How to Measure AI Compliance Coverage with SWT3 Witness Anchors

Who this is for: You instrument AI systems with the SWT3 SDK. A coverage report shows which procedures you have instrumented and which remain uncovered, mapped to the regulatory framework your auditor evaluates against. This guide explains how to read a coverage report and act on the gaps.
Universal framing
SWT3 is an industry-agnostic cryptographic witness protocol. Coverage requirements depend on your auditor's framework, not your industry. The same anchors satisfy EU AI Act, NIST AI RMF, CMMC, and SR 11-7 through framework crosswalks.

1. Know Your Gaps Before Your Auditor Does

The worst audit outcome is discovering gaps during the assessment. A coverage report is like a pre-flight checklist: it shows you what is instrumented and what is missing before your auditor arrives.

Every green cell is a procedure with verified anchors. Every red cell is a gap your auditor will flag. The report turns abstract compliance requirements into a concrete engineering task list.

Gaps found before the assessment are fixable. Gaps found during the assessment become findings. The difference between those two outcomes is a coverage report.

2. What a Coverage Report Shows

Static Mockup: EU AI Act Coverage
73% Coverage
58 / 80 procedures covered
EU AI Act
NIST AI RMF
SR 11-7

Procedure Grid

AI-INF.1AI-INF.2AI-INF.3 AI-MDL.1AI-MDL.5AI-MDL.6 AI-MDL.7AI-GRD.1AI-GRD.2 AI-GRD.3AI-ID.1AI-TOOL.1 AI-ACC.1AI-RAG.1AI-RAG.2 AI-REV.1AI-SEC.1AI-SEC.2 AI-HITL.1AI-CHAIN.1AI-CHR.1 AI-SAFE.1AI-HW.1AI-TRUST.1 AI-TRUST.2AI-MARK.1AI-BASE.1 AI-LIC.1AI-SKILL.1AI-SKILL.2 AI-SKILL.3AI-VIO.1AI-MULTI.1 AI-SBOM.1AI-AUDIT.1AI-AUDIT.2 AI-TRANS.1AI-PERF.1AI-CYBER.1 AI-ROBUST.1AI-CONSENT.1AI-PMM.1 AI-INCIDENT.1AI-SUPPLY.1AI-WATERMARK.1 AI-AUTO.1AI-AUTO.2AI-DATA.2 AI-DATA.3AI-DATA.4AI-REDTEAM.1 AI-INF.4AI-INF.5AI-MDL.2 AI-MDL.3AI-MDL.4AI-GRD.4 AI-SEC.3AI-DRIFT.1 AI-FAIR.1AI-FAIR.2AI-FAIR.3 AI-DATA.1AI-DPIA.1AI-EXPL.1 AI-DUALUSE.1AI-EXPL.2AI-EXPL.3 AI-FAIR.4AI-DATA.5AI-DATA.6 AI-DRIFT.2AI-DRIFT.3AI-PERF.2 AI-PERF.3AI-ROBUST.2AI-ROBUST.3 AI-CYBER.2AI-CYBER.3AI-TRANS.2

This is a static mockup. The live coverage report is generated by the SWT3 SDK demo or the Axiom platform.

3. Reading the Gap List

Each uncovered procedure appears as a gap card. The card tells you what is missing, why it matters, and where to find instrumentation guidance.

AI-DRIFT.1 Model Drift Detection

Not Observed

No drift monitoring anchors found in the assessment window. Your auditor checks this under EU AI Act Art. 9(2)(b) and NIST AI RMF MEASURE 2.6.

How to instrument Auditor's view

AI-FAIR.1 Bias Detection

Not Observed

No fairness testing anchors found. Your auditor checks this under EU AI Act Art. 10(2)(f) and NIST AI RMF MEASURE 2.5.

How to instrument Auditor's view

AI-DPIA.1 Data Protection Impact Assessment

Not Observed

No DPIA anchors found. Your auditor checks this under EU AI Act Art. 27 and GDPR Art. 35.

How to instrument FRIA/DPIA mapping guide

AI-EXPL.1 Explanation Generation

Partial

2 anchors found, but none in the last 30 days. Your auditor may flag this as stale evidence.

How to instrument Auditor's view

4. Coverage by Framework

Framework Total Procedures After Client Wrapping After Full SDK Integration
EU AI Act (Regulation 2024/1689) 80 ~5 covered ~58 covered
NIST AI RMF (AI 100-1) 80 ~5 covered ~58 covered
CMMC / NIST 800-53 30 ~5 covered ~22 covered
SR 11-7 (OCC 2011-12) 19 ~3 covered ~15 covered

Coverage depth depends on which integration patterns you adopt. Client wrapping alone covers inference witnessing. Full SDK integration adds RAG, tool, identity, access control, drift, fairness, and model metadata witnessing.

5. From Coverage Report to Auditor Checklist

Every green cell in your coverage report corresponds to a checked row in your auditor's assessment checklist at /registry/checklist.html. Every red cell is a procedure your auditor will mark as a gap.

The coverage report and the checklist are two views of the same data. Yours shows what you have built. Theirs shows what they need to verify. Closing the gap between these two views before the assessment is the purpose of the coverage report.

See the assessment mapping guide for a full walkthrough of how procedures map to assessment objectives.

6. Generating Your Coverage Report

The SWT3 SDK demo generates a local HTML coverage report showing which procedures have been demonstrated and which need production data. Run the demo locally to see your starting position. Connect to the Axiom platform to track coverage across your full inference history over time.

See the SDK documentation for quickstart instructions and the before and after guide for integration patterns.