NCSC named the AI patch wave. The audit substrate is what survives it.
On 1 May 2026 the NCSC CTO told operators to prepare for a forced correction in software vulnerability disclosure, driven by frontier AI. The operators that hold ground through that correction will be the ones that have a cryptographic position on what they patched, in what order, under whose key. Mickai™ is that position, filed at the UK IPO, post-quantum signed from inception, browser-verifiable offline.
What the NCSC actually said on 1 May
On 1 May 2026 the NCSC's CTO, Ollie Whitehouse, told UK organisations to prepare for a patch wave: a forced correction in software vulnerability disclosure, driven by frontier AI tooling that can now identify, classify, and chain CVEs at a rate that overwhelms the existing patch cadence. The framing matters. The NCSC is not warning that AI will be used by attackers (that warning has been on the public record since the 2024 to 2027 threat assessment). The NCSC is warning that AI is about to be used by defenders, by researchers, and by vendors, at a scale that pulls forward years of accumulated technical debt into a compressed window. The operational question for any UK organisation running production AI workloads is no longer 'can we patch faster.' It is 'can we prove what we patched, in what order, against which vulnerability, on whose authority, in a form a regulator can replay six months later.' That second question is an audit question, not a patching question. It is also the question that current commercial AI tooling does not answer.
The structural problem under the patch wave
An organisation that adopts AI for a regulated workload (clinical decision support in an NHS Trust, transaction monitoring in an FCA-regulated bank, agent-to-agent procurement in a Cabinet Office domain, fire-control assistance in a UKDI operational unit) sits inside three audit perimeters at once. The vendor's audit log, recorded under the vendor's key, stored on the vendor's endpoint. The operator's own change-management trail, typically in a ticketing system. The regulator's expectation, expressed in framework language (NHS DSPT, PRA SS1/23, NCSC's AI Cyber Security Code of Practice, the JSP 440 derivatives for defence). None of the three audit perimeters are cryptographically linked. When the patch wave lands and the operator has to demonstrate, to all three parties at once, that a specific CVE was patched against a specific deployed agent at a specific time under a specific operator key, the operator either has the chain or does not. The vendor audit log alone is not the chain, because it is signed under the vendor's key and held on vendor infrastructure. The ticketing system is not the chain, because it has no cryptographic primitive. The regulator's framework guidance is not the chain, because it is descriptive rather than constructive.
The fix is structural, not procedural. The audit chain has to be the operator's, at the cryptographic primitive layer, under a key the operator holds in TPM, in a deterministic format that any third party can replay offline. That is what the substrate solves. Every committed action across every AI workload, including patch events themselves, is serialised in CBOR, hashed under SHA-3-512, signed under FIPS 204 ML-DSA-65 against the operator's TPM-bound key, and appended to a hash-linked chain. The chain is the operator's record of processing, in primitive form. A regulator inspecting the chain six months after the patch wave can walk it on a sandboxed laptop, with no network call to the vendor and no dependency on the vendor's audit format surviving an acquisition, a contract change, or a vendor lock event.
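The hash-linked chain and offline replay described above, as an added example that is not Mickai's or OAR's own code or schema. It assumes canonical JSON in place of CBOR and HMAC-SHA3-512 as a symmetric stand-in for the ML-DSA-65 signature (so, unlike the design in the text, the verifier here needs the key). The field names, the all-zero genesis value and the sample records are constructed, and only the VERIFIED and INVALID verdicts are modelled.

```python
import copy, hashlib, hmac, json

GENESIS = "00" * 64  # assumed previous-hash value for the first record

def _canonical(obj):
    # Assumption: canonical JSON stands in for the CBOR encoding named in the text.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _digest(prev_hash, action):
    return hashlib.sha3_512(_canonical({"prev": prev_hash, "action": action})).hexdigest()

def _sign(key, digest_hex):
    # Assumption: HMAC-SHA3-512 stands in for ML-DSA-65, which the stdlib lacks.
    return hmac.new(key, bytes.fromhex(digest_hex), hashlib.sha3_512).hexdigest()

def append(chain, key, action):
    """Hash the action together with the previous record's hash, sign, append."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    digest = _digest(prev_hash, action)
    chain.append({"prev": prev_hash, "action": action,
                  "hash": digest, "sig": _sign(key, digest)})

def verify(chain, key):
    """Walk the chain with no network access; return one verdict per record."""
    verdicts, expected_prev = [], GENESIS
    for rec in chain:
        digest = _digest(rec["prev"], rec["action"])
        ok = (rec["prev"] == expected_prev                      # link to predecessor
              and hmac.compare_digest(digest, rec["hash"])      # content unchanged
              and hmac.compare_digest(_sign(key, digest), rec["sig"]))  # signed
        verdicts.append("VERIFIED" if ok else "INVALID")
        expected_prev = rec["hash"]
    return verdicts

def demo():
    key = b"constructed-demo-key"  # constructed; the text's key is TPM-bound
    chain = []
    for action in (  # constructed sample records
        {"seq": 1, "type": "decision", "agent": "assistant-1"},
        {"seq": 2, "type": "patch", "agent": "assistant-1", "cve": "CVE-PLACEHOLDER-A"},
        {"seq": 3, "type": "decision", "agent": "assistant-1"},
    ):
        append(chain, key, action)
    edited = copy.deepcopy(chain)
    edited[1]["action"]["cve"] = "CVE-PLACEHOLDER-B"   # patch record rewritten
    dropped = chain[:1] + chain[2:]                     # patch record removed
    return verify(chain, key), verify(edited, key), verify(dropped, key)

if __name__ == "__main__":
    for verdicts in demo():
        print(verdicts)
```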
Why the patch wave makes this urgent rather than abstract
Until the patch wave, an operator could reasonably defer the audit-substrate question on the grounds that the vendor's log was sufficient for the current rate of incidents. That deferment is no longer defensible. The NCSC's published projection is that AI-driven vulnerability identification will produce, in 2026 to 2027, a disclosure rate that exceeds the patch cadence by a factor that the existing infrastructure cannot absorb. The implication for regulated AI is that the audit perimeter will be tested by the volume of patches, not by the severity of individual incidents. The operator who can demonstrate a cryptographic chain through that volume holds the ground. The operator who cannot will be reading vendor change logs in JSON, in tabs, against a regulator's stopwatch.
The substrate matters here in a way that is hard to articulate without using the word substrate. A signed action ledger is not a feature of an AI system; it is the floor underneath the AI system. Adding it after the fact, after a patch wave incident has surfaced the gap, is a major piece of engineering. Adding it before, while AI workloads are still being onboarded, is a configuration change against an open primitive. The Mickai audit primitive (filed at the UK IPO, schema and conformance vectors scheduled for joint open-source release) is engineered for the configuration-change case, not the retrofit case.
What a concrete deployment looks like
Take an NHS Trust running a Microsoft 365 tenant under MSP-managed Cyber Essentials, with an AI assistant that summarises clinical correspondence. With standard configuration, the audit trail of what the assistant did sits in Microsoft's audit log under Microsoft's key. With Open Inter-Vendor Audit Record (OAR) substrate configuration, every action the assistant takes is signed at commit under the Trust's own TPM-bound key, in CBOR, hash-linked, and exportable on demand. When a CVE lands against the assistant (an AI-driven disclosure during the patch wave), three things happen in parallel. The MSP applies the vendor patch. The Trust's audit chain records the patch event under the Trust's key. The Trust's regulator (ICO, NHS DSPT) can walk the chain on a sandboxed laptop and emit one deterministic verdict per record: VERIFIED, INVALID, STALE, or REVOKED. There is no fifth verdict, and there is no recourse to the vendor's audit format. The Trust holds the position.
Take an FCA-regulated bank running an agent-to-agent payment-decision workflow. PRA SS1/23 names third-party AI dependency as concentration risk that must be priced into operational resilience. The patch wave is exactly the scenario PRA SS1/23 was drafted around: a vendor-disclosed CVE on a dependency, followed by a window of regulatory inspection. The bank that holds a substrate-grade audit chain through the inspection has discharged its obligation in primitive form. The bank that does not is in the position of negotiating with whichever vendor succeeded the original one, in whichever audit format the successor supports.
Take a UKDI operational unit running AI-assisted target classification under JSP 440. The classification model is supplied by a vendor; the operational data class is OFFICIAL or higher. The patch wave includes CVEs against the classifier. The unit cannot send classified workloads to a frontier model API for re-evaluation. It cannot rely on the vendor's audit log because the log sits outside the operator's perimeter. It needs the audit chain on operator iron, signed under operator key, replayable by Authority. That is the brief the substrate was designed for, and that is the brief the patch wave makes urgent.
Where this fits against NCSC's stated direction
The NCSC's 1 May patch wave warning is part of a longer line of NCSC publications that, taken together, describe a substrate. The AI Cyber Security Code of Practice. The post-quantum migration roadmap (2028 discovery, 2031 high-priority migration, 2035 full migration). The threat assessment on AI-augmented cyber operations. The supply-chain integrity expectation. The published guidance on operational technology. Each publication describes, in policy and threat language, an audit primitive that does not yet ship in the commercial AI stack. The patch wave warning is the operational pressure point: the moment at which the commercial stack starts to fail under the disclosure rate, and the absence of a substrate becomes visible to the regulator. Mickai is the substrate, on the public record at the UK Intellectual Property Office, engineered under the same architectural assumptions the NCSC has been documenting in policy for two years. Patent numbers GB2607309.8 to GB2610422.4. Trade mark UK00004373277.
What an operator should do this week
Three steps that fit inside an MSP engagement and do not require switching any vendor.
- Inventory the AI-touched decisions that a regulator could later audit. The list is usually short (chat summarisation, document classification, accounts coding, customer support triage, agent-to-agent procurement). Identify the ones where a patch wave CVE would create a regulatory inspection window.
- Demand from each AI vendor a signed action chain in an open format, exportable on request, verifiable without the vendor's tooling. If the vendor cannot supply it, treat that as the vendor locking the audit and price it accordingly in the next renewal.
- Pilot OAR against one workload before the patch wave hits. The reference verifier runs in a browser tab. The SDK ships with conformance test vectors. The integration is a wrapper around the AI vendor's existing decision-emit hook plus a one-time operator key ceremony.
An MSP working with the SME or the Trust can deliver all three steps as part of the normal cyber-security, compliance, and AI-adoption engagements they already run. None of this requires the operator to switch its MSP, its cloud provider, or its AI vendor. None of it depends on a budget cycle. All of it is a configuration change against an open primitive, in advance of a forced correction the NCSC has already announced.
An invitation
UK Managed Service Providers, sovereign-tech buyers, NHS DSPT operators, FCA-regulated firms with AI in production, and UKDI operational customers are welcome to request a fifteen-minute briefing at any time by writing to press@mickai.co.uk. The schema, the conformance vectors, and the reference verifier are scheduled for joint open-source release at github.com/Micky-CMO upon UK IPO acknowledgement of the OAR family.
Sources and references
- NCSC, CTO Ollie Whitehouse on the AI vulnerability patch wave, 1 May 2026.
- NCSC AI Cyber Security Code of Practice (DSIT consultation 2024 to 2025).
- NCSC Impact of AI on cyber threat from now to 2027.
- NCSC Timelines for migration to post-quantum cryptography (2028 / 2031 / 2035).
- FIPS 204 (ML-DSA), NIST post-quantum digital signature standard.
- PRA Supervisory Statement SS1/23 (model risk management for banks).
- NHS Digital Data Security and Protection Toolkit (DSPT).
- Open Inter-Vendor Audit Record (OAR), filed at the UK IPO and intended for joint open-source release.
- Mickai trade mark UK00004373277, classes 9 and 42, filed 15 April 2026.