How to build cryptographic evidence for regulatory compliance using the SWT3 AI Witness protocol. Covers hashing, signing, clearing levels, SIEM integration, and framework mapping across EU AI Act, NIST AI RMF, CMMC, and SR 11-7.
Audience: Developers, compliance officers, auditors, and architects implementing audit trails for AI agent systems. Applicable to EU AI Act (GPAI + high-risk), NIST AI RMF, CMMC, SR 11-7, and NSA AISC environments.
The SWT3 (Sovereign Witness Traceability) protocol provides a cryptographic audit trail for AI agents -- every inference hashed, every tool call recorded, every resource access checked against scope. This guide explains what an AI agent audit trail requires, why it must be cryptographic, and how to implement one using SWT3's open-source SDK.
An AI agent is not a stateless API call. It selects tools, accesses resources, chains multi-step decisions, and operates with varying degrees of autonomy. When an agent makes a consequential decision -- approving a loan, triaging a patient, executing a trade, or modifying infrastructure -- regulators, auditors, and internal governance teams need to answer one question: what happened, and can you prove it?
Traditional application logging captures HTTP requests and responses. That is insufficient for AI agents because it misses the compliance-relevant factors: which model version was deployed, whether guardrails were active, how many tokens were consumed, whether a human-in-the-loop checkpoint was reached, and whether the agent's behavior drifted from its baseline.
Regulatory frameworks now explicitly require this evidence:
A cryptographic audit trail differs from a log file in four properties: the evidence is hashed, signed, timestamped, and tamper-evident. Together, these properties produce non-repudiation -- the record cannot be retroactively altered without detection, and the producer of the record can be verified.
| Property | Traditional Log | Cryptographic Audit Trail |
|---|---|---|
| Integrity | Text file, editable | SHA-256 hash of evidence factors; any modification changes the fingerprint |
| Attribution | Process ID, hostname | HMAC-SHA256 signature proving which agent or system produced the record |
| Timestamp | System clock, adjustable | Millisecond epoch embedded in the hash; post-hoc changes are detectable |
| Tamper evidence | None (log rotation can destroy) | Merkle accumulator rolls individual records into a session-level root hash |
| Verification | Trust the log source | Any party can recompute the hash independently; no vendor trust required |
In the SWT3 protocol, every witnessed action produces a fingerprint computed as:
SHA256("WITNESS:{tenant}:{procedure}:{factor_a}:{factor_b}:{factor_c}:{timestamp_ms}").hex()[:12]
This formula is deterministic, cross-language (identical output in Python, TypeScript, Rust, C#, and Ruby), and verified by 40 shared test vectors at build time. The fingerprint is embedded in a self-describing SWT3 Witness Anchor:
SWT3-E-AWS-AI-INF.1-PASS-1779799599-22e18a5910f9
The anchor encodes the deployment tier, provider, procedure, verdict, epoch, and fingerprint in a single string that is human-readable, machine-parseable, and independently verifiable.
A complete AI agent audit trail records five categories of evidence. Each category maps to specific regulatory requirements and is implemented as a set of SWT3 procedures.
What to record: Which model was called, the request latency, token consumption (prompt + completion), and hashes of the prompt and response. This is the foundational audit record -- proof that an inference occurred, when, and with what resource consumption.
AI-INF.1 (inference trace), AI-INF.2 (latency and model swap detection), AI-INF.3 (volume and usage logging)What to record: The deployed model's hash (does it match the approved version?), adapter stack, quantization parameters, and version lineage. This category detects unauthorized model changes, shadow deployments, and configuration drift.
AI-MDL.1 (model hash), AI-MDL.2 (version tracking), AI-MDL.5 (weight integrity), AI-MDL.6 (adapter stack), AI-MDL.7 (quantization)What to record: Whether content filters, PII scanners, and injection detectors were active at inference time; whether they triggered; whether a gatekeeper pre-call check passed or halted the request; and any policy violations.
AI-GRD.1 (guardrail presence), AI-GRD.2 (guardrail efficacy), AI-GRD.3 (gatekeeper mode), AI-VIO.1 (violation recording), AI-SAFE.1 (safety constraints)What to record: Every tool call (name, parameters, result), every resource access (scope, authorization), the agent's identity, and chain links between agents in multi-step pipelines. This category answers "what did the agent do?" with specificity.
AI-TOOL.1 (tool witnessing), AI-ACC.1 (access control), AI-ID.1 (agent identity), AI-CHAIN.1 (chain monitoring), AI-CHAIN.2 (chain integrity)What to record: Human-in-the-loop checkpoint completions, explainability records (how the system arrived at its output), fairness metrics (demographic parity, equalized odds), and content provenance (C2PA, watermarks).
AI-HITL.1 / AI-HITL.2 (human oversight), AI-EXPL.1 / AI-EXPL.2 (explainability), AI-FAIR.1 / AI-FAIR.2 (fairness), AI-MARK.1 (content provenance)Audit trails contain evidence, but some evidence is sensitive. A prompt may contain PII. A response may contain classified information. An inference record may reveal proprietary model architecture. The challenge is: how do you prove compliance without exposing the data that was being protected?
SWT3 addresses this with a clearing engine that runs inside the SDK process before any evidence leaves the local environment. Four clearing levels control what data survives:
| Level | Name | What Gets Purged | What Survives |
|---|---|---|---|
| 0 | Analytics | Nothing purged | Full telemetry including raw prompt/response hashes |
| 1 | Standard | Raw prompt and response text | Hashes, factors, verdict, procedure, fingerprint |
| 2 | Sensitive | AI context metadata | Procedure, verdict, fingerprint, timestamp |
| 3 | Classified | All operational data | Cryptographic proof only. The anchor proves the action was witnessed without revealing what was witnessed. |
Jurisdiction (jurisdiction), legal basis (legal_basis), and purpose class (purpose_class) survive all clearing levels. These CJT fields maintain regulatory traceability even at Classified, ensuring an auditor can determine which regulatory framework applies without accessing the underlying data.
# .swt3.yaml clearing_level: 2 # Sensitive: hashes and factors retained, AI context purged
SWT3 operates as an SDK wrapper around your existing AI client. The wrapper intercepts inference calls, extracts compliance factors, computes the fingerprint, and writes the anchor to the witness ledger. The application code requires minimal modification.
from swt3_ai import Witness
from openai import OpenAI
witness = Witness(
endpoint="https://sovereign.tenova.io",
api_key="axm_...",
tenant_id="YOUR_TENANT",
)
client = witness.wrap(OpenAI())
# Every inference through this client is automatically witnessed.
# Anchors are minted for AI-INF.1 (inference), AI-GRD.1 (guardrails),
# and any other configured procedures.
response = client.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": "Summarize Q3 results"}],
)
import { Witness } from "@tenova/swt3-ai";
import OpenAI from "openai";
const witness = new Witness({
endpoint: "https://sovereign.tenova.io",
apiKey: "axm_...",
tenantId: "YOUR_TENANT",
});
const client = witness.wrap(new OpenAI()) as OpenAI;
const response = await client.chat.completions.create({
model: "gpt-4o",
messages: [{ role: "user", content: "Summarize Q3 results" }],
});
# Python pip install swt3-ai && python -m swt3_ai.demo # TypeScript npm install @tenova/swt3-ai && npx swt3-demo
The demo runs entirely locally with no network calls. It simulates 5 inference witnesses, generates anchors, and produces a coverage report. No API key required.
Audit trail configuration is declarative via .swt3.yaml. Seven built-in profiles ship with the SDK:
| Profile | Use Case |
|---|---|
eu-ai-act-high-risk | EU AI Act high-risk: clearing 2, signing required, jurisdiction required |
nist-ai-rmf | NIST AI RMF: full procedure coverage, moderate policy |
cost-conscious | Token budget governance: 25K/session ceiling, cost attribution |
owasp-agentic-top10 | OWASP Agentic Top 10: fail-closed, 100K tokens, depth 8 |
mythos-defense | Exploit chain containment: clearing 3, strict trust, depth 5 |
granite-sovereign | IBM Granite on-prem: air-gap ready, hardware attestation |
minimal | Development: clearing 0, no policy enforcement |
Audit trail data is only useful if it reaches the systems where compliance teams work. SWT3 provides four export paths:
| Method | Format | Use Case | Air-Gap |
|---|---|---|---|
| OpenTelemetry | OTLP spans | Jaeger, Datadog, Splunk, Elastic, Grafana | No |
| Regulatory webhooks | HMAC-signed JSON | SIEM, GRC tools, ServiceNow, custom endpoints | No |
| Write-ahead log (WAL) | JSONL append-only | Air-gapped environments, offline analysis | Yes |
swt3 audit CLI | HTML or JSON | Self-contained reports from WAL data | Yes |
OpenTelemetry spans include standard attributes: swt3.procedure_id, swt3.verdict, swt3.fingerprint, swt3.model_id, swt3.clearing_level. These attributes integrate with existing observability pipelines without custom parsing.
Regulatory webhooks deliver HMAC-signed events on verdict changes, drift detection, and attestation lapses. The receiving system verifies the HMAC signature to confirm the event originated from the witness pipeline.
Each audit trail requirement maps to specific articles, sections, or practices across regulatory frameworks:
| Requirement | EU AI Act | NIST AI RMF | CMMC | SR 11-7 | NSA AISC |
|---|---|---|---|---|---|
| Automatic event logging | Art. 12 | MEASURE 2.6 | AU-2 | II.B.3 | Rec 6 |
| Risk management evidence | Art. 9 | GOVERN 1.5 | RA-3 | II.A | -- |
| Post-market monitoring | Art. 72 | MANAGE 4.1 | CA-7 | II.C | -- |
| Audit trail integrity | Art. 12(3) | MANAGE 2.4 | AU-10 | II.B.5 | Rec 3 |
| Data protection in logs | Art. 10(5) | MANAGE 3.2 | SC-28 | -- | Rec 1, 4 |
| Human oversight records | Art. 14 | GOVERN 1.3 | -- | II.D | -- |
| Independent verification | Art. 43 | MEASURE 3.3 | CA-2 | II.E | Rec 7 |
SWT3 OSCAL exports (SSP, Assessment Results, POA&M) are validated against the NIST oscal-cli. These artifacts integrate directly into eMASS, XACTA, and other authorization management systems.
A cryptographic audit trail is only as credible as the independence of the system maintaining it. If the agent being audited also controls the audit log, the evidence is self-reported. SWT3 addresses this through two mechanisms.
The chain enforcer evaluates every tool call against the organization's declared policy: velocity limits, chain depth, token budgets, tool blocklists. When a call violates policy, the enforcer halts the action and mints a violation anchor recording what was attempted and which rule applied. The halt is a side effect. The anchor -- the proof that policy was active and enforced -- is the product.
The sentinel daemon is a separate process that maintains the write-ahead log outside the agent's trust boundary. The signing key lives in the daemon, not the agent. The WAL is owned by the daemon process. Token budgets are enforced in shared daemon state. If the agent stops sending witness requests, the gap in the evidence chain is itself evidence that witnessing was interrupted.
This architecture follows the same principle that requires financial audits to be conducted by an independent firm. The sentinel is the independent custodian of the witness record. For the full design rationale, see Section 9: Evidence Custody and Policy Witnessing.
An audit trail that requires trust in the vendor is not independently verifiable. SWT3 anchors can be verified by any party using client-side SHA-256:
SHA256("WITNESS:{tenant}:{proc}:{fa}:{fb}:{fc}:{ts_ms}").hex()[:12]If they match, the evidence is intact. If they don't, the anchor has been tampered with. No API call, no vendor trust, no network connection required. The formula is public, the test vectors are published, and the verification is pure math.
A browser-based public verifier is available at sovereign.tenova.io/verify for single or bulk anchor verification. All computation runs client-side.
40 cross-language test vectors ensure that Python, TypeScript, Rust, C#, and Ruby SDKs produce identical fingerprints for identical inputs. An auditor can verify evidence produced by any SDK using any other SDK, or using sha256sum in a terminal.