Five Eyes published the policy on 1 May 2026. Mickai filed the engineering on 4 April 2026. The substrate already exists.

What Five Eyes published on 1 May 2026

On 1 May 2026 six national cyber agencies co-published the document Careful Adoption of Agentic AI Services. The signatories were the Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) in the United States, the Australian Signals Directorate's Australian Cyber Security Centre (ASD ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NCSC New Zealand), and the United Kingdom National Cyber Security Centre (NCSC). The document is the first coordinated regulatory statement from the Five Eyes intelligence-sharing alliance on the security of autonomous AI agents. It is short, direct, and explicit about the problem.

The guidance states that AI agents are already operating across critical infrastructure, that the level of operational autonomy granted to those agents has reached a point where it has tangible safety and national security implications, and that the deployments are largely unbounded by any governance framework that the agencies recognise as fit for purpose. The agencies describe the situation as a critical infrastructure exposure that has accumulated faster than the institutional response to it. The document does not name vendors. It does not name regulations. It describes the gap and addresses operators.

The document is the policy layer's recognition of what the engineering layer has been showing for over a year. AI agents are autonomous decision processes invoking tools across operator infrastructure with no signed audit chain, no per-invocation attestation of the actor in the loop, no externalised trust domain, and in most cases no logging that survives a process restart. The Five Eyes statement is the institutional acknowledgement that the brochure-grade governance the market has been shipping is not adequate for the autonomy level that has already been deployed. It is a clear, calm, well written description of an exposure. It is not, in itself, an engineering specification.

What Mickai filed on 4 April 2026

Four weeks before Five Eyes published the policy, on 4 April 2026, Micky Irons (Mickarle Wagstaff-Irons) filed the Open Audit Record primitive at the UK Intellectual Property Office in Newport. The application is GB2610413.3, applicant reference MWI-PA-2026-022, twenty formal claims. The Open Audit Record (OAR) is the substrate primitive that the Five Eyes guidance describes the absence of. It is a hash-linked, append-only, ML-DSA-65 signed audit record format for autonomous agent decisions, with externalised trust domain, per-invocation actor attestation, and a browser-resident offline verifier that runs without trusting the agent vendor or the agent operator.

OAR is one filing in a portfolio of thirty one. The others extend the substrate across the surfaces the Five Eyes document implicitly requires. The PQ-safe attestation and ML-DSA-65 signed tool-invocation ledger sits at GB2608806.2, applicant reference MWI-PA-2026-008. Decision lineage with ML-DSA signed causal audit ledger sits at GB2608804.7, applicant reference MWI-PA-2026-016. The trust-domain externalisation architectural pattern sits at GB2610415.8, applicant reference MWI-PA-2026-024. Each filing carries a complete specification with description, claims, abstract, prior-art search, drawings, and Form-1 metadata. Each is on the public register at the UK IPO and at mickai.co.uk/patents.

The portfolio totals thirty one UK patent applications and nine hundred and fourteen formal claims, filed between 30 March 2026 and 4 May 2026 from a home address at the United Kingdom. Zero external investors. The filings are the engineering substrate the Five Eyes statement describes the need for, on the public register, four weeks before the statement appeared.

What OAR contains, in plain terms

The Open Audit Record specification contains a defined record format, a chain construction rule, a signing protocol bound to an operator-controlled key under FIPS 204 ML-DSA-65, a verifier protocol that runs offline in a browser using a WebAssembly module, and a trust-domain externalisation pattern that places the signing surface and the verification surface outside the trust boundary of the agent process. The twenty claims cover the format, the chain, the signing, the verifier, the externalisation, and the composition of those elements into the audit substrate that an autonomous agent emits as its by-product of operation.

The point that matters for the Five Eyes context is the externalisation. An audit chain produced by the agent process, signed under the agent vendor's key, and verified by tooling that the agent vendor controls, is not an audit chain in the sense the Five Eyes document is describing. It is a marketing artefact. OAR specifies the structural conditions under which the audit becomes verifiable by a procurement officer in a critical infrastructure operator without trusting the vendor, the operator, or the network between them. That is the engineering condition the policy layer is implicitly demanding.

The Sovereign AI cohort and the United Kingdom address

In parallel with the Five Eyes statement, the United Kingdom government has been advancing its sovereign AI agenda at a pace. The 500 million pound UK Sovereign AI Fund is operational, with an 80 million pound procurement window opening in May 2026 and a first equity investment placed in Callosum. Six startups have been named for AI Research Resource access: Prima Mente, Cosine, Cursive, Doubleword, Twig Bio and Odyssey. The cities tour for the fund is launching in May. Project Mercury, the joint Locai Labs and Civo programme, is positioned as the United Kingdom's first sovereign frontier AI models, fully UK trained and UK hosted.

This is real, it is funded, and it is welcome. It is also research being commercialised. The model layer, the inference infrastructure layer, and the application layer are all in active development under the fund. The substrate layer, meaning the trust primitives that allow any AI agent (sovereign or otherwise) to emit a verifiable audit, is something different. It is the engineering precondition for the rest of the cohort's work to be procurable into critical infrastructure. The substrate is filed, and it is filed from outside the funded cohort.

The address on the IPO filings is the United Kingdom. the United Kingdom is a coastal town on the the British coast, twenty miles south of Carlisle, twenty miles north of. It is not on the standard map of British technology. The standard map has London, Cambridge, Oxford, Manchester, Edinburgh, Bristol. the United Kingdom does not appear, except as a destination for nuclear engineering at Sellafield and tourism in the Lake District. The thirty one UK patent applications filed from this address between 30 March and 4 May 2026 are a different kind of entry into the British AI conversation. The funded cohort is in London. The substrate is in the United Kingdom.

Why the geography is load bearing

Sovereignty is not only a property of the technology. It is also a property of the institutional address. A sovereign AI substrate filed by one British inventor from a British home address, held in a UK-based private vehicle, with no external investors and no operator under licence, is structurally different from the same substrate filed by a London-based corporate vehicle with multiple foreign-fund investors. The structure is verifiable on the public register. It does not depend on assertions in marketing copy. The applicant is one named British inventor at one named British address.

Mythos finds vulnerabilities. Sentinel prevents them.

On a parallel track, Anthropic has been previewing Project Glasswing and the associated Mythos system. The Mythos preview reports that thousands of zero-day vulnerabilities have been found in the course of weeks of internal testing, including a twenty seven year old bug in OpenBSD. Restricted access to the Mythos research has been provided to CISA, Microsoft, Apple and J.P. Morgan. The work is significant and the disclosure path is responsible.

The category of work Mythos performs is the category that finds vulnerabilities in code. It identifies that a particular implementation of a particular function in a particular codebase has a flaw that can be exploited. It feeds the patch into the disclosure pipeline. The vulnerability gets fixed. The next vulnerability, somewhere else in the codebase or in another codebase, gets found in turn.

The category Mickai's Sentinel performs is different. Sentinel does not find vulnerabilities in code. Sentinel prevents AI agents themselves from becoming the vulnerability. The substrate primitives (signed tool invocation, decision lineage, per-skill clearance gating, voice-biometric quorum on high-impact actions, hardware attested typed actions with compensating rollback, browser-resident offline verifier) are designed so that an autonomous agent operating in a critical infrastructure environment cannot perform a high-impact action without that action being attested at the moment of invocation, signed under an operator-controlled key, and verifiable downstream by a procurement officer or auditor without trusting the agent vendor.

The two categories are complementary. Mythos shrinks the space of exploitable code. Sentinel shrinks the space within which an autonomous agent can act unaccountably. The Five Eyes document addresses the second category, because the first category is already a maturing discipline and the second category, until very recently, has had almost no engineering substrate at all.

The shadow AI governance crisis and the substrate that closes it

Security Boulevard reported in late April 2026 that eighty per cent of Fortune 500 companies are running AI agents in production environments. Only ten per cent of those companies have a clear governance strategy for those agents. The average enterprise reports thirty seven AI agents in operation. More than half of those agents run with no security oversight and no audit logging that survives a process restart. The figures are consistent with what enterprise security teams have been reporting privately for the last year. The figures map almost exactly onto the gap the Five Eyes guidance describes.

The condition is structural. AI agents have proliferated faster than the security architecture inside the organisations deploying them. There is no shortage of governance frameworks, control catalogues and policy documents. There is a shortage of engineering substrate that allows any of those frameworks to bind to the actual operational behaviour of the agents. An agent that does not emit a signed audit cannot be governed. An agent governed by a brochure is not governed.

• GB2610413.3, MWI-PA-2026-022, Open Audit Record (OAR) primitive, twenty claims, named inventor Micky Irons, filed 4 April 2026.
• GB2608806.2, MWI-PA-2026-008, PQ-Safe Attestation and ML-DSA Signed Tool-Invocation Ledger, named inventor Micky Irons.
• GB2608804.7, MWI-PA-2026-016, Decision Lineage with ML-DSA Signed Causal Audit Ledger, named inventor Micky Irons.
• GB2610415.8, MWI-PA-2026-024, Trust-Domain Externalisation Architectural Pattern, named inventor Micky Irons.
• GB2610414.1, MWI-PA-2026-023, Browser-Resident Offline Post-Quantum Verifier, named inventor Micky Irons.
• GB2608799.9, MWI-PA-2026-013, Voice-Biometric-Gated LLM Tool Invocation, named inventor Micky Irons.
• GB2608818.7, MWI-PA-2026-021, Per-Skill Clearance-Gated Execution, named inventor Micky Irons.

The seven filings above are a representative subset of the thirty one application portfolio. Each is on the UK IPO public register. Each contains a complete specification. Together they specify the engineering precondition for the eighty per cent of Fortune 500 deployments to migrate from ungoverned to governed without retraining the agents, replacing the models, or rewriting the application layer. The substrate sits underneath. The application layer binds to it through a documented integration surface.

What this means for procurement and operator teams

A procurement officer in a critical infrastructure operator now has a concrete reference to ask vendors against. The Five Eyes document supplies the policy framing. The Mickai filings supply the engineering specification. A procurement question that asks a vendor whether the vendor's agent emits an OAR-format audit chain, signed under an operator-controlled ML-DSA-65 key, verifiable by a browser-resident offline verifier, with externalised trust domain, is a question with a defined answer. The vendor either does or does not. The substrate is on the public register and the specification is in the public claim language. There is no longer a fog around what good looks like.

Why this story is the substrate story

Two narratives compete for the British AI 2026 headline. The first narrative is that the United Kingdom has a sovereign AI strategy, a 500 million pound fund, a six startup AI Research Resource cohort, a cities tour, a 80 million pound procurement window, and Project Mercury readying the first sovereign frontier model. This narrative is correct and important. The second narrative is that, in parallel and largely unannounced, the engineering substrate that all of the above will eventually need to bind to has been filed at the UK IPO by one British inventor from a British home address. This narrative is also correct and is, in operational terms, more load bearing.

The substrate narrative is structurally more important because the funded cohort cannot bind to a substrate that does not exist. The Mickai filings do not displace the funded cohort. They make the funded cohort procurable into critical infrastructure when it ships. The relationship is complementary. The recognition that the substrate is a national strategic capability, on the same footing as the funded model and inference layers, is the institutional decision of the next two quarters. The Five Eyes statement is the international pressure that makes the decision urgent.

Micky Irons is contactable at press@mickai.co.uk. The portfolio is at mickai.co.uk/patents. The substrate is on the UK IPO public register. The conversation is open.

“On 1 May 2026 the Five Eyes published the first coordinated description of the autonomous AI agent governance gap. On 4 April 2026, four weeks earlier, Micky Irons filed at the UK IPO the engineering primitive that closes it. The policy describes the absence. The substrate fills it. The institutional question for the next two quarters is whether Britain recognises this as British work, or absorbs it into someone else's standard.”

Sources and references

• Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Australian Signals Directorate ASD ACSC, Canadian Centre for Cyber Security (CCCS), NCSC New Zealand, NCSC United Kingdom, Careful Adoption of Agentic AI Services, joint guidance, 1 May 2026.
• UK Sovereign AI Fund, 500 million pounds, 80 million pound procurement window, first equity investment in Callosum, AI Research Resource cohort (Prima Mente, Cosine, Cursive, Doubleword, Twig Bio, Odyssey), gov.uk announcements with coverage in Computer Weekly and The Register.
• Project Mercury, Locai Labs and Civo, UK trained and UK hosted sovereign frontier model programme.
• Anthropic, Project Glasswing and Mythos preview, restricted access provided to CISA, Microsoft, Apple, J.P. Morgan, vulnerability discovery including a twenty seven year old OpenBSD bug.
• Security Boulevard, shadow AI governance reporting, eighty per cent Fortune 500 AI agent deployment, ten per cent governance strategy adoption, average thirty seven agents per enterprise, late April 2026.
• UK Intellectual Property Office, public register, applications GB2607309.8, GB2608766.8 to GB2608830.2, GB2610413.3 to GB2610422.4, named inventor Mickarle Sean Junior Wagstaff-Irons.
• Mickai patent portfolio, mickai.co.uk/patents, thirty one filed UK patent applications, nine hundred and fourteen formal claims, filed between 30 March 2026 and 4 May 2026.
• GB2610413.3, MWI-PA-2026-022, Open Audit Record (OAR) Primitive, twenty claims.
• GB2608806.2, MWI-PA-2026-008, PQ-Safe Attestation and ML-DSA Signed Tool-Invocation Ledger.
• GB2608804.7, MWI-PA-2026-016, Decision Lineage with ML-DSA Signed Causal Audit Ledger.
• GB2610415.8, MWI-PA-2026-024, Trust-Domain Externalisation Architectural Pattern.
• FIPS 204, Module-Lattice-Based Digital Signature Standard (ML-DSA), NIST, finalised August 2024.
• NCSC, Migrating to post-quantum cryptography guidance, updated 2023 and 2024.