How Can an AI System Prove What It Did If It Runs Completely Offline?
An offline AI proves its actions with an append-only, post-quantum signed hash chain that anyone can verify using only the device public key.
An AI system that runs completely offline proves what it did with an offline-verifiable audit chain: an append-only, hash-linked ledger in which every action is signed at the moment it happens using a post-quantum digital signature, and the resulting record is verified later by anyone holding only the device public key. No external timestamp, cloud key manager or network connection is required, because each entry cryptographically commits to the one before it. Break, reorder or backdate a single entry and the chain fails verification, so the proof survives on the device.
This matters because the buyers who most need auditable AI cannot send data to a public cloud. Defence, critical national infrastructure, healthcare and regulated finance run in air-gapped or zero-egress environments, yet they face DORA, NIS2, GDPR and ISO/IEC 42001, all of which demand a defensible record of what an automated system decided and when. Most current AI answers assume the proof lives in the cloud; the stronger design keeps it on operator-owned hardware.
What is an offline-verifiable audit chain?
An offline-verifiable audit chain is a tamper-evident log where each entry contains the cryptographic hash of the previous entry, a timestamp, the action taken and a digital signature over all of it. The hash link makes the log append-only in practice: any later edit changes a hash, and that cascades through every subsequent entry. The signature proves the entry was produced by a specific device key and not forged afterwards. Mickai, our Sovereign Intelligence Operating System (SIOS), seals every action this way.
How does it work without a cloud anchor?
The common assumption is that trustworthy timestamps and attestation must come from an external service, and that fails in an air-gapped facility. The offline chain removes the dependency: ordering comes from the hash links rather than a trusted clock, authenticity comes from a signature applied the instant the action occurs with a private key that never leaves the device, and verifiability comes from publishing only the public key that any auditor can hold. None of those steps needs the internet.
Why post-quantum signatures?
An audit record has to remain provable for years, sometimes decades. A signature scheme that is safe today but breakable by a future quantum computer offers no long-term proof, because an adversary could one day forge historical entries. The ledger is therefore signed with a post-quantum digital signature standardised as FIPS 204, with FIPS 203 for key encapsulation where needed. National standards bodies selected these schemes so that records signed now stay verifiable after large quantum machines arrive.
“A proof that depends on the cloud is not a proof an air-gapped operator can produce, so the only durable offline evidence is a signed, self-verifying chain carried on the device itself.”
What can an auditor actually check?
An auditor with the device public key can run a small, mechanical set of tests, each independently checkable:
- Signature validity: every entry verifies against the device public key, so each action was sealed by that hardware identity.
- Chain integrity: each stored previous-hash matches the actual hash of the prior entry, so nothing was inserted, removed or reordered.
- Completeness: the sequence has no gaps, so no action was silently dropped.
- Binding: the signing identity matches the hardware-attested identity bound to the chain, so a copied log signed by a different key is rejected.
Any one failure invalidates the record. The auditor reaches a yes or no answer with no trust in the vendor and no live system.
How is identity bound to the hardware?
A chain is only as strong as the key that signs it. The signing identity is bound to the machine using hardware-attested identity: the private key is generated and held inside the device, and the chain records which device produced the action. This closes the obvious attack, lifting a log to a different machine and continuing to sign it, because a cloned device does not verify. Proof of who did the work is inseparable from proof of what was done.
Which rules make this necessary?
Several regimes converge on the same requirement. DORA, in force since January 2025, obliges financial entities to evidence the resilience and behaviour of their systems. NIS2 extends security and accountability duties across essential and important sectors. GDPR requires automated processing of personal data to be demonstrable and accountable, and ISO/IEC 42001 sets out auditable management of AI systems. On the EU AI Act, the high-risk Annex III obligations that were due on 2 August 2026 were deferred by the Digital Omnibus to 2 December 2027, with embedded Annex I high-risk moving to 2 August 2028 and Article 50 transparency duties largely unchanged. That deferral is a build window, not a reprieve: the record-keeping expectation is coming, and systems that already produce offline-verifiable evidence will be ready for it.
Why can public cloud AI not do this the same way?
Public cloud AI services are strong tools, but their trust model runs through the provider's infrastructure and jurisdiction. Logs sit under external legal regimes, and the attestation depends on the provider's key management remaining available. A regulated operator who must run air-gapped cannot use that model. The difference is not about capability, it is about where the proof lives. An offline-verifiable audit chain places the evidence on the operator's own hardware, behind a zero-egress inbound perimeter, where it can be checked without asking anyone for permission. The design also records cross-model consensus in the same chain, so the reasoning behind an action is sealed alongside it.
This sits within a wider body of work: 104 filed UK patent applications and approximately 2,340 claims, owned by Mickai LTD, covering sovereign offline AI architecture. The offline-verifiable audit chain is the load-bearing part, because it answers the one question a regulator, an auditor and an insurer all ask: prove what the system did.
Frequently asked questions
Can an offline AI really prove what it did without any internet connection?
Yes. Proof comes from cryptography carried on the device, not a network call. Each action is signed the instant it happens and hash-linked to the previous action, so the record orders and authenticates itself. Anyone holding the device public key can verify the whole chain offline.
What stops someone editing or backdating the offline audit log?
The hash chain does. Every entry stores the hash of the one before it, so altering, inserting or backdating any entry changes a hash and breaks every entry that follows. Because each entry is also signed at the moment of action, an attacker cannot re-sign the rewritten log without the device private key.
How is the chain verified with only the device public key?
The public key is all that is needed. Check that each entry's signature is valid against that key, that each stored previous-hash matches the real hash of the prior entry, and that the sequence has no gaps. If all three pass, the record is authentic and complete; if any one fails, the chain is rejected. The test is mechanical and gives a clear yes or no.
Does this meet EU AI Act and DORA record-keeping expectations?
It is built for them. DORA has required demonstrable operational resilience since January 2025, and the EU AI Act's high-risk record-keeping duties, now deferred to 2 December 2027, will require durable logs of automated decisions. An offline-verifiable audit chain produces exactly that record, and does so in air-gapped settings where cloud-based logging is not an option.
Why use post-quantum signatures instead of standard ones?
Because audit records must stay provable for years. A signature that a future quantum computer could break would let an adversary forge historical entries and destroy the proof. Signing with the post-quantum standard FIPS 204, and FIPS 203 for key encapsulation where needed, keeps today's records verifiable long after large quantum machines arrive.




