Trace every agent-to-agent handoff in a multi-step workflow. Cycle ID threading, chain verification, trust degradation detection, and auditor-ready evidence reconstruction.
Who this is for: Platform engineers building multi-agent systems, compliance officers auditing autonomous workflows, and GRC architects who need to prove unbroken chain of custody across agent delegation boundaries.
Why this matters now. Multi-agent architectures are becoming standard in enterprise AI. A user request may traverse 5-15 agents before producing a result. EU AI Act Art. 12 requires record-keeping for high-risk AI systems. NIST AI RMF MANAGE 2.2 requires monitoring of AI system behavior in deployment. Without cryptographic chain evidence, the audit trail breaks at every agent-to-agent boundary.
Consider a typical enterprise workflow. A user asks a question. The system routes through a chain of specialized agents:
With traditional logging, each agent writes its own log. But the logs are not linked. If the Analytics Agent makes an unauthorized data access, the audit trail shows the access occurred -- but cannot trace whether the Manager Agent's routing logic was corrupted, whether the Data Fetcher passed contaminated context, or whether the Analytics Agent acted on its own.
The regulatory problem: EU AI Act Art. 12 requires that high-risk AI systems have "logging capabilities that enable the recording of events relevant to identifying risk." NIST AI RMF MANAGE 2.2 requires "mechanisms for tracking and responding to known and reasonably foreseeable AI risks." Neither obligation is satisfied by disconnected per-agent logs. Auditors need a single, verifiable chain of custody that spans the entire workflow.
The cycle_id is a UUID that links every witness anchor minted during a single multi-agent workflow. It is the thread that connects disconnected agent logs into a single auditable chain.
cycle_id (or receives one from the orchestrator)cycle_id in the anchor payloadcycle_id is passed along with the task contextcycle_idfrom swt3_ai import Witness
# Manager Agent starts the chain
manager = Witness(
tenant_id="ACME_CORP",
agent_id="manager-agent",
model="gpt-4o",
)
# Generate a cycle_id for the entire workflow
cycle_id = manager.start_cycle()
# Witness the routing decision
response = manager.witness(
prompt="Route this request to the appropriate agent",
response="Routing to data-fetcher-agent",
cycle_id=cycle_id,
)
# Hand off to the Data Fetcher with the same cycle_id
fetcher = Witness(
tenant_id="ACME_CORP",
agent_id="data-fetcher-agent",
model="gpt-4o",
)
# Witness the chain handoff
manager.witness_chain_handoff(
depth=1,
from_agent="manager-agent",
to_agent="data-fetcher-agent",
trust_level=2,
)
# Fetcher continues with the same cycle_id
fetcher_response = fetcher.witness(
prompt="Fetch quarterly revenue data",
response="Revenue: $4.2M",
cycle_id=cycle_id, # Same cycle_id threads through
)
import { Witness } from "@tenova/swt3-ai";
// Manager Agent starts the chain
const manager = new Witness({
tenantId: "ACME_CORP",
agentId: "manager-agent",
model: "gpt-4o",
});
// Generate a cycle_id
const cycleId = manager.startCycle();
// Witness and hand off
await manager.witness({
prompt: "Route this request",
response: "Routing to data-fetcher-agent",
cycleId,
});
// Record the chain handoff
manager.witnessChainHandoff(1, "manager-agent", "data-fetcher-agent", 2);
// Data Fetcher continues with the same cycleId
const fetcher = new Witness({
tenantId: "ACME_CORP",
agentId: "data-fetcher-agent",
model: "gpt-4o",
});
await fetcher.witness({
prompt: "Fetch quarterly revenue data",
response: "Revenue: $4.2M",
cycleId, // Same cycle threads through
});
For MCP-based agent architectures, two tools handle chain management:
start_chain -- generates a cycle_id UUID and stores it in the MCP session state. Idempotent: calling it twice returns the same ID.chain_handoff -- witnesses an AI-CHAIN.1 anchor recording the handoff from one agent to another, with the cycle_id embedded in the payload.The chain verifier validates that an agent's anchor chain is unbroken, unrevoked, and compliant with the deployment's density policy. It operates on a dual-path architecture:
| Path | Latency | Source | Use Case |
|---|---|---|---|
| Fast Path | Sub-millisecond | Redis in-memory index | Real-time gating during agent execution |
| Cold Path | 50-200ms | Authoritative ledger | Fallback when Redis misses; post-incident forensics |
The verifier tries the fast path first. If Redis has no entries for the agent or cycle, it falls back to the cold path. If neither returns anchors, the chain is invalid.
For each anchor in the chain, the verifier evaluates:
max_chain_gap_seconds of each other (default: 60 seconds). A gap indicates a period where the agent was operating without attestation.The verifier returns a structured result that auditors can directly reference:
valid: boolean -- did the chain pass all checks?anchorCount: total anchors in the chaingaps: array of temporal gaps exceeding the limit (fromEpoch, toEpoch, gapSeconds)revoked: array of revoked anchor fingerprints found in the chainpolicyViolations: array of density policy failures (rule, actual, required)source: "redis" (fast path) or "ledger" (cold path)When agents delegate to other agents, trust does not automatically propagate. A SOVEREIGN-level manager agent delegating to an unverified sub-agent creates a trust gap that could compromise the entire chain.
Every time Agent A hands work to Agent B, an AI-CHAIN.1 anchor is minted. This records:
The SDK tracks the effective trust level across the entire chain. This is the minimum trust level observed at any handoff point. When the effective trust drops below a configured threshold (chainMinTrustLevel), an AI-CHAIN.2 anchor is automatically minted:
AI-CHAIN.2 anchors are warning signals. They do not block execution (that is the deployment's policy decision), but they create immutable evidence that trust degraded during the chain. An auditor reviewing the chain can see exactly where trust dropped and whether the deployment's policy allowed the chain to continue.
For explicit multi-agent delegation (where Agent A grants specific permissions to Agent B), AI-MULTI.1 captures:
The observations field records the parent agent ID, child agent ID, and the specific tools delegated. This creates a complete record of who delegated what to whom, with what scope, and for how long.
The density policy engine enforces minimum attestation standards across agent chains. These policies are configurable per deployment and evaluated after chain verification.
| Rule | Default | What It Enforces |
|---|---|---|
min_anchors_per_1000_tokens | 1 | Minimum witness density relative to token output. A chain producing 10,000 tokens must have at least 10 anchors. |
required_providers | [] | All specified infrastructure providers must appear in the chain. Use this to enforce multi-cloud attestation. |
max_chain_gap_seconds | 60 | Maximum gap between consecutive anchors. Shorter gaps mean tighter attestation coverage. |
require_signing_key | false | Every anchor in the chain must have a payload signature. Prevents unsigned anchors from diluting chain integrity. |
min_trust_level | 1 | Floor trust level for all agents in the chain. Set to 2 (VERIFIED) or higher for regulated workloads. |
Density policies are loaded from environment variables (SWT3_DENSITY_POLICY), a policy file (SWT3_DENSITY_POLICY_FILE), or built-in defaults. Any violation results in tool execution denial and an AI-TRUST.1 FAIL anchor recording the violation.
This policy requires signed anchors every 30 seconds from VERIFIED or higher agents, with at least 2 anchors per 1,000 tokens generated. A 5-agent chain producing 8,000 tokens must produce at least 16 anchors to satisfy density requirements.
When an auditor or regulator requests evidence for a specific workflow, the entire chain can be reconstructed from a single cycle_id.
To satisfy EU AI Act Art. 12 record-keeping or NIST AI RMF MANAGE 2.2 monitoring requirements, export the following for each workflow:
cycle_id, sorted chronologicallyThis evidence package is independently verifiable. An auditor can recompute every anchor fingerprint, verify every signature, and validate the chain without access to the original agents, models, or infrastructure.
Minted every time one agent delegates work to another agent within a chain. Creates an immutable record of the handoff including delegation depth, policy compliance, and the receiving agent's trust level.
Filter the witness ledger by cycle_id and procedure AI-CHAIN.1. Each anchor represents one agent-to-agent handoff. Factor A shows delegation depth (1 = direct, 2+ = sub-delegation). Factor C shows the trust level of the receiving agent. If Factor B is 0, the handoff violated the deployment's trust policy but was allowed to proceed.
Automatically minted when the effective trust level across the chain drops below the configured minimum threshold. Serves as an early warning that the chain's trust integrity is degrading.
AI-CHAIN.2 anchors are warning signals, not failures. Factor A shows the previous effective trust level; Factor B shows the new level. If Factor B is below Factor C (the configured minimum), the chain continued operating below the trust floor. The absence of AI-CHAIN.2 anchors in a chain proves trust remained above the threshold throughout.
Minted when an agent explicitly delegates specific permissions to a child agent. Records the delegation depth, the number of permissions granted, and the time bound. The observations field captures the parent/child agent IDs and the specific tools delegated.
AI-MULTI.1 anchors prove that delegation was scoped and time-bounded. Factor B (permissions granted) should be minimal (principle of least privilege). Factor C (time bound) should be proportionate to the task. If the time bound is 0 (unlimited), the examiner should ask why. Cross-reference with AI-TOOL.1 anchors to verify the child agent only used the delegated tools.
The foundational anchor in every chain. Each inference call by each agent in the chain generates an AI-INF.1 anchor with the cycle_id linking it to the workflow. The density of AI-INF.1 anchors determines whether the chain meets attestation requirements.
Count AI-INF.1 anchors per cycle_id to verify attestation density. Factor A identifies the model used at each step. If different agents use different models, the chain shows which model processed which data. Gaps between AI-INF.1 anchors indicate periods without attestation coverage.
Minted at each agent-to-agent boundary when the receiving agent verifies the presenting agent's Trust Mesh credential. Records the verification outcome, trust level assigned, and number of checks performed.
AI-TRUST.1 anchors at each handoff boundary prove that trust was verified, not assumed. Factor A records checks performed. Factor B records checks passed. Factor C records the trust level assigned. If Factor B < Factor A, some checks failed but the interaction was allowed (the trust level assigned should reflect this).
| Examiner Question | Where to Look |
|---|---|
| Can you trace a decision back through all agents involved? | Query by cycle_id. All anchors in the chain share this UUID. Sort by epoch for chronological reconstruction. AI-CHAIN.1 anchors mark each handoff boundary. |
| How do you know trust was maintained across the chain? | AI-TRUST.1 anchors at each boundary. AI-CHAIN.2 anchors (or their absence) prove trust level stability. The effective trust level is the minimum of all handoff trust levels. |
| What happens if an agent in the middle of the chain is compromised? | AI-REV.1 revocation targets the compromised agent's anchors. Chain verification marks all subsequent anchors as tainted. Trust Mesh v1.1 revocation notification alerts all trusted counterparties. |
| How do you prevent unauthorized delegation? | AI-MULTI.1 anchors record delegated permissions and time bounds. Density policy min_trust_level prevents untrusted agents from participating. Tool policy toolAllowlist restricts what delegated agents can invoke. |
| Is there a gap in the audit trail? | Chain verification reports gaps exceeding max_chain_gap_seconds. Each gap includes fromEpoch and toEpoch. Gaps represent periods where agents operated without attestation coverage. |
| How many agents touched this data? | Count unique agent_id values across anchors sharing the cycle_id. AI-CHAIN.1 anchors show the handoff sequence. AI-MULTI.1 observations show parent-child relationships. |
| Does this chain meet your attestation density requirements? | Chain verification evaluates the density policy. min_anchors_per_1000_tokens ensures proportionate attestation. Policy violations are returned as structured objects with the rule name, actual value, and required value. |