Audience: CISOs, ISSMs, C3PAOs, and security architects deploying autonomous AI agents in Five Eyes jurisdictions (US, UK, CA, AU, NZ). This overlay maps each requirement from the May 1, 2026 joint publication to specific SWT3 procedures that produce cryptographic evidence satisfying the requirement.
Contents
- Quick Reference Table
- 1. Privilege Containment
- 2. Behavioral Monitoring
- 3. Identity Verification
- 4. Continuous Logging
- 5. Human Oversight
- 6. Reversibility
- 7. Context Injection Protection
- 8. Hardware Root of Trust
- 9. Tool Use Oversight
- Clearing Level Selection
- GRC Integration
Quick Reference: Five Eyes Requirements to SWT3 Procedures
| Five Eyes Requirement | SWT3 Procedures | Evidence Produced |
|---|---|---|
| Privilege Containment | AI-ACC.1 | Access target, grant/deny decision, scope |
| Behavioral Monitoring | AI-VIO.1, AI-INF.1, AI-INF.2 | Violation severity/category, inference provenance, latency compliance |
| Identity Verification | AI-ID.1, AI-TRUST.1, AI-TRUST.2 | Agent identity binding, mutual trust verification, HMAC-signed credentials |
| Continuous Logging | AI-INF.1, AI-MDL.2 | Immutable cryptographic anchors, daily Merkle roots |
| Human Oversight | AI-HITL.1, AI-HITL.2, AI-CHR.1 | Human-in-the-loop attestation, agent charter manifest |
| Reversibility | AI-REV.1, AI-CHAIN.1 | Anchor revocation with reason codes, chain-of-custody records |
| Context Injection Protection | AI-GRD.1, AI-GRD.2, AI-GRD.3 | Guardrail enforcement, refusal detection, policy version binding |
| Hardware Root of Trust | AI-HW.1, AI-ENV.1, AI-ENV.2 | GPU inventory hash, thermal integrity, power integrity |
| Tool Use Oversight | AI-TOOL.1 | Tool name, input hash, output hash, latency, success/failure |
| Model Integrity | AI-MDL.1, AI-MDL.5, AI-MDL.6 | Model weight hash, adapter stack, quantization attestation |
| Data Governance | AI-DATA.1, AI-DATA.2, AI-DATA.3, AI-DATA.4 | PII access, retention compliance, training stats, PII lifecycle |
| Bias and Fairness | AI-FAIR.1, AI-FAIR.2, AI-FAIR.3 | Fairness metrics, demographic parity, bias assessment |
1. Privilege Containment
Over-privileged agents accessing sensitive data or critical systems without proper authorization boundaries
SWT3 Procedure: AI-ACC.1 Access Control Witnessing
Mints a cryptographic anchor every time an agent accesses a resource. Records the access target, whether access was granted or denied, and the authorization scope. The wrapAccess() convenience method makes integration a single function call.
The sequence of AI-ACC.1 anchors for a given agent, filtered by access_granted: false to demonstrate that unauthorized access attempts are both detected and recorded. The anchor is immutable and timestamped.
2. Behavioral Monitoring
Goal misalignment, deceptive behavior, or agents that report "complete" but actually did nothing
SWT3 Procedures: AI-VIO.1 Violation Witnessing; AI-INF.1 Inference Provenance; AI-INF.2 Latency Compliance
AI-VIO.1 records policy violations with structured severity (1-4), auto-detection flags, and policy category taxonomy. AI-INF.1 captures a cryptographic receipt for every inference. If an agent claims completion but no AI-INF.1 anchor exists for that time window, the "silent failure" is detectable.
The ratio of AI-VIO.1 anchors to AI-INF.1 anchors per agent per time period (the "violation rate"). A gap in AI-INF.1 anchors indicates silent failure. A spike in violations indicates behavioral drift.
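An assessor-side check for the two signals described above, as an added example that is not SWT3 code. The record layout (`procedure`, `ts`, and the completion-claim fields) is hypothetical, the sample data is constructed, and the anchor list is assumed to be already filtered to one reporting period.

```python
from collections import Counter
from datetime import datetime

def _t(hhmmss):  # constructed timestamps, all on one day
    return datetime.fromisoformat("2026-05-01T" + hhmmss)

# Constructed anchors: (procedure, agent_id, time).
ANCHORS = [
    {"procedure": p, "agent_id": a, "ts": _t(t)}
    for p, a, t in [
        ("AI-INF.1", "agent-a", "10:00:05"), ("AI-INF.1", "agent-a", "10:00:40"),
        ("AI-INF.1", "agent-a", "10:05:00"), ("AI-INF.1", "agent-a", "10:06:00"),
        ("AI-VIO.1", "agent-a", "10:05:01"), ("AI-VIO.1", "agent-b", "10:10:00"),
    ]
]
# Constructed completion claims taken from the agents' own task reports.
CLAIMS = [
    {"agent_id": "agent-a", "task": "t1", "start": _t("10:00:00"), "end": _t("10:01:00")},
    {"agent_id": "agent-b", "task": "t2", "start": _t("10:09:00"), "end": _t("10:11:00")},
]

def silent_failures(claims, anchors):
    """Tasks reported complete with no AI-INF.1 anchor in the claimed window."""
    inf = [(a["agent_id"], a["ts"]) for a in anchors if a["procedure"] == "AI-INF.1"]
    return [
        c["task"] for c in claims
        if not any(agent == c["agent_id"] and c["start"] <= ts <= c["end"]
                   for agent, ts in inf)
    ]

def violation_rates(anchors):
    """AI-VIO.1 count / AI-INF.1 count per agent.

    None marks an agent with violations but no inference anchors: the ratio
    is undefined there, and that absence is itself the gap to investigate.
    """
    vio, inf = Counter(), Counter()
    for a in anchors:
        if a["procedure"] == "AI-VIO.1":
            vio[a["agent_id"]] += 1
        elif a["procedure"] == "AI-INF.1":
            inf[a["agent_id"]] += 1
    return {ag: (vio[ag] / inf[ag] if inf[ag] else None)
            for ag in sorted(set(vio) | set(inf))}
```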
3. Identity Verification
Agents using shared API keys instead of unique, verifiable identities in multi-agent systems
SWT3 Procedures: AI-ID.1 Agent Identity; AI-TRUST.1, AI-TRUST.2 Mutual Trust Verification
AI-ID.1 binds a unique agent_id to every anchor. AI-TRUST.1/2 implements mutual verification: before two agents exchange data, each presents an HMAC-signed credential and verifies the counterpart's compliance posture. Unsigned credentials are capped at the lowest trust level. Tampered credentials are rejected.
The AI-TRUST.1 anchor for a specific agent handshake, showing checks_performed, checks_passed, trust_level, and granted status. Both successful and denied handshakes produce immutable evidence.
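The three credential outcomes described above (verified, unsigned and capped, tampered and rejected), as an added example that is not the SWT3 implementation. The credential layout, the integer trust scale, the pre-shared key, and the choice to grant unsigned peers at the lowest level are all assumptions; each agent would run `verify` on its counterpart's credential.

```python
import hashlib
import hmac
import json

LOWEST_TRUST = 0  # assumption: integer scale where 0 is the lowest level

def _mac(claims: dict, key: bytes) -> str:
    # Canonical JSON so issuer and verifier MAC exactly the same bytes.
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def issue(claims: dict, key: bytes) -> dict:
    return {"claims": claims, "signature": _mac(claims, key)}

def verify(credential: dict, key: bytes) -> dict:
    """Evaluate a counterpart's credential and return the handshake outcome."""
    claims = credential.get("claims") or {}
    sig = credential.get("signature")
    if sig is None:
        # Unsigned: whatever level it claims, it gets the lowest one.
        return {"status": "unsigned", "trust_level": LOWEST_TRUST, "granted": True}
    # Constant-time comparison; a non-string signature is treated as invalid.
    valid = isinstance(sig, str) and hmac.compare_digest(
        sig.encode(), _mac(claims, key).encode())
    if not valid:
        return {"status": "tampered", "trust_level": None, "granted": False}
    return {"status": "verified",
            "trust_level": claims.get("trust_level", LOWEST_TRUST),
            "granted": True}

# Constructed sample credentials; the key is a demo value, not a real secret.
KEY = b"constructed-demo-key"
SIGNED = issue({"agent_id": "agent-a", "trust_level": 3}, KEY)
UNSIGNED = {"claims": {"agent_id": "agent-b", "trust_level": 3}}
# Claims edited after signing: the old signature no longer matches.
TAMPERED = {"claims": {**SIGNED["claims"], "trust_level": 4},
            "signature": SIGNED["signature"]}
```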
4. Continuous Logging
Immutable, parseable logs that cannot be falsified by the agent
SWT3 Procedures: AI-INF.1 + Merkle Rollups
Every SWT3 anchor is a structured, cryptographically fingerprinted record with exactly three factors plus operational metadata. Unlike text logs, anchors are machine-readable, fixed-schema, and verifiable. Daily Merkle rollups provide tamper detection: if a single anchor is modified after the fact, the Merkle root changes.
The daily Merkle root chain for the assessment period. One root hash per day plus total anchor count. An assessor can verify that the count matches the ledger query.
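How an assessor could recompute one day's rollup from the ledger and compare it with the published root and count, as an added example that is not SWT3 code. The tree construction (SHA-256, leaf/node domain separation, odd node promoted, leaves in ledger order) and the rollup field names are assumptions; the page does not specify them.

```python
import hashlib

def _leaf(fingerprint: str) -> bytes:
    # 0x00 prefix for leaves, 0x01 for interior nodes, so an interior hash
    # can never be passed off as a leaf.
    return hashlib.sha256(b"\x00" + fingerprint.encode()).digest()

def merkle_root(fingerprints: list) -> str:
    """Root over the anchor fingerprints, taken in ledger order."""
    if not fingerprints:
        return hashlib.sha256(b"").hexdigest()
    level = [_leaf(f) for f in fingerprints]
    while len(level) > 1:
        nxt = [
            hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
            for i in range(0, len(level) - 1, 2)
        ]
        if len(level) % 2:
            nxt.append(level[-1])  # odd node is promoted unchanged
        level = nxt
    return level[0].hex()

def verify_day(rollup: dict, ledger_fingerprints: list) -> list:
    """Compare a published daily rollup with what the ledger query returned."""
    findings = []
    if rollup["anchor_count"] != len(ledger_fingerprints):
        findings.append("count_mismatch")
    if merkle_root(ledger_fingerprints) != rollup["merkle_root"]:
        findings.append("root_mismatch")
    return findings

# Constructed sample: five anchor fingerprints and the rollup for that day.
DAY = [hashlib.sha256(f"constructed-anchor-{i}".encode()).hexdigest()
       for i in range(5)]
ROLLUP = {"date": "2026-05-01", "anchor_count": len(DAY),
          "merkle_root": merkle_root(DAY)}
```

An empty list from `verify_day` means the ledger matches the rollup; editing, dropping or reordering any anchor produces a finding.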
5. Human Oversight
Human sign-off for high-impact actions; preventing irreversible operations without authorization
SWT3 Procedures: AI-HITL.1, AI-HITL.2 Human-in-the-Loop; AI-CHR.1 Agent Charter
AI-HITL.1/2 attest human oversight events. AI-CHR.1 witnesses the agent's policy manifest -- the declared boundaries of what the agent is authorized to do. Any tool call outside the charter scope is detectable.
The AI-CHR.1 anchor showing the agent's authorized scope, paired with AI-TOOL.1 anchors showing actual activity. Any tool call not in the charter is a finding.
6. Reversibility
Prioritize reversibility over efficiency; maintain records for undo capability
SWT3 Procedures: AI-REV.1 Anchor Revocation; AI-CHAIN.1 Chain of Custody
AI-REV.1 mints a revocation anchor targeting a specific prior anchor's fingerprint. Seven reason codes: model_recall, policy_violation, data_contamination, consent_withdrawal, regulatory_order, error_correction, unspecified. AI-CHAIN.1 records multi-agent handoffs with depth tracking, providing the "undo map."
Revocation history filtered by reason code. Demonstrate that revocations were timely (within the remediation window defined in the POA&M).
7. Context Injection Protection
Agents being tricked by malicious prompts, poisoned RAG contexts, or adversarial inputs
SWT3 Procedures: AI-GRD.1 Guardrail Enforcement; AI-GRD.2 Refusal Detection; AI-GRD.3 Policy Version Binding
AI-GRD.1 witnesses that required safety filters were active. AI-GRD.2 detects and records model refusals. AI-GRD.3 binds guardrail configuration to a specific policy version hash, proving the guardrails in effect were the approved ones.
The AI-GRD.3 policy version hash chain over time. Any hash change indicates a guardrail policy update traceable to a change management record.
8. Hardware Root of Trust
Hardware-based security; ensuring the compute environment is genuine and untampered
SWT3 Procedures: AI-HW.1 Hardware Inventory; AI-ENV.1 Thermal Integrity; AI-ENV.2 Power Integrity
AI-HW.1 records GPU count, topology, interconnect, and driver version (all identifiers SHA-256 hashed). AI-ENV.1 witnesses thermal bounds. AI-ENV.2 witnesses power draw and headroom. Physical tampering that alters thermal or power signatures is detectable.
AI-HW.1 anchor at service startup showing expected GPU topology, followed by periodic AI-ENV.1/AI-ENV.2 anchors showing the node remained within safe operating bounds.
9. Tool Use Oversight
Monitoring agent invocations of external tools, APIs, or system commands
SWT3 Procedures: AI-TOOL.1 Tool Use Witnessing
The wrapTool() method wraps any function as a witnessed tool call. Every invocation mints an anchor with tool name, input hash, output hash, latency, and success/failure. Zero code changes to the tool itself.
Complete AI-TOOL.1 history for an agent, showing every tool called, when, duration, and result. Cross-reference with AI-CHR.1 to verify all calls were within authorized scope.
Clearing Level Selection for Five Eyes Environments
| Environment | Recommended Level | Rationale |
|---|---|---|
| Unclassified development | Level 0 (Analytics) | Full metadata for debugging and testing |
| CUI / FOUO production | Level 2 (Sensitive) | Redacts model names and context; preserves compliance factors |
| Classified / air-gapped | Level 3 (Classified) | Zero-knowledge proof; only cryptographic factors survive |
| Cross-jurisdiction multi-agent | Level 1 (Standard) | Balances auditability with operational metadata |
Integration with Governance Platforms
This overlay provides the technical evidence layer. Organizations using governance platforms (GRC tools, risk engines, policy frameworks) can consume SWT3 anchors via:
- Regulatory Webhooks: Real-time HMAC-signed event delivery to SIEM/GRC tools (Enclave tier)
- OSCAL Export: NIST-validated Assessment Results in machine-readable format
- Compliance Passport: One-page HTML/JSON summary with Sovereign Score
- Auditor Portal: Read-only web interface for assessors with evidence sampling
The SWT3 protocol produces the evidence. Governance platforms consume and present it. The two layers are complementary, not competing.