Audience: Enterprise architects implementing Anthropic's Zero Trust framework, CISOs evaluating independent compliance layers for Claude agent deployments, security engineers building agentic systems in regulated industries (healthcare, finance, defense), and auditors assessing AI governance controls.
1. What Anthropic's Framework Requires
On May 27, 2026, Anthropic published Zero Trust for AI Agents, a framework for deploying autonomous AI agents in enterprise environments. The paper argues that AI-accelerated offense has compressed attack timelines from months to hours, requiring a fundamental shift from traditional perimeter security to agent-level controls.
The framework defines a three-tier architecture:
- Foundation Tier: Basic identity and access controls. Cryptographic identity rooting. Entry-level Zero Trust.
- Advanced Tier: Task-scoped permissions. Enhanced memory protections. Strengthened input/output controls.
- Optimized Tier: AI-speed defensive operations. Comprehensive breach assumption. Full agentic SOAR integration.
The paper outlines an eight-phase implementation workflow covering identity, access scoping, sandboxing, input and output controls, and memory safeguards. It addresses five core threats: prompt injection, tool poisoning, identity and privilege abuse, memory poisoning, and supply chain attacks.
2. The Independent Witness Gap
Anthropic's framework mandates cryptographic identity, full traceability, and breach-assumption auditing. However, Anthropic is the model provider. If Claude experiences a reasoning failure, prompt injection, or tool misuse, the audit trail cannot credibly come from Anthropic's own infrastructure.
SWT3 fills this gap as an independent, out-of-band witness protocol. It does not inspect, filter, or modify inference. It records what happened, whether it matched declared policy, and produces tamper-evident evidence that survives model compromise.
3. Requirement-to-Procedure Mapping
| Anthropic Requirement | SWT3 Procedure | What SWT3 Witnesses | Coverage |
|---|---|---|---|
| Cryptographic agent identity | AI-ID.1 | Agent ID binding, HMAC-SHA256 signing per anchor | Full |
| Task-scoped permissions | AI-ACC.1, AI-TOOL.1 | Access control decisions, tool authorization records | Full |
| Prompt-to-action traceability | AI-INF.1, AI-CHAIN.1 | Inference fingerprints, chain-of-custody across agents | Full |
| Tool containment | AI-TOOL.1 | Tool name, input/output hashes, latency, success/failure | Full |
| Prompt injection defense | AI-GRD.1, AI-GRD.2 | Guardrail presence, threat scores, output classification | Partial |
| Supply chain security | AI-SUPPLY.1, AI-SBOM.1 | Dependency attestation, software bill of materials | Full |
| Memory poisoning defense | AI-SKILL.2 | Memory context state, persistence boundaries | Partial |
| Multi-agent coordination | AI-MULTI.1, AI-CHAIN.2 | Agent handoff records, chain trust verification | Full |
| Agentic SOAR | AI-INCIDENT.1 | Incident classification, response attestation | Partial |
| Breach assumption / audit | AI-AUDIT.1 | Audit trail integrity, tamper-evident logging | Full |
| Identity/privilege abuse | AI-ACC.1, AI-SEC.1 | Access decisions, security scan results | Full |
Coverage key: Full = SWT3 directly witnesses the control through procedures and produces auditable evidence. Partial = SWT3 provides supporting attestation; the primary defense mechanism requires additional tooling.
4. Cryptographic Agent Identity
Agent Identity Binding
Anthropic requires: Identities that are cryptographically rooted, with per-agent identity isolation.
How SWT3 addresses it: Every witness anchor includes an agent_id field that binds the anchor to a specific agent instance. The HMAC-SHA256 payload_signature cryptographically proves which SDK instance minted the anchor. The signing_key is unique per agent and never appears in any anchor payload. Combined with the deterministic fingerprint formula, this creates a non-repudiable identity chain for every inference.
agent_id and verify the payload_signature using the agent's signing key. Each anchor is independently verifiable without trusting the model provider's infrastructure.
5. Task-Scoped Permissions
Access Control and Tool Authorization Witnessing
Anthropic requires: Task-scoped access instead of standing permissions. Agents should only have the permissions they need for the current task.
How SWT3 addresses it: wrapAccess() records every access control decision with the resource accessed, the authorization result, and the authorization method. wrapTool() records every tool invocation with tool name, input hash, output hash, and whether the call was permitted by the declared .swt3.yaml policy. The authorization_id field links each inference to a pre-approved authorization token, creating evidence that the agent operated within its approved scope.
.swt3.yaml policy file alongside the witness anchors. The policy_version hash in each anchor proves which permission set was active at the time of execution.
6. Prompt-to-Action Traceability
Inference Witnessing and Chain of Custody
Anthropic requires: Full traceability from prompt to action to outcome. Every step in an agent's reasoning chain must be auditable.
How SWT3 addresses it: witness() records every inference with a deterministic fingerprint: SHA256("WITNESS:{tenant}:{proc}:{fa}:{fb}:{fc}:{ts_ms}").hex()[:12]. Factor A captures the model, Factor B captures the prompt hash, Factor C captures the response hash. For multi-step chains, cycle_id links related inferences into a single reasoning trace. The chain witnessing procedures (AI-CHAIN.1, AI-CHAIN.2) record handoffs between agents with trust level verification at each boundary.
cycle_id to reconstruct the full reasoning chain. Each step's fingerprint is independently verifiable via the /verify endpoint.
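As an added, stand-alone illustration (not SWT3's SDK code) of how an auditor recomputes the fingerprint formula above and checks the HMAC-SHA256 payload_signature from section 4 without trusting the minting system. The fingerprint string follows the page's formula with the model name as Factor A; the anchor field names and the choice to sign sorted-key JSON of every field except the signature are assumptions.

```python
import hashlib
import hmac
import json

def fingerprint(tenant: str, proc: str, fa: str, fb: str, fc: str, ts_ms: int) -> str:
    # Page formula: SHA256("WITNESS:{tenant}:{proc}:{fa}:{fb}:{fc}:{ts_ms}").hex()[:12]
    material = f"WITNESS:{tenant}:{proc}:{fa}:{fb}:{fc}:{ts_ms}"
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:12]

def canonical_payload(anchor: dict) -> bytes:
    # Assumption: the HMAC covers every field except the signature itself,
    # serialised as sorted-key JSON so minter and verifier agree byte-for-byte.
    body = {k: v for k, v in anchor.items() if k != "payload_signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")

def sign_anchor(anchor: dict, signing_key: bytes) -> dict:
    # Minting side: the signing_key never enters the payload, only the MAC does
    signed = dict(anchor)
    signed["payload_signature"] = hmac.new(signing_key, canonical_payload(anchor), hashlib.sha256).hexdigest()
    return signed

def verify_anchor(anchor: dict, signing_key: bytes) -> bool:
    # Auditor side: recompute the fingerprint from the anchor's own factors, then the MAC.
    # The fingerprint alone does not cover agent_id; the MAC is what binds it to the agent.
    expected_fp = fingerprint(anchor["tenant_id"], anchor["procedure_id"], anchor["model"],
                              anchor["prompt_hash"], anchor["response_hash"], anchor["ts_ms"])
    if not hmac.compare_digest(expected_fp, anchor["fingerprint"]):
        return False
    expected_sig = hmac.new(signing_key, canonical_payload(anchor), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected_sig, anchor["payload_signature"])

# Constructed demo values; the key is a placeholder, not a real secret.
DEMO_KEY = b"demo-signing-key-placeholder"

def mint_demo_anchor() -> dict:
    prompt_hash = hashlib.sha256(b"What is our refund policy?").hexdigest()
    response_hash = hashlib.sha256(b"Refunds are accepted within 30 days.").hexdigest()
    anchor = {
        "tenant_id": "acme",
        "agent_id": "claude-agent-prod",
        "procedure_id": "AI-INF.1",
        "model": "claude-sonnet-4-6",
        "prompt_hash": prompt_hash,
        "response_hash": response_hash,
        "ts_ms": 1780000000000,
    }
    anchor["fingerprint"] = fingerprint("acme", "AI-INF.1", "claude-sonnet-4-6",
                                        prompt_hash, response_hash, anchor["ts_ms"])
    return sign_anchor(anchor, DEMO_KEY)
```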
7. Tool Containment
Tool Call Witnessing
Anthropic requires: Sandboxed tool execution with explicit allow-listing.
How SWT3 addresses it: wrapTool() intercepts every tool call and records the tool name, input hash, output hash, execution latency, and success/failure status. The .swt3.yaml policy file declares mcp_policy.tool_allowlist and mcp_policy.tool_blocklist with glob pattern matching. Tools not on the allowlist produce witness anchors flagged as policy violations. Velocity limits (max_velocity) cap the rate of tool execution to prevent automated exploitation loops.
procedure_id = AI-TOOL.1. Each record shows exactly which tool was called, whether it was on the allowlist, and what the outcome was.
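An added example (not the SWT3 SDK) of the allowlist, blocklist and max_velocity checks described above, evaluated the way a witness layer records them: every call yields a record, and violations are flagged rather than silently dropped. The policy dict mirrors the mcp_policy keys named on the page; the one-second velocity window, blocklist-over-allowlist precedence, counting of blocked attempts toward velocity, and the record field names are assumptions.

```python
import fnmatch
from collections import deque

# Constructed policy mirroring the .swt3.yaml keys named on the page.
POLICY = {
    "policy_version": "demo-v1",
    "mcp_policy": {
        "tool_allowlist": ["search_*", "read_file"],
        "tool_blocklist": ["search_admin_*"],
        "max_velocity": 3,  # assumption: max tool calls per WINDOW_MS
    },
}
WINDOW_MS = 1000  # assumption: sliding window for the velocity limit

class ToolPolicyWitness:
    def __init__(self, policy: dict):
        self.mcp = policy["mcp_policy"]
        self.version = policy["policy_version"]
        self.calls = deque()  # timestamps of recent attempts, blocked ones included

    @staticmethod
    def _matches(name: str, patterns: list) -> bool:
        return any(fnmatch.fnmatchcase(name, p) for p in patterns)

    def evaluate(self, tool_name: str, ts_ms: int) -> dict:
        # Produce the AI-TOOL.1 record for one call; blocklist wins over allowlist.
        violations = []
        if self._matches(tool_name, self.mcp["tool_blocklist"]):
            violations.append("blocklisted")
        elif not self._matches(tool_name, self.mcp["tool_allowlist"]):
            violations.append("not_allowlisted")
        # Drop attempts older than the window, then count this one
        while self.calls and ts_ms - self.calls[0] >= WINDOW_MS:
            self.calls.popleft()
        self.calls.append(ts_ms)
        if len(self.calls) > self.mcp["max_velocity"]:
            violations.append("velocity_exceeded")
        return {
            "procedure_id": "AI-TOOL.1",
            "tool": tool_name,
            "policy_version": self.version,  # which permission set was active
            "ts_ms": ts_ms,
            "allowed": not violations,
            "violations": violations,
        }
```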
8. Prompt Injection Defense
Guardrail Presence and Output Classification
Anthropic requires: Defense against prompt injection and context spoofing attacks.
How SWT3 addresses it: SWT3 does not perform prompt filtering. That is the role of guardrail tools (Prompt Guard, NeMo Guardrails, Claude's native safety layer). What SWT3 does is witness whether guardrails were active and what they detected. AI-GRD.1 records whether required guardrails were present at inference time. AI-GRD.2 records output classification results. AI-SEC.1 records security scan scores and threat types. In gatekeeper mode (strict: true), the SDK will not proceed with inference if required guardrails are absent.
9. Supply Chain Security
Supply Chain Attestation
Anthropic requires: Resilience against supply chain attacks on agent components and dependencies.
How SWT3 addresses it: AI-SUPPLY.1 witnesses the supply chain attestation for the agent's deployment. AI-SBOM.1 records a software bill of materials with dependency hashes, versions, and license information. AI-SKILL.1 witnesses the loaded skill manifest at initialization, creating a cryptographic snapshot of what was loaded before any skill executes. AI-MDL.5 provides file-level model weight hashing to detect unauthorized model changes.
10. Memory Poisoning Defense
Memory Context Witnessing
Anthropic requires: Defense against memory poisoning: adversarial inputs that persist in agent memory and alter future behavior.
How SWT3 addresses it: AI-SKILL.2 witnesses the memory context state, recording what the agent's persistent memory contained at the time of inference. This creates a forensic trail showing whether memory was altered between sessions. The clearing engine (Levels 1-3) strips sensitive content from memory attestation records before transmission, preventing the witness layer itself from becoming a memory exfiltration vector.
11. Multi-Agent Coordination
Multi-Agent Handoff and Chain Trust
Anthropic requires: Secure coordination between multiple agents with maintained security boundaries.
How SWT3 addresses it: AI-MULTI.1 records when an agent delegates work to another agent, capturing the source agent, destination agent, task description, and trust level at the handoff boundary. AI-CHAIN.2 verifies chain trust by recording the trust level, verification method, and peer credential at each inter-agent boundary. The Trust Mesh protocol (trust_mesh.mode: strict) requires bilateral credential exchange before any data crosses agent boundaries. The chainMinTrustLevel setting enforces a minimum trust floor for all chain handoffs.
12. Agentic SOAR and Incident Response
Incident Classification and Response Attestation
Anthropic requires: Defensive operations that match AI-accelerated attacker speed. Agentic SOAR capabilities.
How SWT3 addresses it: AI-INCIDENT.1 records incident classifications, severity levels, and response actions. Combined with the OTel exporter, witness anchors can feed directly into existing SIEM/SOAR platforms (Splunk, Datadog, Elastic) for automated response orchestration. The Regulatory Webhook API pushes compliance events to external GRC tools in real time. SWT3 provides the evidence layer for SOAR, not the orchestration engine itself.
13. Breach Assumption and Audit
Audit Trail Integrity
Anthropic requires: Comprehensive breach assumption posture. All actions auditable even after a compromise.
How SWT3 addresses it: The witness ledger is append-only and stored outside the model runtime. Even if the AI agent is fully compromised, the witness records have already been transmitted to an independent infrastructure. The Merkle accumulator computes daily rollup roots, allowing any historical anchor to be proven consistent with all others. The Write-Ahead Log (WAL) provides local forensic recovery with sequence numbers and checkpoint verification. The deterministic fingerprint formula means any anchor can be independently recomputed and verified without trusting the original minting system.
/verify endpoint to verify any anchor's fingerprint. Request the Merkle proof via /api/v1/merkle/proof?fingerprint=xxx to demonstrate tamper-evident consistency with the daily rollup.
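As an added illustration, not SWT3's own accumulator code, of the daily rollup and Merkle proof described above: the root over a day's anchor fingerprints, an inclusion proof for one fingerprint, and the verifier's recomputation from only the fingerprint, the sibling path and the pinned root. The fingerprints are constructed; the leaf/node domain separation and odd-level duplication are assumptions about tree shape, not SWT3's wire format.

```python
import hashlib

def _leaf(fingerprint: str) -> bytes:
    # Assumption: 0x00 prefix for leaves, 0x01 for inner nodes (second-preimage hardening)
    return hashlib.sha256(b"\x00" + fingerprint.encode("utf-8")).digest()

def _node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _levels(fingerprints: list) -> list:
    # Build every level bottom-up; an odd level duplicates its last node (assumption)
    level = [_leaf(fp) for fp in fingerprints]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [_node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def daily_root(fingerprints: list) -> str:
    # The rollup root an auditor pins for the day
    return _levels(fingerprints)[-1][0].hex()

def merkle_proof(fingerprints: list, index: int) -> list:
    # Sibling path from leaf `index` up to the root as (hex, side) pairs; side is where the sibling sits
    proof = []
    for level in _levels(fingerprints)[:-1]:
        if len(level) % 2:
            level = level + [level[-1]]
        sibling = index ^ 1
        proof.append((level[sibling].hex(), "L" if sibling < index else "R"))
        index //= 2
    return proof

def verify_proof(fingerprint: str, proof: list, root_hex: str) -> bool:
    # Verifier recomputes upward; a forged or altered fingerprint cannot reach the pinned root
    acc = _leaf(fingerprint)
    for sibling_hex, side in proof:
        sibling = bytes.fromhex(sibling_hex)
        acc = _node(sibling, acc) if side == "L" else _node(acc, sibling)
    return acc.hex() == root_hex

# Constructed day of anchor fingerprints (12 hex chars each, as the fingerprint formula produces)
DEMO_DAY = ["3fa1c2e49b07", "8d0e77a1c4f2", "b51e0c9d2a63", "0ac4f7e812d9", "e7d2a90b4c15"]
```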
14. Quick Start
Add SWT3 witnessing to an Anthropic Claude agent deployment:
Python:

```shell
pip install swt3-ai
```

```python
import hashlib
from swt3_ai import SWT3Witness

def sha256(text: str) -> str:
    # Hex digest of the UTF-8 text; SWT3 receives hashes, never the raw prompt or response
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

witness = SWT3Witness(
    tenant_id="YOUR_TENANT",
    agent_id="claude-agent-prod",
    signing_key_env="SWT3_SIGNING_KEY",  # key is read from the environment, never passed inline
)

# Witness every inference (prompt and response come from your agent loop)
inference_result = witness.witness(
    model="claude-sonnet-4-6",
    prompt_hash=sha256(prompt),
    response_hash=sha256(response),
    procedure="AI-INF.1",
)

# Witness tool calls (input_data and output_data are the tool's actual arguments and result)
tool_result = witness.wrap_tool("search_database", input_data, output_data)
```

TypeScript:

```shell
npm install @tenova/swt3-ai
```

```typescript
import { createHash } from 'node:crypto';
import { SWT3Witness } from '@tenova/swt3-ai';

// Hex digest of the UTF-8 text; SWT3 receives hashes, never the raw prompt or response
const sha256 = (text: string): string => createHash('sha256').update(text, 'utf8').digest('hex');

const witness = new SWT3Witness({
  tenantId: 'YOUR_TENANT',
  agentId: 'claude-agent-prod',
  signingKeyEnv: 'SWT3_SIGNING_KEY', // key is read from the environment, never passed inline
});

// Witness every inference (prompt and response come from your agent loop)
const inferenceResult = await witness.witness({
  model: 'claude-sonnet-4-6',
  promptHash: sha256(prompt),
  responseHash: sha256(response),
  procedure: 'AI-INF.1',
});

// Witness tool calls (inputData and outputData are the tool's actual arguments and result)
const toolResult = await witness.wrapTool('search_database', inputData, outputData);
```
15. Coverage Summary
| Anthropic Requirement | SWT3 Procedures | Coverage |
|---|---|---|
| Cryptographic agent identity | AI-ID.1 | Full |
| Task-scoped permissions | AI-ACC.1, AI-TOOL.1 | Full |
| Prompt-to-action traceability | AI-INF.1, AI-CHAIN.1 | Full |
| Tool containment | AI-TOOL.1 | Full |
| Prompt injection defense | AI-GRD.1, AI-GRD.2 | Partial |
| Supply chain security | AI-SUPPLY.1, AI-SBOM.1 | Full |
| Memory poisoning defense | AI-SKILL.2 | Partial |
| Multi-agent coordination | AI-MULTI.1, AI-CHAIN.2 | Full |
| Agentic SOAR | AI-INCIDENT.1 | Partial |
| Breach assumption / audit | AI-AUDIT.1 | Full |
| Identity/privilege abuse | AI-ACC.1, AI-SEC.1 | Full |
8 of 11 requirements: Full coverage through direct witnessing and evidence production.
3 of 11 requirements: Partial coverage. SWT3 witnesses the control state but the primary defense mechanism (prompt filtering, memory isolation, SOAR orchestration) requires additional tooling.