request payload
Enrichment data	Values returned by Enrichment steps
Output fields	Results from Transformation, Condition, Rule Scorecard, or Tag steps
Aggregation	Velocity counters and entity-level aggregations

Operators:

Category	Operators
Equality / comparison	equals, not equals, greater than, less than, greater or equal, less or equal
String	contains, not contains, starts with, ends with, matches regex, in, not in
Array	contains, not contains, has any of, has all of
List	in Allow List, in Deny List
Presence	is set, is not set
Reason code	has reason code, does not have reason code

Grouping:

Combine multiple conditions using:

AND — all conditions must be true
OR — at least one condition must be true

The workflow follows the True path if the condition group evaluates to true, and the False path otherwise.

Rule types

RiskOS™ uses the term "rule" in several workflow step contexts. Each serves a different purpose:

Rule type	Step	Purpose	Output
Condition rule	Condition	Routes the workflow based on boolean logic	True/False branch
Score rule	Rule Scorecard	Assigns a numeric risk score (-100 to 100) when a condition is met	Summed score value
Decision rule	Decision Rules	Combines a condition with a decision outcome in a single step	`ACCEPT`, `REJECT`, `REVIEW`, or step-level values (`RESUBMIT`, `CANCEL`), or Manual Review
Matrix rule	Matrix Rule	Evaluates a tabular set of conditions	Row-level match
Grouped rules	Grouped Rules	Evaluates collections of related rules together	Group-level outcome

Rule Scorecards

A Rule Scorecard assigns numeric risk scores based on rule evaluations:

Each score rule defines a condition and a score value (-100 to 100).
Rules that evaluate to true contribute their score.
The final output is the sum of all matching scores.
Downstream Condition or Decision steps reference the scorecard output to make routing decisions.

Decision Rules

A Decision Rules step combines condition evaluation with decision assignment in a single step:

Each rule maps a condition to an outcome — the standard API decision values (ACCEPT, REJECT, REVIEW), step-level values (RESUBMIT, CANCEL), or Manual Review routing.
Rules are evaluated top-to-bottom; the first matching rule applies.
A fallback (Else) path handles cases where no rule matches — it can either continue without a decision or assign a default decision.

This is the only workflow step that can both issue a final decision and continue execution via a fallback path.

How conditions and rules drive decisions

flowchart TD
    ENRICH["Enrichment signals"] --> COND["Condition step"]
    COND -->|True| SCORE["Rule Scorecard"]
    COND -->|False| DR["Decision Rules"]
    SCORE --> THRESHOLD{"Score > threshold?"}
    THRESHOLD -->|Yes| ACCEPT["Decision: ACCEPT"]
    THRESHOLD -->|No| REVIEW["Decision: REVIEW"]
    DR -->|Rule 1 match| REJECT["Decision: REJECT"]
    DR -->|No match| FALLBACK["Fallback: continue"]

Signals & Attributes

RiskOS™ workflows process five distinct types of data during an evaluation. Each has a precise definition, a distinct runtime role, and a specific location in the API response.

Data taxonomy

Term	Definition	Runtime role	Set by	API response location
Attribute	A normalized input field describing the entity being evaluated	Workflow input — defines what data enters the evaluation	Your application (via API request)	Request payload (`data.*`)
Signal	A discrete data point returned by an enrichment or external data service	Decision input — provides evidence for rules	Enrichment step	`data_enrichments[].response.*`
Reason code	A human-readable code explaining why a specific enrichment or decision outcome occurred	Explainability — traces the reasoning behind a decision	Enrichment response or Reason Code step	`data_enrichments[].response.reason_codes[]`
Tag	A metadata label conditionally attached to an evaluation	Operational grouping — classifies evaluations for filtering, routing, and reporting	Tag step (when its condition evaluates to `true`)	`tags[]`
Derived value	A value computed by a workflow step from attributes, signals, or other derived values	Intermediate computation — feeds downstream conditions and decisions	Transformation step or Rule Scorecard step	`computed.*` (requires feature flag)

Attributes

An attribute is an input data point about the entity being evaluated — the information your application sends in the POST /api/evaluation request.

Category	Example attributes	Payload path
Individual	`first_name`, `last_name`, `dob`, `ssn`, `email`, `phone_number`	`data.individual.*`
Address	`street`, `city`, `state`, `zip`, `country`	`data.individual.address.*`
Account	`account_id`, `account_type`, `account_creation_date`	`data.individual.account.*`
Business	`business_name`, `ein`, `business_address`	`data.business.*`
Device	`ip_address`, `user_agent`, `device_id`	`data.device.*`
Custom	Any key-value pairs in the `custom` object	`data.custom.`, `data.individual.custom.`

The Input step of a workflow defines which attributes are required and optional. Attributes are available to all downstream steps as operands in conditions and rules.

Signals

A signal is a discrete data point returned by an enrichment during workflow execution. Signals are the primary evidence used by rules and conditions to reach a decision.

Signal type	Example	Source
Risk score	`sigma_identity_fraud.score = 0.92`	Sigma Identity Fraud enrichment
Validation result	`phone_risk.phone_type = "mobile"`	Phone Risk enrichment
Match indicator	`verify.name_match = "exact"`	Verify enrichment
Fraud flag	`digital_intelligence.vpn_detected = true`	Digital Intelligence enrichment
Compliance result	`watchlist.match_count = 0`	Watchlist enrichment

Signals appear in data_enrichments[].response.* in the evaluation API response.

Reason codes

A reason code is a human-readable identifier explaining a specific factor in an enrichment result or decision outcome. Reason codes provide explainability — they answer "why did this evaluation receive this decision?"

Characteristic	Description
Format	Alphanumeric code (for example, `I805`, `R301`)
Source	Returned by enrichments or attached by a Reason Code workflow step
Purpose	Explain the factors behind a score or decision to reviewers and downstream systems
API location	Per-enrichment `data_enrichments[].response.reason_codes[]`

Reason codes are not decision inputs — they are decision explanations. Rules and conditions evaluate signals, not reason codes (though the has reason code operator enables reason-code-aware routing).

Characteristic	Description
Behavior	Set only when the Tag step's condition evaluates to `true`
Purpose	Operational grouping — filter cases, trigger automation, segment analytics
Boolean output	Each Tag step produces a boolean output field indicating whether the tag was set
API location	`tags[]` in the evaluation response

Derived values

A derived value is a value computed during workflow execution from attributes, signals, or other derived values. Derived values are intermediate computations used by downstream rules and conditions.

Source step	How it produces a derived value	Example
Transformation	Applies stateless functions (string, numeric, date, array) to input data	`$age_at_application = DATEDIFF(dob, NOW(), "years")`
Rule Scorecard	Sums numeric scores from matching rules	`$risk_score = 45`
Condition	Produces a boolean output indicating the branch taken	`$is_high_risk = true`

Derived values appear in the computed object of the API response (requires feature flag) and are referenced in downstream steps using the $output_field_name syntax.

Entities and aggregations

RiskOS™ tracks certain attributes as entities — core data elements that represent a real-world actor (email address, phone number, SSN, account UUID). Entities enable:

Aggregation features: Computations applied across evaluations sharing the same entity (count, average, sum, min, max, first seen, last seen, distinct count).
Time windows: Aggregations can be scoped to specific periods (minutes, hours, days, or lifetime).
Cross-journey linkage: The same entity connects evaluations across onboarding, authentication, and fraud review via SocureID.

For entity configuration and aggregation functions, see Entities and Aggregations.

How These Concepts Work Together

The six concepts above form a processing pipeline. Each concept feeds into the next, and together they transform raw input data into a risk decision.

End-to-end data flow

flowchart TD
    REQ["API Request"] --> ATTR["Attributes (input)"]
    ATTR --> INPUT["Input Step validates payload"]
    INPUT --> ENRICH["Enrichment Steps call data services"]
    ENRICH --> SIG["Signals returned"]
    ENRICH --> RC["Reason Codes returned"]
    INPUT --> TRANSFORM["Transformation Steps"]
    TRANSFORM --> DV["Derived Values"]
    SIG --> RULES["Rules & Conditions evaluate data"]
    DV --> RULES
    RULES --> TAG["Tag Steps classify evaluation"]
    TAG --> TAGS["Tags"]
    RULES --> DECISION["Decision Step assigns outcome"]
    SIG --> RESP["API Response"]
    RC --> RESP
    TAGS --> RESP
    DV --> RESP
    DECISION --> RESP

The processing sequence

Your application submits attributes. A POST /api/evaluation request sends PII (name, DOB, SSN, email, phone, device data) and specifies which workflow to run.
The evaluation starts. RiskOS™ assigns an eval_id and begins executing the workflow. The evaluation state is evaluation_in_progress.
The workflow processes data through steps. The Input step validates the payload. Enrichment steps call data services (Sigma Fraud, Phone Risk, Watchlist, DocV, and others) and return signals — scores, match results, and risk flags.
Rules and conditions evaluate the signals. Condition steps branch the workflow based on signal values. Rule Scorecards compute aggregate risk scores. Decision Rules map conditions to outcomes.
The workflow reaches a terminal step. A Decision step assigns ACCEPT, REJECT, or REVIEW. A Manual Review step routes the evaluation to Case Management for human assessment.
RiskOS™ returns the result. The API response (or webhook for async evaluations) includes the decision, all enrichment data, reason codes, tags, and computed values.

Concept relationships

From	To	Relationship
Evaluation	Workflow	An evaluation executes exactly one workflow
Workflow	Enrichment	A workflow contains zero or more Enrichment steps
Enrichment	Signal	Each enrichment produces one or more signals
Signal	Rules & Conditions	Rules evaluate signals to determine routing and scoring
Rules & Conditions	Decision	Rules drive the workflow toward a terminal Decision step
Attributes	Evaluation	Attributes are the input data that starts an evaluation
Tags	Evaluation	Tags are metadata labels attached during workflow execution
Reason codes	Decision	Reason codes explain why a decision was reached
Derived values	Rules & Conditions	Derived values feed into downstream rules as computed inputs