What They Bother to Look At: Attention as a Scarce Resource

The previous article in this series established what the surveillance and reporting infrastructure can see. The answer, honestly, is quite a lot. But seeing is not the same as looking, and looking is not the same as acting. The enforcement apparatus of the United States — the IRS, the SEC, the FBI, FinCEN, state regulatory agencies — operates under the same constraint that governs every organization on earth: it has finite resources and infinite demands on those resources. Snowden documented in Permanent Record that the collection architecture is vast. What he also made clear, and what the data confirms, is that the gap between collection and analysis is where the enforcement landscape becomes intelligible.

This article is about attention allocation. Every enforcement agency must decide, every day, where to point its limited human and computational resources. Understanding those decisions — what triggers attention, what doesn’t, and why — is more useful than fearing the surveillance infrastructure itself.

The IRS: An Agency With More Returns Than Reviewers

The IRS processes over 150 million individual tax returns annually. It employs approximately 75,000 to 80,000 people in total — not all of whom are auditors or enforcement personnel. Many are customer service representatives, IT staff, administrative workers, and managers. The number of revenue agents who actually conduct field audits — the kind where someone reviews your records in detail — has declined significantly over the past two decades, falling from roughly 14,000 in the early 2000s to fewer than 9,000 by the early 2020s.

The audit rate tells the story most clearly. For individual returns with total positive income under $200,000, the audit rate has fallen below 0.5% and in some recent years has been closer to 0.25%. For returns with income between $200,000 and $1 million, the rate is modestly higher but still low. The rate increases meaningfully only for returns reporting income over $1 million, and even there, the audit rate has declined from historical levels. For returns claiming the Earned Income Tax Credit, the audit rate is disproportionately high relative to the income level — a policy choice that has drawn significant criticism, but which reflects the relative simplicity of conducting correspondence audits on EITC claims.

What triggers IRS attention is not random and not mysterious. The IRS uses a scoring system called the Discriminant Information Function — the DIF score — which is a statistical model that compares your return to similar returns and flags those that deviate significantly from expected patterns. If your deductions are dramatically higher than those of comparable taxpayers, your DIF score goes up. If your reported income is inconsistent with the information returns (1099s, W-2s) the IRS has received, the automated matching system flags the discrepancy. The most common form of IRS contact — by a wide margin — is the CP2000 notice, which is simply a letter stating that the income on your return does not match the income reported to the IRS by third parties. This is not an audit. It is a computer matching program.

The honest conclusion: the IRS is primarily a matching machine for ordinary taxpayers. It looks for discrepancies between what you report and what others report about you. If those numbers match, you are statistically invisible to the agency. This is not a secret. It is the agency’s own published operational reality.

The SEC: Even More Outnumbered

The Securities and Exchange Commission regulates the securities markets — a domain that includes every publicly traded company, every broker-dealer, every investment adviser, every mutual fund, and every securities transaction in the United States. The total number of market participants is in the tens of millions. The SEC employs approximately 4,500 to 5,000 people. The Division of Enforcement, which is the part of the SEC that actually investigates and prosecutes violations, has a staff of roughly 1,200 to 1,500.

The math is unfavorable for comprehensive enforcement. The SEC must prioritize, and its priorities are publicly stated: insider trading, accounting fraud at public companies, Ponzi schemes and other investor protection cases, and market manipulation. A small business owner issuing a private placement to accredited investors under Regulation D, or a person managing their own cryptocurrency portfolio, is not the SEC’s priority — not because these activities are unregulated, but because the agency’s limited staff must focus on cases with the greatest investor harm and public impact.

This does not mean the SEC is toothless. When the agency does act, it acts with considerable force. SEC enforcement actions regularly result in substantial fines, disgorgement of profits, and referrals to the Department of Justice for criminal prosecution. The point is not that the SEC cannot reach you. The point is that the agency must choose where to reach, and the vast majority of market participants never come within its investigative focus.

The FBI: A Priority Stack That Starts Elsewhere

The FBI’s priority list is illuminating for anyone who imagines that federal law enforcement is focused on their business structure or tax optimization strategy. The Bureau’s stated priorities, in order, are: protecting the United States from terrorist attacks, protecting against foreign intelligence operations and espionage, protecting against cyber-based attacks, combating public corruption, protecting civil rights, combating transnational organized crime, combating major white-collar crime, and combating significant violent crime.

Note where ordinary financial activity falls on that list. It doesn’t. The FBI’s white-collar crime focus is directed at major fraud — corporate fraud, securities fraud, health care fraud schemes, and public corruption. An individual operating a legal business, managing legal investments, and filing accurate tax returns is so far below the FBI’s attention threshold that it would be comic to worry about it.

The honest framing: federal law enforcement is resource-constrained and priority-driven. The priorities are terrorism, counterintelligence, cyber threats, and large-scale fraud. Everything else is handled opportunistically, through tips, referrals, and the occasional case that falls into an agent’s lap. The notion that the FBI is monitoring your LLC formation or your modest cryptocurrency holdings is not just wrong — it reflects a misunderstanding of how the institution allocates its finite investigative hours.

State-Level Enforcement: Even Less Capacity

If federal agencies are resource-constrained, state regulatory agencies are dramatically more so. State tax departments, securities regulators, environmental agencies, zoning enforcement offices, and business licensing bureaus operate with budgets and staffing levels that make the IRS look lavishly funded by comparison.

Most state-level regulatory enforcement — particularly in areas like zoning, code compliance, and business licensing — is complaint-driven. This means the agency does not proactively inspect or monitor. It waits for someone to file a complaint, and then it investigates the complaint. If no one complains, the agency has neither the staff nor the mandate to go looking for violations. This is true across most jurisdictions for most categories of local regulation.

The implication is not that state regulations can be ignored. It is that the enforcement mechanism is reactive rather than proactive, and understanding this helps you allocate your compliance effort rationally. Accuracy in state tax filings matters because those systems increasingly share data with federal systems. Compliance with business licensing requirements matters because a competitor or disgruntled customer can file a complaint that triggers investigation. But the notion that state regulators are actively monitoring your home-based business or scrutinizing your small LLC is, in most states, not supported by the staffing reality.

The Algorithmic Filter: Machines Flag, Humans Decide

The trend across all enforcement agencies is toward automated flagging systems. The IRS DIF score is one example. FinCEN’s analytical systems process millions of SARs and CTRs using pattern-matching algorithms. The SEC uses market surveillance tools to detect unusual trading patterns. These systems are increasingly sophisticated, and they are the primary mechanism by which the enforcement apparatus extends its reach beyond what its human staff could accomplish alone.

But automated flagging is not automated enforcement. When an algorithm flags a return, a transaction, or a trading pattern, that flag enters a queue. A human being must review the flag, determine whether it warrants further investigation, and decide how to proceed. That human review is the true bottleneck. Agencies are staffed to review a fraction of what their algorithms flag, which means that even items flagged as anomalous are often never examined.

Snowden’s insight about the NSA applies broadly across the enforcement landscape: the capacity to collect data has outstripped the capacity to analyze it by orders of magnitude. The algorithms narrow the gap, but they do not close it. The enforcement apparatus is not a single eye that sees all. It is millions of sensors feeding data into analytical systems that generate thousands of flags that are reviewed by hundreds of humans who take action on dozens of cases. The funnel is steep, and the conversion rate from data point to enforcement action is very low.

The Key Insight: Optimization, Not Omniscience

Agencies optimize. They do not monitor comprehensively. The IRS optimizes for the highest-return audits — those most likely to yield additional revenue. The SEC optimizes for the highest-impact cases — those most likely to protect investors and deter future fraud. The FBI optimizes for its stated priorities — those most likely to protect national security and public safety. State agencies optimize for complaint resolution — those cases where a citizen has raised a concern that demands a response.

In every case, the optimization function points away from ordinary people doing ordinary things. If you file an accurate tax return, your DIF score stays low and you stay out of the audit queue. If you operate a legal business within its regulatory framework, no regulator is scanning for you. If you manage your investments without committing fraud, the SEC has no mechanism to notice your existence. If you are not involved in terrorism, espionage, or major criminal enterprise, the FBI is not thinking about you.

This is not complacency. This is the math. And understanding the math is the beginning of rational sovereignty — the kind that allocates effort proportionally rather than performing compliance theater in areas where no one is watching, or performing paranoia about agencies that have never heard of you.

The surveillance infrastructure is vast, as we documented in the previous article. But attention is scarce, and agencies spend it where the expected return is highest. For the sovereign who files accurately, operates legally, and maintains proportional privacy practices, the enforcement gap is wide — not because the system is broken, but because the system is triaging. You are not that interesting to them. That is not an insult. It is the most liberating fact in this entire series.

This article is part of the Enforcement Gap series at SovereignCML.

Related reading: What They Can See: The Actual Surveillance Landscape, What They Actually Enforce: The Gap Between Law and Action, The IRS Through the Numbers: What the Data Actually Shows