How to Add Independent Compliance Attestation to Cisco AI Defense

Audience: Security architects, SOC managers, compliance officers, and AI platform teams deploying Cisco AI Defense alongside independent compliance evidence requirements.

Key distinction: Cisco AI Defense enforces security policies. SWT3 provides independent proof that those policies were active and functioning. Defense is the bodyguard. SWT3 is the notary.

1. What Cisco AI Defense Is

Cisco AI Defense is a runtime AI security platform. It operates at the network and application layer to protect AI workloads from adversarial inputs, unauthorized access, and policy violations. Its capabilities include:

Guardrails: Input and output content filtering to enforce acceptable use policies on AI models.
Prompt injection detection: Classification and blocking of adversarial prompt patterns before they reach the model.
Content filtering: Output scanning to prevent generation of harmful, biased, or policy-violating content.
Model access controls: Authentication and authorization for model endpoints, restricting which users, applications, and agents can invoke inference.

These are enforcement capabilities. They actively block threats and enforce organizational policy at runtime.

The attestation gap

AI Defense blocks threats but produces no independent, cryptographic proof that protections were active at the time of each inference. Its logs are internal to the Cisco platform. Auditors cannot independently verify that defenses were running without trusting Cisco's own telemetry. For regulatory frameworks that require independent evidence -- EU AI Act Article 9, NIST AI RMF Govern 1.7, CMMC AC-3 -- vendor self-reporting is insufficient. A separate, architecturally independent witness is required.

2. The Defense-in-Depth Gap

Security products enforce. Compliance requires proof of enforcement. These are structurally different functions, and conflating them creates a gap that auditors and regulators increasingly identify as a control deficiency.

Without independent attestation, an organization must rely on vendor self-reporting to demonstrate that its AI security controls were operational. This creates three problems:

Single point of trust: If the security layer is compromised, its own logs are compromised with it. Evidence generated by the system under evaluation cannot independently prove the system was functioning.
Audit independence: Regulatory bodies under the EU AI Act, NIST AI RMF, and CMMC require evidence from a system that is architecturally independent of the enforcement mechanism. A firewall's own logs do not prove the firewall was running -- an external witness does.
Temporal coverage: Point-in-time security reports do not prove that controls were active during every inference. Continuous attestation requires per-event witnessing.

SWT3 closes this gap by witnessing the security layer from outside the security layer. It does not inspect, filter, or modify inference. It records what happened, whether it matched declared policy, and produces tamper-evident evidence that survives a compromise of the enforcement layer itself.

3. What SWT3 Witnesses

The following table maps Cisco AI Defense capabilities to SWT3 witness procedures. Each row describes what the enforcement layer does and what the witness layer records as independent evidence.

AI Defense Capability	SWT3 Procedure	What SWT3 Records
Prompt injection detection	`AI-SEC.1`	Detection event hash, classifier output, action taken (block/allow/flag)
Input guardrails	`AI-GRD.1`	Guardrail name, threshold configuration, evaluation result
Output guardrails	`AI-GRD.2`	Output filter state, content classification, pass/fail decision
Model access control	`AI-ACC.1`	Authorization decision, requester identity, resource accessed
Behavioral violations	`AI-VIO.1`	Violation type, severity classification, response action taken
Model identity	`AI-MDL.1`	Model hash, version identifier, expected vs. actual model verification

Each witness record is a SWT3 Witness Anchor -- a cryptographic fingerprint that is immutable, timestamped, and independently verifiable without access to the Cisco platform.

4. Procedure Detail

AI-SEC.1

Security Scan Attestation

Witnesses the output of prompt injection classifiers and adversarial input detectors. Records the detection event as a hashed fingerprint, the classifier's confidence score, and the enforcement action (block, flag, or allow). Produces an independent record that the detection mechanism was active and rendered a decision at the time of inference.

Factor A: Detection event hash. Factor B: Classifier output and confidence. Factor C: Enforcement action taken.

Assessor tip: Request the AI-SEC.1 anchor trail for a specific time window. Compare the count of witnessed detection events against Cisco AI Defense's internal detection log for the same period. A matching count with independent fingerprints proves the detector was active and processing inputs continuously -- not just at the time of a compliance snapshot.

AI-GRD.1

Input Guardrail Attestation

Witnesses the presence and evaluation of input guardrails before inference. Records which guardrail was applied, the configured threshold, and the evaluation result (pass or reject). Produces evidence that the guardrail existed, was configured to the declared policy, and rendered a decision on the specific input.

Factor A: Guardrail identifier and version. Factor B: Threshold configuration. Factor C: Evaluation result (pass/reject).

Assessor tip: Compare the policy_version hash in the AI-GRD.1 anchor against the organization's declared guardrail policy. If the hashes diverge, the guardrail configuration was changed between policy approval and runtime enforcement -- a finding that warrants investigation.

AI-VIO.1

Behavioral Violation Attestation

Witnesses behavioral policy violations detected by AI Defense. Records the violation type (content policy, safety threshold, usage policy), severity classification, and the response action taken by the enforcement layer (block, degrade, alert). Produces evidence that the violation was detected, classified, and responded to in real time.

Factor A: Violation type and category. Factor B: Severity classification. Factor C: Response action taken.

Assessor tip: For EU AI Act Article 9 compliance, verify that AI-VIO.1 anchors exist for every severity classification in the organization's risk management policy. The absence of any violation-class anchors over an extended period may indicate that the detection mechanism was disabled or misconfigured, not that no violations occurred.

AI-ACC.1

Access Control Attestation

Witnesses model access control decisions. Records the requester identity, the resource (model endpoint) accessed, the authorization method, and the decision (permit or deny). Produces evidence that access controls were evaluated and enforced at the time of each inference request.

Factor A: Requester identity hash. Factor B: Resource and authorization method. Factor C: Access decision (permit/deny).

Assessor tip: Cross-reference AI-ACC.1 deny anchors against the organization's access control policy. Every deny decision should correspond to an unauthorized requester or an out-of-scope resource. Deny anchors with no matching policy rule suggest the access control configuration has drifted from the approved baseline.

5. Quick Reference

Procedure	Name	Enforcement Layer	Witness Layer	Coverage
`AI-SEC.1`	Security Scan	Cisco AI Defense detects and blocks prompt injection	SWT3 records detection event, classifier output, action	Full
`AI-GRD.1`	Input Guardrail	Cisco AI Defense filters input content	SWT3 records guardrail config, threshold, result	Full
`AI-GRD.2`	Output Guardrail	Cisco AI Defense filters output content	SWT3 records filter state, classification, decision	Full
`AI-ACC.1`	Access Control	Cisco AI Defense enforces model access	SWT3 records requester, resource, decision	Full
`AI-VIO.1`	Violation Response	Cisco AI Defense classifies and responds to violations	SWT3 records violation type, severity, action	Full
`AI-MDL.1`	Model Identity	Cisco AI Defense verifies model endpoints	SWT3 records model hash, version, integrity check	Partial

Coverage key: Full = SWT3 directly witnesses the control and produces independent auditable evidence. Partial = SWT3 provides supporting attestation; the primary verification mechanism requires additional tooling or vendor cooperation.

6. Quick Start

The following examples demonstrate how to add SWT3 witnessing alongside Cisco AI Defense. The witness layer wraps the inference client. It does not replace or interfere with AI Defense's enforcement -- it records independent proof that the enforcement was active.

Python

pip install swt3-ai

from swt3_ai import SWT3Witness

witness = SWT3Witness(
    tenant_id="YOUR_TENANT",
    agent_id="cisco-ai-defense-proxy"
)

# AI Defense enforces guardrails at the network layer.
# SWT3 witnesses the guardrail state independently.

# Record that input guardrails were evaluated
witness.witness_guardrail(
    guardrail_name="cisco-prompt-injection-v2",
    threshold=0.85,
    evaluation_result="pass",
    model="gpt-4o"
)

# Record the access control decision
witness.witness_access(
    resource="model/gpt-4o",
    decision="permit",
    requester="app-service-account-12",
    method="oauth2-client-credentials"
)

# Flush anchors to the compliance ledger
witness.flush()

TypeScript

npm install @tenova/swt3-ai

import { SWT3Witness } from "@tenova/swt3-ai";

const witness = new SWT3Witness({
  tenantId: "YOUR_TENANT",
  agentId: "cisco-ai-defense-proxy",
});

// AI Defense enforces guardrails at the network layer.
// SWT3 witnesses the guardrail state independently.

// Record that input guardrails were evaluated
witness.witnessGuardrail({
  guardrailName: "cisco-prompt-injection-v2",
  threshold: 0.85,
  evaluationResult: "pass",
  model: "gpt-4o",
});

// Record the access control decision
witness.witnessAccess({
  resource: "model/gpt-4o",
  decision: "permit",
  requester: "app-service-account-12",
  method: "oauth2-client-credentials",
});

// Flush anchors to the compliance ledger
await witness.flush();

For connected mode (cloud ledger), set the SWT3_DSN environment variable and anchors will stream to the compliance ledger automatically. In local mode, anchors are stored locally and can be verified offline.

7. References

SWT3 SDK Documentation -- Python and TypeScript API reference
UCT Registry -- browse all compliance procedures
Verify Anchor -- independent anchor verification
Threat Model -- security architecture for the witness layer
Integration Patterns -- common deployment architectures
CI/CD Guide -- automated attestation in deployment pipelines

This guide is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. Regulatory mappings and crosswalk interpretations reflect the publisher's analysis and may not address all obligations applicable to your organization. Consult qualified legal counsel before making compliance decisions based on this content.

Patent Pending. SWT3 and Sovereign Witness Traceability are trademarks of Tenable Nova LLC.

Cisco and Cisco AI Defense are trademarks of Cisco Systems, Inc. TeNova is not affiliated with Cisco Systems, Inc. All third-party trademarks are the property of their respective owners.

Clearing Addendum · SDK Docs · Verify Anchor · Registry · Home