Renting Intelligence From a Foreign Power

The thing you rent can be taken back

There is an old test in security work. Before you trust a system, ask one simple question. What happens the day the other side decides to stop being friendly? Not the day they attack you, that is a separate problem, but the quieter day when a supplier changes a price, a licence, a policy, or a government changes a rule, and the thing you depend on simply behaves differently than it did the morning before. If your honest answer is that you would be in serious trouble, then you do not own that capability. You are renting it. And rented capability, however good it feels while the bill is being paid, is not a foundation you can build a country on.

I want to make the case, plainly, that artificial intelligence (AI) model weights are now exactly this kind of capability. The weights, the trained numerical parameters that hold what a model has learned, are becoming the engine of how organisations think, decide, write, and increasingly act. When those weights live behind another nation's application programming interface (API), behind their export controls, their terms of service, and their political weather, you have built your decision-making layer on someone else's land. This is not a moral argument and it is not a complaint about competition. It is a strategic one, about who holds the off switch. And it is the argument I built Mickai to answer.

Intelligence has quietly become infrastructure

We are casual about the word infrastructure until something breaks. Then it becomes very clear that electricity, water, payment rails, and telecommunications are not features. They are the conditions under which everything else is possible. A hospital does not advertise that it has power. It assumes it. The assumption is the whole point of infrastructure. You stop thinking about it, which is precisely what makes its failure so catastrophic, because you have arranged your entire operation around the assumption that it will always be there when you reach for it.

Large AI models are crossing into that category now. Look at where they are being wired in. Drafting legal and policy text. Triaging clinical notes. Summarising intelligence reporting. Writing and reviewing code that runs critical services. Screening applications, claims, and transactions at scale. None of this is a novelty toy any more. It is becoming the substrate beneath knowledge work, and knowledge work is most of what a modern state and a modern economy actually do. The European Union (EU) AI Act recognised this trajectory when it placed strict obligations on high-risk AI systems, with the heavier duties for general-purpose and high-risk uses arriving through 2026. Regulators do not write rules like that for toys. They write them for infrastructure, for the systems whose failure or misuse lands on the public.

Here is the uncomfortable part. We have allowed a piece of national infrastructure to be delivered, for most organisations, as a metered service from a small number of foreign providers. Imagine if a country had outsourced its entire electricity grid to two firms in another jurisdiction, on terms those firms could revise at will, with a meter only they could read and a switch only they could throw. We would call that a national vulnerability, and we would be right to. The fact that the meter measures tokens rather than kilowatt-hours does not change the shape of the risk. It only makes the risk harder to see, because the dependency hides inside something that feels like a convenience rather than a chokepoint.

A dependency is not a deal, it is a leash

People hear the word sovereignty and assume the speaker is anti-trade or anti-foreign, looking for an excuse to wall things off. That is not my position. Trade is good. Open foundations are good, and I use them every day. The distinction I care about is narrow and specific. There is a difference between buying something and depending on something. You buy steel and you own the steel. It sits in your yard whatever the seller does next. You depend on a cloud-hosted model and you own nothing, you hold a permission that can be revised, throttled, repriced, or revoked, often without you having any standing to object and frequently with no warning at all.

Consider what the holder of the weights can actually do to you, without ever doing anything you would recognise as hostile. They can change the model under you, so the system that approved your process last quarter quietly behaves differently this quarter, and you cannot diff the change because you never had the artefact to diff against. They can deprecate a version you validated and certified against, forcing you to re-validate on their schedule rather than yours. They can raise prices once you are locked in deeply enough that switching becomes a multi-year programme. They can be compelled, by their own government's export controls, sanctions, or emergency powers, to cut you off entirely. None of these moves require malice. They require only that your interests and theirs diverge once, on one day, on one issue. Over a long enough horizon, between two sovereigns, they always do.

This is the heart of the strategic-dependency problem, and it is far older than AI. The energy shocks of the last century taught it. The supply-chain seizures of the pandemic years taught it again, when ordinary goods became suddenly unobtainable because the capacity to make them sat somewhere else. The lesson each time was the same. A capability you cannot produce, store, inspect, and run on your own terms is a capability someone else controls, and they will, eventually, exercise that control at the moment it costs you the most, because that is precisely the moment it is worth most to them. Renting intelligence from a foreign power is the newest and possibly the most consequential version of this lesson, because intelligence sits upstream of every other decision a state or an enterprise makes.

What weights actually are, and why owning them matters

Let me be precise about the object, because the abstraction hides the stakes. Model weights are the parameters produced by training, the distilled result of enormous compute applied to enormous data. They are the closest thing there is to the mind of the system. Everything else, the serving code, the interface, the safety layer, is scaffolding arranged around the weights. If you hold the weights, you hold the capability itself. You can run it offline, inspect it, fine-tune it, freeze a version forever, and audit exactly what informed a decision. If you only hold an API key, you hold a promise of access to a capability that lives somewhere else, on hardware you cannot see, under rules you did not write and cannot read in full.

This is why the policy conversation about open versus closed weights is really a conversation about national resilience wearing a technical costume. Closed weights, served only through a provider's endpoint, concentrate control in the provider. Open and ownable weights distribute it back to whoever runs them. A country that can take strong open foundations, specialise them on its own sealed corpus, run them on its own silicon, and hold the resulting artefacts as property has converted a rental into an asset. It has critical infrastructure it actually possesses rather than merely accesses, and possession is the difference between a system you can defend and a service you can only hope continues.

At Mickai this is not a slogan, it is the build. We are actively training our own models now. We fine-tune and specialise strong open foundations, the Llama 3.2 and Qwen 2.5 families among them, on a sealed corpus we control, and we are building toward fully native weights as funding scales. The point of that path is sovereignty over the most strategic layer there is. The weights are ours to run, ours to inspect, ours to freeze, and ours to defend. There is no foreign endpoint sitting between a decision and the model that informed it, which means there is no foreign hand on the switch that the rest of the system depends on.

Sovereign weights are necessary but not sufficient

Now I have to be honest about the limit of my own argument, because a case that only flatters its own conclusion is not worth much. Owning the weights solves the availability problem. It does not, by itself, solve the trust problem. You can hold a model entirely under your own control and still be unable to prove what it did, when, in what order, and on whose authority. A sovereign black box is still a black box. If a regulator, a court, an auditor, or your own successor asks you to demonstrate that a high-risk decision was made within policy, the answer cannot be that you own the machine that made it. Ownership of the engine is not the same as evidence of the journey, and it is the journey that gets contested when something goes wrong.

This matters more every year, not less. The regulatory direction is unmistakable. High-risk AI obligations are arriving. Liability for automated decisions is rising across jurisdictions. The expectation is shifting from trust us to show us, and that shift is structural, not a passing mood. At the same time, a second clock is running. The cryptographic signatures and audit trails most organisations rely on today were designed for a world without large-scale quantum computers, and that world has an expiry date. A log that is cryptographically sound today may be forgeable tomorrow, which means a record of a decision made now could be repudiated years later, in a dispute, when the ability to prove what happened is the only thing standing between you and liability. Post-quantum migration is not a far-future concern for anyone who has to keep records that must survive a decade of scrutiny.

So the sovereign-weights case, taken to its honest end, demands a second pillar. You need the model under your control, and you need a record of what it did that is independently verifiable, tamper-evident, and durable against the next generation of attacks. Without both, you have either a capability you cannot trust or a record you cannot keep. One without the other leaves a gap that an adversary, a regulator, or simply time will eventually find. Strategic autonomy requires the pair, designed together, not bolted together after the fact.

The record has to be signed before the act, not narrated after it

This is the design problem I find most people get backwards, so let me draw the distinction sharply. Most logging is a story told after the fact. The system does something, then writes a line describing what it did. The trouble is that whoever can write the log can also rewrite it, reorder it, or quietly omit the one line they would rather no one ever saw. An after-the-fact narrative is only as trustworthy as the party doing the narrating, which in a dispute is exactly the party you cannot afford to rely on. A log you control is a log you can edit, and a log you can edit proves nothing to anyone who does not already trust you. That is the opposite of evidence.

The fix is to invert the order. Sign the intended action before it executes, not after. In Mickai this is the Open Audit Record (OAR). Every AI action is signed before it runs, then hash-chained into an append-only sequence where each entry binds cryptographically to the one before it, so you cannot remove or reorder an event without breaking the chain in a way anyone can detect. The signatures use a post-quantum scheme, the United States National Institute of Standards and Technology (NIST) standard FIPS 204, the ML-DSA-65 algorithm, so the record is built to survive the cryptographic transition rather than be quietly invalidated by it the day the old assumptions break.

The property I care about most is the last one, and it is the one that turns a sovereign model from a black box into an accountable system. The record is verifiable offline, in an ordinary web browser, with no trust in the vendor. You do not call our servers to check whether we are telling the truth. You verify the chain yourself, against open standards, on a machine we never touch and cannot reach. That is the difference between please believe us and check it for yourself. For a state, a regulator, or any organisation whose decisions must stand up years later in front of people with every incentive to doubt them, that difference is not a feature. It is the whole game.

How the pieces fit, and where I will not overclaim

Let me describe the architecture plainly so the thesis is concrete rather than abstract. Mickai is a Sovereign Intelligence Operating System (SIOS), built and in production. It runs fifty brains, twenty-five domain and twenty-five operational, on the Poseidon silicon substrate. Those brains are the specialised models I described, run under our control rather than rented from anyone. Every action they take passes through the Open Audit Record before it executes, so the capability and the accountability are not two products bolted together but one system designed as a whole from the start. The model you own and the proof of what it did are cut from the same fabric, which is the only arrangement that holds up when both are challenged at once.

There is a further layer for anchoring trust beyond any single organisation, and here I will be careful to say what is built and what is being built. Pantheon is a sovereign Layer 1 blockchain designed to anchor the audit root to Bitcoin, with a token, PAN, of fixed supply, five billion. Anchoring the root of an audit chain to an external, widely-witnessed ledger means that even the operator of the system cannot quietly rewrite history, because the fingerprint of that history is published somewhere they do not control and cannot reach back into. The Pantheon chain is the one part of this stack still in build. I would rather tell you that plainly than imply everything is finished, because the entire point of this essay is that records should be honest and checkable, and that standard has to apply to my own claims first or it is worth nothing.

On the intellectual property, so the foundation is clear and so you can check it. The work is protected by 101 filed United Kingdom patent applications, about 2,234 claims, owned by Mickai LTD, with myself as the named inventor. They are filed. That is the accurate word, and I use it deliberately rather than dressing it up as more than it is. A claim is not a grant, and I will not pretend otherwise, for the same reason I will not pretend the audit log can be trusted on my say-so.

The choice in front of every serious organisation

Strip away the technology and the question is about who controls your ability to think and to prove. Today the default answer, for most governments and most enterprises, is that a handful of foreign providers control both. They hold the weights, so they control the capability. They hold the logs, so they control the record. You are renting your intelligence and borrowing your evidence, and you are doing it from parties whose interests will, on some day you cannot predict, diverge from yours. When that day comes, the meter, the licence, the export rule, and the unverifiable log will all be sitting on their side of the table, and you will have nothing on yours.

The sovereign alternative is not isolation and it is not nostalgia for a simpler era. It is owning the strategic layer outright. Take the strong open foundations, specialise them on a corpus you control, train toward your own native weights, run them on your own silicon, and bind every action they take to a record that is signed before the fact, hash-chained, post-quantum, and verifiable offline by anyone, with no trust in the vendor, including no trust in me. That is what critical infrastructure looks like when you actually own it rather than rent it. The weights make the capability yours. The signed, offline-verifiable record makes it accountable. A nation that holds both has its intelligence and its evidence on its own land, and no one on the far side of an API can take either one back.