Why We Say No: Inside a Case-Acceptance Protocol for OSINT Investigators

2026-07-15 · Philip Choo · AI9OS

The most consequential decision in an investigation happens before any collection begins: whether to take the case at all — and in what shape. Most write-ups in this field cover tooling. Almost none cover refusal. This post describes the case-acceptance protocol we run on every referral, and why a disciplined no — or a reshaped yes — is usually worth more to the client than the engagement they first asked for. It is general information for practitioners, not legal advice.

Why intake is the highest-risk moment

Referrals rarely arrive as clean requirements. They arrive as distress: a family convinced of an outcome, an urgent deadline, a story with the inconvenient parts sanded off. Accept on emotion and three failure modes follow:

1. The unlawful engagement — the ask sounds like research but lands on harassment, unlawful access, or interference with a live proceeding.

2. The undeliverable engagement — the evidence cannot exist, so the fee buys disappointment and the practice's credibility pays for it.

3. The engagement that harms the client — the most dangerous one. Work that cuts against the strategy the client's own counsel has advised can cost them the position their lawyer secured. Sometimes the professional answer to "prove X" is that pursuing X would make the client's situation worse.

A scored, logged protocol converts those judgement calls from instinct into a record that can be defended later — to a client, to a regulator, to a court.

The structure: seven gates, eight red lines, one score

Our protocol runs in a fixed order, and every step carries the statute that makes it matter:

The seven gates. (1) The real ask — what does the client actually want beneath the stated request? (2) The referral chain — who brought this in, and what do they expect? (3) Lawfulness — is every proposed step open-source and legal, screened against the full statute checklist? (4) Conflicts — has the practice ever acted for the other side of this story? (5) Scope — precisely which subjects are in, and what is explicitly out? (6) Deliverability — can open sources realistically answer the question? (7) Authorisation — a named human signs the decision, with any conditions attached.

The eight red lines stop the assessment instantly, whatever the score: requests requiring covert or unlawful access; contact with protected persons; interference with live proceedings; harassment or stalking as method; undeliverable "prove innocence" mandates; unlicensed service perimeters; data-protection breaches without a lawful basis; and engagements whose real purpose diverges from the stated one.

The 30-point rubric scores six dimensions — legal exposure, deliverability, client alignment, evidential quality, operational risk and reputational risk. Below the acceptance band, the case is declined or escalated; the middle band accepts with written conditions.

The output is not a feeling. It is a signed decision — accept, accept-with-conditions, or decline — logged with its score, its conditions, and the laws that shaped it.

The reshaped yes

The most useful outcome in practice is rarely a flat refusal. It is a narrower, lawful engagement that actually serves the client. A request arriving as "prove the allegation wrong" often leaves screening as something else entirely: an evidence-backed support pack for the strategy the client's counsel already advised — sentencing-precedent benchmarking, role differentiation drawn from the public record, corroboration of a legitimate livelihood. Open-source only, delivered through the instructing solicitor so privilege holds, with a no-contact list covering anyone connected to the proceedings.

That reshaping is the protocol's real product. The red lines strip out what cannot lawfully be done; the gates identify what open sources can genuinely deliver; and what remains is an engagement that helps rather than harms.

Boundaries only count if they are enforced

A boundary that lives in the engagement letter is a promise. A boundary that lives in the platform is a control. When we commit to counsel that "a no-contact list is logged at onboarding and enforced throughout," our platform enforces it structurally: the scoped subject list and the no-contact list are locked as a tamper-evident, hash-chained record, and every collection task is checked against both before it can run — a task against a no-contact subject is refused by the system and the refused attempt is itself audited. That matters even more with automation in the loop: an autonomous pipeline that discovers a new name mid-case must not be able to profile a protected person, regardless of what an analyst remembers at 2 a.m.

The same record travels into the final evidence pack, so counsel can demonstrate not just what was collected, but what the system refused to collect.

What a screening record looks like

Whatever your practice's shape, the test of an intake protocol is that a stranger could reconstruct the decision: the referral chain, the instructing party, the lawful basis per statute, the conflict-check result, the locked subject scope and no-contact list, the score with its conditions, and the named human who signed it — all timestamped and tamper-evident. If your record can survive that reconstruction, your yes means something. And so does your no.


AI9OS is an AI-native open-source-intelligence platform built in Singapore for licensed investigators, agencies, law firms and corporate risk teams. The case-acceptance protocol described here ships in the platform as a scored, statute-cited gate logged to a hash-chained evidence locker. AI9OS does not itself provide private-investigation services; investigations are conducted solely by licensed agencies under the Private Security Industry Act.

AI9OS turns public information into verified, chain-of-custody findings for licensed investigation agencies, law firms and corporate risk teams.

Request a demo