Cryptographic Provenance for Every AI Artifact
How every document, line of code, and decision a Mickai brain produces leaves the system already signed, attested, and verifiable
Every day, more of the work inside a regulated organisation is produced by machines. A brain drafts the loan decision, writes the patch that ships to production, summarises the clinical note, assembles the board pack. The output looks finished and authoritative. What it almost never carries is proof: proof of which brain produced it, under whose authority, at what moment, against which policy. When something goes wrong later, the artifact cannot answer the only questions that matter.
We built Mickai, our Sovereign Intelligence Operating System (SIOS), so that this gap never opens. Every artifact a Mickai brain generates, whether a document, a single line of code, or a decision, leaves the system already signed. Not signed as an afterthought by a logging layer, but signed as a condition of its own existence. This is cryptographic provenance, and inside a SIOS it is not a feature you switch on. It is the physics of the place.
Why an unsigned artifact is a liability
An AI output with no verifiable origin is a rumour with good grammar. It may be correct. It may be catastrophic. You cannot tell by reading it, and neither can a regulator, an auditor, or a court. Under the EU AI Act, high-risk systems must be traceable and their records must survive scrutiny. Under the Digital Operational Resilience Act (DORA), financial entities must reconstruct exactly what happened during an incident. Under the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA), you must show who touched what and on what basis. An unattributed machine artifact fails all of these the instant it is challenged.
The deeper problem is authority. As soon as an autonomous brain acts on a customer's behalf, someone is accountable for that act. If the artifact cannot say which brain produced it, under whose delegated permission, and against which live policy, then accountability evaporates precisely when it is needed. Provenance is how we keep authority attached to action, so that responsibility is never orphaned from the work.
Sign before you act, not after
Most systems record what happened after it happened. We invert that order. In Mickai, before any brain performs a consequential action, it produces an Operation Attestation Record (OAR): a structured statement of what is about to be done, by which brain, under whose authority, against which policy version, at which timestamp. The OAR is signed first. Only then does the action proceed. If the signature cannot be produced, the action does not run at all.
This ordering is the whole point. A signature applied afterwards proves only that a log exists. A signature applied beforehand proves intent, authority, and constraint at the moment of decision. The artifact that emerges, the code, the document, the decision, inherits that attestation and carries it wherever it travels. Hermes, messenger of the gods, never arrived without the sealed authority of the one who sent him. Neither does anything a Mickai brain produces.
ML-DSA-65: signatures built for the next decade
The signature itself uses the Module-Lattice Digital Signature Algorithm at security level 65 (ML-DSA-65), standardised as Federal Information Processing Standard (FIPS) 204. We chose it deliberately. Classical signature schemes such as RSA and elliptic curve are, in principle, breakable by a sufficiently capable quantum computer, and an adversary who records signed artifacts today can attempt to forge or repudiate them years from now once that capability exists. A provenance system whose signatures expire the day quantum arrives is not provenance. It is a countdown.
ML-DSA-65 is a post-quantum signature: its security rests on lattice problems that resist both classical and quantum attack. An artifact signed today by a Mickai brain remains verifiable, and remains attributable, into a future where the cryptographic ground has shifted beneath everyone else. For regulated buyers holding records for seven, ten, or twenty years, that longevity is not a luxury. It is the requirement.
The tamper-evident ledger
Individual signatures prove that a specific artifact came from a specific brain. On their own they do not prove that the record of history is complete and unaltered. For that, every OAR is written into a tamper-evident, cryptographically-signed audit ledger, where each entry is chained to the one before it. Remove an entry, alter an entry, or reorder the sequence, and the chain breaks visibly. You cannot quietly rewrite what a brain did last Tuesday, because Tuesday is holding hands with Monday and Wednesday.
This gives auditors something they almost never get with AI systems: a spine of history they can trust without trusting the operator. The ledger does not ask to be believed. It offers to be checked. And because brains in Mickai are revocable, a compromised or retired brain's authority can be withdrawn while its past attestations remain permanently legible, so revocation never erases the record of what was already done.
Verification that needs no phone-home
A provenance claim you can only verify by calling the vendor's cloud is a provenance claim you do not fully own. Mickai artifacts verify offline. The signature, the OAR, and the ledger position can be checked on hardware the customer controls, air-gapped if they wish, with no call to us and no data leaving the boundary. A defence integrator working under the International Traffic in Arms Regulations (ITAR), or a hospital that will not let patient records touch an external network, can still prove every artifact is authentic and correctly attributed.
This matters because verification is where most provenance schemes quietly fail. They can sign, but checking the signature drags you back online, back into dependency, back into egress. Everything in Mickai runs on hardware the customer owns, with zero data egress by default, so verification inherits that sovereignty. The proof travels with the artifact, and the artifact answers for itself anywhere it lands.
Provenance for the highest-stakes decisions
For routine work, a single brain's signed attestation is enough. For actions that carry real consequence, moving funds, altering a clinical pathway, deploying to a production system, we require more than one witness. High-stakes actions in Mickai can demand multi-brain approval combined with voice-biometric confirmation from an authorised human, and every one of those approvals is itself attested and chained. The resulting artifact does not merely say a machine did this. It says these specific brains and this specific person jointly authorised it, and here is the cryptographic proof.
The cloud giants, OpenAI, Microsoft, Amazon Web Services, Google and Oracle, are our allies, and they operate a different layer of the stack. They were never designed to place a post-quantum, offline-verifiable attestation on every artifact inside a customer's own air-gapped estate. That is the boundary the public cloud cannot cross on the customer's terms, and it is exactly the boundary we were built to hold.
The bottom line
An AI artifact without provenance is an asset you cannot defend and a decision you cannot stand behind. Mickai makes provenance intrinsic: every document, every line of code, every decision leaves the system signed with ML-DSA-65, attested by an OAR created before the action ran, chained into a tamper-evident ledger, and verifiable offline on hardware the customer owns. The capabilities behind this sit among the 104 filed UK patent applications, about 2,340 claims, owned by Mickai LTD. When the auditor, the regulator, or the court finally asks who produced this and under whose authority, the artifact answers for itself. That is the difference between an output and a record.




