SWT3 Compliance Binding for MCP

Cryptographic Accountability for AI Tool Use via the Model Context Protocol

Version:

1.0.0

Status:

Proposed Standard

Date:

2026-04-24

License:

Apache 2.0

MCP Version:

2025-03-26 (latest stable)

SWT3 Spec:

v1.3.0

For decision-makers. The Model Context Protocol (MCP) lets AI models use external tools. It does not record what they did, when, or whether safety controls were active. This document defines how SWT3 fills that gap: every tool call produces a tamper-evident cryptographic anchor that auditors can verify independently. No raw data is stored. The proof survives; the sensitive inputs do not. If your AI system uses MCP and must comply with the EU AI Act, NIST AI RMF, GDPR, or HIPAA, this binding shows you exactly which requirements are satisfied and how.

High-risk enforcement begins

December 2, 2027

GPAI transparency obligations are enforceable now. Art. 12 requires tamper-evident logging.

MCP alone does not satisfy this. SWT3 does.

585

days remaining

The Accountability Gap in MCP
Architecture: Transport vs. Accountability
Standard Tool Definitions
Standard Resource URIs
Tool Witnessing Pattern
Integration Levels
Regulatory Mapping
Multi-Agent Chains
Clearing in MCP Context
Conformance

1. The Accountability Gap in MCP

The Model Context Protocol (MCP) defines a standard interface for AI models to discover, invoke, and interact with external tools and data sources. It solves the integration problem: any MCP-compliant model can use any MCP-compliant server. This is a significant advance for AI interoperability.

However, MCP has no accountability primitives.

What MCP does not provide:

No cryptographic proof that a tool was invoked, by which model, or at what time
No audit trail linking tool inputs and outputs to a tamper-evident record
No mechanism for clearing sensitive data (prompts, tool responses) after use
No standard way for an auditor to verify what an AI agent did with a tool
No compliance mapping between tool use and regulatory requirements

This gap is not theoretical. The EU AI Act (Regulation 2024/1689) requires automatic logging of AI system operations (Art. 12), human oversight of high-risk decisions (Art. 14), and risk management measures that are operational, not merely documented (Art. 9). When an AI model invokes a tool via MCP, none of these requirements are satisfied by the protocol itself.

Core Principle: MCP is the transport layer. SWT3 is the accountability layer. Together, they provide a complete model: the model invokes tools through MCP, and SWT3 produces cryptographic proof of what was invoked, when, and under what conditions.

2. Architecture: Transport vs. Accountability

SWT3 operates alongside MCP, not inside it. The protocol does not modify MCP's tool discovery, invocation, or response handling. Instead, it wraps tool calls with a witnessing layer that produces anchors as a side effect of normal operation.

Model → MCP Tool Call → [SWT3 Witness Layer] → Tool Execution → Response
↓
SWT3 Anchor + Factor Matrix → Witness Ledger

This separation provides three guarantees:

No performance impact on MCP. Witnessing happens asynchronously. Tool execution is not blocked by anchor computation or ledger writes.
No modification to existing MCP servers. The witness layer wraps the tool call at the SDK level. Existing MCP servers do not need to be rewritten.
Independent verification. Anchors can be verified by any party with SHA-256 support, with no access to the MCP server or model required.

3. Standard Tool Definitions

An SWT3-compliant MCP server SHOULD expose the following tools. These names are canonical: adopting them ensures interoperability across implementations and allows compliance tooling to discover witnessing capabilities automatically.

Tool Name	Purpose	Read-Only
`witness_inference`	Mint a cryptographic SWT3 anchor for an AI inference. Records model identity, prompt/response hashes, and latency as compliance evidence. Raw text is hashed locally and never sent to the server.	No
`verify_anchor`	Verify the cryptographic integrity of an existing SWT3 anchor. Recomputes the fingerprint from original factors and compares against the claimed value.	Yes
`list_procedures`	List available UCT (Universal Control Taxonomy) procedures from the SWT3 registry. Each procedure maps to a specific compliance control. Supports namespace filtering.	Yes
`check_posture`	Check the current AI witness compliance posture for the tenant. Returns model activity summary, pass/fail counts, and overall compliance status.	Yes

3.1 witness_inference Parameters

Parameter	Type	Required	Description
`model_id`	string	Yes	AI model identifier (e.g., `gpt-4o`, `claude-sonnet-4`)
`prompt`	string	No*	Raw prompt text (hashed locally, never sent to server)
`prompt_hash`	string	No*	Pre-computed SHA-256 hash of prompt (16 hex chars)
`response`	string	No*	Raw response text (hashed locally, never sent to server)
`response_hash`	string	No*	Pre-computed SHA-256 hash of response (16 hex chars)
`latency_ms`	number	No	Inference latency in milliseconds
`input_tokens`	number	No	Number of input tokens
`output_tokens`	number	No	Number of output tokens
`clearing_level`	0-3	No	Data clearing level (0=analytics, 1=standard, 2=sensitive, 3=classified)
`procedure`	string	No	UCT procedure ID (default: `AI-INF.1`)
`provider`	string	No	AI provider name (openai, anthropic, bedrock, etc.)

* Either prompt or prompt_hash SHOULD be provided. If raw text is provided, it is hashed locally before transmission. The raw text never leaves the client.

4. Standard Resource URIs

MCP resources provide read-only data that models can reference. SWT3-compliant servers SHOULD expose the following resources using these canonical URIs:

URI	MIME Type	Description
`swt3://registry/procedures`	application/json	Full catalog of UCT procedures with factor schemas, evaluation logic, and framework mappings
`swt3://health`	application/json	Service health status including database connectivity, last scan timestamp, and version

The swt3:// URI scheme is used as a namespace convention within MCP resource discovery. It does not imply a custom protocol handler. MCP servers resolve these URIs internally.

5. Tool Witnessing Pattern

Beyond the explicit witness_inference tool, SWT3 defines a pattern for witnessing any MCP tool call. This is the mechanism by which AI tool use becomes auditable without modifying the tools themselves.

5.1 The Wrap Pattern

An SWT3-compliant SDK provides a wrap_tool (Python) or wrapTool (TypeScript) function that intercepts a tool call, executes the original function, and mints an anchor recording the invocation.

Python (runnable)

# pip install swt3-ai openai
from openai import OpenAI
from swt3_ai import witness

# Wrap your OpenAI client. All calls are now witnessed.
client = witness(OpenAI(), clearing_level=1)

# This call works exactly like normal OpenAI.
# Behind the scenes, an SWT3 anchor is minted:
#   - Prompt and response are SHA-256 hashed (never stored raw)
#   - Factor matrix records model, latency, and token counts
#   - Anchor is printed to console (or sent to your witness endpoint)
response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Summarize Q3 revenue"}]
)

# Output includes:
# SWT3-S-LOCAL-AI-AIINF1-PASS-1774800000-c059eb5938c0
# Clearing Level 1: prompt/response destroyed, factors + anchor persist

TypeScript (runnable)

// npm install @tenova/swt3-ai openai
import OpenAI from "openai";
import { witness } from "@tenova/swt3-ai";

const client = witness(new OpenAI(), { clearingLevel: 1 });

// Every call is witnessed. Same API, same types, same behavior.
const response = await client.chat.completions.create({
  model: "gpt-4o",
  messages: [{ role: "user", content: "Summarize Q3 revenue" }],
});

MCP Server (zero-config demo)

# Run the SWT3 MCP server in demo mode. No API keys needed.
npx @tenova/swt3-mcp

# Or with live persistence:
SWT3_API_KEY=axm_live_... npx @tenova/swt3-mcp

5.2 What Gets Recorded

Field	Source	Stored As
Tool name	MCP tool invocation	Procedure ID (e.g., `AI-TOOL.1`)
Tool arguments	MCP tool input	SHA-256 hash (raw arguments never stored)
Tool result	MCP tool output	SHA-256 hash (raw result never stored)
Timestamp	System clock at invocation	Millisecond Unix epoch
Agent identity	Configuration	`agent_id` field in anchor metadata
Model identity	Configuration	`model_id` in witness payload

5.3 Privacy Guarantee

The wrap pattern is designed around a fundamental constraint: raw data never enters the witness system. Tool arguments and results are SHA-256 hashed at the point of observation. The hash is irreversible. An auditor can verify that a specific tool call produced a specific result (by re-hashing the original data), but cannot reconstruct the data from the anchor alone.

This satisfies the dual requirement of traceability (EU AI Act Art. 12: "logs shall enable the tracing of the AI system's operation") and data minimization (GDPR Art. 5(1)(c): "adequate, relevant and limited to what is necessary").

6. Integration Levels

MCP servers can adopt SWT3 witnessing at three levels of depth. Each level adds accountability without removing functionality from the previous level.

Level 1: Passive (Log-Only)

Anchors are minted as a side effect of normal tool invocation. Tool execution is not affected. Anchors are written to a local ledger or transmitted to a remote witness endpoint.

Use case: Observability. "We can prove what happened."

Regulatory value: EU AI Act Art. 12 (automatic logging), NIST AI RMF MEASURE 2.6 (traceability).

Level 2: Active (Anchor-Gated)

Anchors are minted before tool execution. If the anchor cannot be minted (ledger unavailable, configuration error), the tool call is blocked. This ensures that every tool invocation has a corresponding accountability record.

Use case: Compliance enforcement. "No tool call proceeds without a witness record."

Regulatory value: EU AI Act Art. 9 (risk management operational), Art. 14 (oversight measures active).

Level 3: Sovereign (Clearing-Enforced)

Anchors are minted and clearing is enforced per the SWT3 Clearing Protocol. After the anchor is sealed, raw tool inputs and outputs are purged from memory and storage. Only the anchor, factor matrix, and hashes persist.

Use case: Data sovereignty. "We can prove what happened, and the raw data no longer exists."

Regulatory value: GDPR Art. 17 (right to erasure), HIPAA minimum necessary principle, national sovereignty mandates.

7. Regulatory Mapping

SWT3-witnessed MCP tool calls map directly to regulatory requirements across multiple frameworks. This mapping demonstrates that the combination of MCP (transport) and SWT3 (accountability) satisfies obligations that neither protocol addresses alone.

Regulation	Article / Section	Requirement	How SWT3 + MCP Satisfies It
EU AI Act	Art. 12(1)	Automatic logging capability throughout lifecycle	Every MCP tool call produces a timestamped, tamper-evident SWT3 anchor. Logs cannot be altered without breaking the fingerprint.
EU AI Act	Art. 12(2)(a)	Logs identify period and input/output data	Anchor contains epoch timestamp. Input/output hashes are recorded as factors. Period is deterministic from anchor sequence.
EU AI Act	Art. 14	Human oversight measures operational	`AI-HITL.1` procedure witnesses human review events. Wrap pattern records when a human overrides an AI tool decision.
EU AI Act	Art. 9(4)(a)	Risk management measures active, not just documented	`AI-GRD.1` witnesses guardrail state at inference time. The anchor proves the guardrail was running, not just configured.
NIST AI RMF	MEASURE 2.6	AI system outputs are traceable	SHA-256 hashes of tool inputs and outputs are sealed into the anchor. Any party can re-hash original data and verify.
NIST AI RMF	MANAGE 4.1	Risk controls are monitored continuously	Continuous witnessing via MCP tool wrapping produces an unbroken chain of anchors. Gaps in the chain are themselves evidence of control failure.
GDPR	Art. 5(1)(c)	Data minimization	SWT3 Clearing Protocol destroys raw data after anchoring. Only cryptographic proof persists.
HIPAA	§164.312(b)	Audit controls for information systems	SWT3 anchors serve as tamper-evident audit records. Enclave verification provides aggregate integrity proof.

8. Multi-Agent Chains

When multiple AI agents collaborate through MCP, each agent's tool calls can be witnessed independently while maintaining a verifiable chain of accountability across the full workflow.

8.1 Chain Witnessing

Each agent in a multi-agent system is assigned a unique agent_id. When Agent A delegates work to Agent B via MCP tool calls, both agents produce anchors. The chain is reconstructable from the anchor sequence:

# Agent A: orchestrator
SWT3-S-AWS-AI-AIINF1-PASS-1773900000-a4c7e2f91b03  agent_id=orchestrator-v1

# Agent B: research agent (invoked by A via MCP)
SWT3-S-AWS-AI-AITOOL1-PASS-1773900001-b5d8f3a02c14  agent_id=research-agent-v2

# Agent A: synthesizes research output
SWT3-S-AWS-AI-AIINF1-PASS-1773900005-c6e9g4b13d25  agent_id=orchestrator-v1

8.2 Accountability Properties

Attribution: Every anchor records which agent produced it via agent_id
Ordering: Millisecond timestamps establish causal sequence
Delegation: When Agent A invokes Agent B's MCP tools, both the invocation and execution are witnessed
Integrity: Tampering with any anchor in the chain breaks its fingerprint without affecting other anchors (no cascading failure)

9. Clearing in MCP Context

MCP tool calls frequently involve sensitive data: database queries, API credentials, file contents, user information. The SWT3 Clearing Protocol ensures that this data does not persist in the witness system after the tool call completes.

9.1 Clearing Sequence for MCP Tool Calls

1. MCP client invokes tool with arguments
2. SWT3 witness layer captures:
   - SHA-256(tool_arguments) as factor_a component
   - SHA-256(tool_result) as factor_b component
   - Timestamp at invocation
3. SWT3 anchor is minted with factor matrix
4. Clearing level determines what persists:
   Level 0: Raw arguments and results retained
   Level 1: Only hashes and factors retained (RECOMMENDED)
   Level 2: Only anchor token retained
   Level 3: Anchor transmitted to verifier, nothing retained locally

9.2 MCP-Specific Clearing Guidance

MCP Tool Type	Recommended Level	Rationale
Public API queries	Level 0 or 1	Data is not sensitive; forensic value outweighs risk
Database queries with PII	Level 2	Query results may contain user data; only anchor persists
File system operations	Level 1	File paths and metadata retained; file contents cleared
Authentication or credential tools	Level 3	Credentials must not persist in any system
Healthcare / clinical tools	Level 2 or 3	PHI must not persist outside the clinical system

10. Conformance

An MCP server claiming SWT3 compliance MUST satisfy the following requirements:

10.1 Minimum Requirements (all levels)

Expose the witness_inference and verify_anchor tools using the names defined in Section 3
Expose the swt3://registry/procedures resource using the URI defined in Section 4
Compute fingerprints using the SWT3 canonical formula
Document the clearing level in the server's configuration or health resource
Never transmit raw prompt or response text to the witness endpoint (hash locally)

10.2 Level 2 (Active) Additional Requirements

Block tool execution if anchor minting fails
Include agent_id in all anchors when configured
Support HMAC-SHA256 payload signing when a signing_key is provided

10.3 Level 3 (Sovereign) Additional Requirements

Implement clearing at Level 1 or higher as default behavior
Ensure clearing irreversibility per the SWT3 Clearing Protocol
Support per-tool clearing level configuration

10.4 Interoperability

An anchor minted by any SWT3-compliant MCP server MUST be verifiable by any SWT3-compliant verifier, regardless of implementation language, hosting provider, or MCP version. This is the fundamental portability guarantee: the anchor is the evidence, not the system that produced it.

Try it now. No API keys, no signup.

Runs the SWT3 MCP server in demo mode. Mints anchors locally.

npx @tenova/swt3-mcp

Verify any anchor.

Paste an SWT3 anchor token and independently verify its fingerprint.

sovereign.tenova.io/verify

Full protocol specification: SWT3 Protocol Specification v1.3. Source code and test vectors: github.com/tenova-labs/swt3-ai.

SDKs available in 5 languages: Python (pip install swt3-ai), TypeScript (npm install @tenova/swt3-ai), Rust (cargo add swt3-ai), C# (dotnet add package swt3-ai), Ruby (gem install swt3-ai). All produce identical fingerprints. Cross-language parity verified by shared test vectors.