MICKAI
Article · 4 July 2026

Deterministic Multi-Agent Systems for Regulated Work

Predictable, auditable agent orchestration for institutions that must prove every step

Deterministic Multi-Agent Systems for Regulated Work
Author
Micky Irons
Published
4 July 2026
Follow Micky Irons
LinkedInX
multi-agentdeterminismcomplianceauditsovereign-ai

Ask any compliance officer at a bank, a hospital, or a defence contractor what keeps them awake, and the answer is rarely the thing an agent does. It is that they cannot say, in advance and under oath, what the agent will do next. A cloud agent given the same instruction twice may take two different paths, call two different systems, and reach two different conclusions. For a marketing task, that is a curiosity. For a payment run, a patient record, or an export-controlled document, it is a fireable offence waiting to happen.

Regulated institutions do not buy cleverness. They buy predictability they can prove. At Mickai we built our multi-agent orchestration around a single non-negotiable idea: an agent system that cannot reproduce its own runs, cannot sign its own hand-offs, and cannot be replayed for an auditor is not fit for regulated work. Determinism is not a nice-to-have bolted on afterwards. It is the substrate.

Why non-deterministic agents fail the regulated test

A black-box cloud agent is, by design, a probabilistic process wrapped in an opaque service you do not control. It reasons freely, chooses tools on the fly, and its behaviour drifts as the provider updates the model beneath it. That flexibility is exactly what makes it unusable where the law demands an account. Under the General Data Protection Regulation (GDPR), a data subject can ask why a decision was made. Under the Digital Operational Resilience Act (DORA), a financial firm must demonstrate control over its operational processes. Under the European Union Artificial Intelligence Act (EU AI Act), high-risk systems must be traceable end to end.

None of that survives an answer of "the agent decided, and we cannot tell you why or reproduce it." A regulator does not accept probability where the rule requires proof. If the same input can yield a different output tomorrow, the institution has no defensible position. This is the boundary the public cloud cannot cross on the customer's own terms, and it is precisely the boundary we serve. The cloud giants remain allies at their layer. We operate at the layer where the answer must be repeatable.

A colossal marble statue of Chronos holding a great motionless wheel of hours lit by gold light against a black void
Like Chronos holding time still, a deterministic run repeats the same path every time it is asked

Determinism as an engineering commitment

Determinism means that a given input, a given set of brains, and a given configuration produce the same sequence of actions and the same result every single time. We achieve this by pinning everything that can drift. The brains that carry out the work are versioned and revocable, so a run always names the exact brains it used. Model weights, prompts, tool definitions, random seeds, and decision thresholds are all fixed to the run and recorded, never left to float against a remote service that changes underneath you.

Orchestration is treated as a controlled workflow, not a free-roaming conversation. Each brain has a declared role, declared inputs, and declared outputs. The route a task takes between brains is planned and bounded rather than improvised. When a step involves genuine judgement, that judgement is captured as a recorded decision with its inputs attached, so the reasoning stays inspectable rather than being lost. The result is a system you can point at and say: run this again, and it will do the same thing.

Signed hand-offs between brains

The most dangerous moment in any multi-agent system is the hand-off, the instant one component passes work to another. In an ordinary pipeline that hand-off is a bare function call with nothing vouching for it. In ours, every action is bound to an Operation Attestation Record (OAR) that is signed before the action executes, never after. The OAR names the brain, the inputs, the intended operation, and the authority under which it runs, and it is sealed with a post-quantum signature using the Federal Information Processing Standard 204 (FIPS 204) ML-DSA-65 scheme.

A colossal marble statue of Hermes pressing a glowing golden seal onto a scroll passed between two hands against a black void
Hermes the messenger seals every hand-off before it moves, so no message travels unsigned

Because the attestation is signed in advance, there is no window in which a brain acts first and accounts for it later. A hand-off with a broken or missing signature simply does not proceed. One brain cannot silently impersonate another, and no step can be slipped into the chain without leaving a cryptographic gap that verification will catch. Each signed hand-off links to the one before it, so the whole run forms an unbroken chain of custody from first input to final output.

Reproducible runs and the audit ledger

Every run writes to a tamper-evident, cryptographically-signed audit ledger. It captures the inputs, the brains and versions involved, each signed hand-off, every decision, and the final output, in an order that cannot be quietly rewritten. Because the record is complete and the configuration is pinned, an institution can take a run from six months ago and replay it exactly, or hand the ledger to an examiner who can verify it independently.

That verification works offline. An auditor does not need to call our systems, trust a live service, or accept our word for what happened. The signatures on the ledger can be checked against public keys on a machine with no network connection at all. This matters enormously for firms operating under DORA, for clinical environments bound by the Health Insurance Portability and Accountability Act (HIPAA), and for anyone handling material under the International Traffic in Arms Regulations (ITAR), where the ability to prove a process to an outside party, without depending on the vendor, is the difference between a defensible record and a liability.

A colossal marble statue of Mnemosyne inscribing an unbroken column of records into gold-veined stone against a black void
Mnemosyne, keeper of memory, inscribes a ledger that cannot be quietly rewritten

High-stakes actions need more than one voice

Determinism tells you the system will behave the same way every time. It does not, on its own, decide whether a consequential action should happen at all. For that we require agreement. A high-stakes operation, moving money, releasing a controlled document, altering a patient record, is gated behind multi-brain approval, so more than one independent brain must attest to the action before it proceeds. Where a human must stand behind the decision, we add voice-biometric approval, binding the authorisation to a specific person rather than a shared password.

This turns a single point of failure into a quorum. A compromised brain, or a single mistaken instruction, cannot on its own trigger an irreversible action, because the approval is distributed and cryptographically recorded. Every one of those approvals is itself an attested, signed event on the ledger, so the account of who authorised what is as reproducible as the work itself.

Built to run where the data lives

All of this runs on hardware the customer owns. Mickai is deployed air-gapped or on-premise, with zero data egress, so the regulated material never leaves the institution's own boundary to reach a third party's cloud. Determinism and sovereignty reinforce each other here. A reproducible run is only truly reproducible if you control every layer it depends on, and you cannot control a layer that lives inside someone else's data centre and changes without your consent.

A colossal marble statue of Argus covered in watchful golden eyes standing guard over a sealed gateway against a black void
Argus of the hundred eyes stands for quorum approval, where more than one watcher must consent

The capabilities behind this architecture are described across 104 filed United Kingdom patent applications, comprising about 2,340 claims, owned by Mickai LTD. We frame those filings by what they contain: signed attestation before execution, offline verification, revocable brains, and quorum approval for consequential actions. They describe a way of making agent systems accountable, not a legal trophy.

The bottom line

Regulated institutions cannot run their most sensitive work on agents that improvise and cannot be replayed. The requirement is not intelligence, it is an account that holds up when someone asks. Deterministic orchestration, signed hand-offs sealed before they execute, reproducible runs, an offline-verifiable ledger, and quorum approval for high-stakes actions turn multi-agent work from an unprovable black box into evidence. That is the standard the boundary demands, and it is the standard we built to.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/deterministic-multi-agent-systems. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles