Cryptographic attestation for on-device AI inference. Hashes only, raw data never leaves the device. Works offline, syncs when ready.
Who this is for: iOS/macOS/visionOS developers deploying on-device AI models, edge Kubernetes operators, compliance teams responsible for AI systems that run outside traditional cloud infrastructure, and auditors evaluating edge AI deployments.
AI inference is moving to the edge. Core ML models run on iPhones. LLMs run on local GPUs. Vision models run on drones, vehicles, and industrial sensors. The EU AI Act does not exempt on-device inference from transparency obligations.
Article 12 requires high-risk AI systems to have logging capabilities that enable traceability. Article 9 requires risk management across the full lifecycle, including deployment environments. Article 53 requires GPAI model providers to maintain technical documentation. None of these carve out edge deployments.
The challenge: how do you prove what an AI system did when it runs on hardware you do not control, in locations you cannot access, potentially without network connectivity?
SWT3 solves this by hashing inference inputs and outputs locally, minting a cryptographic fingerprint on-device, and transmitting only irreversible hashes. The raw prompts, responses, model weights, and sensor data never leave the device. The attestation is verifiable by any auditor, in any language, without access to the original data.
The SWT3 Swift SDK provides native attestation for Apple platforms. Zero external dependencies on iOS, macOS, watchOS, tvOS, and visionOS. Uses Apple's CryptoKit for all cryptographic operations.
// Package.swift
dependencies: [
.package(url: "https://github.com/tenova-labs/swt3-ai-swift.git", from: "0.5.8"),
],
targets: [
.target(dependencies: [
.product(name: "SWT3", package: "swt3-ai-swift"),
]),
]
import SWT3
// Hash locally -- raw text never leaves the device
let promptHash = SWT3.sha256Truncated("Analyze this medical image...")
let responseHash = SWT3.sha256Truncated("No abnormalities detected.")
// Mint the attestation fingerprint
let fp = SWT3.mintFingerprint(
tenant: "MY_CLINIC",
procedure: "AI-INF.1",
factorA: 1, factorB: 42, factorC: 0,
timestampMs: SWT3.timestampMs().ms
)
// Sign for non-repudiation
let sig = SWT3.signPayload(
key: "swt3_sk_clinic_key",
fingerprint: fp,
agentId: "radiology-assistant"
)
Privacy guarantee: The SHA-256 hash is a one-way function. sha256Truncated("Analyze this medical image...") produces a3b7c9d1e2f4. The original text cannot be recovered from the hash. Only the 12-character digest is transmitted.
The Swift SDK includes a dedicated Core ML integration that witnesses predictions without inspecting the raw tensor data. Available on iOS, macOS, and visionOS.
import SWT3
import CoreML
// Load your compiled model
let model = try MLModel(contentsOf: modelURL)
// Run prediction as normal
let prediction = try model.prediction(from: inputProvider)
// Witness the prediction (AI-INF.1)
let payload = SWT3.witnessPrediction(
model: model,
input: inputProvider,
output: prediction,
latencyMs: 42,
tenant: "MY_TENANT",
clearingLevel: 1,
agentId: "fraud-detector-v3"
)
// payload.anchorFingerprint -- ready to store or transmit
// payload.aiModelId -- extracted from model metadata
// payload.aiLatencyMs -- inference latency for drift detection
| Field | Source | What Leaves the Device |
|---|---|---|
| Model ID | MLModel.modelDescription metadata | Model name (or hash at Clearing Level 3) |
| Input Hash | Feature provider names and types, sorted | 12-char hex digest |
| Output Hash | Feature provider names and types, sorted | 12-char hex digest |
| Latency | Measured by caller | Integer milliseconds |
The SDK hashes the feature provider descriptions (field names and data types), not the raw tensor values. This produces a stable digest that proves the model was invoked with a specific schema without revealing the actual input data.
For AI systems making decisions in physical space, SWT3 can prove WHERE a decision was made, not just WHAT was decided. This is critical for navigation systems, object recognition on Vision Pro, industrial inspection, and autonomous systems.
import SWT3
// worldTransform from ARKit, RealityKit, or any spatial framework
// that provides a 4x4 world-space transform matrix
let payload = SWT3.witnessSpatialInference(
procedure: "AI-INF.1",
factorA: 1,
factorB: 35,
factorC: 0,
worldTransform: anchor.transform, // simd_float4x4
tenant: "MY_WAREHOUSE",
clearingLevel: 2,
agentId: "forklift-nav-agent"
)
The 4x4 world transform matrix (16 floats, column-major) is serialized with 6 decimal places of precision and hashed into a 12-character digest. The physical coordinates are not recoverable from the hash. An auditor can verify that two decisions were made at the same location by comparing digests, without knowing the actual coordinates.
Warehouse navigation: Prove the forklift AI made a routing decision at a specific location. Industrial inspection: Prove a defect detection model was invoked at a specific position on the assembly line. Vision Pro: Prove a spatial reasoning model processed an anchor at a specific world-space coordinate.
Core ML models compile to .mlmodelc bundles. The Swift SDK can hash these bundles to detect tampering or unintended updates.
import SWT3
import CoreML
let model = try MLModel(contentsOf: modelURL)
// Witness model integrity (AI-MDL.1)
let integrity = try SWT3.witnessModelIntegrity(
model: model,
bundleURL: modelURL,
tenant: "MY_TENANT",
clearingLevel: 1
)
// integrity.aiResponseHash -- hash of the .mlmodelc bundle
// Compare across deployments to detect model drift
For standalone model files (ONNX, TensorFlow, PyTorch), use the general-purpose hash utilities:
// Hash a single model file
let fileHash = try SWT3.hashFile(at: modelFileURL)
// Hash an entire model directory
let dirHash = try SWT3.hashDirectory(at: modelDirectoryURL)
For edge Kubernetes deployments (K3s, MicroK8s, KubeEdge, AWS Outposts), the SWT3 DaemonSet provides zero-config hardware attestation across every node. See the Cross-Silicon K8s Attestation Guide for full details.
helm install swt3-witness oci://ghcr.io/tenova-labs/charts/swt3-witness \
--set config.endpoint="https://sovereign.tenova.io" \
--set config.apiKey="axm_live_..." \
--set config.tenantId="MY_EDGE_CLUSTER"
The DaemonSet automatically discovers accelerator hardware (NVIDIA GPU, Google TPU, AMD MI, AWS Trainium, Intel Gaudi, or PCI fallback) and mints AI-HW.1 attestation anchors at configurable intervals. No application code changes required.
Intermittent connectivity: The DaemonSet buffers anchors locally and flushes on reconnection. Resource constraints: The witness container uses minimal memory (~32MB). Mixed silicon: A single Helm install covers heterogeneous node pools with different accelerators.
Edge devices are often offline. SWT3 is designed for this reality.
All SDK functions (fingerprint minting, signing, hashing) work entirely offline. No network calls are required to produce attestation evidence. Anchors can be accumulated in local storage and batch-transmitted when connectivity is restored.
import SWT3
// Mint fingerprints offline -- no network required
var localAnchors: [WitnessPayload] = []
let payload = SWT3.witnessPrediction(
model: model,
input: inputProvider,
output: prediction,
latencyMs: 42,
tenant: "MY_TENANT"
)
localAnchors.append(payload)
// When connectivity is restored, serialize and POST to /api/v1/witness/batch
let encoder = JSONEncoder()
let data = try encoder.encode(localAnchors)
The Python and TypeScript SDKs include a built-in Write-Ahead Log (WAL) that persists anchors to disk and auto-flushes on reconnection:
# Python
from swt3_ai import Witness
witness = Witness(
endpoint="https://sovereign.tenova.io",
api_key="axm_live_...",
tenant_id="MY_TENANT",
wal_path="/var/lib/swt3/wal.jsonl" # Persist to disk
)
# Records are written to WAL immediately, flushed to server when available
client = witness.wrap(openai_client)
For environments with no outbound connectivity, the Axiom CLI can generate self-contained .pulse bundles that are transferred via removable media:
axiom pulse --generate --output /media/usb/enclave.pulse
# Transfer to connected environment
axiom pulse --load /media/usb/enclave.pulse
SWT3 edge attestation is privacy-by-design. The witness endpoint is a blind registrar: it stores cryptographic proofs, not your data.
| Data | On Device | Transmitted |
|---|---|---|
| Prompt text | Hashed locally (SHA-256) | 12-char hex digest only |
| Response text | Hashed locally (SHA-256) | 12-char hex digest only |
| Model weights | Hashed locally | 12-char hex digest only |
| Sensor data | Never accessed by SDK | Nothing |
| Camera/microphone | Never accessed by SDK | Nothing |
| Spatial coordinates | Hashed locally (4x4 matrix) | 12-char hex digest only |
| Model name | Plaintext at CL 0-2 | Hashed at Clearing Level 3 |
| Latency | Measured locally | Integer milliseconds |
| Token counts | Extracted from response | Integer counts |
At Clearing Level 3 (Classified), even the model name is replaced with its SHA-256 hash. The witness endpoint receives only numeric factors and irreversible digests.
GDPR / HIPAA note: Since only one-way hashes are transmitted, the attestation data does not constitute personal data or PHI under standard interpretations. The hash cannot be reversed to recover the original input. Consult your DPO for jurisdiction-specific guidance.
Edge AI attestation maps to the same regulatory controls as cloud AI attestation. The SWT3 protocol is deployment-agnostic.
| Regulation | Article / Control | Edge Relevance |
|---|---|---|
| EU AI Act | Art. 9 (Risk Management) | Applies to all deployment environments, including on-device |
| EU AI Act | Art. 12 (Record-keeping) | Logging obligations apply regardless of where inference runs |
| EU AI Act | Art. 13 (Transparency) | Users must be informed of AI involvement, including edge AI |
| EU AI Act | Art. 53 (GPAI Obligations) | Model providers must document capabilities across deployment types |
| NIST AI RMF | MEASURE 2.6 | Continuous monitoring of deployed AI systems |
| NIST 800-53 | SI-7 (Integrity) | Software and firmware integrity verification |
| NIST 800-53 | AU-2 / AU-3 (Audit) | Auditable events and audit content |
| ISO 42001 | Annex A.7 | AI system lifecycle management |
| SR 11-7 | Model Deployment | Model risk management extends to all deployment environments |
Inference Provenance. Hash prompt and response, record latency. The core attestation primitive for any edge inference.
Model Integrity. Hash the deployed model binary (.mlmodelc, .onnx, .pt). Detect unauthorized changes or unintended updates.
Hardware Attestation. Record the compute environment (device type, accelerator, silicon vendor). Proves which hardware ran the model.
Agent Identity. Bind attestation to a specific agent or device identity. Critical for fleet deployments with multiple edge devices.