Snowflake governs AI workloads inside its trust boundary. SWT3 provides the independent witness evidence that auditors need from outside it.
Who this is for: Snowflake architects and data engineers building Cortex AI pipelines, compliance officers (especially SR 11-7 financial services), security teams evaluating Horizon Catalog governance, and auditors assessing AI model risk on Snowflake infrastructure.
Snowflake Cortex AI is live. A $200M OpenAI partnership was announced in 2026. Horizon Catalog centralizes governance across data, models, and agents. Agent Identity, Data Movement Policies, and Trust Center exfiltration detection are generally available.
LLM reasoning directly on governed data within Snowflake. Cortex functions bring inference capabilities (summarization, classification, extraction, embedding) to SQL queries without moving data outside Snowflake. The $200M OpenAI partnership integrates frontier models into the Cortex pipeline.
A universal AI catalog that centralizes governance, context, and security across the enterprise. Horizon Context ensures that every person, tool, and AI agent operates from the same trusted business definitions. Models, datasets, and agents are cataloged with lineage and access policies.
Every agent action is logged and tagged in a complete audit trail. Agent Identity maintains provenance for every operation an AI agent performs within Snowflake, tied to the agent's identity and the data it accessed.
Policies that block data from leaving Snowflake. They are combined with Trust Center exfiltration detection, which flags agents pulling unusual volumes of sensitive data in real time. Row-level security and dynamic masking apply to both human users and AI agents.
Pre-built query patterns designed for Snowflake's governance framework. Tasks like access audits and compliance checks can be executed without deep SQL expertise. Cortex Code generates governed queries that respect all active policies.
Native VECTOR data type with Cortex Search for managed hybrid retrieval pipelines. Embeddings stored alongside business data in a single governed platform.
Snowflake's governance features are comprehensive within Snowflake's trust boundary. Horizon Catalog, Agent Identity, Data Movement Policies, and query history audit all operate inside the same infrastructure that hosts the data and executes the AI workloads.
Regulators, auditors, and counterparties need evidence from outside that trust boundary. An organization cannot audit itself. SWT3 provides the independent third-party attestation that sits outside Snowflake's infrastructure.
| Snowflake Feature | Internal Governance (Inside Snowflake) | SWT3 Independent Witness (Outside Snowflake) |
|---|---|---|
| Cortex AI Inference | Model invocation logged in query history | Inference provenance anchored with model, provider, and clearing level |
| Agent Identity | Agent actions tagged and logged within Snowflake | Agent identity cryptographically bound to each attestation via HMAC-SHA256 |
| Horizon Catalog | Model registry, lineage, access policies | Approved model registry verification, model weight integrity attestation |
| Data Movement Policies | Block data from leaving Snowflake | Data lineage and guardrail enforcement independently witnessed |
| Trust Center | Exfiltration detection flags unusual agent behavior | Security posture and guardrail bypass detection with independent evidence |
| Vector Search / RAG | Embeddings stored alongside governed business data | Retrieval provenance with chunk count, corpus integrity, similarity scores |
| Query History | Full audit trail of every Cortex call | Independent audit log integrity hash with RFC 3161 external timestamps |
| Row-Level Security | Data masking and access control within Snowflake | Data minimization and consent record witnessing |
| Snowflake Feature | SWT3 Procedure | What It Witnesses | Evidence Produced |
|---|---|---|---|
| Cortex AI Inference | AI-INF.1 | Inference provenance | Factor A: model identifier, Factor B: provider, Factor C: clearing level |
| | AI-INF.2 | Inference latency measurement | Factor A: latency ms, Factor B: token count, Factor C: throughput |
| Agent Identity | AI-ID.1 | Agent identity assertion | Factor A: agent ID hash, Factor B: signature present (1/0), Factor C: reserved |
| Horizon Catalog | AI-GOV.3 | Approved model registry | Factor A: model identifier, Factor B: approval status, Factor C: registry version |
| | AI-MDL.1 | Model weight integrity | Factor A: model identifier, Factor B: weight hash, Factor C: version |
| Data Movement Policies | AI-DATA.1 | Data lineage attestation | Factor A: source hash, Factor B: destination hash, Factor C: classification |
| | AI-GRD.1 | Guardrail enforcement | Factor A: guardrail ID, Factor B: action taken, Factor C: severity |
| Trust Center | AI-SEC.1 | Security posture attestation | Factor A: posture score, Factor B: findings count, Factor C: critical count |
| | AI-GRD.2 | Guardrail bypass detection | Factor A: bypass method, Factor B: detection confidence, Factor C: blocked (1/0) |
| Vector Search / RAG | AI-RAG.1 | Context retrieval provenance | Factor A: chunks retrieved, Factor B: corpus hash present, Factor C: average similarity |
| | AI-RAG.2 | Retrieval relevance scoring | Factor A: relevance method, Factor B: threshold, Factor C: pass/fail |
| Query History Audit | AI-AUDIT.1 | Audit log integrity | Factor A: entries checked, Factor B: integrity verified (1/0), Factor C: log format |
| | AI-LOG.1 | Logging pipeline attestation | Factor A: log destination, Factor B: pipeline hash, Factor C: rotation policy |
| Row-Level Security | AI-DATA.3 | Data minimization verification | Factor A: fields requested, Factor B: fields returned, Factor C: minimization ratio |
| | AI-CONSENT.1 | Consent record witnessing | Factor A: consent type, Factor B: scope, Factor C: expiration |
| Cortex Code Skills | AI-TOOL.1 | Tool call witnessing | Factor A: tool name hash, Factor B: arguments hash, Factor C: outcome |
Snowflake does: Cortex AI logs every model invocation in Snowflake's query history. The OpenAI partnership models, Snowflake-hosted models, and custom fine-tuned models are all tracked within the platform.
SWT3 independently witnesses: Every inference call wrapped by the SDK produces a Witness Anchor recording the model identifier, provider, and clearing level. This creates an independent timeline of which models produced which outputs, verifiable outside Snowflake.
AI-INF.1 anchors provide a complete inference history independent of Snowflake's query log. Factor A (model) identifies which Cortex model was invoked. Factor B (provider) distinguishes between OpenAI partnership models, Snowflake native models, and custom deployments. Compare anchor timestamps against Snowflake query history for cross-validation.
Snowflake does: Agent Identity logs and tags every action an agent takes within Snowflake. The audit trail is tied to the agent's Snowflake identity and the data it accessed.
SWT3 independently witnesses: The agent's identity is captured as a SHA-256 hash and optionally signed with HMAC-SHA256 in every witness call. This creates a cryptographic identity chain that exists outside Snowflake's identity management system.
AI-ID.1 anchors with Factor B = 1 (signed) prove cryptographic identity binding. The agent ID hash in Factor A should be consistent across all anchors from the same Snowflake agent. Compare the SWT3 identity chain against Snowflake's Agent Identity logs. Discrepancies indicate identity spoofing or misconfiguration.
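The cross-check described above, sketched as an added example (it is not SWT3 SDK code and not part of the original page). The record layout, the `|`-joined message format, the key, and the agent names are assumptions constructed for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; a real key would come from a secret store

def agent_hash(agent_id: str) -> str:
    """SHA-256 of the agent identifier (the value the page calls Factor A)."""
    return hashlib.sha256(agent_id.encode()).hexdigest()

def sign(id_hash: str, payload: str, key: bytes) -> str:
    """HMAC-SHA256 over the agent hash and the witnessed payload."""
    return hmac.new(key, f"{id_hash}|{payload}".encode(), hashlib.sha256).hexdigest()

def make_anchor(agent_id: str, payload: str, key: bytes = KEY, signed: bool = True) -> dict:
    """Build a record in the assumed layout; factor_b is 1 when a signature is present."""
    h = agent_hash(agent_id)
    return {"factor_a": h, "factor_b": int(signed), "payload": payload,
            "sig": sign(h, payload, key) if signed else None}

def review(anchors, platform_agents, key: bytes = KEY):
    """Return (index, finding) for every anchor that fails an identity check."""
    known = {agent_hash(a) for a in platform_agents}
    findings = []
    for i, a in enumerate(anchors):
        if a["factor_b"] != 1 or not a["sig"]:
            findings.append((i, "unsigned"))
        elif not hmac.compare_digest(a["sig"], sign(a["factor_a"], a["payload"], key)):
            findings.append((i, "bad-signature"))
        elif a["factor_a"] not in known:
            findings.append((i, "unknown-agent"))
    return findings

# Constructed sample: one good anchor, one unsigned, one signed with the
# wrong key, and one from an agent the platform log does not list.
ANCHORS = [
    make_anchor("cortex-agent-01", "inference:1"),
    make_anchor("cortex-agent-01", "inference:2", signed=False),
    make_anchor("cortex-agent-01", "inference:3", key=b"wrong-key"),
    make_anchor("rogue-agent", "inference:4"),
]
PLATFORM_AGENTS = ["cortex-agent-01"]  # stands in for the platform's agent log

if __name__ == "__main__":
    for idx, finding in review(ANCHORS, PLATFORM_AGENTS):
        print(idx, finding)
```

Because the HMAC covers the payload as well as the agent hash, editing a witnessed record after the fact also surfaces as `bad-signature`.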
Snowflake does: Data Movement Policies block data from leaving the Snowflake environment. Horizon Catalog tracks data lineage and classification within the platform.
SWT3 independently witnesses: The witness_data_lineage() call captures a hash of the data source, a hash of the destination, and the data classification level. This creates an independent record of data flow that proves lineage was tracked at the point of AI inference.
AI-DATA.1 anchors prove that data lineage was captured during inference. Factor C (classification) should match Snowflake's data classification tags. For GDPR or SR 11-7 compliance, the lineage chain from AI-DATA.1 anchors demonstrates that data provenance was maintained throughout the AI pipeline.
Snowflake does: Guardrails provide runtime protections against prompt injection and misuse. Trust Center monitors for anomalous agent behavior including data exfiltration attempts.
SWT3 independently witnesses: The witness_guardrail() call captures the guardrail identifier, the action taken (blocked, warned, allowed), and the severity level. This creates independent evidence that guardrails were active and enforced during AI operations.
AI-GRD.1 anchors prove guardrails were active. Factor B (action taken) documents whether the guardrail blocked, warned, or allowed the operation. AI-GRD.2 anchors specifically document bypass attempts, with Factor C indicating whether the bypass was successfully blocked.
Snowflake does: Cortex Search provides managed hybrid retrieval pipelines. Vectors are stored alongside business data with unified governance. Row-level security and dynamic masking apply to retrieved context.
SWT3 independently witnesses: The witness_rag_context() call records how many chunks were retrieved, whether corpus integrity was verified, and the average similarity score. This creates an independent record of what data influenced the AI's reasoning.
AI-RAG.1 anchors quantify the retrieval operation. Factor A (chunks retrieved) shows the volume of context that influenced the output. Factor B (corpus hash present) proves the data source was verified. Factor C (similarity) indicates retrieval quality. For regulated decisions, this evidence proves which governed data informed the AI's response.
Snowflake does: Query history provides a full audit trail for every Cortex call and agent action. Snowflake's audit trail is wired into the platform's query history.
SWT3 independently witnesses: The witness_audit() call computes an integrity hash of the audit log and records whether verification passed. Combined with RFC 3161 external timestamps (AI-AUDIT.2) and daily Merkle rollups, this creates a tamper-evident evidence chain independent of Snowflake's infrastructure.
AI-AUDIT.1 anchors with Factor B = 1 prove audit log integrity at specific timestamps. The SWT3 evidence chain (anchor + Merkle rollup + RFC 3161 timestamp) provides three independent layers of tamper evidence outside Snowflake's trust boundary.
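How a Merkle rollup lets a verifier confirm that one audit entry belongs to a published root, as an added example (not SWT3's own construction or code from the original page). The leaf and node prefixes, the odd-node promotion rule, and the log lines are assumptions constructed for illustration; the RFC 3161 timestamp over the root is not modelled.

```python
import hashlib

def leaf(entry: bytes) -> bytes:
    """Leaf hash, domain-separated from interior nodes (assumed convention)."""
    return hashlib.sha256(b"\x00" + entry).digest()

def node(left: bytes, right: bytes) -> bytes:
    """Interior node hash."""
    return hashlib.sha256(b"\x01" + left + right).digest()

def _next_level(level):
    nxt = [node(level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
    if len(level) % 2:
        nxt.append(level[-1])  # promote the unpaired node rather than duplicating it
    return nxt

def merkle_root(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]

def inclusion_proof(leaves, index):
    """Sibling hashes from leaf to root as (hash, sibling_is_left) pairs."""
    proof, level = [], list(leaves)
    while len(level) > 1:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < index))
        level, index = _next_level(level), index // 2
    return proof

def verify(entry: bytes, proof, root: bytes) -> bool:
    """Recompute the root from one entry and its proof."""
    acc = leaf(entry)
    for sibling, sibling_is_left in proof:
        acc = node(sibling, acc) if sibling_is_left else node(acc, sibling)
    return acc == root

# Constructed audit-log lines standing in for one day's entries.
LOG = [f"2026-01-01T00:0{i}:00Z CORTEX_CALL id={i}".encode() for i in range(5)]
LEAVES = [leaf(e) for e in LOG]
ROOT = merkle_root(LEAVES)

if __name__ == "__main__":
    print(verify(LOG[2], inclusion_proof(LEAVES, 2), ROOT))
```

The verifier needs only the entry, the proof, and the root, so the check can run without access to the rest of the log or to the platform that produced it.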
Snowflake is the dominant data warehouse in financial services. SR 11-7 (Supervisory Guidance on Model Risk Management) requires that model validation evidence be independent of the model development and execution environment. Snowflake's internal governance satisfies operational controls, but SR 11-7 examiners expect evidence from outside the platform.
SWT3 provides the independent evidence layer that SR 11-7 requires:
| SR 11-7 Requirement | Snowflake Feature | SWT3 Independent Evidence |
|---|---|---|
| Model Inventory | Horizon Catalog model registry | AI-GOV.3 anchors prove which models are approved and their registry versions |
| Model Validation | Cortex AI model performance metrics | AI-DRIFT.1 + AI-PERF.1 anchors track model drift and performance independently |
| Ongoing Monitoring | Query history + Agent Identity logs | AI-INF.1 + AI-INF.2 anchors provide continuous inference provenance |
| Outcome Analysis | Snowflake analytics on model outputs | AI-FAIR.1 + AI-EXPL.1 anchors prove bias measurement and explanation generation |
| Audit Trail Independence | Snowflake query history (internal) | AI-AUDIT.1 + AI-AUDIT.2 + Merkle rollups (external, verifiable at /verify) |
| Data Governance | Row-level security, dynamic masking | AI-DATA.1 + AI-DATA.3 anchors prove data lineage and minimization |
For a detailed SR 11-7 crosswalk, see the SR 11-7 Overlay Guide.
| Examiner Question | Where to Look |
|---|---|
| Which Cortex models are running inference on our data? | AI-INF.1 anchors. Factor A = model identifier, Factor B = provider (OpenAI partnership vs. Snowflake native vs. custom). |
| Can you prove agent identity across this Snowflake pipeline? | AI-ID.1 anchors with Factor B = 1 (HMAC signed). Cross-reference with Snowflake Agent Identity logs. |
| What data influenced this AI decision? | AI-RAG.1 anchors. Factor A = chunks retrieved, Factor C = similarity scores. AI-DATA.1 for lineage. |
| Are guardrails active and enforced? | AI-GRD.1 (enforcement) and AI-GRD.2 (bypass detection) anchors. Factor B documents the action taken. |
| Do you have evidence independent of Snowflake? | Every SWT3 anchor is verifiable at sovereign.tenova.io/verify. Merkle proofs and RFC 3161 timestamps exist outside Snowflake's trust boundary. |
| How do you satisfy SR 11-7 model validation independence? | SWT3 anchors provide model risk evidence from outside Snowflake's execution environment. See Section 5 and the SR 11-7 Overlay Guide. |
| Is the Snowflake audit trail intact? | AI-AUDIT.1 anchors with Factor B = 1. AI-AUDIT.2 for RFC 3161 external timestamps. SWT3 Merkle rollup for inclusion proof. |
Full SDK documentation: sovereign.tenova.io/docs