Adding cryptographic accountability to Cisco Cloud Control agent operations through native MCP integration with the SWT3 witness protocol
For: Platform engineers, security architects, and compliance officers deploying Cisco Cloud Control
Time: 12 minutes to read; 30 minutes to integrate
@tenova/swt3-mcp) plugs directly into its architecture as an additional MCP server -- no SDK wrapping or custom integration code required.
Cisco Cloud Control is Cisco's agentic operations platform for infrastructure management. It provides an MCP-native architecture with 50+ pre-built connectors spanning cloud providers, network devices, and security appliances. Agents operating within Cloud Control execute actions across cloud, network, and security domains -- provisioning resources, modifying firewall rules, rotating credentials, and orchestrating multi-step workflows.
Cloud Control provides:
Cloud Control logs actions internally, but these logs are produced by the same system that executed the actions. For regulated environments -- federal agencies, financial institutions, organizations subject to the EU AI Act -- an auditor or examiner needs independent, cryptographic proof of what agents did. Internal logs alone do not satisfy the independence requirement.
SWT3 fills this gap by operating as an out-of-band witness layer that produces tamper-evident attestation records verifiable by any third party, without requiring access to the Cisco environment.
The following table maps Cloud Control concepts to the SWT3 procedures that independently witness them.
| Cloud Control Concept | SWT3 Procedure | What It Witnesses |
|---|---|---|
| Agent tool invocations | AI-TOOL.1 |
Tool name, call ID, outcome hash |
| Agent identity | AI-ID.1 |
Agent identifier, version, capability scope |
| Multi-agent delegation | AI-CHAIN.1 |
Handoff from orchestrator to specialist agents |
| Access decisions | AI-ACC.1 |
Authorization checks at tool boundary |
| Guardrail evaluation | AI-GRD.1 |
Input parameter validation before execution |
| Policy version | AI-GRD.3 |
Active policy at time of evaluation |
Each witness record produces an immutable SWT3 Witness Anchor with a SHA-256 fingerprint. These anchors are independently verifiable at sovereign.tenova.io/verify by any auditor, Notified Body, or C3PAO -- no Cisco infrastructure access required.
Because Cloud Control is MCP-native, the SWT3 MCP server integrates directly as an additional MCP server in the architecture. There is no need for SDK wrapping, custom middleware, or code-level changes to your agents. The SWT3 MCP server (@tenova/swt3-mcp) registers its witness tools alongside Cloud Control's existing connectors, making them available to any agent in the environment.
witness_inference, witness_tool_call, witness_chain, and others) without any modification to the agent logic itself.
The MCP client configuration adds the SWT3 witness server alongside Cloud Control's existing MCP servers:
{
"mcpServers": {
"cloud-control-aws": {
"command": "cloud-control",
"args": ["--connector", "aws"]
},
"cloud-control-meraki": {
"command": "cloud-control",
"args": ["--connector", "meraki"]
},
"swt3-witness": {
"command": "npx",
"args": ["-y", "@tenova/swt3-mcp"],
"env": {
"SWT3_API_KEY": "axm_live_...",
"SWT3_TENANT_ID": "YOUR_TENANT",
"SWT3_AGENT_ID": "cloud-control-orchestrator",
"SWT3_SIGNING_KEY": "your-signing-key"
}
}
}
}Once configured, agents can invoke witness tools directly through MCP tool calls. The SWT3 MCP server exposes 16 tools and 2 resources, including witness_inference, witness_tool_call, witness_chain, witness_access, and verify_anchor.
This pattern preserves Cloud Control's existing connector architecture while adding an independent compliance evidence layer that operates entirely out-of-band.
What Cloud Control does: Agents invoke tools through MCP connectors -- provisioning VMs, modifying ACLs, querying monitoring endpoints. Cloud Control logs these actions internally.
What SWT3 witnesses: Each tool call is independently recorded with the tool name, a unique call identifier, input parameter hash, and outcome hash. The witness anchor proves that a specific tool was called at a specific time with a specific result, without storing the raw parameters (privacy-preserving).
Clearing levels: Level 0 (Analytics) retains tool name and outcome. Level 2 (Sensitive) adds parameter hashes. Level 3 (Classified) adds full jurisdiction and legal basis metadata.
Assessor Tip
Request the witness anchor for a specific tool invocation and verify it at sovereign.tenova.io/verify. The fingerprint in the anchor can be independently recomputed from the factor values, confirming the record was not altered after creation.
What Cloud Control does: Agents have internal identifiers and permission scopes within the Cloud Control environment.
What SWT3 witnesses: The agent_id field is embedded in every witness anchor, cryptographically binding actions to a specific agent identity. When combined with HMAC-SHA256 or ML-DSA-65 payload signing, the agent's identity is independently verifiable. An auditor can confirm which agent performed which action without relying on Cloud Control's internal identity system.
Assessor Tip
Verify that the agent_id in witness anchors matches the agent registry in Cloud Control. The signing key ensures that anchors cannot be forged by a different agent claiming the same identity.
What Cloud Control does: Orchestrator agents delegate tasks to specialist agents scoped to specific connectors (e.g., an AWS specialist, a Meraki specialist). These delegation chains can span multiple levels.
What SWT3 witnesses: Each handoff in the delegation chain is witnessed with the parent agent, child agent, task description hash, and chain depth. This produces a forensic timeline showing exactly how a multi-step operation was decomposed and executed across agents. The chain monitor can reconstruct the full delegation tree for audit review.
Assessor Tip
For complex multi-agent operations, request the chain forensic report. It shows the full delegation tree with timestamps, agent identifiers, and outcome status at each node. Verify that no unauthorized agents participated in the chain.
What Cloud Control does: Connectors enforce access policies -- agents can only invoke tools they are authorized to use, scoped by resource type and action.
What SWT3 witnesses: Each access decision (grant or deny) is independently recorded with the authorization_id, target resource identifier, and decision outcome. The pre-inference authorization gate ensures that access approval is witnessed before the tool executes, not retroactively. This provides an independent audit trail of authorization decisions separate from Cloud Control's internal access logs.
Assessor Tip
Compare the access decision anchors against Cloud Control's internal access logs. The two records should be consistent. Any discrepancy indicates either a logging gap or a policy bypass that warrants investigation.
| Procedure | Namespace | Cloud Control Use Case | MCP Tool |
|---|---|---|---|
AI-TOOL.1 |
TOOL | Connector tool invocations (provision, modify, query) | witness_tool_call |
AI-ID.1 |
ID | Agent identity binding for orchestrators and specialists | witness_inference |
AI-CHAIN.1 |
CHAIN | Orchestrator-to-specialist delegation chains | witness_chain |
AI-ACC.1 |
ACC | Connector-level authorization decisions | witness_access |
AI-GRD.1 |
GRD | Input parameter validation before tool execution | witness_inference |
AI-GRD.3 |
GRD | Active governance policy version at evaluation time | witness_inference |
No installation required. The MCP server runs via npx:
npx -y @tenova/swt3-mcpAdd the swt3-witness entry to your MCP client configuration file alongside your existing Cloud Control connectors:
{
"mcpServers": {
"swt3-witness": {
"command": "npx",
"args": ["-y", "@tenova/swt3-mcp"],
"env": {
"SWT3_API_KEY": "axm_live_...",
"SWT3_TENANT_ID": "YOUR_TENANT",
"SWT3_AGENT_ID": "cloud-control-orchestrator",
"SWT3_SIGNING_KEY": "your-signing-key"
}
}
}
}Once the MCP server is running, agents can discover and invoke witness tools through standard MCP tool discovery. Verify with the verify_anchor tool or at sovereign.tenova.io/verify.
| Variable | Required | Description |
|---|---|---|
SWT3_API_KEY |
Yes | Tenant API key (prefix axm_live_ or axm_trial_) |
SWT3_TENANT_ID |
Yes | Tenant identifier from your account |
SWT3_AGENT_ID |
No | Agent identifier embedded in all anchors (AI-ID.1) |
SWT3_SIGNING_KEY |
No | HMAC-SHA256 key for payload signing |
SWT3_CLEARING_LEVEL |
No | Data retention level: 0 (Analytics), 1 (Standard), 2 (Sensitive), 3 (Classified) |
For a free trial account, visit sovereign.tenova.io/signup. An API key is generated immediately upon registration.