Entity resolution is the process of deciding whether two or more records describe the same real-world entity. It is the answer to a question that sounds trivial and is not: are these the same person, the same company, the same vessel - or two different ones that happen to look alike? Get it right and a thousand fragments of data collapse into a coherent picture of who is actually out there. Get it wrong and you either miss the connection that mattered or invent one that was never real.
The discipline travels under many names. Statisticians call it record linkage. Database and computer-science literature calls it entity resolution or object identification. Identity and fraud teams call it identity resolution. Data-quality work calls it deduplication or data matching. They are the same problem viewed from different rooms. A dataset that has been reconciled this way is described as cross-linked.
For anyone working illicit finance, intelligence, or operational decision-making, entity resolution is not a back-office convenience. It is the load-bearing capability. The companion wiki on Counter Threat Finance describes the mission; entity resolution is the machinery that makes the mission possible, because every adversary network is, at bottom, a set of identities scattered across sources that were never designed to agree with each other.
For quick-reference answers, see the Entity Resolution FAQ.
The Problem Entity Resolution Solves
Data about the same entity almost never arrives in matching form. The hard cases - which are most of the real ones - share a set of recurring obstacles.
There is usually no shared unique identifier. A vessel might appear with an IMO number in one registry, a call sign in an AIS feed, and a name in a sanctions list, with nothing common to join on. People and companies are worse: most records carry only quasi-identifiers - name, address, date of birth, jurisdiction - that are individually weak and only become distinguishing in combination.
Names are unstable. The same person appears as "William," "Bill," and "Wm." The same company appears with and without "LLC," "Ltd," or "Holdings." Transliteration multiplies the problem across scripts - a single Arabic, Cyrillic, or Chinese name can romanize a dozen ways, none of them wrong. Aliases are sometimes innocent and sometimes deliberate.
And in the threat-finance world, the obstacle is frequently adversarial by design. Shell companies, nominee directors, and rotating registered agents exist precisely to defeat naive matching. The data is not just messy; some of it is messy on purpose, because someone is being paid to keep two records from joining.
Entity resolution is the set of techniques that decide, under all that uncertainty, which records refer to the same entity and which do not - and, crucially, how confident the system is in each decision.
The Methods
There is no single algorithm. Mature entity resolution layers several approaches, each with known strengths and failure modes.
Deterministic matching links records when specified identifiers agree exactly, or agree above a fixed bar - names match exactly, an identifier is identical. It produces the highest-confidence matches because it infers nothing, and it is the right tool when strong identifiers exist and the data is clean. It breaks down the moment the data is dirty or the strong identifier is missing - which, with adversarial data, is most of the time.
Probabilistic matching is the foundation of the field. The Fellegi-Sunter model (Fellegi and Sunter, 1969), building on the likelihood-ratio approach introduced by the geneticist Howard Newcombe in 1959, reframes the question. Not "do these records match," but "given the evidence in front of me, how likely is it that they refer to the same entity." Each field is weighted by how much agreement or disagreement on it should move the needle, the evidence is combined into a score, and explicit thresholds sort pairs into match, non-match, and a middle band for human review. The model has been shown to be mathematically equivalent to naive Bayes under independence assumptions, and despite half a century of newer tooling, most modern matching systems still rest on its logic - often without acknowledging it. Its great virtue is that it produces interpretable scores and explicit decision thresholds rather than the false certainty of treating messy evidence as clean truth.
Machine-learning matching trains classifiers on labeled match and non-match pairs and can outperform classic methods when good training data exists. Active-learning variants reduce the labeling burden by asking a human to adjudicate only the pairs the model finds hardest - valuable in a domain that, like this one, rarely has a clean ground-truth set.
Graph-based resolution treats each pairwise match as an edge and finds clusters of connected records, where a cluster represents one entity. This is also where resolution stops being about single pairs and starts revealing structure - the non-obvious relationships between entities that no single record contains. The intelligence community's interest in entity resolution has always been as much about these hidden links as about deduplication.
Blocking is the practical glue. Comparing every record against every other record is computationally impossible at scale, so blocking first groups plausibly related records - by a name fragment, a shared attribute, a probabilistic signature - so that expensive comparison only runs within blocks. Good blocking is the difference between an engine that runs in seconds and one that never finishes.
Real systems combine these. A hybrid pipeline uses deterministic matching where strong identifiers exist, probabilistic and ML matching for the fuzzy remainder, and graph clustering to assemble the resolved entities into a network - with confidence scoring throughout, so an analyst can tell a near-certain link from a plausible one.
Entity Resolution in Intelligence and Threat Finance
The methods above are general. Their application to intelligence and counter-threat-finance is where they earn their keep, and where the requirements get sharper.
Entity resolution sits at the core of national-security data work. Australia's financial-intelligence unit, AUSTRAC, has framed entity resolution as central to a whole-of-government approach to its most pressing problems - terrorism and welfare fraud among them - precisely because the answer to those problems lives in combining and reconciling datasets from many agencies of differing quality. That is the canonical intelligence use case: many sources, no common key, high stakes on getting the identity right.
Sanctions screening is entity resolution. Matching a track, a customer, or a counterparty against the OFAC SDN List, the EU and UK lists, and the UN Consolidated List is a record-linkage problem with adversarial data - which is why naive exact-match screening produces both misses and a flood of false positives on common names, and why credible screening uses the deterministic-plus-probabilistic, confidence-scored approach with common-name suppression that the field has converged on.
Beneficial-ownership resolution is entity resolution across registries. Tracing the natural person behind a chain of holding companies means resolving the same entity across corporate registries, beneficial-ownership registers, leak datasets, and court records - sources that disagree on spelling, format, and structure, and were never built to be joined.
And network discovery is graph-based entity resolution. JP 3-25's call for social network analysis is, mechanically, the construction and reading of a resolved entity graph. The non-obvious relationship between a sanctioned individual, a shell company, a vessel, and a financier is exactly the kind of cluster a graph-based resolver surfaces and a list-based screen never will.
Ontology and Normalization: Why Schema Comes First
Matching algorithms get the attention, but they are not where the work starts. Before any record can be resolved against any other, the records have to describe the world in the same terms. That is an ontology-and-normalization problem, and it is the part that quietly decides whether everything downstream works.
An ontology is the canonical model of what entities exist and how they relate - persons, organizations, vessels, aircraft, addresses, identifiers, and the ownership, control, and association links among them. Normalization is the unglamorous, decisive work of mapping every incompatible source into that model: parsing names into components, standardizing addresses, reconciling identifier formats, collapsing aliases, and stripping the corporate-suffix noise that defeats matching. Sanctions lists, corporate registries, beneficial-ownership registers, maritime and aviation records, and leak datasets each arrive in their own schema; normalization is what makes them speak to each other.
Adopting an open ontology rather than inventing a private one is a force multiplier. The FollowTheMoney (FtM) schema, used across the open investigative-data ecosystem, defines a shared vocabulary of entity types and relationships. A platform built on it can read the bulk exports of the open-data world - sanctions data, offshore-leaks data, legal-entity-identifier data - directly, and export its own resolved investigations in a format partners and downstream systems can consume without a custom integration. Interoperability with a published standard, including the ISO 17442 Legal Entity Identifier (LEI) maintained by the Global Legal Entity Identifier Foundation, is the difference between a closed silo and a node in a larger intelligence ecosystem.
The discipline's oldest lesson holds: the quality of entity resolution is set long before the matcher runs. Schema comes first.
High-Performance Analytics at the Edge
Entity resolution at useful scale - hundreds of millions of records across dozens of sources - is a serious computational problem, and where the engine runs matters as much as how well it matches.
The operational requirement is unforgiving. A counter-threat-finance cell on a disconnected network, an analyst aboard a vessel, or a forward node cannot wait on a cloud round-trip to resolve an entity. The resolution and screening engines have to run locally, cold-start quickly, and operate air-gapped when the link is down. That favors columnar, in-memory analytical processing over the records - the class of high-performance local analytics that can union dozens of normalized sources and resolve against them in milliseconds, on the same hardware that is carrying the operational picture, without phoning home.
This is not a styling choice. It is what separates a tool that works in a clean enterprise data center from one that works where the mission actually happens.
From Static Records to a Live Operational Picture
Most entity-resolution systems resolve identities in a static dataset and produce a report. The operational value appears when the resolved entity is joined to something moving.
Resolve the registered and beneficial owner behind a vessel, and you have a fact. Tie that resolved owner to the vessel's live AIS track crossing a chokepoint right now, and you have a decision. Resolve the trust behind a trust-held aircraft, screen it, and surface it on the live ADS-B picture as it files a flight plan that does not match its stated operator, and the entity resolution has become operational intelligence. The same logic extends to the device in the field and the infrastructure behind a domain.
This is the cyber-physical-financial-operational convergence that the Counter Threat Finance wiki describes from the mission side. From the entity-resolution side, it is a specific technical demand: the resolved entity model cannot live in a separate analytical world from the live sensor feeds. It has to be joined to them, on the same picture, at the edge, in time for an operator to act. Entity resolution that ends in a PDF is a research tool. Entity resolution that feeds the operational picture is a weapon.
What Entity-Resolution Software Actually Requires
Pulling the requirements together, an entity-resolution capability built for intelligence and operational use has to do all of the following, not some of them.
Schema and normalization first. A canonical ontology, ideally an open one for interoperability, and disciplined normalization of every source into it before any matching runs.
Layered matching with calibrated confidence. Deterministic matching on strong identifiers, probabilistic matching for the fuzzy remainder, graph clustering for structure, and explicit confidence scores and review thresholds so a near-certain link is never confused with a plausible one - the Fellegi-Sunter discipline of evidence over false certainty.
Adversarial robustness. Handling of transliteration, aliasing, common-name collisions, and deliberate obfuscation, because in this domain the data fights back.
Graph-native network discovery. Surfacing the non-obvious relationships across resolved entities, because the link that matters is rarely in any single record.
Provenance and explainability. Every resolved link traceable to the source and evidence that produced it, because an unexplainable match is useless in a referral, a designation package, or a court.
High-performance, edge-deployable execution. Local, fast-starting, air-gap-capable analytics that resolve at scale without a cloud dependency.
A join to the live operational picture. The resolved entity model tied, in real time, to the streaming sensor feeds - the requirement that turns entity resolution from a desk function into an operational one, and the one most tools were never built to meet.
Glossary
- Active Learning: A machine-learning approach that asks a human to label only the hardest cases, reducing the training burden in domains without clean ground truth.
- Alias: An alternate name for an entity, sometimes innocent, sometimes used deliberately to evade matching.
- Blocking: The technique of grouping plausibly related records before comparison so that expensive matching runs only within groups, making resolution tractable at scale.
- Cross-Linked: Describes a dataset that has been reconciled through record linkage.
- Deduplication: Identifying and merging records that refer to the same entity within a single dataset.
- Deterministic Matching: Linking records when specified identifiers agree exactly or above a fixed bar; high confidence, brittle on dirty data.
- Entity Resolution (ER): The process of determining whether different records refer to the same real-world entity.
- Fellegi-Sunter Model: The foundational 1969 probabilistic framework for record linkage, treating matching as evidence-weighted classification under uncertainty.
- FtM (FollowTheMoney): An open ontology for persons, organizations, and their relationships, used across the open investigative-data ecosystem.
- Graph-Based Resolution: Treating pairwise matches as edges and resolving entities as clusters of connected records, surfacing non-obvious relationships.
- Identity Resolution: Entity resolution applied specifically to people and their identities.
- LEI (Legal Entity Identifier): The ISO 17442 standard global identifier for legal entities, maintained by GLEIF.
- Non-Obvious Relationship: A connection between entities that no single record states, surfaced by resolving and graphing across sources.
- Normalization: Mapping heterogeneous source data into a canonical model - parsing names, standardizing addresses, reconciling identifiers.
- Ontology: The canonical model of which entity types exist and how they relate.
- Probabilistic Matching: Scoring the likelihood that records refer to the same entity using weighted field agreement; the Fellegi-Sunter approach.
- Quasi-Identifier: A weak identifier (name, address, date of birth) that becomes distinguishing only in combination with others.
- Record Linkage: The statistician's term for entity resolution - matching records across or within datasets.
- Transliteration: Rendering a name from one script into another, a major source of legitimate name variation across sources.
Related: What is Counter Threat Finance? | Threat Finance & Entity Resolution capability | Entity Resolution FAQ