Audience: CISOs, AI RMF leads, critical infrastructure operators, federal agency AI governance teams, and third-party assessors evaluating AI risk management posture in sectors designated under Presidential Policy Directive 21 (PPD-21).
1. Overview
The NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1) provides voluntary guidance for managing risks across the AI lifecycle. The companion Profiles extend this framework to sector-specific contexts, including critical infrastructure where AI failures can have cascading effects on public safety, economic stability, and national security.
SWT3 is an open protocol that produces cryptographic witness anchors for AI system behavior. Each anchor records three factors per procedure, a clearing level, and a fingerprint. SWT3 does not enforce policy or make risk decisions. It creates the evidence layer that GOVERN, MAP, MEASURE, and MANAGE functions require.
2. Function-to-Procedure Mapping
| AI RMF Function | Category | SWT3 Procedure(s) | Coverage |
|---|---|---|---|
| GOVERN 1.1 | Legal and regulatory requirements | AI-GRD.1, AI-GRD.3, policy_version | Full |
| GOVERN 1.5 | Organizational risk tolerances | AI-GRD.1, AI-GRD.2, clearing_level | Partial |
| GOVERN 1.7 | AI lifecycle documentation | AI-INF.1, AI-MDL.1, AI-MDL.2, AI-CHR.1 | Full |
| GOVERN 2.1 | Roles and responsibilities | AI-ID.1, AI-ACC.1, agent_id | Full |
| MAP 1.1 | Intended purpose and context | jurisdiction, purpose_class, legal_basis | Full |
| MAP 1.5 | Benefits and costs | AI-INF.2, AI-ENV.1, AI-ENV.2 | Partial |
| MAP 2.3 | Data provenance | AI-DATA.1, AI-DATA.2, AI-RAG.1 | Full |
| MAP 3.5 | Data provenance documentation | AI-DATA.3, AI-DATA.4, AI-RAG.2 | Full |
| MAP 4.1 | Model lifecycle tracking | AI-MDL.1, AI-MDL.2, AI-MDL.5, AI-MDL.6, AI-MDL.7 | Full |
| MEASURE 2.5 | Continuous monitoring | AI-INF.1, AI-INF.2, AI-INF.3, AI-BASE.1 | Full |
| MEASURE 2.6 | Performance measurement | AI-INF.2, AI-FAIR.1, AI-FAIR.2, AI-FAIR.3 | Full |
| MEASURE 2.7 | Transparency | AI-EXPL.1, AI-EXPL.2, AI-MARK.1 | Full |
| MEASURE 4.1 | Third-party evaluation | AI-TRUST.1, AI-TRUST.2, AI-CHAIN.1 | Full |
| MANAGE 2.2 | Risk response | AI-REV.1, AI-SAFE.1, AI-VIO.1 | Full |
| MANAGE 4.1 | Incident response | AI-REV.1, AI-CHAIN.2, AI-VIO.1 | Full |
3. GOVERN: Governance and Accountability
Regulatory Compliance and Lifecycle Documentation
AI RMF requirement: Organizations document legal and regulatory requirements applicable to AI systems and maintain documentation throughout the AI lifecycle.
SWT3 evidence: Every inference produces an AI-INF.1 anchor (provenance hash), AI-MDL.1 (model identity), and AI-MDL.2 (version tracking). The policy_version field binds each anchor to a specific governance policy revision. The AI-CHR.1 (Agent Charter) procedure records the declared operating boundaries of autonomous agents.
Procedures: AI-INF.1, AI-MDL.1, AI-MDL.2, AI-GRD.1, AI-GRD.3, AI-CHR.1
Roles, Responsibilities, and Identity
AI RMF requirement: Roles and responsibilities for AI risk management are clearly defined and documented.
SWT3 evidence: The agent_id field (AI-ID.1) uniquely identifies each AI agent instance. AI-ACC.1 records access control decisions. AI-HITL.1/2 record human oversight involvement. All anchors carry CJT fields (jurisdiction, legal_basis, purpose_class) that survive all clearing levels.
Procedures: AI-ID.1, AI-ACC.1, AI-HITL.1, AI-HITL.2
4. MAP: Context and Measurement
Data Provenance and Documentation
AI RMF requirement: Scientific integrity and data provenance are maintained throughout the AI system lifecycle. Data sources, transformations, and quality measures are documented.
SWT3 evidence: AI-DATA.1 records training data provenance. AI-DATA.2 tracks data lineage. AI-RAG.1 witnesses context retrieval provenance (chunk hashes, corpus identity) and AI-RAG.2 records relevance scoring. AI-DATA.3/4 track data lifecycle events including PII handling.
Procedures: AI-DATA.1, AI-DATA.2, AI-DATA.3, AI-DATA.4, AI-RAG.1, AI-RAG.2
Model Lifecycle Tracking
AI RMF requirement: Risks related to third-party AI components and pre-trained models are identified and managed.
SWT3 evidence: AI-MDL.1 hashes model weights at inference time (drift detection). AI-MDL.5 records weight file integrity. AI-MDL.6 attests adapter stacks (LoRA, QLoRA). AI-MDL.7 records quantization method and precision. AI-SKILL.1 attests skill manifests. All hashes are computed locally and never leave the deployment boundary.
Procedures: AI-MDL.1, AI-MDL.2, AI-MDL.5, AI-MDL.6, AI-MDL.7, AI-SKILL.1
5. MEASURE: Metrics and Monitoring
Continuous Monitoring
AI RMF requirement: AI system performance is monitored regularly with appropriate metrics.
SWT3 evidence: AI-INF.1 records every inference with provenance hashing. AI-INF.2 tracks latency against configurable thresholds. AI-INF.3 aggregates inference volume. AI-BASE.1 establishes behavioral baselines and detects drift from expected agent behavior patterns. The Merkle accumulator produces daily rollup roots for tamper-evident audit trails.
Procedures: AI-INF.1, AI-INF.2, AI-INF.3, AI-BASE.1
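Why a daily rollup root makes the ledger tamper-evident, as an added example (not SWT3 code or its wire format): an auditor holding only the published root can check that one anchor belongs to that day, and any altered or reordered fingerprint changes the root. The leaf encoding, the 0x00/0x01 domain-separation prefixes, the odd-node promotion rule, and the sample fingerprints are all assumptions made for illustration.

```python
import hashlib

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(fingerprint_hex: str) -> bytes:
    # 0x00 prefix separates leaves from interior nodes (assumed scheme).
    return _h(b"\x00" + bytes.fromhex(fingerprint_hex))

def _next_level(level):
    # Pair adjacent nodes; an unpaired last node is promoted unchanged.
    out = [_h(b"\x01" + level[i] + level[i + 1])
           for i in range(0, len(level) - 1, 2)]
    if len(level) % 2:
        out.append(level[-1])
    return out

def rollup_root(fingerprints):
    """Root over one day's anchor fingerprints, in ledger order."""
    if not fingerprints:
        raise ValueError("no anchors to roll up")
    level = [leaf_hash(f) for f in fingerprints]
    while len(level) > 1:
        level = _next_level(level)
    return level[0].hex()

def inclusion_proof(fingerprints, index):
    """Sibling hashes needed to recompute the root from one anchor."""
    level, proof = [leaf_hash(f) for f in fingerprints], []
    while len(level) > 1:
        sibling = index ^ 1
        if sibling < len(level):  # a promoted node has no sibling here
            proof.append((level[sibling], sibling < index))
        level, index = _next_level(level), index // 2
    return proof

def verify_inclusion(fingerprint_hex, proof, expected_root):
    """Auditor side: needs only the anchor, the proof, and the root."""
    node = leaf_hash(fingerprint_hex)
    for sibling, sibling_is_left in proof:
        pair = sibling + node if sibling_is_left else node + sibling
        node = _h(b"\x01" + pair)
    return node.hex() == expected_root

# Constructed sample: five anchor fingerprints for one day.
DAY = [hashlib.sha256(f"constructed-anchor-{i}".encode()).hexdigest()
       for i in range(5)]
```
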
Fairness and Performance Measurement
AI RMF requirement: AI system trustworthiness characteristics are measured, including fairness, bias, and performance across demographic groups.
SWT3 evidence: AI-FAIR.1 records demographic parity metrics. AI-FAIR.2 tracks equalized odds. AI-FAIR.3 records disparate impact ratios. AI-EXPL.1/2 record explainability and confidence scoring. All fairness anchors survive clearing levels 0-2, with identifiers removed at level 3.
Procedures: AI-FAIR.1, AI-FAIR.2, AI-FAIR.3, AI-EXPL.1, AI-EXPL.2
Transparency and Content Provenance
AI RMF requirement: AI system outputs are transparent and traceable. AI-generated content is identifiable.
SWT3 evidence: AI-MARK.1 witnesses content provenance marking, recording when AI-generated content is labelled with C2PA manifests, watermarks, or metadata tags. AI-EXPL.1 records model explanations. AI-EXPL.2 tracks confidence scoring. The clearing protocol ensures that transparency evidence is available to auditors while protecting sensitive inference details.
Procedures: AI-MARK.1, AI-EXPL.1, AI-EXPL.2
6. MANAGE: Response and Remediation
Risk Response and Incident Management
AI RMF requirement: Mechanisms exist to respond to AI risks, including incident response, model recall, and safe shutdown.
SWT3 evidence: AI-REV.1 mints revocation anchors with 7 reason codes (model_recall, policy_violation, data_contamination, consent_withdrawal, regulatory_order, error_correction, unspecified). AI-SAFE.1 records safe-state transitions. AI-VIO.1 records policy violations with category codes. AI-CHAIN.2 records trust degradation across multi-agent chains.
Procedures: AI-REV.1, AI-SAFE.1, AI-VIO.1, AI-CHAIN.2
7. Critical Infrastructure Considerations
Resilience and Availability
Critical infrastructure demands continuous operation. SWT3 operates in the evidence path, not the inference path. A witness failure does not degrade AI system availability. The Write-Ahead Log (WAL) buffers anchors during network interruptions and replays them when connectivity is restored. Air-gapped deployments use .pulse bundles for offline evidence transfer.
Supply Chain Integrity
AI supply chain risks are amplified in critical infrastructure (CI) sectors. AI-MDL.5 hashes model weight files. AI-SKILL.1 attests skill manifests (with SKILLCARD.yaml ingestion for declarative config). AI-MDL.6 records adapter stacks. The Trust Mesh protocol (AI-TRUST.1/2) enables bilateral identity verification between agents before data exchange.
Multi-Jurisdiction Operation
Critical infrastructure often spans regulatory boundaries. SWT3 CJT fields (jurisdiction, legal_basis, purpose_class) are embedded in every anchor and survive all clearing levels. A single agent operating across US, EU, and APAC jurisdictions produces a complete per-inference regulatory audit trail.
Hardware Attestation
AI-HW.1 records GPU topology and accelerator inventory. AI-HW.3 attests TPM 2.0 platform integrity (PCRs 0-7). The hardware.runtime_profile in .swt3.yaml binds expected topology constraints at config time. All hardware identifiers are SHA-256 hashed before transmission.
8. Assessor Quick Reference
| When the assessor asks... | Where to look |
|---|---|
| "How do you document AI system provenance?" | AI-INF.1 anchors in the witness ledger. Each inference has a SHA-256 fingerprint, model identity, and timestamp. |
| "How do you track model changes?" | AI-MDL.1 (weight integrity), AI-MDL.2 (version), AI-MDL.5/6/7 (weights, adapters, quantization). Model drift detection via consecutive anchor comparison. |
| "How do you monitor fairness?" | AI-FAIR.1/2/3 anchors record demographic parity, equalized odds, and disparate impact. Historical trend via posture API. |
| "How do you handle AI incidents?" | AI-REV.1 (revocation with reason code), AI-SAFE.1 (safe state), AI-VIO.1 (policy violation record). Revocation status visible at /verify. |
| "How do you ensure data provenance in RAG?" | AI-RAG.1 (chunk hashes, corpus identity), AI-RAG.2 (relevance scoring). Content is never transmitted; only SHA-256 hashes leave the deployment. |
| "How do you verify agent identity?" | AI-ID.1 (agent_id on every anchor), AI-TRUST.1/2 (bilateral trust verification), AI-CHAIN.1/2 (chain handoff witnessing). |
| "How do you handle AI-generated content marking?" | AI-MARK.1 records content provenance marking (C2PA, watermark, metadata tag). Content type code and standard identifier recorded per anchor. |
| "How do you detect agent behavioral drift?" | AI-BASE.1 establishes behavioral baselines and monitors drift score against configurable thresholds. Four modes: establishing, monitoring, drift_detected, baseline_reset. |
9. Document Lineage
SWT3 Protocol:
- SWT3 AI Witness SDK Documentation
- SWT3 Clearing Protocol Addendum
- Factor Handoff Protocol v1.0.0
- Public Anchor Verification
Regulatory Sources:
- NIST AI 100-1: AI Risk Management Framework 1.0 (January 2023)
- NIST AI 600-1: AI RMF Generative AI Profile (July 2024)
- NIST SP 800-53 Rev. 5: Security and Privacy Controls
- Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience
- Executive Order 14110: Safe, Secure, and Trustworthy AI (October 2023)
Related Overlays: