MICKAI
Article · 2 July 2026

AI Supply Chain Security for Regulated Institutions

Provenance for every brain, signed components and independence from any foreign model or cloud that could vanish overnight

Author: Micky Irons
Published: 2 July 2026
Tags: ai-security, supply-chain, sovereign-ai, regulated-institutions, provenance

Every artificial intelligence system that a bank, a hospital or a defence agency runs is only as trustworthy as its least visible component. A single model weight file pulled from a foreign repository, a cloud inference endpoint controlled by another jurisdiction, a fine-tuning dataset of unknown origin: each is a link in a supply chain that most institutions cannot see, cannot audit and cannot switch off in a hurry. When the intelligence itself is the product, the provenance of that intelligence becomes the security perimeter.

We built Mickai, a Sovereign Intelligence Operating System, to close that gap. The question we answer for regulated institutions is deceptively simple: where did every brain in this system come from, who is permitted to change it, and what happens if a supplier withdraws service overnight? In this piece we set out how we treat the AI supply chain as a security problem in its own right, and why provenance, signed components and vendor independence are not features bolted on afterwards but foundations laid first.

The invisible dependencies inside a modern AI stack

A typical enterprise AI deployment inherits risk from places its owners rarely inspect. The base model may have been trained on data no auditor has ever reviewed. The inference layer may run on infrastructure governed by another country's disclosure laws. The vector database, the guardrail service, the embedding model and the orchestration framework may each report back to a different supplier. Any one of them can be updated, deprecated, subpoenaed or breached without warning, and the institution carries the regulatory liability regardless of who caused the failure.

For an organisation bound by the General Data Protection Regulation (GDPR), the EU AI Act, the Digital Operational Resilience Act (DORA) or the Health Insurance Portability and Accountability Act (HIPAA), this is untenable. Regulators increasingly expect an institution to name every material third party in its critical systems and to prove it can keep operating without any of them. An AI supply chain assembled from opaque, remotely controlled parts cannot meet that bar. The first task, then, is to make the invisible visible.

Image: a colossal marble statue of Argus covered in many watchful eyes. Caption: Argus the ever watchful sees every dependency inside the stack that others leave in shadow.

Provenance for every brain

Inside Mickai we do not treat the models as anonymous binaries. We call them brains, and every brain carries a documented lineage. We know the foundation it was derived from, the corpus it was aligned on, the version it currently sits at and the cryptographic hash that proves the file running in production is the exact file we vetted. Nothing enters the system without that record. If a brain cannot show its papers, it does not get deployed.

This matters because provenance is what turns a black box into an accountable component. When a regulator, an auditor or an internal risk committee asks what is making decisions inside a lending model or a clinical triage assistant, we answer with specifics rather than a supplier's marketing sheet. And because brains are revocable, an institution can retire one the moment its lineage is called into question, without dismantling the wider system around it.
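The admission gate described above, written out as an added example (not Mickai's code, and the manifest field names and sample values are this example's own constructed assumptions): a brain's lineage record must be complete, the brain must not have been revoked, and the weights file on disk must hash to the value that was vetted, otherwise it does not deploy.

```python
import hashlib

# Lineage fields a brain must present before admission. These names are this
# example's own choice, not Mickai's manifest schema.
REQUIRED_FIELDS = ("brain_id", "version", "foundation", "alignment_corpus", "sha256")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def admission_check(manifest: dict, weights: bytes, revoked: set) -> tuple:
    """Return (admitted, reason).

    A brain is refused if its lineage record is incomplete, if it has been
    revoked, or if the file handed to the runtime is not the file that was vetted.
    """
    missing = [f for f in REQUIRED_FIELDS if not manifest.get(f)]
    if missing:
        return False, "lineage record incomplete: missing " + ", ".join(missing)
    if manifest["brain_id"] in revoked:
        return False, f"brain {manifest['brain_id']} is revoked"
    vetted = str(manifest["sha256"]).lower()
    if len(vetted) != 64:
        return False, "vetted hash is not a SHA-256 hex digest"
    actual = sha256_hex(weights)
    if actual != vetted:
        return False, f"weights hash {actual[:12]} does not match vetted hash {vetted[:12]}"
    return True, f"admitted {manifest['brain_id']} v{manifest['version']}"


def revoke(revoked: set, brain_id: str) -> set:
    """Retire one brain by id; later admission checks for it fail, others are untouched."""
    revoked.add(brain_id)
    return revoked


# Constructed sample data standing in for a real weights file and its manifest.
SAMPLE_WEIGHTS = b"constructed-weights-bytes\x00" * 64
SAMPLE_MANIFEST = {
    "brain_id": "lending-risk",
    "version": "2.4.0",
    "foundation": "constructed-base-7b",
    "alignment_corpus": "constructed-corpus-2026-q1",
    "sha256": sha256_hex(SAMPLE_WEIGHTS),
}

if __name__ == "__main__":
    revoked_brains = set()
    print(admission_check(SAMPLE_MANIFEST, SAMPLE_WEIGHTS, revoked_brains))
    # One flipped byte in the weights file is enough to refuse deployment.
    print(admission_check(SAMPLE_MANIFEST, SAMPLE_WEIGHTS[:-1] + b"\x01", revoked_brains))
    revoke(revoked_brains, "lending-risk")
    print(admission_check(SAMPLE_MANIFEST, SAMPLE_WEIGHTS, revoked_brains))
```

The hash comparison is what ties the record to the bytes actually loaded; a lineage record without it only documents what someone intended to deploy.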

No opaque foreign model in the loop

The sharpest supply chain risk for a regulated Western institution is a dependency on a model whose training, hosting or control sits in a jurisdiction it cannot influence. A foreign inference endpoint is a data egress point, a censorship surface and a single point of geopolitical failure all at once. If relations sour, if an export rule changes, if a provider is compelled to alter behaviour, the institution's core intelligence shifts underneath it with no recourse.

Image: a colossal marble statue of Hephaestus forging a glowing seal at an anvil. Caption: Hephaestus forges each component with a signature that cannot be counterfeited or quietly swapped.

We remove that exposure by design. Every brain in a Mickai deployment runs on hardware the customer owns, air-gapped or on-premise, with zero data egress. There is no call to a remote endpoint that a third party can throttle, inspect or withdraw. The regulated boundary that the public cloud cannot cross on the customer's terms is exactly the boundary we operate inside. The cloud giants remain valuable allies at their own layer; sovereign intelligence simply belongs on the customer's own ground.

Signed components and a tamper-evident ledger

Provenance without enforcement is only a promise. We make it a control. Every component that ships inside Mickai is cryptographically signed using post-quantum signatures, specifically the ML-DSA-65 parameter set of FIPS 204, so that a swapped or tampered brain fails verification before it can ever run. Those signature checks work offline, which means an air-gapped installation can prove the integrity of its own supply chain with no connection to anyone.

Around that sits the Operation Attestation Record (OAR), which signs every action a brain intends to take before that action executes. High-stakes operations can be gated behind multi-brain agreement plus voice-biometric approval, so no single component and no single person can push an unreviewed change into production. Everything lands in a tamper-evident, cryptographically signed audit ledger. When a supervisor asks an institution to demonstrate the integrity of its AI supply chain, the evidence already exists and cannot be quietly rewritten after the fact.
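The two controls in the preceding paragraphs, offline signature verification of a component and a tamper-evident ledger, as an added example that is not Mickai's code. The page specifies ML-DSA-65; because that needs an external library, this example substitutes a Lamport one-time signature (also hash-based and post-quantum, but each key may sign exactly one message), which is this example's own choice. The verification workflow has the same shape: the verifier needs only the public key and the bytes on disk, no network. The manifest fields, the ledger layout and the sample values are constructed assumptions.

```python
import hashlib
import json
import os

DIGEST_BITS = 256  # SHA-256 output size; one Lamport secret pair per bit


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _bits(digest: bytes):
    """Yield the 256 bits of a digest, most significant bit first."""
    for byte in digest:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lamport_keygen():
    """One-time signing key: 256 pairs of random 32-byte secrets.
    The public key is the hash of each secret. A key must sign ONE message only;
    signing a second message reveals enough secrets to forge a third."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(DIGEST_BITS)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, message: bytes) -> list:
    # Reveal secret[0] or secret[1] of each pair according to the digest bit.
    return [sk[i][bit] for i, bit in enumerate(_bits(_h(message)))]


def lamport_verify(pk, message: bytes, sig: list) -> bool:
    # Only hash comparisons: works offline with no trust anchor beyond pk.
    if len(sig) != DIGEST_BITS:
        return False
    return all(_h(s) == pk[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _bits(_h(message)))))


def canonical(obj: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(sk, manifest: dict) -> list:
    return lamport_sign(sk, canonical(manifest))


def verify_component(pk, manifest: dict, sig: list, blob: bytes) -> bool:
    """A component may run only if the manifest signature verifies against the
    vendor public key AND the blob on disk hashes to the value the manifest names."""
    if not lamport_verify(pk, canonical(manifest), sig):
        return False
    return sha256_hex(blob) == manifest.get("sha256")


GENESIS = "0" * 64


def ledger_append(ledger: list, action: dict) -> dict:
    """Append a hash-chained entry: each entry commits to its predecessor's hash."""
    prev = ledger[-1]["entry_hash"] if ledger else GENESIS
    entry_hash = sha256_hex(prev.encode() + canonical(action))
    entry = {"prev_hash": prev, "action": action, "entry_hash": entry_hash}
    ledger.append(entry)
    return entry


def ledger_verify(ledger: list, trusted_head: str) -> bool:
    """Recompute the chain and compare it with a head hash kept outside the ledger
    (for example signed and held by the auditor). Without an external head, someone
    who can rewrite the ledger could simply recompute the whole chain."""
    prev = GENESIS
    for entry in ledger:
        expected = sha256_hex(prev.encode() + canonical(entry["action"]))
        if entry["prev_hash"] != prev or entry["entry_hash"] != expected:
            return False
        prev = entry["entry_hash"]
    return prev == trusted_head


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    blob = b"constructed brain weights"  # stand-in for a weights file
    manifest = {"brain_id": "triage-assistant", "version": "3.1.0", "sha256": sha256_hex(blob)}
    sig = sign_manifest(sk, manifest)
    print("component verifies:", verify_component(pk, manifest, sig, blob))
    print("tampered manifest verifies:", verify_component(pk, dict(manifest, version="3.2.0"), sig, blob))
    ledger = []
    ledger_append(ledger, {"brain": "triage-assistant", "op": "load", "approved_by": ["brain-a", "brain-b"]})
    head = ledger_append(ledger, {"brain": "triage-assistant", "op": "infer"})["entry_hash"]
    print("ledger intact:", ledger_verify(ledger, head))
    ledger[0]["action"]["op"] = "unload"  # rewrite history, then re-check
    print("ledger intact after edit:", ledger_verify(ledger, head))
```

Two design points carry over to a production ML-DSA deployment: sign a canonical encoding of the manifest, not a pretty-printed one, and treat the ledger head as something that must be anchored or signed outside the ledger, since a bare hash chain only proves consistency, not that history was never rewritten.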

Image: a colossal marble statue of Atlas holding a great sphere aloft alone. Caption: Atlas bears the whole weight alone so the system never depends on a vendor who can walk away.

Resilience when a vendor disappears overnight

The scenario that keeps resilience officers awake is not a dramatic breach. It is a supplier changing terms, raising prices beyond reach, being acquired, or simply switching a service off. When that service is the intelligence running a critical workflow, an overnight withdrawal becomes an operational crisis, and DORA in particular expects financial institutions to have proven continuity for exactly this event.

Because Mickai brains are self-contained, signed and running on infrastructure the customer already possesses, there is no vendor left holding a switch to flip. A brain can be swapped for an alternative of the same capability without re-architecting the system, and an institution can carry on operating in full isolation indefinitely. Vendor independence stops being a negotiating aspiration and becomes an architectural fact. The supply chain has no external chokepoint left for anyone to seize.

Patents that describe the machinery, not a trophy

The mechanisms above are not sketches. They are set out across 104 filed UK patent applications, comprising about 2,340 claims, owned by Mickai LTD. We reference them not as a legal trophy but because they describe the specific capabilities a security team can hold us to: attested actions before execution, offline post-quantum verification, revocable and signed brains, and an audit ledger that resists tampering. The value to a buyer is the capability the filing contains, not the filing itself.

Image: a colossal marble statue of Themis holding balanced scales with a stern calm face. Caption: Themis holds the ledger in perfect balance so every action stands as tamper-evident evidence.

The bottom line

AI supply chain security is not a bolt-on for regulated institutions; it is the precondition for using AI at all. Provenance for every brain, no opaque foreign model in the loop, cryptographically signed components and genuine independence from any single vendor together turn an opaque, borrowed intelligence stack into one an institution actually owns and can defend. Mickai is built and live to make that ownership real, on hardware the customer controls, on terms no outside party can revoke.


Originally published at https://mickai.co.uk/articles/ai-supply-chain-security. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.