MICKAI
Article · 3 July 2026

Prompt Injection Defence, Sovereignly

The malicious prompt is a riddle in your text. Governance-as-code and signed policy answer it before any action can run.

Prompt Injection Defence, Sovereignly
Author
Micky Irons
Published
3 July 2026
Follow Micky Irons
LinkedInX
prompt injectionai securitygovernancesovereign aipost-quantum

Every regulated organisation now runs on language. Contracts, tickets, emails, case notes, telemetry: all of it flows through models that read text and then act on it. That is the quiet danger. When an assistant treats the words it reads as instructions to obey, an attacker no longer needs your password. They only need to leave a sentence where your model will find it.

This is prompt injection, and it is the defining boundary problem of the agentic era. A poisoned document, a booby-trapped web page, a comment buried in a support thread: each carries a hidden command dressed as ordinary content. The riddle sounds innocent. Answer it wrongly and the system exfiltrates data, approves a payment, or rewrites a policy. We built Mickai, our Sovereign Intelligence Operating System, so the riddle is answered before any action ever executes.

The malicious prompt is a riddle

The Sphinx did not attack travellers with force. She posed a question, and the wrong answer was fatal. Prompt injection works the same way. The attacker does not breach a firewall. They plant a riddle in the model's field of view and wait for it to answer on your behalf. Ignore the instruction to leak a secret, ignore the demand to escalate privileges, ignore the plea to forward the ledger, and you pass. Comply, and you are consumed.

Conventional defences try to win by reading better. They filter inputs, scan for known jailbreak phrases, and hope the model can tell content from command. That is a losing posture, because language is infinitely variable and the attacker only needs one phrasing you did not anticipate. You cannot out-riddle an adversary who writes the riddles. The right response is not a cleverer guess. It is refusing to let the answer matter.

A colossal marble figure of Nemesis standing in darkness holding a set of balanced scales, lit by gold light
Like Nemesis measuring every deed, signed policy weighs each intended action before it is allowed to run.

Why filtering the words will always lag

Input sanitisation and guardrail classifiers are useful, and we run them, but they are the outer skin, not the spine. Every classifier is a snapshot of yesterday's attacks. Adversarial suffixes, unicode homoglyphs, instructions hidden in image alt-text or in a spreadsheet cell: the surface area is the entire corpus of human expression. A defence that depends on recognising the malicious sentence is permanently one clever rewrite behind.

So we invert the problem. Instead of asking whether a piece of text is trustworthy, we govern what any instruction, from any source, is permitted to cause. The model may be tricked into wanting to send the customer database to an unknown address. That desire is harmless if the desire alone cannot move data. In Mickai, capability is not granted by persuasion. It is granted by signed policy, checked at the moment of action, on hardware the customer owns.

Governance-as-code answers before the action

At the heart of Mickai sits the OAR, the Operation Attestation Record. Before any consequential action runs, whether a brain wants to write a file, call an external system, move funds, or alter a record, the intended operation is described, checked against policy, and cryptographically signed. The OAR is created before execution, not logged after it. If the intended action is outside policy, there is no signature, and without a valid signature the action simply does not happen.

A colossal marble figure of the many-eyed giant Argus covered in watchful eyes standing in gold-lit darkness
Argus never blinked, and neither does an audit ledger that seals every record to the one before it.

This is governance-as-code. Your rules are not a policy document a model is asked to remember and respect. They are executable constraints enforced by the substrate itself. A malicious prompt can convince a brain of anything it likes about what it should do. It cannot forge the policy, and it cannot manufacture the signature that authorises the deed. The riddle is answered by the machine that owns the lock, not by the traveller standing in front of it.

Signed policy the attacker cannot rewrite

Policies in Mickai are signed with post-quantum cryptography, specifically the FIPS 204 Module-Lattice Digital Signature Algorithm, ML-DSA-65. Each attestation is written into a tamper-evident ledger, hash-linked with SHA-3-512 so that every entry seals the one before it. Alter a single record and the whole chain breaks visibly. The audit trail is not a convenience for later. It is a load-bearing part of the control itself, and it can be verified offline, air-gapped, with no call home to anyone.

Because the policy is signed, an injected instruction has nothing to grip. It cannot edit the rule set, because it cannot produce the signature. It cannot escalate a brain's privileges, because privileges are bound to signed capability grants, not to whatever the model was most recently told. High-stakes operations demand more still: multi-brain agreement plus voice-biometric approval from an authorised human before the action clears. One poisoned sentence cannot pass all three gates.

A colossal marble figure of Cerberus the three-headed hound guarding a dark threshold in gold light
Cerberus let none pass unauthorised, the way high-stakes actions clear only through many gates at once.

Sovereign by design, not by promise

None of this depends on trusting a distant provider. Mickai runs on infrastructure the customer controls, on-premise or fully air-gapped, with zero data egress. That matters for prompt injection specifically, because many injection payloads are attempts to make your system phone home to an attacker. When the substrate has no permitted path to the outside world except the ones your signed policy allows, the classic exfiltration riddle has no answer to give. There is simply nowhere for the stolen secret to go.

This is the boundary the public cloud, for all its power, cannot cross on the customer's own terms. OpenAI, Microsoft, AWS, Google and Oracle are allies operating at a different layer, and Mickai sits alongside them at the regulated edge, where the data cannot leave and the rules must be provable. For a hospital under the Health Insurance Portability and Accountability Act (HIPAA), a bank under the Digital Operational Resilience Act (DORA) and Basel, a defence contractor under the International Traffic in Arms Regulations (ITAR), or any body facing the EU AI Act, the General Data Protection Regulation (GDPR) and NIS2, the assurance cannot be a vendor's word. It must be a signature you can check yourself.

The capability, protected by 104 filings

The mechanisms described here, attestation before execution, signed and revocable brains, hash-linked ledgers, multi-party plus biometric authorisation, are covered across 104 filed UK patent applications comprising about 2,340 claims, owned by Mickai LTD. We frame those filings by the capability they contain rather than the count, because the point is not the paperwork. The point is that the answer to the riddle is engineered into the substrate, deliberately, and documented as an invention.

A colossal marble figure of Hephaestus the smith forging at an anvil in gold light against black
Hephaestus forged unbreakable bindings, as governance-as-code welds your rules into the substrate itself.

Prompt injection will not be solved by a better classifier next quarter. It is a structural property of systems that let read text become executed intent. The durable fix is structural too: sever the link between persuasion and permission, and make the severing cryptographically real.

The bottom line

The Sphinx was only deadly to those who had to answer her. Build a system that does not stake its safety on winning the riddle and the riddle loses its power. Mickai does exactly that. Every consequential action is described, checked against signed policy, and attested before it runs, on hardware you own, with a ledger you can verify alone. Attackers can still whisper malicious prompts into your documents. In our world, the words arrive, and the lock does not open, because the answer was decided long before the question was asked.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/prompt-injection-defence-sovereign. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles
4 Jul 2026
Sovereign AI for Central Banks
A central bank cannot send its rate deliberations or supervisory secrets to anyone else's cloud. We built Mickai, a Sovereign Intelligence Operating System, so monetary and supervisory intelligence runs entirely offline on hardware the bank owns, with independence proven, secrecy architectural and every decision signed before it acts.
4 Jul 2026
Sovereign AI for Defence Primes
Defence primes hold the most sensitive programme data in the world, and the public cloud cannot cross the boundary that protects it. We built Mickai as a Sovereign Intelligence Operating System that runs on hardware the prime owns, air-gapped, where every action is cryptographically signed before it executes and every brain can be revoked in seconds.
4 Jul 2026
Sovereign AI for Maritime and Shipping
Fleets and ports need intelligence that keeps deciding when the satellite link dies and keeps an honest record no one can edit. Mickai runs on the operator's own hardware, at sea and on the quay, with zero data egress and a post-quantum signed ledger. Autonomy where the connection ends, governance that never does.
4 Jul 2026
Sovereign AI for Aerospace
Aerospace cannot ship export-controlled geometry to borrowed cloud infrastructure or hand engineers unexplained answers. We built Mickai, a Sovereign Intelligence Operating System, to run design and safety-case intelligence on hardware the customer owns, with zero data egress and cryptographic provenance signed onto every artifact before it exists.