Article · 4 May 2026

British AI needs an audit substrate, not another white paper. The Bletchley Declaration, the Seoul Summit, AISI, ARIA, and the engineering layer none of them ship.

The United Kingdom has produced more AI policy than any other G7 nation in the last twenty-four months. None of it binds to a verifiable substrate at the moment a tool gets invoked, a write hits the disk, or a payload leaves the perimeter. Mickai is the substrate, with thirty-one filed UK patent applications under one inventor of record, Micky Irons, filed at the IPO from Workington, Cumbria.

Author: Micky Irons
Published: 4 May 2026
Tags: british-ai, uk-policy, ai-safety-institute, aria, bletchley-declaration

Britain has produced the policy. The substrate is missing.

Between November 2023 and May 2026 the United Kingdom has shipped more AI governance documentation per capita than any other G7 nation. The Bletchley Declaration. The Seoul Summit communique. The UK AI Safety Institute (AISI) evaluation framework. The Advanced Research and Invention Agency (ARIA) opportunity spaces, including the Safeguarded AI programme led by David Dalrymple. The Tony Blair Institute's policy papers on AI for the public sector. The Frontier AI Taskforce work that became AISI. The National AI Strategy. The AI regulation white paper. Two state-visit-grade summits. None of those documents specify the substrate that the policy is supposed to bind to.

This is not a criticism of any one document. Each is internally coherent. Each is the work of competent people. The structural gap is that policy is necessary but not sufficient, and the engineering layer that would make the policy bind to a running system has been left to the market. The market has produced governance brochures, model cards, and red-team reports. None of those artefacts can be cryptographically verified by a third party. None of them survives a vendor acquisition. None of them is admissible in a tribunal. The Bletchley Declaration says cooperate on safety. AISI evaluates models. ARIA funds the research frontier. None of them tells a procurement officer what to demand from a vendor at the moment the vendor's agent commits an action that affects regulated data.

The country that wrote the policy has been waiting for a private actor to ship the substrate. The substrate is now filed. It is filed at the UK Intellectual Property Office in Newport, by Micky Irons (Mickarle Wagstaff-Irons), sole inventor of record, from Workington in Cumbria. Thirty-one applications. Nine hundred and fourteen claims. Each filing is a complete specification with description, claims, abstract, prior-art search, figures, and Form-1 metadata. The portfolio is on the public record at mickai.co.uk/patents.

What an audit substrate actually is

The phrase audit substrate is unfamiliar because the industry has not had one. The closest analogy in adjacent regulated sectors is the difference between a quality-management policy and the cryptographically signed batch records that a pharmaceutical regulator can inspect. The policy is the intent. The signed batch records are the substrate. A regulator inspecting the policy alone learns what the company says it does. A regulator inspecting the signed batch records learns what the company actually did. Without the substrate the policy is unverifiable.

An AI audit substrate has six structural properties. The vendor either has them or does not. Each property maps to a Mickai filed patent. The list is the contract clauses a procurement officer should be able to demand and verify, and the engineering primitives a vendor should be able to produce on request.

**Property one, signed at commit.** Every action that mutates state outside the agent process is signed at the moment of commit, under a hardware-bound key whose private half lives in operator-controlled hardware. Mickai patent GB2608806.2 / MWI-PA-2026-008 covers PQ-safe attestation and an ML-DSA-signed tool-invocation ledger, signed under FIPS 204 ML-DSA-65 so the signature survives the arrival of cryptographically relevant quantum computing in the early 2030s.

**Property two, append-only and hash-linked.** The audit ledger is structurally append-only and hash-linked, so a deletion or an edit breaks the chain detectably. Mickai patent GB2608804.7 / MWI-PA-2026-016 covers decision lineage with an ML-DSA-signed causal audit ledger, recording not only the decision but the causal ancestors of the decision in a directed acyclic graph that a third party can walk.

**Property three, externally verifiable.** A third party can verify the chain without trusting the vendor's tooling, the vendor's website, or the vendor's hosted endpoint. Mickai patent GB2610414.1 / MWI-PA-2026-023 covers a browser-resident offline post-quantum verifier with a no-network invariant. The verifier compiles to WebAssembly. It runs in the procurement officer's browser. It does not phone home. It cannot be intercepted.

**Property four, vendor-neutral schema.** The record format is a published open schema, not a vendor proprietary format. A procurement officer evaluating two vendors can compare like-for-like. Mickai patent GB2610413.3 / MWI-PA-2026-022 covers the Open Inter-Vendor Audit Record (OAR) format with cross-vendor trust-bundle federation. OAR is the canonical schema. Any compliant vendor can produce it. Any compliant verifier can validate it.

**Property five, trust domain externalised.** The signing keys, the audit ledger, and the verification surface live outside the trust domain of the agent process that produced them. Mickai patent GB2610415.8 / MWI-PA-2026-024 covers the trust-domain externalisation architectural pattern, the structural commitment that makes self-marking-its-own-homework impossible by construction. Three independent trust domains. The agent process. The signing hardware. The verifier. None of them can produce the others' artefacts.

**Property six, gated at the moment of action, not the moment of session.** Authority to invoke a high-impact action is evaluated at the moment of invocation against the current attested actor, not at session start. Mickai patents GB2608799.9 / MWI-PA-2026-013 (voice-biometric-gated LLM tool invocation) and GB2608818.7 / MWI-PA-2026-021 (per-skill clearance-gated execution) cover the architectural primitives that make this enforceable rather than aspirational.

Six properties. Six patents. Each one filed, each one specified to the level a UK examiner can prosecute. Together they constitute the engineering definition of the audit substrate that British AI policy has been describing in prose for two and a half years and that no shipping vendor has produced.
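
A minimal sketch of properties two and three, added here as an illustration; it is not Mickai's code and not the OAR schema. The record fields, `GENESIS`, and the sample actions are assumptions, and the ML-DSA-65 signature from property one is represented only by a `trusted_head` hash that the verifier is assumed to have obtained out of band, since hash linking alone cannot detect a chain that has been rewritten end to end.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "prev" value for the first record


def record_hash(body):
    """SHA-256 over a canonical JSON encoding of the record body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append(ledger, action, parents=()):
    """Append a record linked to its predecessor and its causal parents."""
    body = {"prev": ledger[-1]["hash"] if ledger else GENESIS,
            "parents": sorted(parents), "action": action}
    ledger.append({"body": body, "hash": record_hash(body)})
    return ledger[-1]["hash"]


def verify(ledger, trusted_head):
    """Return findings; an empty list means the chain validates."""
    findings, seen, prev = [], set(), GENESIS
    for i, rec in enumerate(ledger):
        body = rec["body"]
        if record_hash(body) != rec["hash"]:
            findings.append(f"record {i}: body edited after commit")
        if body["prev"] != prev:
            findings.append(f"record {i}: prev link broken")
        for parent in body["parents"]:
            if parent not in seen:  # parents must be committed earlier
                findings.append(f"record {i}: unknown causal parent")
        seen.add(rec["hash"])
        prev = rec["hash"]
    if prev != trusted_head:
        findings.append("head mismatch: chain truncated or rewritten")
    return findings


def ancestors(ledger, record):
    """Walk the causal DAG and return the actions that led to `record`."""
    by_hash = {r["hash"]: r["body"] for r in ledger}
    visited, stack = set(), [record]
    while stack:
        for parent in by_hash[stack.pop()]["parents"]:
            if parent not in visited:
                visited.add(parent)
                stack.append(parent)
    return sorted(by_hash[h]["action"] for h in visited)


def build_sample():
    """Constructed sample: four actions from a clinical-coding agent."""
    ledger = []
    a = append(ledger, "read:referral-letter")
    b = append(ledger, "tool:lookup-code", parents=[a])
    c = append(ledger, "read:discharge-summary")
    d = append(ledger, "write:assign-code", parents=[b, c])
    return ledger, d  # d is the head the verifier anchors on


if __name__ == "__main__":
    ledger, head = build_sample()
    print(verify(ledger, head))                    # intact chain
    print(verify(ledger[:1] + ledger[2:], head))   # one record deleted
    print(ancestors(ledger, head))
```

The verifier uses only the exported records and the anchored head, so it runs with no network access and no vendor tooling.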

Why this is a British problem first

The audit substrate is not exclusively a British concern. The European Union, through the AI Act, has produced an even more prescriptive regulatory framework. The United States, through NIST AI RMF and ISO/IEC 42001, has produced equivalents. The substrate problem is global. The reason it is acute in the United Kingdom in May 2026 is that the British policy machinery has done its half of the job exceptionally well, and the gap to the engineering layer is now the bottleneck for everything downstream.

Specific examples. AISI's evaluation work, led by Ian Hogarth and informed by senior international advisors including Yoshua Bengio, has shipped a credible model-evaluation methodology. The methodology evaluates the model. It cannot evaluate the action chain that a deployed agent produces in a regulated environment, because the action chain does not exist as a verifiable artefact in the absence of the substrate. ARIA, chaired by Matt Clifford, is funding the Safeguarded AI programme to produce mathematical safety guarantees for AI systems. Mathematical safety guarantees compose with cryptographic action attestation. Without the cryptographic layer the safety guarantee describes a property of a model in isolation, not a property of the deployed system at the moment of decision. The Tony Blair Institute's recommendation that the NHS adopt AI for diagnostic and triage workflows assumes a substrate that allows clinical liability to be reconstructed after the fact. Without OAR or an equivalent, the substrate is the vendor's proprietary log file and the contract clause that says please do not delete it.

Each of these workstreams is excellent. Each is structurally incomplete without an audit substrate. The substrate is now in process at the IPO under one British inventor. The opportunity for the UK is to be first to compose policy and substrate into a procurement standard, an evaluation methodology, and a regulatory expectation that the rest of the world then has to catch up to. The country has the policy. The country now has the substrate. What is missing is the composition.

What the substrate enables for British institutions

Five concrete deployments become possible the day a procurement officer is empowered to demand OAR, a browser-resident verifier, and trust-domain externalisation as standard contract clauses.

**The NHS.** Patient-data AI workloads can be deployed inside operator-controlled trust domains, with every clinical-decision-affecting action signed at commit under a hospital-held key, exportable on demand for a coroner's inquest, an MHRA inspection, or an information governance audit. The hospital owns the audit chain. The vendor cannot delete it. A subsequent vendor can be onboarded by importing the existing OAR records into the new tooling without re-running history.

**Defence and the intelligence community.** Sensitive AI workloads can run on operator hardware, with attestation of the running model image, the loaded skills, the gated tool surface, and the per-action authority. The browser-resident verifier means that a cleared analyst can verify another team's audit trail without touching the original system. Trust-domain externalisation means the developer of the model cannot inspect the resulting audit. The substrate makes compartmentalised AI usable in environments that currently reject AI on the grounds that the audit is unverifiable.

**Financial regulators.** The Bank of England, the FCA, and the PRA can require regulated firms to produce signed action chains for any AI system involved in a customer-affecting decision. The chain is exportable. The verifier is independent. A regulator does not have to trust the firm's compliance team about what the AI did. The chain is the evidence.

**The judiciary.** A signed, hash-linked, externally verifiable action chain is admissible in a way that an unsigned vendor log file is not. The audit substrate makes AI evidence prosecutable and defensible to the same standard as any other digital evidence handled under Section 78 of the Police and Criminal Evidence Act 1984. The Mickai chain is signed under FIPS 204 ML-DSA-65, so the evidence remains valid through the post-quantum transition that classical-signature-based digital evidence will not survive.

**Local and devolved government.** Welsh Government, the Scottish Government, the Northern Ireland Executive, and English combined authorities can require British-built AI substrate for citizen-facing workloads. The workloads run on infrastructure inside the relevant jurisdiction. The signing keys are held by the public body. The audit chain is property of the citizen, not the supplier. The CLOUD Act exposure that haunts US-headquartered vendor deployments is removed by construction, because the trust domain is in the jurisdiction.

What the substrate looks like in practice

A worked example. A procurement officer at a UK NHS trust is evaluating two AI vendors for a clinical-coding workload. Both vendors have ISO/IEC 42001 certification. Both have model cards. Both have written governance policies. Neither, on inspection, can produce an OAR-compliant signed action chain for the previous month of operation against the trust's own data set. The procurement officer asks the structural question: "Show me, for the previous thirty days of operation, an exportable OAR record of every clinical-coding decision your system made, signed under a key that I can verify in my browser without your tooling."

Vendor A produces a JSON blob with timestamps and a vendor-issued hash. Verification requires the vendor's hosted endpoint. The chain breaks if the vendor changes hosting providers. Vendor B produces an OAR-compliant chain signed under ML-DSA-65, with an inline link to a browser-resident WebAssembly verifier (Mickai's open verifier, or any compatible third-party verifier). The procurement officer verifies the chain on her own laptop, offline, in a tab she controls. The chain validates. Trust-domain externalisation means the verifier does not depend on the vendor and the vendor cannot have edited the chain after the fact without breaking the hash linkage.

Vendor A is not necessarily worse at clinical coding. Vendor A is structurally less verifiable, and in a regulated NHS workload structural verifiability is a procurement requirement, not a nice-to-have. The procurement officer selects Vendor B. The same selection happens in defence, in financial services, in central government. A market that produces a published open standard for the substrate selects vendors on engineering. A market that does not produce one selects vendors on marketing. British AI policy has to date selected on marketing because the engineering layer was not specified. It is now specified, in patent claims at the IPO.

What needs to happen now

Three things, in declining order of leverage, all of them within the gift of British actors who already exist and already have authority.

**One, AISI publishes an evaluation extension that scores vendors on substrate availability.** Beyond model evaluation, score on whether the vendor produces an OAR-compliant signed action chain, exportable, externally verifiable, under a key the operator controls. The methodology already exists. The Mickai patent corpus specifies the primitives. AISI is the credible body to elevate the substrate to a measurable property of the deployed system.

**Two, ARIA opens a procurement-substrate workstream within Safeguarded AI.** Mathematical safety guarantees and cryptographic action attestation are complementary. ARIA's competence and convening power can produce a public-sector procurement standard that combines both. The output is a clause set that any UK government department, any NHS trust, any local authority can adopt. The clauses are short. The clauses are testable. The clauses bind to the engineering substrate the patents specify.

**Three, the Cabinet Office's Crown Commercial Service updates the AI procurement frameworks (RM6263 and successors) to require OAR or equivalent open-substrate audit records by default.** Default is the operative word. Any supplier that wants to opt out has to justify the opt-out, rather than every buyer having to justify the request. Default OAR makes the substrate the floor, not the ceiling, of British AI procurement.

Each of these three actions is achievable inside the existing institutional architecture. None of them requires new legislation. None of them requires waiting for the next white paper. The substrate is filed. The standard is published. The verifier is in process. The procurement officers are ready. What is required is the institutional decision that the engineering layer is now part of the policy, not external to it.

An invitation to the people who can decide this

Mickai is built and held by one British inventor of record, Micky Irons, in Workington. The corpus is the substrate British AI policy has been describing for two and a half years. The OAR family is filed. The browser-resident verifier is in process. The trust-domain pattern is on the IPO record. The invitation is open in three directions, all answered at press@mickai.co.uk by the inventor in person.

First, to AISI, ARIA, the Cabinet Office, the Department for Science Innovation and Technology, and the Government Digital Service. The substrate is sitting in a folder on the IPO portal. We can sit in a room and walk the procurement clauses, the OAR schema, and the verifier together inside fifteen minutes.

Second, to UK procurement officers writing AI specifications for the NHS, MoD, financial regulators, the courts, and local government. The contract clauses are on mickai.co.uk/articles/the-uk-procurement-checklist-for-sovereign-ai-2026. They are written to be pasted into actual procurement documents.

Third, to British AI vendors who want to integrate OAR before the schema freezes. The protocol is improved by competent peers. The compatibility costs go down for everyone if the standard is set in the open.

British AI does not need another white paper. British AI needs a substrate the policy can bind to. The substrate is now British, sovereign, post-quantum, and on the public record at the UK IPO. The next move belongs to the institutions that have the authority to require it.

Sovereign means the answer to the question "did the agent have authority to act, and can you prove it without trusting the vendor?" is decided by an audit chain the operator owns, signed under a key the operator controls, verifiable by a third party in a browser the vendor does not host. Anything less is a brochure.

Sources and references

  • Mickai patent portfolio, mickai.co.uk/patents (31 filed UK patent applications, 914 claims, sole inventor of record Micky Irons / Mickarle Wagstaff-Irons).
  • GB2608806.2 / MWI-PA-2026-008, PQ-Safe Attestation and ML-DSA Signed Tool-Invocation Ledger.
  • GB2608804.7 / MWI-PA-2026-016, Decision Lineage with ML-DSA-Signed Causal Audit Ledger.
  • GB2610413.3 / MWI-PA-2026-022, Open Inter-Vendor Audit Record (OAR) Format.
  • GB2610414.1 / MWI-PA-2026-023, Browser-Resident Offline Post-Quantum Verifier.
  • GB2610415.8 / MWI-PA-2026-024, Trust-Domain Externalisation Architectural Pattern.
  • GB2608799.9 / MWI-PA-2026-013, Voice-Biometric-Gated LLM Tool Invocation.
  • GB2608818.7 / MWI-PA-2026-021, Per-Skill Clearance-Gated Execution.
  • Bletchley Declaration (November 2023) and Seoul Summit communique (May 2024).
  • UK AI Safety Institute (AISI), evaluation methodology and senior advisor materials, 2024 to 2026.
  • ARIA, Safeguarded AI programme led by David Dalrymple under chair Matt Clifford.
  • Tony Blair Institute, AI for the public sector policy series.
  • FIPS 204 (ML-DSA), NIST post-quantum digital signature standard.
  • ISO/IEC 42001 (AI management systems), EU AI Act, NIST AI RMF.
  • Police and Criminal Evidence Act 1984, Section 78 (admissibility of evidence).
Originally published at https://mickai.co.uk/articles/british-ai-needs-an-audit-substrate-not-another-white-paper.