AI in the Courtroom: Sovereign Intelligence for the Justice System
Justice systems can only adopt artificial intelligence if every inference is signed, sealed and reviewable long after the hearing ends.
The substantive high-risk obligations of the EU AI Act, once due on 2 August 2026, now apply from 2 December 2027 after the Digital Omnibus deferral, and the Annex III high-risk list names systems intended to assist judicial authorities in researching and interpreting facts and law. Any court, prosecution service or justice ministry that lets an automated system touch a case file, an evidence bundle or a sentencing calculation still sits squarely inside that category. The proof requirements are unchanged, so the deferral buys build time and nothing more. The obligation is no longer to avoid the technology. It is to make its use defensible, and the sensible response is to build now.
Defensible has a precise meaning in a courtroom. It means that months or years after a hearing, on appeal or under disclosure, a party can ask what the system was shown, what it produced and whether either was altered, and receive an answer that itself holds up as evidence. Alongside the AI Act sit the operational-resilience duties of DORA, in force since January 2025 for regulated finance and increasingly a reference model elsewhere, the cybersecurity baseline of NIS2, and the management standard ISO/IEC 42001. None of these tolerate a record that cannot be reconstructed. Chain of custody, the oldest discipline in the justice system, becomes the hardest test that any AI must pass.
Chain of custody is a cryptographic problem now
For physical evidence, chain of custody is a signed paper trail: who handled the item, when, and in what state. The moment an inference touches a case, the same discipline has to extend to bytes. The question a defence advocate will ask is simple. Was this document the one the system actually read, or a later edit. Was this the output the court relied on, or a summary of a summary.
A paper log cannot answer that, because a paper log can be rewritten. A cryptographic record can. Every action inside a Sovereign Intelligence Operating System is sealed as a signed entry in an append-only chain, where each entry commits to the one before it. The input file, the model version that processed it, the exact output and the operator identity are hashed together and signed. Change any byte after the fact and the signature breaks. The record does not merely say what happened. It proves it, to anyone holding the public key, without trusting the operator's word.
Why the record must survive quantum, not just today
Justice records outlive the technology that made them. A conviction sealed in 2026 may be reviewed in 2040. That horizon is the reason audit chains are signed with post-quantum algorithms rather than the elliptic-curve schemes that a future quantum computer could forge in retrospect. An adversary who harvests a signed record today, hoping to break it later and claim the evidence was tampered with, finds nothing to break.
The design choice is deliberate: a signature meant to prove integrity two decades from now must be built to survive two decades of cryptanalysis. This is one of the areas covered by our 104 filed UK patent applications, comprising approximately 2,340 claims and owned by Mickai LTD. These are filed and patent pending, and we describe them here as architecture rather than as any settled legal right.
The perimeter: nothing the court did not choose to admit
Evidence law is obsessed with provenance, and rightly so. A system that quietly reaches out to an external service to enrich a case, fetch a definition or check a fact has introduced material that no one admitted and no one can cross-examine. In a courtroom that is not a feature. It is contamination.
A zero-egress inbound perimeter answers this. The Sovereign Intelligence Operating System runs on operator-owned hardware, offline, and does not call out to any external endpoint. Case data enters through a controlled inbound path and stays inside the boundary. The reasoning happens where the evidence lives, on machines the justice authority physically controls, and every model that participates is one the operator has vetted and pinned.
“An AI has a place in the justice system only when its every inference can be sealed, held offline and independently reviewed long after the verdict.”
Sovereignty is a jurisdictional fact, not a slogan
Where justice data physically resides is a question of law, not preference. A cloud model of security, however well engineered, places data and the keys to it within reach of the provider and, through instruments such as the US CLOUD Act, potentially within reach of a foreign jurisdiction's compelled-disclosure powers. That is a matter of architecture and design, not an accusation against any company. For a court holding sealed material, protected witnesses or live prosecutions, it is a matter that has to be settled before the first file is loaded.
Sovereign intelligence answers it by construction. The hardware belongs to the operator. The models are sovereign and run locally. The keys never leave the boundary. Identity is hardware-attested, so the system can prove which physical machine and which authorised operator performed an action, and no remote party can silently assume that identity. There is no third party to compel, because there is no third party in the loop.
One model can be wrong. Make several agree.
A single automated summariser that misreads a clause or invents a citation is a known failure mode, and the OWASP work on risks in large-language-model applications catalogues it plainly: prompt injection buried in a document, fabricated output presented with confidence, sensitive data leaking into a response. In a justice setting a single silent error is not an inconvenience. It can distort a decision about a person's liberty.
Cross-model consensus reduces that exposure. More than one sovereign model examines the same material independently, and where they disagree the divergence is surfaced to a human rather than smoothed over. The output is not treated as fact. It is treated as a prompt for a qualified person to confirm or reject, and that confirmation is itself sealed into the record. The human decision remains the decision, with the machine's contribution captured, attributed and reviewable.
Reviewability is the whole point
Every safeguard above converges on one requirement that the justice system has always demanded and that the AI Act now codifies: a decision must be capable of being examined. An appellate court, an inspectorate, a data-protection regulator or a defence team must be able to reconstruct not just the outcome but the path to it.
Because the audit chain is append-only, signed and complete, that reconstruction is mechanical rather than a matter of trust. A reviewer can be handed the sealed record and the public keys and can verify, independently, what the system was shown, what it produced, which model version was responsible and that nothing was altered afterwards. The operator does not ask to be believed. The operator hands over a record that proves itself, which is precisely the standard the rest of the courtroom already meets.
What a defensible courtroom looks like next
The direction of travel is set. High-risk classification, operational-resilience duties and management standards are converging on a single expectation, that automated assistance in consequential decisions must be logged, attributable and reviewable to an evidential standard. Justice systems that treat this as a compliance afterthought will find their records challenged. Those that build on a sealed, offline, sovereign foundation will find the same challenges answered before they are raised.
The position is unadorned. Artificial intelligence can serve the justice system, but only inside an architecture that assumes every output may one day be contested and prepares the proof in advance. That is what a Sovereign Intelligence Operating System is for: reasoning that runs where the evidence lives, sealed the moment it happens, and open to review for as long as the case can be reopened.




