MICKAI
Article · 13 June 2026

When AI Enters the Control Room, the Record Has to Outlive the Vendor

In 2026 CISA and the NCSC told operators to integrate AI into operational technology carefully. The harder question is who holds an audit trail that survives the supplier and that a regulator can replay.

Author: Micky Irons
Published: 13 June 2026

The control room gets an AI, and a new question: who holds the record

In 2026 the United States Cybersecurity and Infrastructure Security Agency (CISA), the United Kingdom National Cyber Security Centre (NCSC) and international partners issued joint guidance on securely integrating artificial intelligence (AI) into the operational technology (OT) that runs power grids, water treatment plants and industrial processes, alongside separate guidance on the careful adoption of agentic AI. The guidance is welcome and overdue. It names the obvious hazards: a model that drifts, a vendor channel that becomes an attack surface, an autonomous agent that acts faster than a human can intervene. But underneath the recommendations sits a harder question that the guidance gestures at without solving. When an AI takes part in operating a turbine, a pump or a breaker, who holds the record of what it did, will that record still exist, and will it still be verifiable, after the vendor is gone?

What the 2026 guidance actually asks operators to do

The joint guidance treats AI in operational technology as a supply-chain and assurance problem rather than a productivity story. It asks operators to understand the provenance of the models they deploy, to constrain what an agent is permitted to do, to keep a human meaningfully in the loop for consequential actions, and to log enough to reconstruct events after the fact. The agentic AI guidance goes further, warning that systems which plan and act on their own raise the stakes for monitoring and accountability. These are sound instincts. The difficulty is that most of the assurance they describe is delegated, in practice, to the supplier. The model provenance is whatever the vendor attests. The logs sit in the vendor's telemetry pipeline. The monitoring dashboard is the vendor's product. Each of those is fine while the relationship holds. None of it is a property the operator owns.

Critical infrastructure outlives its vendors

A water treatment works runs for forty years. A grid substation runs longer. The software vendors that supply their control systems do not. They are acquired, they pivot, they discontinue product lines, they go out of business, they have their cloud credentials breached. This is not a tail risk in critical infrastructure; it is the base case over an asset's life. That means an audit trail that depends on the AI vendor still existing, or on the current operator still holding the same contract, is not an audit trail. It is a liability waiting for a vendor change or an incident. The day a regulator asks what the control system did during a near-miss is precisely the day the operator discovers that the relevant logs were the vendor's, the vendor is three acquisitions removed, and the export format is undocumented.

The test is simple, and it is one most current deployments fail. Can the operator, alone, on hardware it owns, produce a tamper-evident record of every decision an AI took in the control room, and can an independent party replay and verify that record without calling the supplier? If the answer requires the vendor's cooperation, the operator does not have an audit trail. It has a dependency.

[Image: The Cyclopes, one-eyed giant smiths, working at a colossal forge lit by satin gold fire against a void-black background. Caption: The forge outlasts the smith. Infrastructure assurance has to be built to survive the supplier that installed it.]

A record the operator holds, not one the vendor keeps

The engineering answer is to invert the ownership. The record has to be the operator's from the moment it is written, sealed by keys the operator controls, in a format any independent party can replay. This is the discipline Micky, Mickai's founder, carried from nuclear commissioning into the substrate. In a nuclear plant the commissioning record is not the contractor's convenience; it is the operator's legal and safety obligation, and it has to stand up to a regulator who was not in the room and who arrives years later. That standard, a record the operator holds and a regulator can replay independently, is the one critical infrastructure needs for AI, and it is the standard the broader software industry has never met.

In the Mickai Sovereign Intelligence Operating System (SIOS), a built and live system, this discipline is the Open Audit Record (OAR). The OAR is an append-only, hash-chained ledger in which every action is signed before it executes, not logged after. The signature uses Federal Information Processing Standard 204 (FIPS 204) ML-DSA-65, a National Institute of Standards and Technology (NIST) post-quantum standard, so the seal is built to outlast the cryptography it replaces rather than to be re-secured later. The signing keys live in a Trusted Platform Module (TPM) on hardware the operator owns. A browser-resident verifier checks any record offline, with no call home to the supplier. That last property is the one that matters in a control room. Verification that needs the vendor's servers is verification the vendor can switch off.

Sign before you act, so the record cannot be edited to fit

The ordering is the point, and it is the detail conventional logging gets wrong. Most systems act first and write a log line afterward, which means the log is a description of what happened, produced by the same system that did it, and editable by anyone who can reach the log store. In the OAR the intended action is signed before it executes. The cryptographic commitment exists before the turbine command goes out. An attacker who compromises the control system after the fact cannot quietly rewrite history to make a harmful action look routine, because the chain already carries a signed, timestamped commitment to what was about to happen. For incident reconstruction this is the difference between a narrative the operator hopes is intact and a chain a regulator can independently prove was not altered.
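The sign-before-act ordering and the offline replay described in the two sections above, as an added example that is not Mickai's code or the OAR format. Assumptions: HMAC-SHA256 stands in for the ML-DSA-65 signature so the block runs on the standard library, the key is a constructed constant rather than a TPM-held key, and the entry layout, function names and plant commands are constructed for illustration.

```python
import hashlib, hmac, json

GENESIS = "0" * 64
KEY = b"constructed-demo-key"  # assumption: stands in for a TPM-held signing key

def digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def seal(body, key):
    # Stand-in for an ML-DSA-65 signature. HMAC is symmetric, so this verifier
    # shares the key; a real signature scheme would verify with a public key.
    return hmac.new(key, digest(body).encode(), hashlib.sha256).hexdigest()

def append(chain, kind, payload, key=KEY):
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, "kind": kind, "payload": payload}
    entry = dict(body, hash=digest(body), sig=seal(body, key))
    chain.append(entry)
    return entry

def act(chain, command, execute, key=KEY):
    """Seal the intent into the chain first, then execute, then record the outcome."""
    intent = append(chain, "intent", command, key)
    result = execute(command)
    append(chain, "outcome", {"intent": intent["hash"], "result": result}, key)
    return result

def verify(chain, key=KEY):
    """Replay offline. Returns the index of the first bad entry, or -1 if intact."""
    prev, intents = GENESIS, set()
    for i, e in enumerate(chain):
        body = {k: e.get(k) for k in ("seq", "prev", "kind", "payload")}
        if e.get("seq") != i or e.get("prev") != prev or e.get("hash") != digest(body):
            return i  # reordered, unlinked or edited entry
        if not hmac.compare_digest(e.get("sig", ""), seal(body, key)):
            return i  # hash recomputed by someone without the key
        if e["kind"] == "intent":
            intents.add(e["hash"])
        elif e["payload"].get("intent") not in intents:
            return i  # outcome with no earlier sealed intent: act-then-log
        prev = e["hash"]
    return -1

def demo():
    chain, plant = [], (lambda cmd: "ok")  # constructed plant interface
    act(chain, {"target": "pump-3", "op": "set_speed", "value": 40}, plant)
    act(chain, {"target": "breaker-7", "op": "open"}, plant)
    before = verify(chain)
    chain[2]["payload"]["op"] = "close"  # after-the-fact edit of a sealed intent
    return before, verify(chain)
```

`demo()` returns the verification result before and after the edit; the replay stops at the altered intent entry.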

Stopping the agent before it does the unrecoverable thing

The 2026 agentic AI guidance is right to single out autonomy as the sharper edge. An agent that can act in operational technology can also exfiltrate, wipe or issue a command no operator intended. A record, however well sealed, is forensic. It tells you what went wrong after it has gone wrong. Critical infrastructure needs a control that acts before the action lands. In the SIOS this is Sentinel, a Mickai capability that stops agents wiping or exfiltrating data, paired with authority-at-execution. Dangerous actions are gated so that several brains must agree before one runs. A single compromised or hallucinating component cannot push a consequential command to physical plant on its own authority. The keys to verify and the gate to prevent both live on the operator's hardware, not in a vendor tenant, which is what the joint guidance is reaching toward when it asks for meaningful human control and constrained agency.
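The gating idea above (several independent checkers must agree before a dangerous action runs), as an added example that is not Mickai's code or the Sentinel implementation. Assumptions: the approver names, keys, threshold of two and command fields are constructed, and HMAC-SHA256 stands in for each approver's signature.

```python
import hashlib, hmac, json

# Constructed approver keys; each independent checker would hold its own key.
APPROVER_KEYS = {"checker-a": b"key-a", "checker-b": b"key-b", "checker-c": b"key-c"}
THRESHOLD = 2  # assumed quorum; the article does not state a number

def command_digest(command):
    return hashlib.sha256(json.dumps(command, sort_keys=True).encode()).hexdigest()

def _tag(key, command):
    # HMAC stands in for a per-approver signature over the exact command.
    return hmac.new(key, command_digest(command).encode(), hashlib.sha256).hexdigest()

def approve(approver, command):
    """One approver's endorsement, bound to the digest of this exact command."""
    return {"approver": approver, "tag": _tag(APPROVER_KEYS[approver], command)}

def valid_approvers(command, approvals):
    ok = set()
    for a in approvals:
        key = APPROVER_KEYS.get(a.get("approver"))
        if key is None:
            continue  # unknown approver: ignored
        if hmac.compare_digest(_tag(key, command), a.get("tag", "")):
            ok.add(a["approver"])  # a set, so a repeated approval counts once
    return ok

def gated_execute(command, approvals, execute, threshold=THRESHOLD):
    """Deny by default: run only if enough distinct approvers endorsed this command."""
    if len(valid_approvers(command, approvals)) < threshold:
        return ("blocked", None)
    return ("executed", execute(command))
```

Because each approval covers the command digest, approvals collected for one command cannot be replayed to release a different one, and a single approver repeating itself never reaches the quorum.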

Post-quantum from inception, because the record has to outlive the threat

A control-room record made in 2026 may need to be replayed in 2040. The cryptography protecting it has to survive not only the vendor but the threat horizon, including the arrival of quantum computers capable of breaking today's signatures. Retrofitting post-quantum protection later does not help a record already written and already harvested. This is why the OAR uses a post-quantum signature standard from inception rather than as a planned upgrade. It is also why the broader Mickai architecture treats sovereignty as a hardware and key-custody fact, not a policy. The operator owns the silicon, the operator holds the keys, the operator possesses the chain. The fifty Mickai brains run on the Poseidon silicon substrate, the audit root is anchored externally for independent corroboration, and the whole arrangement is designed so that the operator's ability to prove what happened does not depend on anyone else's continued goodwill or continued existence.

[Image: Helios driving his golden sun-chariot across a void-black sky, satin gold light against deep darkness. Caption: A record built to be replayed decades from now, after the supplier and the cryptography of its day have both moved on.]

What to ask before AI enters your control room

The CISA and NCSC guidance gives operators a vocabulary for the risk. The procurement question that turns that vocabulary into protection is narrow, and it is testable. When an AI acts in your control room, is the record of what it did yours, signed before the action with cryptography that will still hold in fifteen years, stored on hardware you own, and replayable by an independent regulator with no call to the vendor? If a supplier cannot answer yes to every clause, what they are offering is convenience that lasts exactly as long as the relationship does. Critical infrastructure cannot be assured on those terms. The Mickai SIOS was built so the answer is yes by construction. The Open Audit Record is the operator's, the keys sit in a Trusted Platform Module on owned hardware, the chain replays offline, and the seal is post-quantum from the first entry. The control room outlives its vendors. The record has to outlive them too.


Originally published at https://mickai.co.uk/articles/control-room-ai-record-must-outlive-the-vendor. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.