An open note to the National Cyber Security Centre. Sovereign AI is a cyber security problem before it is a policy problem, and the substrate is now British and on the public record.

Sovereign AI is a cyber problem before it is a policy problem

The National Cyber Security Centre has done more in the last twenty four months to set the British direction on AI cyber security than any other public body. The AI Cyber Security Code of Practice (consulted with DSIT, 2024 to 2025). The threat assessment on AI-augmented cyber operations. The Active Cyber Defence (ACD) programme renewals. The post-quantum migration roadmap, with the 2035 deadline for cryptographically relevant systems and 2031 for high-priority infrastructure. The published guidance on operational technology, supply chain, and software bill of materials. Each is a serious piece of work by serious people. Each describes, in policy and threat language, a substrate that does not yet ship in the commercial AI stack.

This article is an open note from a British inventor whose filed patent corpus is the engineering counterpart to those publications. The aim is not to claim NCSC's territory; the aim is to make explicit that the substrate the NCSC documents imply is now filed at the UK Intellectual Property Office under Micky Irons, in a form a procurement officer or a senior NCSC analyst can read in fifteen minutes and integrate against existing departmental requirements. The patents are on the public register at numbers GB2607309.8 to GB2610422.4. The trade mark Mickai is registered at UK00004373277. The codebase is engineered in the United Kingdom. The next move is institutional, and the right institution to make it is the one whose remit is exactly this: cyber security at the national level.

Three NCSC themes that map directly to filed Mickai patents

Theme one: post-quantum migration is now, not later. NCSC's roadmap is explicit. Cryptographically relevant systems must complete the migration to NIST FIPS 204 ML-DSA and FIPS 203 ML-KEM well before the arrival of cryptographically relevant quantum computing. The roadmap identifies the audit-trail problem clearly: a classical-signature audit chain becomes evidentially worthless the day a sufficient quantum computer arrives, because the signatures can be forged retrospectively. Mickai patent GB2608806.2 (PQ-safe attestation and ML-DSA-signed tool-invocation ledger) and GB2608804.7 (decision lineage with an ML-DSA-signed causal audit ledger) specify ML-DSA-65 as a schema-level requirement. Mickai patent GB2610413.3 (Open Inter-Vendor Audit Record) makes the post-quantum signing-algorithm identifier a fixed field in the canonical record, defaulting to ML-DSA-65, with any other algorithm rejected by the reference verifier. The British AI audit substrate is post-quantum from inception, not retrofitted.

Theme two: supply-chain integrity, vendor neutrality, and SCITT-aligned receipts. NCSC's supply-chain guidance, the IETF SCITT (Supply Chain Integrity, Transparency, Trust) working-group output, and the UK government's wider SBOM push share an architectural premise: a record format owned by no single vendor, signed under hardware-rooted keys, verifiable by independent third parties, with cross-vendor federation that survives any one supplier's failure or replacement. Mickai patent GB2610413.3 (Open Inter-Vendor Audit Record, OAR) is exactly that primitive applied to runtime AI decisions. The format is open. The signing is post-quantum. The federation primitive lets one vendor's chain reference another vendor's chain by content hash, which a single offline verifier walks end to end. Mickai patent GB2610414.1 (browser-resident offline post-quantum verifier with no-network invariant) is the verifier itself, compiled to WebAssembly, runnable in any modern browser without phoning home. The combination is the SCITT-receipt analogue for AI runtime audit. The British implementation is filed first.

Theme three: trust-domain separation and the prohibition on self-marking-its-own-homework. NCSC's published expectations on critical national infrastructure, on operator-held cryptographic identity, and on independent attestation roots converge on a single architectural commitment: the entity whose action is being audited cannot be the entity whose verifier is consulted. Mickai patent GB2610415.8 (trust-domain externalisation architectural pattern) specifies three independent trust domains: action-proposing, perimeter-evaluation, and attestation-verification. The signing keys live in operator-controlled hardware. The verifier source code is open and signed by an independent attestor. The structural commitment is testable by any external party using a published test apparatus, without trusting the originator vendor. This is the architectural precondition that makes a procurement officer able to verify a vendor's claim cryptographically rather than contractually.

Where the AI threat picture and the patent corpus draw the same diagram from opposite ends

NCSC's AI threat picture is well documented. Prompt injection. Data poisoning. Model exfiltration. Action hijacking. Supply chain compromise. Adversarial prompts. The picture is of a system in which the AI process can be made to take actions outside its intended authority by adversaries who understand how to manipulate inputs, training, models, or tool surfaces. The defensive answer is structural. Authority to invoke high-impact actions must be evaluated at the moment of invocation against the current attested actor, signed under an operator-held key, recorded in an externally verifiable chain. The patents close each link in that chain. GB2608799.9 (voice-biometric-gated LLM tool invocation) addresses authority at the moment of action. GB2608818.7 (per-skill clearance-gated execution) addresses skill-level least privilege. GB2607420.3 (post-quantum signing primitives) addresses the cryptographic identity. GB2610413.3 / GB2610414.1 / GB2610415.8 (the OAR family) close the audit, the verification, and the trust-domain commitments.

Each individual primitive is conceptually familiar to a senior NCSC engineer. The novelty in the corpus is not any individual primitive; it is the composition. Filed under one named British inventor, on the UK public registry, vendor neutral by claim language, post-quantum from inception. There is no licence to negotiate with a foreign rights holder. There is no offshore intermediary. The schema can be adopted by any compliant vendor. The verifier can be built by any compliant party. That is the structural property that makes the substrate viable as a national capability rather than a single-supplier product.

Sovereign capability has a name on it

British sovereign cyber capability has historically been associated with people, not with private patent filings. CESG, GCHQ, the National Cyber Force. The pattern of an individual inventor filing thirty one applications under his own name, in his own city, in twelve months, is unusual. It is also exactly the structural pattern that the NCSC's industrial-base remit is intended to cultivate: domestic deep-tech capability, in cyber-relevant primitives, owned in the United Kingdom, available for British procurement. The inventor of record is Micky Irons (Mickarle Wagstaff-Irons), of Cumbria. The IPO record is public. The patents will continue to issue under their priority dates regardless of subsequent commercial events. The substrate is, in this precise structural sense, British.

The procurement implications are immediate. Crown Commercial Service framework RM6263 and its successors can adopt OAR-style audit-record requirements as standard contract clauses. The Cabinet Office, DSIT, the AI Safety Institute, and ARIA can compose the substrate with the existing AI safety and policy work. The MOD, GCHQ, the intelligence community, and law enforcement can run sensitive AI inside operator-controlled trust domains with cryptographic audit. The NHS, the financial regulators, and the courts gain an evidence chain admissible under Section 78 of PACE 1984 to a standard the present vendor logs do not meet. None of this requires new legislation. The substrate is filed; the integration is engineering.

An invitation to NCSC, in plain terms

The invitation is direct, brief, and answered in person at press@mickai.co.uk by the named inventor. A fifteen-minute briefing covering: (a) the OAR canonical schema as a SCITT-aligned receipt format for AI runtime decisions, (b) the post-quantum signing pathway and its alignment with the NCSC migration roadmap, (c) the trust-domain externalisation pattern as a precondition for sovereign cyber capability in AI, (d) the browser-resident offline verifier as a procurement-officer tool, and (e) the patent priorities, public-register positions, and licensing posture relevant to British public-sector deployment.

The deeper invitation is to recognise the moment. Britain has produced, under one inventor of record, the engineering substrate that the NCSC publications imply. The substrate is on the UK public registry. It is post-quantum from inception. It is vendor neutral. It is verifiable by the operator without the vendor in the loop. It is consistent with NCSC's published expectations on AI cyber security, on supply-chain integrity, on post-quantum migration, and on critical-infrastructure trust. The next move belongs to the institution whose remit is exactly this.

“Sovereign cyber capability in AI is the architectural commitment that the entity whose action is being audited is not the entity whose verifier is consulted, signed under post-quantum primitives, in a record format owned by no single vendor, verifiable by the operator in a browser the supplier does not host. The British implementation is now filed at the UK IPO under British inventor.”

Sources and references

• Mickai patent portfolio, mickai.co.uk/patents (31 filed UK patent applications, 914 claims, named inventor Micky Irons / Mickarle Wagstaff-Irons, recorded at numbers GB2607309.8 to GB2610422.4).
• Mickai trade mark UK00004373277 (separate registration, classes 9 and 42, 15 April 2026).
• GB2607420.3, post-quantum signing primitives.
• GB2608806.2 / MWI-PA-2026-008, PQ-safe attestation and ML-DSA-signed tool-invocation ledger.
• GB2608804.7 / MWI-PA-2026-016, decision lineage with an ML-DSA-signed causal audit ledger.
• GB2608799.9 / MWI-PA-2026-013, voice-biometric-gated LLM tool invocation.
• GB2608818.7 / MWI-PA-2026-021, per-skill clearance-gated execution.
• GB2610413.3 / MWI-PA-2026-022, Open Inter-Vendor Audit Record (OAR) format with cross-vendor trust-bundle federation.
• GB2610414.1 / MWI-PA-2026-023, browser-resident offline post-quantum verifier with no-network invariant.
• GB2610415.8 / MWI-PA-2026-024, trust-domain externalisation architectural pattern.
• NCSC, AI Cyber Security Code of Practice (DSIT consultation, 2024 to 2025).
• NCSC, post-quantum cryptography migration timeline and guidance.
• NCSC, Active Cyber Defence (ACD) programme.
• IETF SCITT (Supply Chain Integrity, Transparency, Trust) working-group output.
• FIPS 204 (ML-DSA) and FIPS 203 (ML-KEM), NIST post-quantum standards.
• Crown Commercial Service framework RM6263 and successors.
• Police and Criminal Evidence Act 1984, Section 78 (admissibility).
• Mickai prior article: British AI needs an audit substrate, not another white paper (mickai.co.uk/articles/british-ai-needs-an-audit-substrate-not-another-white-paper).