Deterministic Multi-Agent Systems for Regulated Work
Predictable, auditable agent orchestration for institutions that must prove every step
Ask any compliance officer at a bank, a hospital, or a defence contractor what keeps them awake, and the answer is rarely the thing an agent does. It is that they cannot say, in advance and under oath, what the agent will do next. A cloud agent given the same instruction twice may take two different paths, call two different systems, and reach two different conclusions. For a marketing task, that is a curiosity. For a payment run, a patient record, or an export-controlled document, it is a fireable offence waiting to happen.
Regulated institutions do not buy cleverness. They buy predictability they can prove. At Mickai we built our multi-agent orchestration around a single non-negotiable idea: an agent system that cannot reproduce its own runs, cannot sign its own hand-offs, and cannot be replayed for an auditor is not fit for regulated work. Determinism is not a nice-to-have bolted on afterwards. It is the substrate.
Why non-deterministic agents fail the regulated test
A black-box cloud agent is, by design, a probabilistic process wrapped in an opaque service you do not control. It reasons freely, chooses tools on the fly, and its behaviour drifts as the provider updates the model beneath it. That flexibility is exactly what makes it unusable where the law demands an account. Under the General Data Protection Regulation (GDPR), a data subject can ask why a decision was made. Under the Digital Operational Resilience Act (DORA), a financial firm must demonstrate control over its operational processes. Under the European Union Artificial Intelligence Act (EU AI Act), high-risk systems must be traceable end to end.
None of that survives an answer of "the agent decided, and we cannot tell you why or reproduce it." A regulator does not accept probability where the rule requires proof. If the same input can yield a different output tomorrow, the institution has no defensible position. This is the boundary the public cloud cannot cross on the customer's own terms, and it is precisely the boundary we serve. The cloud giants remain allies at their layer. We operate at the layer where the answer must be repeatable.
Determinism as an engineering commitment
Determinism means that a given input, a given set of brains, and a given configuration produce the same sequence of actions and the same result every single time. We achieve this by pinning everything that can drift. The brains that carry out the work are versioned and revocable, so a run always names the exact brains it used. Model weights, prompts, tool definitions, random seeds, and decision thresholds are all fixed to the run and recorded, never left to float against a remote service that changes underneath you.
Orchestration is treated as a controlled workflow, not a free-roaming conversation. Each brain has a declared role, declared inputs, and declared outputs. The route a task takes between brains is planned and bounded rather than improvised. When a step involves genuine judgement, that judgement is captured as a recorded decision with its inputs attached, so the reasoning stays inspectable rather than being lost. The result is a system you can point at and say: run this again, and it will do the same thing.
Signed hand-offs between brains
The most dangerous moment in any multi-agent system is the hand-off, the instant one component passes work to another. In an ordinary pipeline that hand-off is a bare function call with nothing vouching for it. In ours, every action is bound to an Operation Attestation Record (OAR) that is signed before the action executes, never after. The OAR names the brain, the inputs, the intended operation, and the authority under which it runs, and it is sealed with a post-quantum signature using the Federal Information Processing Standard 204 (FIPS 204) ML-DSA-65 scheme.
Because the attestation is signed in advance, there is no window in which a brain acts first and accounts for it later. A hand-off with a broken or missing signature simply does not proceed. One brain cannot silently impersonate another, and no step can be slipped into the chain without leaving a cryptographic gap that verification will catch. Each signed hand-off links to the one before it, so the whole run forms an unbroken chain of custody from first input to final output.
Reproducible runs and the audit ledger
Every run writes to a tamper-evident, cryptographically-signed audit ledger. It captures the inputs, the brains and versions involved, each signed hand-off, every decision, and the final output, in an order that cannot be quietly rewritten. Because the record is complete and the configuration is pinned, an institution can take a run from six months ago and replay it exactly, or hand the ledger to an examiner who can verify it independently.
That verification works offline. An auditor does not need to call our systems, trust a live service, or accept our word for what happened. The signatures on the ledger can be checked against public keys on a machine with no network connection at all. This matters enormously for firms operating under DORA, for clinical environments bound by the Health Insurance Portability and Accountability Act (HIPAA), and for anyone handling material under the International Traffic in Arms Regulations (ITAR), where the ability to prove a process to an outside party, without depending on the vendor, is the difference between a defensible record and a liability.
High-stakes actions need more than one voice
Determinism tells you the system will behave the same way every time. It does not, on its own, decide whether a consequential action should happen at all. For that we require agreement. A high-stakes operation, moving money, releasing a controlled document, altering a patient record, is gated behind multi-brain approval, so more than one independent brain must attest to the action before it proceeds. Where a human must stand behind the decision, we add voice-biometric approval, binding the authorisation to a specific person rather than a shared password.
This turns a single point of failure into a quorum. A compromised brain, or a single mistaken instruction, cannot on its own trigger an irreversible action, because the approval is distributed and cryptographically recorded. Every one of those approvals is itself an attested, signed event on the ledger, so the account of who authorised what is as reproducible as the work itself.
Built to run where the data lives
All of this runs on hardware the customer owns. Mickai is deployed air-gapped or on-premise, with zero data egress, so the regulated material never leaves the institution's own boundary to reach a third party's cloud. Determinism and sovereignty reinforce each other here. A reproducible run is only truly reproducible if you control every layer it depends on, and you cannot control a layer that lives inside someone else's data centre and changes without your consent.
The capabilities behind this architecture are described across 104 filed United Kingdom patent applications, comprising about 2,340 claims, owned by Mickai LTD. We frame those filings by what they contain: signed attestation before execution, offline verification, revocable brains, and quorum approval for consequential actions. They describe a way of making agent systems accountable, not a legal trophy.
The bottom line
Regulated institutions cannot run their most sensitive work on agents that improvise and cannot be replayed. The requirement is not intelligence, it is an account that holds up when someone asks. Deterministic orchestration, signed hand-offs sealed before they execute, reproducible runs, an offline-verifiable ledger, and quorum approval for high-stakes actions turn multi-agent work from an unprovable black box into evidence. That is the standard the boundary demands, and it is the standard we built to.




