Dual-layer attestation for Azure AI Foundry agents. execute() witnesses reasoning. interceptToolCall() witnesses tool invocations. Independent evidence alongside AGT governance.
Who this is for: Azure AI Foundry developers, Microsoft platform architects, security teams implementing agent governance alongside the Agent Governance Toolkit (AGT), and compliance officers requiring independent evidence of Foundry agent behavior.
Available in SWT3 v0.5.5. The Foundry adapter provides dual-layer witnessing: execute() for agent reasoning and interceptToolCall() for tool invocations. Each layer produces separate Witness Anchors. Python and TypeScript. For the AGT governance crosswalk, see the AGT guide.
Azure AI Foundry is Microsoft's platform for building, deploying, and managing AI agents. The Foundry agent framework provides:
execute() method encapsulates the agent's reasoning, planning, and response generationThe SWT3 Foundry adapter wraps two methods, producing separate evidence streams for reasoning and tool execution:
| Foundry Method | SWT3 Procedure | What Is Captured | Evidence Purpose |
|---|---|---|---|
execute() | AI-INF.1 | Model identifier, prompt hash, response hash, latency, provider (microsoft-foundry) | Proves what reasoning the agent performed and what output it produced |
interceptToolCall() | AI-TOOL.1 | Tool name hash, tool input hash, tool output hash, latency | Proves which tools were invoked, with what inputs, and what they returned |
| Agent identity | AI-ID.1 | Agent ID hash, HMAC-SHA256 signature | Cryptographically binds the agent to its evidence chain |
| Guardrails (AGT) | AI-GRD.1 | Guardrail active flag, pass/fail status | Independently witnesses that AGT guardrails were active and enforced |
| Tool chain | AI-CHAIN.1 | Chain length, chain hash, completion status | Links multiple tool calls into a verifiable execution sequence |
The interceptToolCall() method captures the tool name as part of the prompt hash (formatted as {toolName}:{toolInputHash}), creating a distinct record per tool invocation within the agent's reasoning loop. This means an agent that calls three tools during a single execute() produces four anchors: one for the reasoning and one for each tool call.
Microsoft's Agent Governance Toolkit (AGT) and SWT3 serve complementary roles:
AGT answers: "Was this agent governed?" SWT3 answers: "Here is the cryptographic proof that governance was applied, verifiable by anyone."
For the full AGT governance crosswalk mapping 10 AGT runtime controls to 15 SWT3 witness procedures, see the Microsoft AGT Crosswalk Guide.
Foundry does: The agent's execute() method runs the reasoning loop: processing input, optionally invoking tools, and generating a response. The method encapsulates the full agent decision cycle.
SWT3 witnesses: Every execute() call produces a Witness Anchor recording the model identifier, SHA-256 hashes of the input and output, execution latency, and provider (microsoft-foundry). The anchor proves that a specific model produced a specific output from a specific input at a specific time.
AI-INF.1 anchors from execute() provide the top-level reasoning evidence. Each anchor's timestamp and model identifier establish which model was active. The prompt hash proves what input was processed. Compare against AI-TOOL.1 anchors from the same time window to see the complete reasoning + tool execution picture.
Foundry does: During execute(), the agent invokes registered tools from the Foundry tool registry. Each tool call has a name, structured input, and returned output.
SWT3 witnesses: The interceptToolCall() hook captures each tool invocation separately. The prompt hash includes the tool name and a hash of the tool input ({toolName}:{inputHash}). The response hash captures the tool output. This creates a distinct Witness Anchor per tool call.
AI-TOOL.1 anchors from interceptToolCall() document every tool the agent used during reasoning. The prompt hash format {toolName}:{inputHash} identifies which tool was called and with what arguments. Multiple AI-TOOL.1 anchors between two AI-INF.1 anchors show the tool calls within a single reasoning step.
Foundry does: Each Foundry agent has an identity within the Azure AI Foundry platform, tied to Azure Active Directory and the agent registration.
SWT3 witnesses: When agent_id is configured, every anchor includes a SHA-256 hash of the agent identity. With signing_key, each attestation is HMAC-SHA256 signed. Both execute() and interceptToolCall() anchors carry the same agent identity, linking reasoning and tool calls to a single authenticated agent.
AI-ID.1 evidence appears in every AI-INF.1 and AI-TOOL.1 anchor from the same agent. A consistent agent ID hash across all anchors proves that one agent performed all actions. Factor B = 1 confirms cryptographic signing was active.
Foundry + AGT does: The Agent Governance Toolkit enforces runtime policies: input validation, output filtering, content safety, and tool access control. AGT operates within the Microsoft trust boundary.
SWT3 witnesses: The InferenceRecord captures whether guardrails were active and whether they passed. This creates independent evidence that AGT governance was applied during agent execution. The evidence exists outside Microsoft's infrastructure.
Guardrail fields in the InferenceRecord (guardrailsActive, guardrailPassed) prove that AGT was running. Cross-reference with the AGT audit log for specific policy details. The SWT3 anchor provides the independent witness that the AGT audit log itself cannot.
| Examiner Question | Where to Look |
|---|---|
| What did the Foundry agent reason about? | AI-INF.1 anchors from execute(). Prompt hash = reasoning input, response hash = agent output. |
| Which tools did the agent invoke? | AI-TOOL.1 anchors from interceptToolCall(). Prompt hash format: {toolName}:{inputHash}. |
| Was AGT governance active? | guardrailsActive and guardrailPassed fields. Cross-reference with the AGT crosswalk for policy-level detail. |
| Can you prove agent identity? | AI-ID.1 in every anchor. Consistent agent ID hash + HMAC signature (Factor B = 1). |
| How many tool calls were in this reasoning step? | Count AI-TOOL.1 anchors between two consecutive AI-INF.1 anchors from the same agent. |
| Is this evidence independent of Microsoft? | Every SWT3 Witness Anchor is verifiable at sovereign.tenova.io/verify. Evidence exists outside Azure's trust boundary. |
Full SDK documentation: sovereign.tenova.io/docs
Create a free account: sovereign.tenova.io/signup