MICKAI
Article · 8 July 2026

No Single Model Should Authorise a Consequential Action

Consequential actions should require agreement across independent model families, so a single jailbreak cannot move money or delete records.

No Single Model Should Authorise a Consequential Action
Author
Micky Irons
Published
8 July 2026
Follow Micky Irons
LinkedInX
agentic-aicross-model-consensusai-governancesovereign-aiaudit

By August 2026 the argument about agentic systems has moved from the laboratory to the ledger. Models no longer just draft text and suggest options. They dispatch payments, revoke access, alter records and trigger downstream processes with real financial and human consequences. When the full high-risk provisions of the EU AI Act come into application on 2 August 2026, and as ISO/IEC 42001 becomes the reference standard for an auditable AI management system, the question regulators and buyers now ask is precise. Who, or what, actually authorised the action, and could that authority have been captured by a single point of failure.

This is the concern behind a design pattern gaining ground across the field in 2026: cross-model consensus gating. The idea is unglamorous and sound. Before a sensitive action is dispatched, several independent model families must agree that it should proceed. If one model is jailbroken, prompt-injected or simply wrong, it cannot on its own move money or delete a record. The consensus becomes the gate, and the gate is the point at which governance stops being a policy document and starts being an enforced mechanism.

One model is a single point of failure

An agentic system that trusts one model to reason and then act has fused judgement and execution into a single component. That is a familiar and dangerous shape in security. It means the same input that fools the reasoning also fires the action. A crafted instruction buried in an email, a document or a retrieved web page can, in one step, become an authorised transfer.

Recent 2026 research on multi-agent systems has been blunt about this. Frontier models will, under the right pressure, break commitments they appeared to hold, and a lone model under adversarial input is not a reliable arbiter of its own actions. The defensive lesson is old and holds here. Where the consequence is real, separate the party that proposes from the party that approves.

No Single Model Should Authorise a Consequential Action, illustration 1

What consensus actually buys

Cross-model consensus is not a vote for the sake of it. Its value comes from independence. If several model families, trained differently and prompted through separate channels, must independently reach the same conclusion before an action dispatches, then a single jailbreak no longer suffices. An attacker must now defeat multiple distinct systems at the same moment, through the same narrow request, without any of them dissenting.

Measured agreement between capable models on routine decisions is already high, which matters for a practical reason. High baseline agreement means a well-formed, legitimate action passes cleanly, while a manipulated or anomalous one is far more likely to provoke a split. Disagreement then becomes a signal rather than a nuisance. A split does not fail silently. It halts the action and surfaces for human review, which is precisely the behaviour a regulator or an auditor wants to see at the boundary of a consequential decision.

Where an action can move money or destroy a record, authority for it should never rest with a single model that a single input can capture.

No Single Model Should Authorise a Consequential Action, illustration 2

Consensus is necessary but not sufficient

Agreement between models settles one question: should this action proceed. It does not settle the questions that come next. Was the request genuine and unaltered in transit. Did it enter through a channel we control. Can we prove, months later, exactly which models agreed, on what input, and under whose authority. Consensus without a verifiable record is an opinion, not a control.

This is where the surrounding architecture carries the weight. Mickai is a Sovereign Intelligence Operating System, a SIOS, and we treat consensus as one gate inside a chain of them rather than as a feature bolted onto a hosted service. The consensus decision is only trustworthy if the environment around it is sealed, attested and recorded. A gate that anyone can reach around is not a gate.

No Single Model Should Authorise a Consequential Action, illustration 3

Sealing the perimeter around the decision

The first requirement is that the decision happens somewhere an attacker cannot quietly reach. Our SIOS runs offline on operator-owned hardware behind a zero-egress inbound perimeter. Nothing the system reasons over is silently shipped to a third party, and nothing outbound leaves without passing an explicit control. That removes an entire class of exfiltration and remote-manipulation risk before consensus is ever invoked.

The second requirement is identity you can trust at the moment of action. Hardware-attested identity binds each participating model and each authorising step to specific, verified hardware, so the system can prove that the models which voted are the models that were meant to vote, running where they were meant to run. Consensus among impostors is worthless. Attestation is what makes the count mean something.

No Single Model Should Authorise a Consequential Action, illustration 4

A record that survives scrutiny

An auditor arriving after an incident does not want reassurance. They want to reconstruct the event. Every action our SIOS takes is cryptographically sealed into a post-quantum signed audit chain: which models were consulted, whether they agreed or split, the input they saw, the human authority in the loop where one is required, and the final disposition. Each entry is signed and linked to the last, so the record cannot be altered after the fact without breaking the chain.

Post-quantum signatures matter here for a specific reason. Audit records for consequential financial and public-sector actions must remain verifiable for years, well into an era when today's classical signatures may no longer be safe. A signed chain designed to outlast that transition is not a flourish. It is the difference between an audit trail that will still stand up in a decade and one that quietly rots.

Offline verifiability and the sovereignty question

For an NHS trust, a government department or a regulated institution, sovereignty is not an abstraction. It is the requirement that sensitive data and the decisions taken on it stay under the operator's control and remain independently verifiable without trusting an outside vendor's word. A consensus gate hosted on infrastructure you neither own nor can inspect simply relocates the single point of failure to someone else's estate.

Because our SIOS runs on the operator's own hardware and seals every action locally, the record can be verified in place, offline, against signatures the operator holds. The mechanisms that make this defensible, from the consensus gating to the attested identity and the signed audit chain, sit within the 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD, which are patent pending and have never been granted or patented. We describe them as filed capabilities and as architecture, and we disclose the detail under diligence.

Where this is heading

The direction of travel through the rest of 2026 is clear enough. As agentic systems take on actions with real consequences, buyers and regulators will stop asking whether a model is capable and start asking whether its authority to act is properly constrained. Cross-model consensus gating is one answer to that question, and a strong one, but only when it sits inside an environment that is sealed, attested and recorded end to end.

Our position is straightforward. No single model should hold the authority to move money or destroy a record on its own reasoning, and no consensus is worth trusting unless the environment around it can prove what happened. That is the standard we build to, and it is the standard we expect a serious buyer, auditor or regulator to hold any agentic system to over the coming year.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/no-single-model-should-authorise-a-consequential-action. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles