SWT3 - Sovereign Witness Protocol for AI
Don't audit the agent's thoughts. Audit the agent's actions.
The Problem
AI agents are making production decisions: approving loans, triaging patients, managing infrastructure, writing code. In 2026, 65% of firms reported AI agent security incidents. Only 14.4% of agents go live with full security approval. When something goes wrong, there is no tamper-proof audit trail. Logs are mutable. Metrics are averaged. Nobody can prove what the agent actually did.
GPAI transparency obligations are enforceable now. EU AI Act high-risk enforcement begins December 2, 2027. NIST AI RMF, SR 11-7, and CMMC impose similar obligations. 72% of enterprises believe they have AI governance but lack actual control. Most teams have nothing but dashboards and hope.
The Protocol
SWT3 (Sovereign Witness Traceability) is a deterministic witness protocol for AI systems. It intercepts AI actions, hashes the evidence, and anchors cryptographic proof to an immutable ledger. Your code gets the full response. The auditor gets tamper-proof evidence. Raw prompts and responses never leave your infrastructure.
- Deterministic, not probabilistic. The witness engine uses fixed logic, not AI, to evaluate compliance.
- Zero data retention. Configurable clearing levels strip sensitive content before it leaves your environment.
- Framework-mapped. Every anchor maps to EU AI Act articles, NIST AI RMF functions, and federal controls.
Try It (10 Seconds, No Account)
Python
pip install swt3-ai
python -m swt3_ai.demoTypeScript
npm install @tenova/swt3-ai
npx swt3-demoNo API keys. No account. No network calls. You will see the full witnessing pipeline run locally.
Three Lines to Production
from swt3_ai import Witness
from openai import OpenAI
witness = Witness(endpoint="https://sovereign.tenova.io", api_key="axm_live_...", tenant_id="YOUR_TENANT")
client = witness.wrap(OpenAI())
# Every inference is now witnessed. Your code does not change.
response = client.chat.completions.create(
model="gpt-4o",
messages=[{"role": "user", "content": "Summarize this contract"}],
)Works with OpenAI, Anthropic, AWS Bedrock, Vercel AI SDK, LangChain, LiteLLM (100+ providers), and any OpenAI-compatible endpoint (vLLM, Ollama, Azure OpenAI).
What Gets Witnessed
Each inference produces anchors across 40 AI procedures spanning 20 domains:
| Procedure | Domain | What It Proves | Regulatory Mapping |
|---|---|---|---|
| AI-INF.1 | Inference | Prompt and response captured (provenance) | EU AI Act Art. 12 |
| AI-INF.2 | Inference | Latency within threshold (detects model swaps) | NIST AI RMF MEASURE 2.6 |
| AI-MDL.1 | Model | Deployed model matches approved hash (integrity) | EU AI Act Art. 9 |
| AI-MDL.2 | Model | Model version identifier recorded (tracking) | EU AI Act Art. 72 |
| AI-MDL.5 | Model | Weight file SHA-256 verified (tamper detection) | EU AI Act Art. 15(4) |
| AI-MDL.6 | Model | LoRA/PEFT adapter stack attested | EU AI Act Art. 12(2)(b) |
| AI-MDL.7 | Model | Quantization method recorded | EU AI Act Art. 15(3) |
| AI-GRD.1 | Guardrail | Required safety filters were active (enforcement) | NIST AI RMF GOVERN 1.5 |
| AI-GRD.2 | Safety | No content filter or refusal triggered | EU AI Act Art. 14 |
| AI-GRD.3 | Gatekeeper | Pre-call guardrail gate enforced | EU AI Act Art. 9(2) |
| AI-RAG.1 | Retrieval | RAG context chunks and corpus attested | EU AI Act Art. 12(2)(a) |
| AI-RAG.2 | Retrieval | Retrieval relevance scoring verified | EU AI Act Art. 10(2) |
| AI-TOOL.1 | Tool Use | Agent tool/function call recorded (latency, success) | NIST AI RMF MANAGE 4.1 |
| AI-ID.1 | Identity | Witness instance identity attested (agent accountability) | EU AI Act Art. 13 |
| AI-ACC.1 | Access | Resource access granted or denied with scope | EU AI Act Art. 9(4)(c) |
| AI-REV.1 | Revocation | Previously-issued anchor revoked with reason | EU AI Act Art. 12(3) |
| AI-SEC.1 | Security | Adversarial threat detection performed | EU AI Act Art. 15(4) |
| AI-SEC.2 | Security | Input validated and sanitized before inference | EU AI Act Art. 15(3) |
| AI-SKILL.1 | Skills | Loaded skill/tool/plugin manifest attested | EU AI Act Art. 12(2)(b) |
| AI-SKILL.2 | Memory | Active memory sources bound to decision | EU AI Act Art. 12(2)(a) |
| AI-SKILL.3 | Alignment | RLHF/DPO reward model binding recorded | EU AI Act Art. 9(4)(a) |
| AI-CHAIN.1 | Chain | Multi-agent handoff witnessed with cycle tracking | EU AI Act Art. 12(2)(a) |
| AI-VIO.1 | Violation | Policy violation detected during inference | EU AI Act Art. 9(4)(a) |
| AI-CHR.1 | Charter | Agent charter/system prompt hash attested | EU AI Act Art. 13 |
| AI-MDL.8 | Model | Model verified against approved registry | EU AI Act Art. 51 |
| AI-HITL.3 | Oversight | Reviewer identity bound to human review | EU AI Act Art. 12(3)(d) |
| AI-SAFE.1 | Safety | Stop mechanism tested, safe state confirmed | EU AI Act Art. 14(4)(e) |
| AI-HW.1 | Hardware | GPU/accelerator inventory attested at startup | EU AI Act Art. 15(4) |
| AI-TRUST.1 | Trust | Mutual compliance trust verified between agents | EU AI Act Art. 9(4)(c) |
| AI-TRUST.2 | Trust | Trust handshake details recorded | EU AI Act Art. 12(2)(a) |
Plus 9 additional procedures covering fairness, explainability, training data, and bias measurement. See the full procedure registry.
View an Anchor
A Level 1 anchor for AI-INF.1 (Inference Provenance). This is what reaches the witness ledger. No prompts, no responses, just cryptographic proof.
{
"procedure_id": "AI-INF.1",
"factor_a": 1,
"factor_b": 1,
"factor_c": 0,
"clearing_level": 1,
"anchor_fingerprint": "c059eb5938c0",
"anchor_epoch": 1774800000,
"fingerprint_timestamp_ms": 1774800000000,
"ai_prompt_hash": "315f5bdb76d078c4",
"ai_response_hash": "a1b2c3d4e5f60718",
"ai_latency_ms": 842,
"ai_model_id": "gpt-4o",
"ai_context": {
"provider": "openai",
"guardrails": ["content-filter", "pii-redaction"]
}
}The anchor_fingerprint is computed from SHA256("WITNESS:{tenant}:{procedure}:{fa}:{fb}:{fc}:{ts}"). Anyone with the factors can independently verify the math. Trust is a vulnerability. Math is the remedy.
Clearing Levels
The clearing engine controls what leaves your infrastructure. Your code always gets the full response. Clearing only affects what reaches the witness ledger.
| Level | Name | On the Wire | Use Case |
|---|---|---|---|
| 0 | Analytics | Hashes + factors + model + provider + guardrails | Internal analytics |
| 1 | Standard | Hashes + factors + model + provider | Default. Production apps |
| 2 | Sensitive | Hashes + factors + model only | Healthcare, legal, PII workloads |
| 3 | Classified | Numeric factors only. Model ID hashed. | Defense, air-gapped environments |
At Level 1+, raw prompts and responses never leave your infrastructure.
SDKs
| Language | Package | Install |
|---|---|---|
| Python | swt3-ai |
pip install swt3-ai |
| TypeScript | @tenova/swt3-ai |
npm install @tenova/swt3-ai |
| Rust | swt3-ai |
cargo add swt3-ai |
| C# | swt3-ai |
dotnet add package swt3-ai |
| Ruby | swt3-ai |
gem install swt3-ai |
| MCP Server | @tenova/swt3-mcp |
npx @tenova/swt3-mcp |
Both SDKs produce identical SWT3 fingerprints. 21 cross-language test vectors validated at build time.
Get Started
- Create a free account - instant API key, no credit card
-
pip install swt3-aiornpm install @tenova/swt3-ai - Wrap your AI client. Every inference is witnessed.
Regulatory Coverage
| Framework | Coverage |
|---|---|
| EU AI Act | Articles 9, 10, 12, 13, 14, 15, 50, 51, 53, 72 |
| NIST AI RMF | GOVERN, MAP, MEASURE, MANAGE (10 subcategories) |
| NIST 800-53 | SI-7, AU-2, AU-3, AC controls |
| CMMC v2.0 | Level 2 practice mappings |
| SR 11-7 | Model Risk Management (5 examination areas) |
| ISO 42001 | Annex A AI management controls |
Repository Structure
packages/swt3-ai/ Python SDK (PyPI: swt3-ai)
packages/swt3-ai-ts/ TypeScript SDK (npm: @tenova/swt3-ai)
packages/swt3-ai-rust/ Rust SDK (crates.io: swt3-ai)
packages/swt3-ai-dotnet/ C# SDK (NuGet: swt3-ai)
packages/swt3-ai-ruby/ Ruby SDK (RubyGems: swt3-ai)
packages/swt3-mcp/ MCP Server (npm: @tenova/swt3-mcp)
packages/libswt3/ Protocol reference implementation
config/ Control definitions and framework crosswalks
Compliance & Privacy
Your prompts and responses never leave your infrastructure. The SDK computes SHA-256 hashes locally and transmits only irreversible hashes and numeric factors to the witness ledger. At Clearing Level 3, even the model name is hashed.
- Data Flow and Privacy Architecture - Visual data boundary for legal and DPO review
- Clearing & Data Sovereignty Addendum - Shared responsibility, incident response SLA, regulatory applicability
- Air-Gap Deployment Guide - Zero-egress operation, sneakernet sync, offline verification
Documentation
- SDK Developer Docs - Quickstart, providers, clearing levels
- Factor Handoff Protocol - Secure factor custody transfer
- CMMC Compliance Overlay - Defense industrial base mappings
- SR 11-7 Compliance Overlay - Model risk management mappings
Contributing
See CONTRIBUTING.md for development setup and guidelines.
License
Apache 2.0. See LICENSE. Patent pending.
If you believe AI systems should prove they followed the rules, give us a star.
SWT3: Sovereign Witness Traceability. We don't run your models. We witness them.
TeNova - Defining the AI Accountability Standard.