Post quantum signing for every AI decision
We sign every AI decision and the software stack behind it with ML-DSA-65, so what a machine did stays provable long after the threat model changes.
Why we sign every AI decision, and why it has to be quantum resistant
When an intelligence system approves a payment, moves a valve, routes a drone, or clears a patient, the organisation running it needs one thing above all others. It needs to prove, later and to a hostile examiner, exactly what happened, what the system was, and that nobody altered the record. That is the whole game in defence, finance and critical infrastructure. Not the cleverness of the model, but the certainty of the account it leaves behind.
Most AI deployments today cannot pass that test. They log to files that an administrator can edit, they ship decisions off to someone else's cloud, and they keep no cryptographic proof of the software that made the call. If the log can be changed, it is not evidence. It is a story. We built Mickai as a Sovereign Intelligence Operating System precisely so that the account is never a story. Every action a Mickai brain takes is written to a cryptographically signed audit record, and every one of those signatures is post quantum. We use ML-DSA-65, the signature scheme standardised by NIST as FIPS 204.
The quantum clock is already running
The reason to care now, rather than later, is a strategy that adversaries are running today. It is called harvest now, decrypt later. A capable actor records signed traffic and stored evidence in the present, keeps it, and waits for a cryptographically relevant quantum computer to break the classical mathematics that protected it. The signatures we rely on across most of the world, RSA and elliptic curve, fall to Shor's algorithm once that machine exists. Anything signed with them can, in principle, be forged after the fact.
For a chat assistant that is a curiosity. For a signed record that a court, a regulator or a defence board will lean on in ten or fifteen years, it is a live liability. Records made today have to remain unforgeable across the whole period they matter. A payment audit trail, a maintenance log for a reactor, an intelligence product, a clinical decision. These do not expire when the quarter closes. If the signature protecting them can be broken inside their useful life, the proof was never real.
ML-DSA-65 is built on module lattice mathematics, which is not known to fall to a quantum attack. Choosing it is not a bet on a distant future. It is a refusal to sign anything today with a scheme we already expect to break.
We sign the decision and the stack, not just the message
A signature on the output alone is weak. It tells you the words are unchanged, but not what produced them or under what rules. So we sign wider. Each entry in the Open Audit Record, the tamper evident ledger at the heart of Mickai, binds together the pieces that let an examiner reconstruct the whole event with confidence.
- The decision itself, the inputs it saw, and the output it produced.
- The identity of the specific brain that acted, drawn from the 50 specialist brains under deterministic governance (25 domain and 25 operational).
- The governance rules in force at that moment, so an examiner can see the decision was inside policy, not merely that it was made.
- A fingerprint of the software stack that ran, so the exact version of the system is nailed to the record and cannot be quietly swapped.
- An ML-DSA-65 signature over all of the above, chained to the entries before it, so any later edit breaks the chain visibly.
The result is a record where changing one field, one input, or one line of the software behind it invalidates the signature. You do not have to trust the operator, the vendor, or us. You verify the mathematics. That is the difference between a log and evidence.
“A log you can edit is a story. A record you can verify is evidence. We decided a Sovereign Intelligence Operating System should only ever produce the second kind.”
This only holds because the system stays on your ground
Post quantum signatures are worth little if the data they protect has already left the building. A signed record that is generated inside someone else's cloud has passed through infrastructure the customer does not control, and the trust boundary is already broken before the signature is applied. So the signing has to happen where the customer's authority actually reaches.
Mickai runs on the customer's own hardware, on premises and air gapped where the mission demands it. There is zero data egress and no public cloud round trip. The 50 brains reason locally, the memory belongs to the customer, and the signing key never crosses a boundary the customer cannot see. The audit record is produced and sealed on the same ground the decision was made on. For a defence programme working across classification levels, a bank under supervisory scrutiny, or an operator running national infrastructure, that locality is not a comfort. It is the precondition for the whole thing being true.
What this changes for the three hardest sectors
In defence, an autonomous or assisted action carries an accountable chain from the first input to the final signature, provable to an authority that assumes an adversary was watching and recording. In finance, every model driven decision arrives with a signed, policy bound account a supervisor can examine long after the fact, with no dependence on a third party's honesty about their own logs. In critical infrastructure, the record of why a system acted survives the arrival of quantum computing, so the safety case does not quietly rot as the mathematics ages under it.
The common thread is that none of these buyers can accept a system whose proof has an expiry date they cannot see. Post quantum signing removes the expiry date from the cryptography itself.
The work behind this, and where it is heading
This is not a diagram waiting to be built. The signing architecture, the Open Audit Record, the governed brains and the post quantum layer sit inside a body of intellectual property we have filed as 104 UK patent applications carrying approximately 2,340 claims, each with a full specification, claims and figures, now building toward examination and grant. We are describing what the specifications set out, in a system that runs.
The wider signal has moved with the work. Our founder now ranks number 2 on Crunchbase, and the company Heat Score has reached 94 out of 100, climbing from single digits. We read that as the market starting to agree that sovereignty and provable trust are not extras bolted onto intelligent systems. They are the substrate the serious buyers were always going to demand.
The standards bodies have named the mathematics. The adversaries have named their strategy. What has been missing is an intelligence system that treats a post quantum, tamper evident account of every decision as a default rather than an upgrade path. We built that default in. As quantum capability moves from a slide in a threat briefing to a line item in a procurement risk register, the systems that signed everything the right way from the start will be the only ones still standing on evidence. We intend Mickai to be one of them, and we are building so that the account it leaves behind holds up whenever, and by whoever, it is finally read.





