
INT-01-03
Reading the Matrix
Steps 5 through 8: from a populated matrix to a conclusion you can defend, a judgment you can audit, and indicators for what to watch next
The first four steps build the matrix. Steps 5 through 8 produce the output: a tentative conclusion drawn from inconsistency counts, a sensitivity test that identifies which evidence items are actually doing the analytical work, a reported judgment that presents all surviving hypotheses with stated confidence, and a set of indicators for future monitoring. This is where ACH earns its keep — not in the rigor of the grid but in the discipline of what you do with it. Each step has a characteristic failure mode. This lesson describes the steps, the failure modes, and what correct execution looks like.
Step 5: Draw Tentative Conclusions
Read Inconsistencies, Not Support
With the refined matrix in front of you, count the inconsistencies for each hypothesis. The hypothesis with the fewest serious inconsistencies is the strongest surviving explanation. Hypotheses that carry multiple serious inconsistencies — items marked I that cannot be easily explained away — are weakened or eliminated. The tentative conclusion is drawn from this count, not from an assessment of which hypothesis has the most evidence appearing to support it.
The word tentative is deliberate. At Step 5 you have a working conclusion. You have not yet tested how fragile it is. Two hypotheses may survive with similar inconsistency counts, in which case both remain credible and should be treated that way. A conclusion that two explanations remain viable is itself an analytically valid output. The pressure to produce a single definitive conclusion before the testing in Step 6 is complete is the most common failure mode at this stage.
Resist the pull toward the most dramatic or operationally convenient conclusion. A hypothesis that points toward active threat requires a response and creates urgency. That urgency can cause analysts to downplay the inconsistencies against the threat hypothesis and overweight the inconsistencies against the innocent one. The matrix is your check against this. If the threat hypothesis carries more inconsistencies than the innocent one, the evidence is telling you something, and the analytical discipline is to follow the evidence rather than the convenience of the conclusion.
Inconsistency count versus support count
Suppose after refinement you have three surviving hypotheses and six diagnostic evidence items. H1 (genuine community member) carries two inconsistencies. H2 (poor information security judgment but genuine member) carries one inconsistency. H3 (directed external collector) carries zero inconsistencies. The tentative conclusion is that H3 is the strongest surviving hypothesis — not because the evidence confirms it most enthusiastically but because it has been least contradicted. H2 remains credible with one inconsistency. H1 is weakened but not eliminated.
Now look at the two inconsistencies against H1. If both are weak items — easily explained under an innocent interpretation — H1 may be more viable than the raw count suggests. If both are strong items — observations that genuinely cannot coexist with the innocent hypothesis if it were true — then H1’s two inconsistencies are more decisive than H3’s zero. The count is the starting point for the conclusion, not the ending point. The strength of each inconsistency matters as much as the number.
Step 6: Test Sensitivity
What Happens When You Pull a Thread
Sensitivity testing identifies the specific evidence items that are actually driving the conclusion and then asks what happens to the conclusion if each of those items is wrong, misinterpreted, or deliberately fabricated. This step is the structural protection against two specific risks: analytical conclusions that rest on fragile evidence, and analytical conclusions that rest on planted evidence.
The procedure is systematic. For each item that is marked Inconsistent for the leading hypothesis — the items that are its primary vulnerabilities — ask: what if this item is false? What if it has an alternative innocent explanation we have not considered? What if it was constructed by someone who anticipated our analysis and wanted to point us toward this conclusion? Change the marking from Inconsistent to Consistent and observe what happens to the inconsistency count. If the conclusion shifts substantially when one item is removed, that item deserves explicit scrutiny before the conclusion is finalized.
Sensitivity testing also applies to the assumptions you included in the evidence list at Step 2. For each assumption, ask: if this assumption is wrong, which cell markings change, and how does the conclusion shift? The assumptions that, if false, would substantially change the conclusion are the ones that most need verification or at minimum explicit acknowledgment in the reported judgment.
The output of Step 6 is twofold: a more confident conclusion if the sensitive items hold up under scrutiny, and an explicit list of the conditions under which the conclusion would change. Both are necessary parts of a complete analytical product. A conclusion that cannot describe the conditions under which it would be wrong is not a conclusion — it is a preference.
If the deception hypothesis is in the matrix and is not eliminated by the evidence, the sensitivity test acquires a specific additional dimension. For every item that is marked Consistent with the leading hypothesis, ask: is this item one that a sophisticated actor who wanted you to reach this conclusion would have constructed? If several key consistent items could plausibly be planted, the deception hypothesis survives not just in the matrix but as a live operational concern. The sensitivity test is the mechanism by which the deception hypothesis gets taken seriously rather than being included pro forma and then discarded.
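The Step 5 ranking and the Step 6 sensitivity test can be run mechanically over a matrix. The following is an added example, not part of the original lesson: the matrix contents, the strength labels and the function names are constructed for illustration, chosen to match the H1/H2/H3 inconsistency counts used above. The sensitivity test here neutralizes each evidence item in turn, which generalizes the flip-one-marking procedure described in Step 6.

```python
# Constructed sample matrix: evidence item -> (strength, {hypothesis: marking}).
# Markings: "C" consistent, "I" inconsistent, "N" neutral.
# Strength ("strong"/"weak") is the analyst's rating of the item; values are assumptions.
MATRIX = {
    "E1": ("strong", {"H1": "I", "H2": "C", "H3": "C"}),
    "E2": ("weak",   {"H1": "I", "H2": "C", "H3": "C"}),
    "E3": ("weak",   {"H1": "C", "H2": "I", "H3": "C"}),
    "E4": ("weak",   {"H1": "N", "H2": "N", "H3": "C"}),
    "E5": ("strong", {"H1": "N", "H2": "C", "H3": "C"}),
    "E6": ("weak",   {"H1": "C", "H2": "N", "H3": "C"}),
}

def scores(matrix):
    """Per hypothesis: (strong inconsistencies, weak inconsistencies)."""
    out = {}
    for strength, marks in matrix.values():
        for hyp, mark in marks.items():
            strong, weak = out.get(hyp, (0, 0))
            if mark == "I":  # only inconsistencies count, never support
                if strength == "strong":
                    strong += 1
                else:
                    weak += 1
            out[hyp] = (strong, weak)
    return out

def leaders(matrix):
    """Hypotheses with the lowest score. Tuple comparison makes one strong
    inconsistency outweigh any number of weak ones; ties are all returned."""
    s = scores(matrix)
    best = min(s.values())
    return sorted(h for h, v in s.items() if v == best)

def sensitive_items(matrix):
    """Neutralize each item in turn (as if false or planted) and report the
    items whose removal changes the set of leading hypotheses."""
    base = leaders(matrix)
    changed = {}
    for item in matrix:
        reduced = {k: v for k, v in matrix.items() if k != item}
        if leaders(reduced) != base:
            changed[item] = leaders(reduced)
    return changed

if __name__ == "__main__":
    print("scores:", scores(MATRIX))
    print("leading:", leaders(MATRIX))
    print("sensitive items:", sensitive_items(MATRIX))
```

In this constructed matrix H3 leads, but only the single weak item E3 separates it from H2: with E3 neutralized, both hypotheses are uncontradicted. That item belongs in the list of conditions under which the conclusion would change.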
Step 7: Report Conclusions
What a Complete Analytical Product Contains
The reported conclusion is not just the leading hypothesis. A complete ACH output reports the relative likelihood of all surviving hypotheses, states a confidence level, identifies the key assumptions the judgment rests on, describes the evidence items that are driving the conclusion, and notes the conditions under which the conclusion would change. Every one of these elements is required. Each of them has a specific function in the report, and omitting any of them degrades the product in a specific way.
Reporting only the leading hypothesis omits information the decision-maker needs to calibrate their response. If H3 (directed collector) and H2 (poor judgment, genuine member) are both surviving hypotheses with similar evidence bases, the decision-maker needs to know that both remain credible — because the response to H3 is substantially different from the response to H2, and acting on H3 when H2 is equally supported is a costly error in the other direction from the confirmation bias the analysis was designed to prevent.
Stating a confidence level requires using consistent language. The intelligence community standard under ICD 203 uses probabilistic language: “likely,” “probably,” “almost certainly,” with defined probability ranges behind each term. At the community level, what matters is consistency: use the same language for the same level of confidence across analyses so that a reader can calibrate over time. “We assess with moderate confidence that H3 is the most likely explanation, with H2 remaining a viable alternative” is a complete confidence statement. “It’s probably H3” is not, because it provides no basis for understanding how strong the evidence base is or how much margin the conclusion has.
The matrix itself, or a documented summary of the evidence and cell markings, should accompany the conclusion. This is the auditable record. It allows another analyst to review the work, challenge specific markings, and understand why the conclusion was reached. Without it, the conclusion cannot be checked and cannot be updated cleanly when new evidence arrives.
Step 8: Identify Indicators for Future Observation
ACH Is Iterative, Not Static
The final step converts a static analytical product into a monitoring framework. For each surviving hypothesis, identify the specific observable events that would strengthen or weaken it if observed. These are your indicators. They define what you are looking for in the period after the analysis, and they direct future collection effort toward the evidence that has the highest diagnostic value.
Indicators should be specific and observable. “Signs of continued hostile behavior” is not an indicator. “Candidate approaches a second member independently and asks the same specific questions about cache locations within 30 days” is an indicator. It describes something that could be observed unambiguously, it has a clear logical relationship to the hypothesis it bears on, and it can be tracked across time by people who were not part of the original analysis.
The indicators for competing hypotheses will often look different in an important way. If H3 (directed collector) is true, you expect to see continued targeted questioning, potential contact between the candidate and unknown third parties, and possibly evidence of external coordination. If H2 (poor judgment, genuine member) is true, you expect to see no evidence of coordination and possibly a positive response to direct guidance about information security. Define the indicators for both before ending the analysis. Monitoring only for indicators that confirm the leading hypothesis is Step 8’s version of column-reading.
ACH is iterative. When significant new evidence arrives — when an indicator is observed, or when something occurs that was not anticipated by any of the current hypotheses — the analysis should be re-run. Not adjusted, not updated with a note in the margin. Re-run. The discipline of re-running the full process rather than amending a prior conclusion is what prevents the prior conclusion from functioning as a new anchor that the re-analysis then confirms.
For the scenario you built in the Lesson 2 exercise, complete the remaining steps. Draw a tentative conclusion from the inconsistency counts and the strength of each inconsistency. Identify the two or three items most responsible for the conclusion and test sensitivity: what happens if each is wrong or planted? Write the reported conclusion in full, including confidence level, surviving hypotheses, key assumptions, and conditions for revision. Define three observable indicators for the leading hypothesis and three for the strongest competing hypothesis.
This completes one full ACH cycle. Lesson 4 applies the complete process to an extended scenario from a community security context, with all eight steps worked through in sequence.
The Step 5 conclusion is tentative — zero inconsistencies does not confirm a hypothesis, it means it has not yet been contradicted
Count inconsistencies to rank hypotheses, then assess the strength of each inconsistency — a single strong inconsistency outweighs several weak ones
Report the relative likelihood of all surviving hypotheses, not only the leading one — the decision-maker needs the full picture
Sensitivity testing identifies which evidence items are driving the conclusion and asks what happens if each is wrong or planted
A conclusion that rests on a single fragile item must be explicitly flagged as such in the reported product
The reported conclusion includes: leading hypothesis, surviving alternatives, confidence level, key assumptions, and conditions for revision
Indicators should be specific and observable; define them for the leading hypothesis and the strongest competing hypothesis
When significant new evidence arrives, re-run the full process — do not amend the prior conclusion, which now functions as an anchor