MICKAI
Article · 8 July 2026

Signing Decisions for a Quantum Future: Post-Quantum Audit for AI

Why AI decisions made today should be sealed with post-quantum signatures so they still verify long after quantum computing arrives.

Signing Decisions for a Quantum Future: Post-Quantum Audit for AI
Author
Micky Irons
Published
8 July 2026
Follow Micky Irons
LinkedInX
post-quantumml-dsaai-auditcryptographysovereign-ai

An AI system that approved a mortgage, triaged a patient or flagged a transaction in 2026 will not be asked to justify that decision in 2026. The question comes later, when a regulator opens a file, a court hears a claim or an acquirer runs diligence. What matters then is whether the record of what the system did can still be trusted, and whether its signature still means anything.

That is where the timelines collide. The EU AI Act reaches full application on 2 August 2026, and its logging and traceability obligations for high-risk systems set a minimum retention of at least six months, and in regulated sectors the practical retention of decision records often runs to many years. Over roughly the same horizon, most credible assessments expect a cryptographically relevant quantum computer capable of breaking the elliptic-curve and RSA signatures that secure almost every audit trail in production today. Signing today's AI decisions with post-quantum ML-DSA under FIPS 204 is how a record avoids that quiet expiry date on its own proof of authenticity.

The retention window is longer than the cryptography

The arithmetic is simple. Regulated AI decisions carry retention obligations measured in years, often five, seven or ten, yet the signature schemes protecting them were designed for a world without large-scale quantum computers. When such a machine arrives, it will not only threaten data recorded after that date. It will retroactively undermine the integrity of everything signed before it, because a forged signature on an old record is indistinguishable from a genuine one once the underlying mathematics falls.

This is the harvest-now, decrypt-later problem restated for integrity rather than confidentiality. An adversary does not need to break a signature the day it is created; they need only wait until the tools exist, then rewrite history in a way no verifier can detect. For an AI audit trail, that is the difference between a decision that can be proven and one that can merely be asserted.

The defence is to sign now with algorithms chosen to withstand quantum attack. The US National Institute of Standards and Technology finalised those algorithms in 2024. FIPS 204 specifies ML-DSA, a lattice-based digital signature standard built to remain hard for both classical and quantum computers. Adopting it is not speculative hardening; it brings the cryptography into line with the retention period the law already demands.

Signing Decisions for a Quantum Future: Post-Quantum Audit for AI, illustration 1

What a sealed decision actually contains

Signing a decision only helps if the thing being signed is complete, and a bare output, approved or declined, tells a future auditor almost nothing. Within Mickai, the Sovereign Intelligence Operating System, every action is sealed as a structured record: the inputs the system saw, the model identity and version that acted, the reasoning trace, the policy in force at that moment and the resulting decision. The seal binds these together so that no element can be altered without invalidating the whole.

Each record is then chained to the one before it. Every entry carries a cryptographic reference to its predecessor, so the log forms an ordered, tamper-evident sequence rather than a loose pile of files. Removing or reordering an entry breaks the chain in a way verification exposes immediately. The signature over each record is produced with ML-DSA, so the chain remains verifiable after the quantum transition, not just until it.

A decision is only genuinely auditable if the proof of what happened outlives the cryptography that was used to record it.

Signing Decisions for a Quantum Future: Post-Quantum Audit for AI, illustration 2

Verification without trusting the vendor

A signature is worth as much as the independence of the party checking it. Much of the current market for AI governance asks the buyer to trust a supplier's dashboard, hosted on the supplier's infrastructure, reporting on the supplier's own behaviour. That is attestation by assertion: if the records live where the vendor controls them, the vendor is both the witness and the guardian of the evidence.

Offline verifiability breaks that dependency. Because Mickai runs on operator-owned hardware with no outbound connection required, the signed audit chain sits inside the operator's own perimeter. A regulator, an internal auditor or an acquirer's technical team can verify the ML-DSA signatures with the public verification keys and open standards, on their own machines, without seeking permission and without any external servers involved. Trust rests on mathematics that anyone can check, not on a relationship with the party being audited.

This is also why the identity attached to each signature matters. Signatures are bound to hardware-attested identity, so a record does not merely claim to have come from a given system: it carries evidence of the specific attested environment that produced it, which makes impersonation and after-the-fact substitution harder to sustain.

Signing Decisions for a Quantum Future: Post-Quantum Audit for AI, illustration 3

Why the signer needs a defensible boundary

Post-quantum signatures protect a decision after it is made. They do nothing for the integrity of the decision itself if the system that produced it was tampered with while running. A perfectly signed record of a corrupted process is a well-preserved falsehood, so the signing layer is only as strong as the perimeter around the signer.

Mickai is built with a zero-egress inbound perimeter: the system does not reach out, and inbound pathways are tightly constrained and inspected. That containment matters for audit because it narrows the surface through which reasoning could be poisoned or logs manipulated before they are sealed. In defence, health and critical national infrastructure, the concern raised across the UK Sovereign AI programme and in NHS data-sovereignty debates is precisely that decisions and data leak to systems outside national or organisational control. A closed perimeter there is not a feature bolted on for audit; it is the precondition that makes the signed record credible.

Signing Decisions for a Quantum Future: Post-Quantum Audit for AI, illustration 4

Consensus makes the record worth signing

What is committed to a permanent log warrants care. If a single model can hallucinate, its sealed decision becomes a durable record of a possible error, because permanence amplifies both good process and bad.

To raise the quality of what gets sealed, Mickai can route consequential decisions through cross-model consensus, comparing the outputs of several sovereign models before an action is committed. Divergence between them is itself recorded, so the audit trail captures not just the answer but the degree of agreement behind it. When the record shows that multiple independent models concurred, and preserves the cases where they did not, the artefact a future auditor inspects is more informative than a lone verdict, and post-quantum signing guarantees it survives the shift intact.

Where this leaves the serious buyer

None of this claims that quantum computers will break anything tomorrow. The arrival date is uncertain; the retention obligations are not. When a regulated organisation must keep AI decision records verifiable for a decade, and the cryptography protecting those records is on a schedule to weaken within that same decade, the prudent course is to sign with algorithms designed for the later world, starting now. Migrating a live audit estate to post-quantum signatures after a break is discovered is not a migration; it is a reconstruction with no trustworthy foundation to build on.

This work sits within a wider body of 104 filed UK patent applications and approximately 2,340 claims owned by Mickai LTD, spanning sealed audit chains, attested identity and the inbound perimeter around them. What any CISO, regulator or public-sector buyer should ask of any AI system now is narrow and answerable: what exactly is signed, with which algorithm, and can the signature be verified without trusting the supplier. Post-quantum audit is not a distant standard to plan for; it is the difference between a decision provable in 2036 and one that can only be hoped no one questions.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/signing-decisions-for-a-quantum-future-post-quantum-audit-for-ai. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles