Cryptographic Provenance for AI Outputs
We believe every consequential AI decision should carry proof of who made it, on what basis, and when, and that proof should hold up under scrutiny.
An answer is not evidence
For most of the past few years, the question people asked of an AI system was simple. Is the answer any good. That was always the wrong question to lead with in a hospital, a bank, a court, a defence programme, or a critical national utility. In those places the better question is not whether the answer looks right. It is whether you can prove, later, who produced it, on what basis, under whose authority, and at what moment in time. An answer is not evidence. Evidence is an answer plus a record you can trust.
We built Mickai around that distinction. Mickai is a Sovereign Intelligence Operating System, a SIOS, and one of its founding commitments is that no consequential action should ever leave the system without a signed, verifiable record of how it came to be. We call that record the Open Audit Record, and it is not an add on. It is the substrate that everything else stands on.
Why provenance is now a hard requirement
The pressure for verifiable AI is coming from several directions at once, and it is no longer theoretical. Regulators are moving from principles to obligations, and obligations tend to arrive with the word demonstrate attached. Boards are being asked to sign off on systems whose reasoning they cannot inspect. Insurers are starting to price the risk of automated decisions that no one can reconstruct. And adversaries, both external and internal, have worked out that the easiest thing to attack in an AI pipeline is not the model. It is the story of what the model did.
Consider what a decision actually touches on its way to a person. There is the prompt or the trigger. There is the data the system was allowed to see. There is the specific model state, the policy in force, the governance check that either passed or blocked. There is the human who approved it, or the rule that let it run without a human. Every one of those is a place where an account can drift, be edited after the fact, or simply be lost. In a low stakes setting that is an inconvenience. In a high stakes setting it is the difference between a defensible decision and an indefensible one.
“If you cannot reconstruct how a decision was made, you do not have a decision. You have a rumour with good production values.”
What signed provenance actually means
Provenance is a word that gets used loosely, so we want to be precise about what we mean by it. A logged event is not provenance. A log file can be edited, truncated, or fabricated, and most logging was never designed to resist a motivated insider. Cryptographic provenance is different in kind. It means that each action carries a signature that binds together the inputs, the reasoning path, the governing policy, the outcome, and the exact time, so that any later change to any part of that bundle breaks the signature and shows itself.
In Mickai, the Open Audit Record captures that bundle at the moment of the action, not afterwards from memory. Fifty specialist brains, twenty five domain and twenty five operational, run under deterministic governance, which means the same inputs and the same policy produce the same governed path rather than a fresh improvisation each time. When one of those brains acts, the record is written and signed there and then. The signature is what turns a description of events into proof of events.
A useful provenance record answers a specific set of questions without anyone needing to take the system's word for it:
- What triggered this action, and what data was the system permitted to use.
- Which brain or brains handled it, under which policy, and whether governance passed or blocked.
- Whether a human approved it, and if not, which rule authorised it to proceed.
- The exact ordering and timing of steps, sealed so the sequence cannot be quietly rearranged.
- Whether the record has been altered in any way since it was signed.
Signing that survives the next decade
There is a harder problem hiding underneath all of this, and most systems ignore it. A signature is only as durable as the mathematics behind it. Much of today's digital signing rests on assumptions that a sufficiently capable quantum computer would undermine, which means a record signed today could, in principle, be forged or repudiated years from now once that capability exists. For a chat assistant, nobody cares. For a decision that has to remain defensible across a decade of audits, litigation, and regulatory review, it matters enormously.
That is why Mickai signs with ML-DSA-65, a post-quantum signature scheme. We are not asking a customer to trust that the maths will hold. We are choosing signing designed to hold even as the threat model changes underneath it. Provenance that expires the moment the cryptography ages is not provenance. It is a promise with a short shelf life.
Provenance only counts if the ground is yours
There is a quiet contradiction in a lot of AI governance talk. Organisations are asked to prove control over decisions while the actual computation, data, and memory sit inside infrastructure they neither own nor can inspect. You cannot claim sovereignty over provenance when the round trip leaves your walls. So the record and the reasoning have to live where the customer can stand over them.
Mickai runs on the customer's own hardware, on premises and air gapped where required, with zero data egress and no public cloud round trip. The memory belongs to the customer. The audit record belongs to the customer. Nothing has to leave the building for a decision to be made or for its provenance to be proven. When an inspector, a regulator, or an internal risk team asks to see how something happened, the evidence is already sitting inside the estate, signed, sealed, and ready to be checked against the maths rather than against anyone's assurances.
The engineering behind the claim
We are conscious that claims like these are easy to make and hard to substantiate, so it is worth being clear about what stands behind ours. The architecture that carries deterministic governance, the Open Audit Record, post-quantum signing, and customer owned memory is described in a body of filed UK patent applications. As of now that portfolio runs to 104 filed applications containing roughly 2,340 claims, with the full specifications, claims, and figures set down in detail, and it is progressing toward examination and grant. We publish that number because the specifics of how provenance is generated and sealed are exactly the part that ought to be written down, examined, and held to account.
The market is starting to notice the shape of what we are building. On Crunchbase our founder now ranks number 2, and the company Heat Score has reached 94 out of 100, climbing from single digits. We read that less as a verdict on us and more as a signal about where attention is moving. The appetite is shifting from AI that sounds convincing toward AI that can prove what it did.
Where this goes next
We think verifiable provenance will stop being a differentiator and become a baseline, in the same way that encrypted traffic and audited financials did before it. The organisations that handle the highest stakes will simply refuse to deploy AI that cannot show its working in a form that holds up under adversarial scrutiny. When that happens, the interesting question will no longer be how clever a system sounds. It will be whether every artefact it produces arrives with a signature that a stranger, years later, can still verify without trusting anyone in the chain.
That is the standard we are building toward, and we are building it into the foundation rather than bolting it on at the end. In the environments that matter most, we would rather hand you proof than ask for your trust. Cryptographic provenance is how we turn one into the other.





