Audience: GRC architects, compliance automation engineers, IT audit managers.
Key concept: GRC platforms manage controls. SWT3 provides the runtime evidence those controls require. This guide covers three integration paths: regulatory webhooks, OSCAL export, and direct API.
1. The Evidence Gap in GRC
GRC platforms like Vanta, Drata, ServiceNow GRC, Archer, and OneTrust do an excellent job of tracking compliance controls. They define what your organization should be doing. They assign ownership, set deadlines, and generate reports.
What they cannot do is prove that your AI systems are actually behaving. They know you should be monitoring AI fairness. They cannot prove you are.
This is the evidence gap. Your GRC platform says "monitor model drift." Your AI model runs 10,000 inferences a day. Nothing connects those two worlds.
SWT3 bridges this gap by generating cryptographic compliance evidence at runtime and feeding it directly into your existing GRC workflows. No rip-and-replace. No new dashboards to watch. Just verifiable evidence flowing into the tools your compliance team already uses.
2. Three Integration Paths
Choose the path that fits your existing infrastructure. Many organizations use more than one.
| Path | How It Works | Best For |
|---|---|---|
| Regulatory Webhooks | HMAC-signed HTTP POST events triggered on verdict changes, drift detection, or anchor minting | Real-time compliance feeds, SIEM integration |
| OSCAL Export | NIST-validated JSON/XML packages (SSP, Assessment Results, POA&M) | Federal compliance, FedRAMP, auditor handoff |
| Direct API | REST endpoints returning posture snapshots, individual verdicts, and anchor records | Custom dashboards, automated workflows |
3. Webhook Integration
Regulatory webhooks push HMAC-SHA256-signed events to your endpoint whenever a compliance-relevant event occurs. Your GRC platform receives structured evidence without polling.
Subscribing to Events
Register a webhook subscription by calling the webhooks API. You provide the target URL and a list of event types you want to receive.
Verifying Signatures
Every webhook delivery includes an X-SWT3-Signature header. Compute HMAC-SHA256(secret, request_body) and compare. Reject any payload that does not match.
Sample Payload
Payloads are compact and self-contained. Each event includes the procedure, verdict, fingerprint, and timestamp -- everything your GRC platform needs to update its control status.
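As an added example (not SWT3's own SDK code or payload schema), the receiving side of the delivery described above: it recomputes HMAC-SHA256 over the raw request body, compares against the X-SWT3-Signature value in constant time, and only then parses the procedure, verdict, fingerprint and timestamp fields and maps the procedure to the control family listed in section 5. Lowercase hex as the header encoding, the JSON field names and the sample secret are assumptions.

```python
import hashlib
import hmac
import json

# Control families from the procedure-to-control table in this guide.
CONTROL_FAMILY = {
    "AI-INF.1": "Model monitoring, operational controls",
    "AI-FAIR.1": "Bias and fairness controls",
    "AI-AUDIT.1": "Audit logging controls",
    "AI-DATA.1": "Data management controls",
    "AI-HITL.1": "Human-in-the-loop controls",
}

def sign_body(secret: bytes, body: bytes) -> str:
    """HMAC-SHA256(secret, request_body); lowercase hex as the header encoding is an assumption."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, body: bytes, header_value) -> bool:
    """Recompute over the raw bytes and compare in constant time; a missing header is rejected."""
    if not header_value:
        return False
    expected = sign_body(secret, body).encode()
    return hmac.compare_digest(expected, header_value.strip().lower().encode())

def parse_event(body: bytes) -> dict:
    """Check the fields this guide says every event carries; call only after the signature passed."""
    event = json.loads(body)
    missing = [f for f in ("procedure", "verdict", "fingerprint", "timestamp") if f not in event]
    if missing or event.get("verdict") not in ("PASS", "FAIL"):
        raise ValueError(f"malformed event: missing={missing} verdict={event.get('verdict')!r}")
    return event

def handle_delivery(secret: bytes, body: bytes, header_value):
    """Return the control update to push to the GRC platform, or None if the delivery is rejected."""
    if not verify_signature(secret, body, header_value):
        return None  # never parse or act on an unverified body
    event = parse_event(body)
    return {
        "control_family": CONTROL_FAMILY.get(event["procedure"], "unmapped"),
        "status": "satisfied" if event["verdict"] == "PASS" else "failing",
        "evidence_ref": event["fingerprint"],
        "observed_at": event["timestamp"],
    }

# Constructed sample delivery (not a real SWT3 payload), signed with a constructed secret.
SECRET = b"example-webhook-secret"
SAMPLE_BODY = json.dumps({"procedure": "AI-FAIR.1", "verdict": "FAIL",
                          "fingerprint": "sha256:0000example", "timestamp": "2024-01-01T00:00:00Z"}).encode()
SAMPLE_SIGNATURE = sign_body(SECRET, SAMPLE_BODY)
```

Verify over the exact bytes received, before any JSON decoding or re-serialization; a body that has been parsed and re-encoded will not reproduce the signature.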
4. Platform-Specific Examples
Vanta
Vanta supports custom integrations through its evidence API. Configure a webhook subscription in SWT3 that points to your Vanta custom evidence endpoint. Each verdict change event maps to a Vanta evidence record, updating control status in real time.
Drata
Drata accepts custom control monitoring through its API. Point SWT3 webhooks at a lightweight middleware that transforms the payload into Drata's expected format. Verdict events update the corresponding control's evidence status automatically.
ServiceNow GRC
ServiceNow's risk module can import OSCAL packages directly. Use the SWT3 OSCAL export to generate NIST-validated assessment results, then import them into ServiceNow's risk module. This path is ideal for organizations already using ServiceNow for federal compliance workflows.
Archer
RSA Archer supports data feed connectors that pull from REST APIs. Configure an Archer data feed to query the SWT3 posture API on a schedule. Each poll returns the current verdict state for all procedures, which Archer maps to its internal control framework.
These examples illustrate integration patterns. Exact configuration steps vary by platform version. Consult your GRC vendor's API documentation for endpoint-specific requirements.
5. Procedure-to-Control Mapping
SWT3 procedures map cleanly to common GRC control families. The table below shows representative mappings. Your organization's specific framework determines the exact control IDs.
| SWT3 Procedure | Description | GRC Control Family |
|---|---|---|
| AI-INF.1 | Inference Provenance | Model monitoring, operational controls |
| AI-FAIR.1 | Demographic Parity | Bias and fairness controls |
| AI-AUDIT.1 | Audit Trail | Audit logging controls |
| AI-DATA.1 | Data Governance | Data management controls |
| AI-HITL.1 | Human Oversight | Human-in-the-loop controls |
The full SWT3 procedure catalog includes 80 procedures across 41 namespaces. Each procedure carries a UCT (Unified Control Taxonomy) identifier that enables bidirectional mapping to NIST AI RMF, EU AI Act, CMMC, and 13 other frameworks. See the UCT Registry for the complete list.
From Procedure to Control
When SWT3 mints an anchor for AI-FAIR.1, that anchor carries a cryptographic fingerprint, a verdict (PASS or FAIL), and a timestamp. Your GRC platform receives this as structured evidence and updates its fairness control status. The anchor is independently verifiable at any time -- no phone calls, no screenshots, no spreadsheets.
6. Quick Start
Install the Python SDK and subscribe to webhook events in two steps.
Step 1: Install
Step 2: Subscribe to Webhook Events
Once subscribed, every verdict change and drift detection event will be pushed to your GRC platform as an HMAC-signed payload. No polling required.
For OSCAL export, use the dashboard at /api/v1/oscal/export or generate packages programmatically through the CLI.
7. References
- SWT3 SDK Documentation -- Python, TypeScript, and 4 additional language SDKs
- UCT Registry -- Complete procedure catalog with framework mappings
- Bidirectional Crosswalk -- Machine-readable framework mappings (JSON)
- Anchor Verifier -- Public verification of any SWT3 Witness Anchor
- All Guides -- Integration guides, crosswalk overlays, and assessment walkthroughs
- NIST OSCAL -- Open Security Controls Assessment Language specification