MICKAI
Article · 12 May 2026

NCSC's Post-Quantum Cryptography pilot opens. Mickai is the substrate that already ships under FIPS 204.

The NCSC PQC pilot scheme opens in late spring 2026 and runs until 31 March 2027. The published migration timeline is 2028 discovery, 2031 high-priority migration, 2035 full migration. The Mickai audit substrate is engineered under FIPS 204 ML-DSA-65 from inception. The pilot is the formal channel into NCSC for technology that fits the substrate brief. Mickai fits it now, eighteen months ahead of the discovery milestone.

Author: Micky Irons
Published: 12 May 2026
Tags: ncsc, pqc-pilot, post-quantum, fips-204, ml-dsa-65

What the NCSC pilot is

The NCSC has published a Post-Quantum Cryptography pilot scheme for late spring 2026, with a delivery window through 31 March 2027. The pilot is the formal channel for UK organisations to demonstrate post-quantum cryptographic deployment in advance of the published migration milestones (2028 cryptographic discovery, 2031 high-priority migration, 2035 full migration). The pilot is not a procurement exercise. It is a structured route for the NCSC to characterise what production PQC actually looks like across UK regulated environments, before the 2028 milestone forces the wider migration. For the substrate question (the layer below the application), the pilot is the cleanest test bench available. An organisation that can deploy a PQC primitive under the pilot, with the cryptographic discipline NCSC has documented, has cleared the structural test the 2031 milestone implies.

Where Mickai sits against the pilot's intent

The Mickai SIOS audit ledger is engineered under FIPS 204 ML-DSA-65 from inception. Every committed action across the substrate is serialised in CBOR, hashed under SHA-3-512, and signed under the operator's TPM-bound ML-DSA-65 key. The ML-DSA-87 migration path is a parameter change in the same code path, not a redesign. The verifier is browser-resident, runs offline, and emits one of four deterministic verdicts per record: VERIFIED, INVALID, STALE, REVOKED. The substrate is not a retrofit of a classical primitive; it is a primitive that was engineered post-quantum from the first commit. The 31 filed UK patent applications, on the public register at numbers GB2607309.8 to GB2610422.4, describe the substrate at the schema layer, the conformance-vector layer, and the verifier layer.

The pilot's stated intent is to surface what production PQC looks like across UK regulated environments. The Mickai substrate is the answer to that question at the audit-ledger layer specifically. It is not a TLS-only intervention; it is not a key-encapsulation-only intervention. It is a signature primitive that produces a hash-linked, post-quantum signed, deterministically replayable chain of every action across an AI workload. That chain is the artefact a regulator can walk, in any browser, with no network call, six months after a CVE lands. The pilot is the procedural surface; the substrate is the engineering surface; the two are aligned.
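The serialise, hash and link steps described above, as an added Python example (not Mickai's code): a minimal deterministic CBOR encoder (RFC 8949 section 4.2.1 subset), SHA-3-512 linkage, and an offline walk of the chain. The record fields `seq`, `prev` and `action`, the all-zero genesis value and the sample actions are assumptions; the ML-DSA-65 signature and TPM binding are left out because the Python standard library has no ML-DSA, and only VERIFIED and INVALID are emitted because the page does not define when STALE or REVOKED apply.

```python
import hashlib
GENESIS = bytes(64)  # assumption: all-zero "prev" value for the first record

def _head(major, n):
    """CBOR initial byte plus shortest-form argument (RFC 8949, 4.2.1)."""
    if n < 24:
        return bytes([major << 5 | n])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([major << 5 | info]) + n.to_bytes(size, "big")
    raise ValueError("integer too large for CBOR")

def cbor(obj):
    """Deterministic CBOR for the subset used here: uint, bytes, text, map."""
    if isinstance(obj, int) and not isinstance(obj, bool) and obj >= 0:
        return _head(0, obj)
    if isinstance(obj, bytes):
        return _head(2, len(obj)) + obj
    if isinstance(obj, str):
        return _head(3, len(obj.encode())) + obj.encode()
    if isinstance(obj, dict):
        # Map entries are ordered by the bytewise order of their encoded keys.
        items = sorted((cbor(k), cbor(v)) for k, v in obj.items())
        return _head(5, len(items)) + b"".join(k + v for k, v in items)
    raise TypeError(f"unsupported type: {type(obj).__name__}")

def append(chain, action):
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, "action": action}
    chain.append({"body": body, "hash": hashlib.sha3_512(cbor(body)).digest()})

def verify(chain):
    """One verdict per record; a break invalidates every later record too."""
    verdicts, prev, ok = [], GENESIS, True
    for i, rec in enumerate(chain):
        body = rec["body"]
        ok = (ok and body.get("seq") == i and body.get("prev") == prev
              and hashlib.sha3_512(cbor(body)).digest() == rec["hash"])
        verdicts.append("VERIFIED" if ok else "INVALID")
        prev = rec["hash"]
    return verdicts

def demo():
    chain = []  # constructed sample: three records, then an edit to the middle one
    for action in ("model.load", "decision.emit", "decision.review"):
        append(chain, action)
    before = verify(chain)
    chain[1]["body"]["action"] = "decision.suppress"  # altered after the fact
    return before, verify(chain)
```

Hash linkage alone does not detect someone who rewrites the whole chain and recomputes every hash; the signature over each record hash is what covers that case.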

Why the 2028 milestone is the binding constraint, not the 2035 one

Most public commentary on PQC migration anchors on the 2035 full-migration milestone. That framing understates the operational pressure. The binding constraint is 2028, which is the year by which UK organisations are expected to have completed cryptographic discovery (an inventory of the cryptographic services that need upgrades and a written migration plan). Discovery without primitive deployment is a paper exercise. Discovery against a substrate that already ships in PQ is a checkpoint. The pilot scheme exists precisely because the discovery milestone is operationally non-trivial for any organisation that does not have a clean cryptographic surface to inventory. Mickai's surface is clean by construction: the schema is post-quantum, the signing key is post-quantum, the verifier is post-quantum, and the audit chain is post-quantum. An organisation that adopts the substrate has, in effect, completed its discovery for the AI audit layer in advance of the 2028 milestone. That is a defensible position for the operator, the regulator, and the procurement officer at the same time.

How the substrate maps to the four NCSC publications it sits underneath

The NCSC has published, in the last twenty-four months, four documents that together describe the substrate the pilot will measure:

  • The Timelines for migration to post-quantum cryptography (the 2028 / 2031 / 2035 framework).
  • The AI Cyber Security Code of Practice (the operator's accountability surface for AI deployments).
  • The Impact of AI on cyber threat from now to 2027 (the threat horizon for which post-quantum matters at the audit-ledger layer).
  • The supply-chain integrity expectation (the requirement that audit trails survive vendor changes).

Each document is a different facet of the same engineering problem: a UK regulated AI deployment needs an audit primitive that is operator-held, vendor-neutral, post-quantum, and verifiable without dependency on the vendor's tooling. Mickai is engineered against all four documents at once. The pilot is the venue at which that alignment can be measured.

What the pilot will not cover, and what to do about it

The pilot is bounded. It will not cover every cryptographic surface across the UK regulated economy, and it will not produce a binding migration mandate by 31 March 2027. What it will do is characterise the production behaviour of PQC deployments, identify the operational rough edges, and feed the NCSC's policy direction in the run-up to the 2028 milestone. For an organisation that wants to be ahead of that direction rather than behind it, the practical move is to deploy the substrate against a single regulated AI workload now, in parallel with engaging the pilot. The substrate ships independently of the pilot, runs against any operator TPM, and produces an audit chain that satisfies the NCSC's published criteria today. The pilot adds the formal NCSC engagement; the substrate adds the operational capability. The two are complementary.

Three steps that fit inside an existing engagement model:

  • Engage the NCSC PQC pilot through the published application channel. The application window opens in late spring 2026 and runs to 31 March 2027. The pilot's stated criteria favour deployments that demonstrate PQC against real production traffic.
  • Deploy the Mickai audit substrate against a single regulated AI workload in advance of the pilot engagement. The integration is a wrapper around the AI vendor's existing decision-emit hook and a one-time operator key ceremony. ML-DSA-65 by default; ML-DSA-87 by parameter switch.
  • Document the deployment as a conformance artefact (the chain, the conformance vectors, the verifier verdict log). The artefact is reusable in the NCSC PQC pilot submission, the 2028 cryptographic discovery exercise, and any regulator inspection that pre-dates either milestone.

What a fifteen-minute briefing covers

The substrate at the schema layer. The CBOR canonical serialisation. The SHA-3-512 hash linkage. The FIPS 204 ML-DSA-65 signing pipeline. The TPM-bound operator key ceremony. The browser-resident verifier and its four deterministic verdicts. The migration path to ML-DSA-87 (a parameter change in the same code path, no redesign). The conformance-vector set, scheduled for joint open-source release at github.com/Micky-CMO upon UK IPO acknowledgement. The trust-domain externalisation pattern (the operator holds the keys, not the vendor). All four documents the NCSC has published get mapped to the substrate, line by line, in real time.

An invitation

A fifteen-minute briefing is open at any time to NCSC procurement and policy leads, the PQC pilot operating team, UK MSPs working with regulated customers, NHS DSPT operators, FCA-regulated firms in early AI deployment, and UKDI operational customers. Contact: press@mickai.co.uk. The substrate is filed at the UK Intellectual Property Office. The trade mark Mickai is registered at UK00004373277. The pilot is the right venue for the engineering work to be assessed under NCSC's own criteria, and the timing window (now through 31 March 2027) is the right one to engage.

Sources and references

  • NCSC, Timelines for migration to post-quantum cryptography (2028 discovery, 2031 high-priority, 2035 full migration).
  • NCSC, Post-Quantum Cryptography pilot scheme (late spring 2026 to 31 March 2027).
  • NCSC, AI Cyber Security Code of Practice (DSIT consultation 2024 to 2025).
  • NCSC, Impact of AI on cyber threat from now to 2027.
  • FIPS 204 (ML-DSA-65 and ML-DSA-87), NIST post-quantum digital signature standard.
  • SHA-3-512, NIST FIPS 202.
  • CBOR canonical serialisation, IETF RFC 8949.
  • Mickai SIOS audit ledger, filed at UK IPO across the GB2607309.8 to GB2610422.4 family.
  • Trust-domain externalisation architectural pattern, filed at the UK IPO.
Originally published at https://mickai.co.uk/articles/ncsc-pqc-pilot-opens-mickai-is-the-substrate-that-already-ships-under-fips-204. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.