MICKAI
Article · 8 July 2026

FIPS 204 and FIPS 203 Explained for an AI Audit Trail

FIPS 204 is the post-quantum signature standard that signs an AI audit ledger, and FIPS 203 only encapsulates keys and never signs.

FIPS 204 and FIPS 203 Explained for an AI Audit Trail
Author
Micky Irons
Published
8 July 2026
Follow Micky Irons
LinkedInX
fips 204fips 203ml-dsaml-kempost-quantum cryptography

FIPS 204 and FIPS 203 are two of the post-quantum cryptography standards that NIST finalised in August 2024, and only one of them signs an audit trail. FIPS 204 is ML-DSA, the Module-Lattice-Based Digital Signature Algorithm, and it is the standard that places a tamper-evident, non-repudiable signature on each entry in an AI evidence ledger. FIPS 203 is ML-KEM, a key-encapsulation mechanism that establishes shared encryption keys, so it protects confidentiality but it never signs and never proves who did what. For a long-lived AI audit record, FIPS 204 supplies verifiability and FIPS 203 supplies secrecy, and confusing the two is a common error in procurement documents.

The question matters now because a decision an AI system makes in 2026 may need to be defended in 2036. A record protected only by today's classical cryptography can be forged once a cryptographically relevant quantum computer exists, and an adversary can already harvest signed logs today with the intent to forge or repudiate them later. Regulators are moving in the same direction: durable, machine-verifiable provenance is becoming an expectation rather than a differentiator. Choosing the correct standard for the correct job is therefore an architectural decision with a decade-long shadow.

What does FIPS 204 do for an AI audit trail?

FIPS 204 specifies ML-DSA, a digital signature algorithm built on module-lattice mathematics designed to resist both classical and quantum attack. In an audit trail its job is singular: it signs. Each entry, or each sealed block of entries, receives a signature that binds the exact content to a specific signing key. That signature delivers three properties a serious log requires. It proves the record has not changed since signing, which is integrity. It proves which key produced the record, which is authenticity. And it stops the signer credibly denying authorship afterwards, which is non-repudiation. Because the scheme is post-quantum, a record signed today stays verifiable and unforgeable after quantum computers mature.

FIPS 204 and FIPS 203 Explained for an AI Audit Trail, illustration 1

Why is FIPS 203 not the standard that signs the ledger?

FIPS 203 specifies ML-KEM, a key-encapsulation mechanism. Its purpose is to let two parties agree a shared secret over an untrusted channel without an eavesdropper learning it, again with post-quantum security. ML-KEM is the right choice for confidentiality: encrypting records at rest, or establishing a secure session before data moves. What ML-KEM does not do is sign. It produces no signature, offers no non-repudiation and gives no third party a way to verify who created a record. A log encrypted with ML-KEM is secret, but secrecy is not provable integrity. A specification that asks for a "FIPS 203 compliant audit trail" has named the wrong standard, because verifiability comes only from FIPS 204.

An audit trail earns its authority from the signature standard, FIPS 204, and never from the key-encapsulation standard, FIPS 203, because only a signature can prove who acted and that nothing was altered.

FIPS 204 and FIPS 203 Explained for an AI Audit Trail, illustration 2

How does a post-quantum signed audit ledger actually work?

The mechanism is an append-only ledger secured by two ideas working together. First, entries are hash-chained: each block carries the hash of the block before it, so any change to an old entry breaks every hash that follows. Second, the chain is signed with ML-DSA using a key held in tamper-resistant hardware, so the signature covers both the content and its position in the sequence. The result is a record that is tamper-evident, ordered and durable. FIPS 203 has a supporting role here and no more: it can protect the confidentiality of the ledger and the transport around it, but it contributes nothing to the proof of what happened.

FIPS 204 and FIPS 203 Explained for an AI Audit Trail, illustration 3

What can an auditor verify without trusting the vendor?

The value of a FIPS 204 ledger is that verification is offline and independent. An auditor takes the public verification key and the ledger, and checks every signature with no call back to the system that produced it. If a single entry has been edited, deleted or reordered, the check fails on that entry, and the failure is specific rather than a vague alarm. Hardware-attested identity strengthens this further by binding the signing key to a specific attested device, so the auditor is checking not only that a valid key signed the record but that the expected machine held that key. The test an auditor can quote is simple: recompute the hash chain, verify each ML-DSA signature against the published key, and confirm the attestation of the signing device.

FIPS 204 and FIPS 203 Explained for an AI Audit Trail, illustration 4

Which rules make a post-quantum audit trail necessary?

No single regulation names FIPS 204 as a mandate, but several converging duties make durable, verifiable records the safe design. DORA has been in force since January 2025 and expects financial entities to evidence and reconstruct events. NIS2 raises logging and accountability duties across essential sectors. GDPR requires that personal-data processing be demonstrable, not merely asserted. ISO/IEC 42001 sets out AI management-system controls that lean on traceability. The EU AI Act adds record-keeping obligations for high-risk systems: those Annex III obligations, once due on 2 August 2026, were deferred by the Digital Omnibus to 2 December 2027, with embedded Annex I high-risk to 2 August 2028 and Article 50 transparency largely unchanged. We read that as a build window, not a reprieve. A post-quantum signed ledger supports these record-keeping and accountability duties and reduces the risk that evidence is later challenged; it does not by itself certify or guarantee compliance with any of them.

How does Mickai bind identity to the sealed record?

Mickai is a Sovereign Intelligence Operating System, a SIOS, and it runs offline on operator-owned hardware with every action cryptographically sealed. The audit ledger is signed with a post-quantum signature scheme, and the signing identity is hardware-attested and bound into the chain, so a record proves both what an agent did and which attested machine produced it. A zero-egress inbound perimeter keeps the evidence where the operator controls it, which matters because a public cloud AI service processes data on infrastructure the buyer does not hold, so exposure to foreign legal regimes such as the US CLOUD Act becomes a design property rather than a contractual one, and a supplier promise is not a technical guarantee. Where decisions are consequential, cross-model consensus records the agreement of several sovereign models in the same signed entry, so the reasoning is preserved, not just the outcome. The design sits within 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD; never granted or patented.

Frequently asked questions

Is FIPS 203 a digital signature standard?

No. FIPS 203 is ML-KEM, a key-encapsulation mechanism used to establish shared secret keys with post-quantum security. It protects confidentiality and produces no signature, so it cannot provide integrity, authenticity or non-repudiation for an audit record. The post-quantum signature standard is FIPS 204, ML-DSA.

What is the difference between ML-DSA and ML-KEM?

ML-DSA (FIPS 204) signs data, proving who created a record and that it has not changed. ML-KEM (FIPS 203) exchanges keys, letting two parties share a secret so they can encrypt. Signing gives verifiability; key encapsulation gives secrecy. An audit trail needs ML-DSA doing the signing and can use ML-KEM only to protect confidentiality.

Does FIPS 204 replace FIPS 203?

No, they solve different problems and are usually deployed together. FIPS 204 signs records for integrity and non-repudiation, while FIPS 203 establishes encryption keys for confidentiality. A complete system commonly uses both: ML-DSA to sign the ledger and ML-KEM to protect the data around it. Neither one is a substitute for the other.

Can a public cloud AI service provide a FIPS 204 signed audit trail?

A cloud service can sign logs, but the harder question is where the evidence lives and who can reach it. When processing happens on infrastructure the buyer does not control, exposure to foreign legal regimes such as the US CLOUD Act is a design property, and a contractual assurance is not the same as a technical guarantee. An audit trail signed on operator-owned hardware inside a zero-egress perimeter reduces that exposure.

What is FIPS 205, and is it also needed?

FIPS 205 is SLH-DSA, a stateless hash-based post-quantum signature standard, published alongside FIPS 204 in August 2024. It is an alternative signature scheme, valued for conservative, hash-based security assumptions. FIPS 204 is the primary signature standard for most audit uses; FIPS 205 is chosen where its different assumptions are preferred. Both sign, unlike FIPS 203.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/fips-204-and-fips-203-explained-for-an-ai-audit-trail. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles