SWT3 Specification Section 10 — Version 1.0.0
The Integrity Debt Score (IDS) quantifies accountability risk for AI systems and regulated infrastructure. Just as technical debt measures unaddressed code quality issues, integrity debt measures unwitnessed operations, stale attestations, and coverage gaps in your accountability posture.
A score of 0.0 means Zero Integrity Debt — every operation is witnessed, every attestation is current, and every control is covered. Higher scores indicate accumulating risk that compounds over time.
| Component | Formula | Range | Description |
|---|---|---|---|
| Coverage Gap | Unwitnessed / Total | 0.0 – 1.0 | Fraction of controls without a PASS or INHERITED verdict |
| Severity Weight | avg(family_weight) | 1.0 – 3.0 | Weighted average severity of unwitnessed control families |
| Staleness Factor | 1 + (stale / total) | 1.0 – 2.0 | Time decay based on controls with attestations older than 90 days |

| Weight | Families | Rationale |
|---|---|---|
| 3.0 (Critical) | AC, IA, SC | Access Control, Identity, and Communications — direct attack surface |
| 2.5 (High) | AU, SI, AI | Audit, System Integrity, AI Governance — detection and accountability |
| 2.0 (Standard) | CM, IR, RA, SA | Configuration, Incident Response, Risk Assessment, Acquisition |
| 1.5 (Lower) | AT, CP, MA, MP, PE, PL, PS | Training, Contingency, Maintenance, Physical — operational controls |
| Score Range | Rating | Meaning | Action |
|---|---|---|---|
| 0.00 | ZERO | Zero Integrity Debt | Maintain current posture |
| 0.01 – 0.50 | MINIMAL | Minor gaps, likely stale attestations | Routine maintenance, refresh attestations |
| 0.51 – 1.50 | MODERATE | Coverage gaps in standard controls | Remediation recommended within 30 days |
| 1.51 – 3.00 | ELEVATED | Significant gaps in critical controls | Immediate remediation required |
| 3.01+ | CRITICAL | Systemic accountability failure | Deployment risk — halt until remediated |
Organization: 120 total controls in scope

- 108 PASS or INHERITED
- 12 FAIL or UNKNOWN (unwitnessed)
  - 4 in AC (weight 3.0)
  - 3 in SI (weight 2.5)
  - 5 in AT (weight 1.5)

Coverage Gap = 12 / 120 = 0.10

Severity Weight = (4 x 3.0 + 3 x 2.5 + 5 x 1.5) / 12 = (12 + 7.5 + 7.5) / 12 = 2.25

Staleness: 15 of 120 controls have attestations > 90 days old

Staleness Factor = 1 + (15 / 120) = 1.125

IDS = 0.10 x 2.25 x 1.125 = 0.25 (MINIMAL)
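
The calculation above, generalized to an arbitrary control inventory, as an added example (not part of the SWT3 specification or any SWT3 code). The `Control` record shape, the 1.0 severity default when nothing is unwitnessed, and rounding the score to two decimals before rating are assumptions.

```python
from dataclasses import dataclass

# Family weights copied from the severity table on this page.
FAMILY_WEIGHTS = {
    **dict.fromkeys(("AC", "IA", "SC"), 3.0),
    **dict.fromkeys(("AU", "SI", "AI"), 2.5),
    **dict.fromkeys(("CM", "IR", "RA", "SA"), 2.0),
    **dict.fromkeys(("AT", "CP", "MA", "MP", "PE", "PL", "PS"), 1.5),
}
WITNESSED = {"PASS", "INHERITED"}
STALE_AFTER_DAYS = 90
# Inclusive upper bound of each rating band; anything above 3.00 is CRITICAL.
RATING_BANDS = [(0.00, "ZERO"), (0.50, "MINIMAL"), (1.50, "MODERATE"), (3.00, "ELEVATED")]


@dataclass(frozen=True)
class Control:  # hypothetical record shape, not an SWT3 type
    family: str
    verdict: str
    attestation_age_days: int


def integrity_debt(controls):
    total = len(controls)
    if total == 0:
        raise ValueError("no controls in scope")
    unwitnessed = [c for c in controls if c.verdict not in WITNESSED]
    stale = sum(c.attestation_age_days > STALE_AFTER_DAYS for c in controls)
    coverage_gap = len(unwitnessed) / total
    # An unknown family raises KeyError instead of silently getting a low weight.
    # Assumption: with nothing unwitnessed there is nothing to average, so use 1.0.
    severity = (sum(FAMILY_WEIGHTS[c.family] for c in unwitnessed) / len(unwitnessed)
                if unwitnessed else 1.0)
    staleness = 1 + stale / total
    score = round(coverage_gap * severity * staleness, 2)  # assumption: 2-decimal bands
    rating = next((name for bound, name in RATING_BANDS if score <= bound), "CRITICAL")
    return {"score": score, "rating": rating, "coverage_gap": coverage_gap,
            "severity_weight": severity, "staleness_factor": staleness,
            "unwitnessed_controls": len(unwitnessed), "total_controls": total,
            "stale_attestations": stale}


def worked_example_inventory():
    # Constructed data matching the worked example: 120 controls, 12 unwitnessed, 15 stale.
    return ([Control("CM", "PASS", 10)] * 105 + [Control("CM", "INHERITED", 97)] * 3
            + [Control("AC", "FAIL", 95)] * 4 + [Control("SI", "UNKNOWN", 95)] * 3
            + [Control("AT", "FAIL", 91)] * 5)


if __name__ == "__main__":
    print(integrity_debt(worked_example_inventory()))
```

In this product form the staleness factor only scales an existing coverage gap: an inventory in which every control is witnessed scores 0.0 even when some attestations are past 90 days, so read `stale_attestations` alongside the score.
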
The IDS is returned in the following APIs:

- GET /api/v1/posture — integrityDebt field
- GET /api/v1/evidence-package — sovereign_score.integrity_debt
- GET /api/v1/executive-summary — rendered in the Integrity section

```json
{
  "integrityDebt": {
    "score": 0.25,
    "rating": "MINIMAL",
    "color": "#22c55e",
    "components": {
      "coverage_gap": 0.10,
      "severity_weight": 2.25,
      "staleness_factor": 1.13,
      "unwitnessed_controls": 12,
      "total_controls": 120,
      "stale_attestations": 15,
      "oldest_attestation_days": 97
    },
    "computed_at": "2026-04-08T14:30:00.000Z"
  }
}
```

| Framework | Relevant Requirement | IDS Mapping |
|---|---|---|
| EU AI Act | Article 9 (Risk Management System) | IDS quantifies residual accountability risk |
| EU AI Act | Article 12 (Record-keeping) | Coverage gap measures record-keeping completeness |
| NIST AI RMF | GOVERN 1.1, MAP 3.1 | IDS tracks governance and mapping maturity |
| SR 11-7 | Section III (Model Risk Management) | IDS measures model governance completeness |
| NIST 800-53 | CA-7 (Continuous Monitoring) | Staleness factor enforces continuous assessment |
| CMMC v2.0 | Level 2+ Assessment Objectives | Coverage gap maps to objective satisfaction rate |