Enterprise GenAI is consumer-grade with paperwork. Real sovereignty runs in your perimeter, signs every action, and audits per tenant.

By Micky Irons, sole inventor and sole applicant of the Mickai portfolio (UK00004373277), Workington, Cumbria.

The hook: your CFO just integrated ChatGPT Enterprise

Your CFO signed the contract on Friday. By Monday, the finance team is summarising board packs through a shared multi-tenant model. The audit log lives in the vendor's account, not yours. The same model is serving forty-seven thousand other companies, including at least three of your direct competitors. The system prompt that frames every response is held in a configuration store the vendor controls, and the vendor reserves the right to update it without notice for "safety and quality." The training data refresh schedule is at the vendor's discretion. The data your finance team typed into the prompt left your perimeter the moment they hit return.

You signed an SLA. You did not sign a sovereignty contract. The two are not the same. An SLA promises uptime and remediation; sovereignty promises that the model, the audit ledger, and the action chain remain inside a boundary you control. Most "Enterprise GenAI" deployments shipped in early 2026 are SLAs dressed in compliance language. They are consumer-grade architectures with enterprise paperwork stapled on top.

What the big vendors actually offer

Strip away the marketing and a 2026 enterprise GenAI tier reduces to four things. First, a multi-tenant inference fleet where your queries run on the same hardware, behind the same model weights, as everyone else's. Second, an audit log written into the vendor's storage account, accessible to you through a vendor portal, and erasable by the vendor under their incident-response policy. Third, a system prompt and safety filter the vendor maintains and updates on a cadence you do not control. Fourth, a training-data and model-update schedule decided by the vendor, with versioning that may or may not be exposed to you in detail.

Each of those four properties is fine for a consumer product. None of them is acceptable for a regulated workflow. If your audit log is at the vendor, the regulator who shows up at your door is auditing the vendor's storage discipline, not yours. If the system prompt can change overnight, the behavioural guarantees you tested last quarter are not the behavioural guarantees you ship this quarter. If the model is shared with your competitors, the assumption that "no one else can see my queries" rests entirely on the vendor's process discipline, not on a cryptographic boundary.

The procurement teams who recognise this in 2026 are starting to ask harder questions. The vendors are answering with SOC 2 reports and ISO 27001 certificates. Those are useful documents. They are not, in any structural sense, sovereignty.

What sovereign enterprise GenAI looks like

Sovereign enterprise GenAI is a different architecture, not a different SLA. It has seven structural properties, each of which corresponds to a filed Mickai patent in the UK00004373277 portfolio.

Per-tenant hardware-attested isolation. The model and the inference path run inside a hardware boundary that the tenant possesses. The boundary is attested cryptographically; the tenant can verify, at any moment, that the inference happened on hardware they control and not on a shared fleet. This is the core claim of GB2608828.6 / MWI-PA-2026-004 (Adaptive Intelligence Operating System with On-Device Healthcare and Multi-Tenant Enterprise Deployment Under Voice-Biometric Hardware-Attested Tenant Switching). Patent 4 is the structural anchor for the rest of the article; every other property below depends on the boundary it specifies.

Per-tenant voice-biometric gating for tenant switching. When a clinician moves from one tenant context (a hospital trust) to another (a research collaboration), the switch is gated by a hardware-attested voice biometric tied to the user's enrolled key. The tenant context is not a session cookie or a UI tab; it is a cryptographic state transition recorded under the tenant's own keys. This too is in Patent 4.

Per-tenant audit chains that the tenant signs. Every tool invocation, every retrieval, every action the LLM takes inside the tenant's perimeter is signed at the moment of generation under FIPS 204 ML-DSA-65 (a post-quantum signature scheme), with the private half of the signing key resident in hardware the tenant controls. The vendor cannot forge a record, replay a record, or quietly delete a record, because the vendor never possessed the private key. This is GB2608806.2 / MWI-PA-2026-008 (PQ-Safe Attestation and ML-DSA Signed Tool-Invocation Ledger). The decision lineage on top of the ledger, which captures which inputs led to which outputs through which intermediate inferences, is GB2608804.7 / MWI-PA-2026-016 (Decision Lineage with ML-DSA-Signed Audit Ledger).

Pre-commit dry-runs in the tenant's scope. Before the LLM commits any action with irreversible side effects (sending an email, posting a payment instruction, mutating a patient record), the action is simulated against a sandboxed copy of the affected resource, the structured diff is presented for approval, and the action does not commit until the approval lands. The simulation runs inside the tenant's perimeter; the diff is signed under the tenant's keys; the approval is recorded in the tenant's audit chain. This is GB2608802.1 / MWI-PA-2026-015 (Pre-Commit Dry-Run Simulation).

Reversibility discipline per tenant. Every action the model can perform declares its compensating inverse at action-definition time, not at incident time. If a clinical-summary tool inserts a paragraph into a record, the inverse (remove that paragraph and restore the prior version) is stored alongside the signed action. The tenant can issue a retroactive undo against any signed action, and the system constructs the inverse chain inside the tenant's scope. This is GB2608800.5 / MWI-PA-2026-014 (First-Class Actions with Compensating Rollback).

Per-tenant data store with per-voice-print revocation. The retrieval-augmented context the LLM draws on lives in a sovereign data store with row-level and column-level access control, where revocation can be issued against a specific voice-print identity without touching anyone else's access. A leaver does not require a global re-key; a compromised credential does not require a tenant-wide outage. This is GB2608815.3 / MWI-PA-2026-018 (Granular Row-Column Access Control with Per-Voice-Print Revocation on a Sovereign Data Store).

Branch-based workflows for compliance teams. Compliance and clinical-governance reviewers work on branches of the live state, not on the live state itself. They can simulate a policy change, run a parallel inference to see what the model would have done under the new policy, and merge or discard the branch. The merge is a signed event in the tenant audit chain. This is GB2608805.4 / MWI-PA-2026-019 (Branch-Based Workflow with Hive-Mind Federation). The federation half of Patent 19, together with GB2608807.0 / MWI-PA-2026-017 (Personal Fleet Coordination), addresses the case where a tenant operates across multiple sites and wants the inference fleet to coordinate without leaking either tenant or per-site state.

Seven properties, seven filings, one architectural baseline. Each property is independently testable. None of them is satisfied by an SLA.

A worked example: clinical-note summarisation in a healthcare provider

A hospital trust wants to deploy LLM-based clinical-note summarisation. Junior doctors dictate a free-form note; the model summarises it into a structured record with diagnosis codes, medication changes, and follow-up actions. The trust has obligations under UK data-protection law, NHS England's information-governance framework, and the trust's own clinical-safety case.

On a vendor-cloud deployment, the path is straightforward and structurally indefensible. The dictation is transmitted to the vendor. The summarisation runs on a shared multi-tenant model. The audit record (which clinician dictated, what the model produced, which diagnosis codes were assigned) is written to the vendor's storage. When the regulator asks for evidence that a particular code assignment was the model's output and not a clinician's edit, the trust hands over a vendor portal screenshot. When a clinician leaves and the trust needs to revoke their access to historical summaries, the revocation is a vendor support ticket. When the vendor updates the model, the behavioural envelope of the deployment changes without the trust's clinical-safety case being re-tested.

On a Mickai deployment under Patent 4, the path looks different. The dictation is transcribed inside the trust's hardware boundary. The summarisation runs on a model whose weights are loaded into a tenant-isolated inference path that the trust's hardware key has attested. The clinician's voice biometric gates the tenant context (Patent 4 again). Every tool the model invokes (the diagnosis-code lookup, the medication-list update, the structured-record write) is signed at the moment of invocation under the trust's ML-DSA key (Patent 8). The decision lineage that ties the dictation to the summary to the code assignment is captured in the signed ledger (Patent 16). Before the structured record is written to the patient file, the write is simulated against a sandbox copy and the diff is presented to the clinician for approval (Patent 15). If the clinician approves and later realises the medication change was wrong, the trust issues a retroactive undo and the inverse chain restores the prior state (Patent 14). When the clinician leaves, their voice-print identity is revoked at the row-column store (Patent 18) and the relevant historical access dies with it.

The regulator who walks into that trust is not asking the vendor for evidence. The regulator is verifying a signed chain held under the trust's own keys. That is the structural difference between a sovereignty contract and an SLA.

What procurement officers should change in their RFPs

The procurement question for 2026 is not "is your platform SOC 2?" Every serious vendor answers yes to that question, and the answer carries no structural information about whether your data, your audit log, and your action chain remain in your perimeter. The question to ask instead is structural.

Does every tool invocation get signed by hardware that the vendor cannot replay? If the answer is "the audit log is in our cloud storage with role-based access control," the answer is no. If the answer is "every invocation is signed by an ML-DSA key whose private half lives in your TPM," the answer is yes.

Does the model serve only your tenant on the hardware path you possess? If the answer is "we have logical isolation between tenants on shared infrastructure," the answer is no. If the answer is "the inference path is attested as running on hardware you have provisioned and the attestation is verifiable by your security team," the answer is yes.

Does an action with irreversible side effects get simulated and approved before commit? If the answer is "we have safety filters on the output," the answer is no. If the answer is "the action is dry-run against a sandbox, the structured diff is presented for approval, and the commit is gated by the approval signature," the answer is yes.

Can a regulator independently verify your audit chain without asking the vendor for permission? If the answer is "the regulator can request an export through our compliance portal," the answer is no. If the answer is "the regulator holds the public half of your signing key and verifies the chain directly," the answer is yes.

Procurement teams who put those four questions into a 2026 RFP will discover that most vendors cannot answer them in the affirmative without restructuring their architecture. That restructuring is the work. It is not solved by paperwork.

Call to action

Mickai is the architecture for sovereign enterprise GenAI integration. Patent 4 (GB2608828.6 / MWI-PA-2026-004) is the specific filing that any procurement officer or enterprise architect should read first; it is the multi-tenant deployment baseline on which the rest of the portfolio composes. Patents 8, 14, 15, 16, 17, 18, and 19 fill in the audit, reversibility, simulation, federation, and access-control surfaces around the baseline.

Micky Irons is the sole inventor and sole applicant of all twenty-one filings, acting in person, no patent attorney, no law firm, no commercial intermediary. Enterprises who want sovereign GenAI integration (legal, finance, healthcare, defence, regulated infrastructure) can engage the inventor directly. The conversation is structural, not promissory; the licensing can be structured per-deployment, per-vertical, or as a strategic cross-licence in a single conversation.

If your enterprise is integrating GenAI into a workflow that a regulator will eventually audit, the structural test is not whether your vendor has paperwork. The structural test is whether the model, the audit ledger, and the action chain remain inside a boundary you control. That is what Mickai is filed to deliver.

Contact: press@mickai.co.uk. Filing reference: UK00004373277.