Watermarking and Provenance for AI Models
How Mickai weaves verifiable, attributable origin into every brain and every artefact, signed before it acts and provable offline on hardware the customer owns.
Every artefact a system produces carries a question inside it: where did this come from, and can we prove it. For artificial intelligence, that question has become urgent. A model can be copied, fine-tuned, stripped of its lineage and passed off as something it is not. An output can be forged, altered or attributed to the wrong hand. In regulated environments, uncertainty of this kind is not a nuisance. It is a liability, and increasingly a breach.
Watermarking and provenance answer that question directly. They bind identity and origin into the model itself and into everything it emits, so that authorship survives copying, fine-tuning and the long journey an artefact takes across a fleet. At Mickai, provenance is not a feature bolted on at the end. It is woven through the substrate, verifiable and attributable at every point, and that is the standard this piece sets out.
The problem: models that cannot account for themselves
A modern estate of artificial intelligence is a moving population. Brains are deployed, retired, revised and recombined. Weights migrate between machines. Outputs flow into contracts, filings, diagnoses and decisions that carry legal weight. When a regulator, an auditor or an adversary asks which model produced a given result, and under which policy, most estates cannot answer with certainty. They rely on logs that can be edited and metadata that can be forged.
The frameworks now landing across our sector treat this gap as a first-order risk. The European Union Artificial Intelligence Act (the EU AI Act) demands traceability and disclosure for machine-generated content. ISO 42001, the standard for AI management systems, expects demonstrable control over the lineage of every model. The NIST AI Risk Management Framework (the NIST AI RMF) makes attribution a condition of trust. None of these can be satisfied by good intentions. They require proof that a hostile examiner cannot dismiss.
Provenance woven into the model, not stamped on it
A watermark applied like a sticker is a watermark that can be peeled. We take the opposite approach. Provenance is woven into the weights and into the runtime the way Arachne wove her thread through the whole cloth, so that identity is a property of the fabric and not an ornament on its surface. Each sovereign brain carries an embedded, cryptographically anchored fingerprint that persists through fine-tuning and adaptation, so a revised brain still declares its ancestry rather than shedding it.
That fingerprint is not a secret handshake known only to us. It is bound to the model with post-quantum signatures, specifically the FIPS 204 ML-DSA-65 standard, so the claim of origin can be checked by anyone holding the public key and cannot be counterfeited by anyone who is not the true author. Copy the model, move it, embed it inside a larger system, and the lineage travels with it. Strip the fingerprint and the model no longer verifies, which is precisely the outcome a serious estate wants.
Every artefact signed before it exists
Provenance is not only about the model. It is about what the model does. In our substrate, the Operation Attestation Record, our OAR, signs every action before it executes. The intent, the brain responsible, the policy in force and the inputs are captured and sealed at the moment of decision, not reconstructed afterwards from a log that could have been touched. An output without a matching attestation is, by construction, unaccountable, and the system treats it as such.
Because the record is created ahead of the act, provenance is a precondition rather than a receipt. Nothing meaningful happens without a signed statement of who is acting, why, and under what authority. This inverts the usual order, in which systems act first and explain later, and it is the difference between an estate that can be audited and one that merely hopes to be believed.
A ledger that cannot be quietly rewritten
Individual signatures prove authorship of individual artefacts. A chain proves the integrity of the whole history. Every attestation is hash-linked into a tamper-evident ledger using SHA-3-512, so each entry seals the one before it. Altering a past record breaks the chain from that point forward, and the break is visible to anyone who checks. There is no version of the story in which a single entry is silently edited and the rest still reconciles.
Crucially, this verification is offline. An auditor does not phone home to a vendor to confirm that an artefact is genuine. The signatures and the chain can be validated on hardware the customer owns, with no call to us and no dependency on our continued existence. Provenance that requires the vendor to be alive and cooperative is not provenance. It is a promise, and promises are not admissible.
Attribution the customer controls on their own ground
Provenance is worthless if the customer cannot exercise it. Ours runs on hardware the customer owns, air-gapped or on-premise, with zero data egress, so the evidence never leaves the boundary and the customer is never asked to trust an outside party with the record of their own decisions. Brains are revocable: withdraw a compromised or superseded brain and its authority to sign new artefacts ends, while everything it produced before revocation remains verifiable in place.
For actions that carry real consequence, a single signature is not the whole gate. High-stakes operations require multi-brain agreement together with voice-biometric approval, so no lone process and no single stolen key can commit a decision that binds the organisation. Attribution then names not just a model but a governed act, approved by the parties the customer designated, recorded in a form that holds up when it is examined.
How this satisfies the regulators, not just the engineers
For a bank under the Digital Operational Resilience Act (DORA), a hospital under the Health Insurance Portability and Accountability Act (HIPAA), or a defence supplier under the International Traffic in Arms Regulations (ITAR), provenance is compliance made concrete. When the question is which model, which policy and which authority produced a decision, the estate answers with signed, chained, offline-verifiable evidence rather than assurances. The traceability duties of the EU AI Act and the lineage expectations of ISO 42001 are met by the architecture rather than by paperwork bolted on afterwards.
This is the layer the public cloud cannot reach on the customer's own terms, and it is where we work alongside the hyperscalers rather than against them. They operate at a different layer and provide extraordinary capability. We provide the sovereign boundary at which that capability becomes accountable, attributable and defensible inside a regulated wall. The two fit together, and the customer keeps the ledger.
The bottom line
Watermarking and provenance are not decoration. They are the difference between an estate of artificial intelligence that can prove what it did and one that can only insist. Mickai weaves origin and authorship into every brain and every artefact, signs each action before it executes, chains it into a tamper-evident ledger, and lets the customer verify all of it offline on hardware they own. The thread runs through the whole cloth, and it does not come loose. That is provenance you can put in front of a regulator, and it is built and live today.
Micky Irons, founder and CEO of Mickai.




