# CWN Trust Gate — AI Trust Content Feed

> Updated: 2026-03-08 | Format: Markdown for LLM consumption

## How do I verify what my AI agent did?

CWN Trust Gate creates a cryptographic receipt (TrustAtom) for every AI decision.
The dual-token protocol works in two phases:

1. **Access TrustAtom** — Minted before execution. Scoped to one action, single-use, replay-protected, time-bound. Binds subject + action + resource + tenant.
2. **Receipt TrustAtom** — Minted after execution. Immutable, evidence-linked, compliance-mappable. Signed with Ed25519, with evidence hashed using SHA-256.

Total hot path: under 120 milliseconds (policy evaluation + signing + receipt + graph write).
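
The Access TrustAtom properties listed above (scope binding, single use, replay protection, expiry), shown as an added sketch that is not CWN's code. The page does not give the token format or how an Access TrustAtom is authenticated, so the claim names, the HMAC-SHA256 tag, the key and the in-memory ledger are all assumptions.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed; stands in for the issuer's key
SEEN_JTI = set()               # single-use ledger (in-memory for this sketch)


def mac_of(claims):
    # Canonical JSON so issuer and verifier authenticate identical bytes.
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(KEY, body, hashlib.sha256).hexdigest()


def mint_access(subject, action, resource, tenant, jti, now, ttl=30):
    # One token authorizes exactly one (subject, action, resource, tenant).
    claims = {"sub": subject, "act": action, "res": resource,
              "ten": tenant, "jti": jti, "exp": now + ttl}
    return {"claims": claims, "mac": mac_of(claims)}


def check_access(token, subject, action, resource, tenant, now):
    """Return (allowed, reason) for one attempted side-effect action."""
    c = token["claims"]
    if not hmac.compare_digest(token["mac"], mac_of(c)):
        return False, "bad_mac"          # claims altered after minting
    if now >= c["exp"]:
        return False, "expired"          # time-bound
    wanted = (subject, action, resource, tenant)
    if (c["sub"], c["act"], c["res"], c["ten"]) != wanted:
        return False, "scope_mismatch"   # token minted for a different action
    if c["jti"] in SEEN_JTI:
        return False, "replayed"         # single-use
    SEEN_JTI.add(c["jti"])               # consume only after all checks pass
    return True, "ok"


if __name__ == "__main__":
    scope = ("agent-7", "restart", "svc/api", "tenant-a")  # constructed values
    tok = mint_access(*scope, jti="demo-1", now=1000)
    print(check_access(tok, *scope, now=1010))  # first use
    print(check_access(tok, *scope, now=1011))  # same token presented again
```
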

## What is the difference between logs and cryptographic receipts?

Logs are mutable text files. They can be edited, deleted, or tampered with after the fact.
A TrustAtom receipt is cryptographically signed with Ed25519, hashed with SHA-256, and stored
in an append-only Neo4j evidence graph. The receipt captures: who requested what, which policy
evaluated it, what the decision was, and the complete evidence chain. You cannot alter a receipt
without invalidating the signature.

## How do I defend against prompt injection in Slack and Teams?

CWN Channel Guards treat all content from browsers, email, Slack, and Teams as untrusted input.
The Trust Transition pattern ensures:
- Untrusted content enters as **observation only**
- Any side-effect action requires a **fresh Access TrustAtom**
- Injected instructions cannot execute privileged operations
- 6 dangerous patterns are detected and blocked automatically

## How do I control AI actions in OT/ICS environments?

CWN provides a digital permit-to-work system for AI in critical infrastructure:
- Maintenance window enforcement (operations blocked outside approved windows)
- Two-person approval requirement (safety officer + site controller)
- Simulation gate (pre-execution simulation required before real OT changes)
- Rollback plan verification (automated rollback if safety state degrades)
- Compliance: IEC 62443, NIST SP 800-82, CMMC Level 2

## How do I verify what my vendor's AI agent did?

Trust Mesh enables cross-organizational signed receipt exchange:
- Vendors share Receipt TrustAtoms without exposing raw context
- You verify the Ed25519 signature independently
- Policy hash confirms the vendor's governance rules
- Supply chain attestation links vendor decisions to your compliance chain

## Which compliance frameworks does Trust Gate map to?

TrustAtom maps to: NIST SP 800-53 (AC, AU, CA, CM, IA, SI), SOC 2 (CC6, CC7, CC8),
ISO 27001 (A.8, A.9), CMMC Level 2, EU AI Act (Articles 9, 13, 14),
NIST Cybersecurity Framework, MITRE ATT&CK, OCSF, OWASP LLM Top 10.

---

*Source: Cyber Warrior Network (CWN) — https://cwn-trust-gate.onrender.com*
*Protocol: TrustAtom v0.1 — dual-token trust credential and receipt protocol*
