MICKAI
Article · 3 July 2026

Sovereign AI in Defence and Critical National Infrastructure

Air-gapped intelligence for classified environments, where every decision is signed before it acts and no data ever leaves the wire

Sovereign AI in Defence and Critical National Infrastructure
Author
Micky Irons
Published
3 July 2026
Follow Micky Irons
LinkedInX
sovereign-aidefencecritical-infrastructureair-gappeditar

Defence ministries and the operators of critical national infrastructure share a problem that the mainstream artificial intelligence (AI) market has never had to solve. Their most sensitive work cannot leave the building. A grid control room, a naval command network, a nuclear regulator, an intelligence cell: none of these can pipe classified signals to a public inference endpoint and wait for a helpful answer to come back. The moment data crosses the wire, the assurance case collapses.

Yet the pressure to adopt capable machine intelligence in exactly these settings is now overwhelming. The gap between what a model could do for an analyst and what the security boundary will permit is where most projects stall. We built Mickai, a Sovereign Intelligence Operating System (a SIOS), to close that gap on the customer's own terms, inside the fence, with nothing leaving it.

The boundary the public cloud cannot cross

The hyperscale providers, OpenAI, Microsoft, Amazon Web Services, Google and Oracle, are formidable allies and they operate at a different layer of the stack. Their business is elastic capacity delivered over a network you do not own. That model is superb for a great deal of the economy and structurally wrong for a classified enclave. A sovereign environment is defined by what it refuses to connect to. You cannot buy your way into that posture with a private tenancy or a compliance certificate, because the fundamental dependency remains: someone else's control plane, reachable over someone else's network.

Mickai serves that regulated boundary rather than trying to abolish it. Every subsystem, every brain and every studio runs on hardware the customer owns. It can sit air-gapped in a bunker or on-premise behind a nation's own controls. There is zero data egress by design, not as a configuration setting that an administrator might forget to tick. The intelligence comes to the data, and the data never travels.

Colossal marble statue of Atlas bearing a great weight on his shoulders in darkness lit by gold light
Like Atlas holding the sky alone, sovereign infrastructure carries its own intelligence with no reliance on a distant cloud

Why ITAR makes offline the only safe answer

The International Traffic in Arms Regulations (ITAR), which govern defence-related technical data, have quietly become the sharpest argument for sovereign artificial intelligence. Under the deemed export rule, granting a foreign national access to controlled technical data counts as an export even if nobody leaves the country. Regulators and counsel are now applying that logic to autonomous agents. If an assistant reasons over controlled data while running on cloud infrastructure administered by foreign nationals, or routes a request through an external interface hosted abroad, the access itself can constitute a deemed export. The fact that a machine performed the action does not dissolve the obligation.

This is not a hypothetical for defence primes and their supply chains. An assistant that quietly calls an external service, or a vector store replicated to a region staffed by non-cleared personnel, can turn a routine query into a controlled-technology transfer. The only architecture that removes the risk entirely is one where the model, the retrieval index and the orchestration all live inside the accredited boundary, on machines the programme controls, reachable by cleared people alone. Fully offline operation is not a hardening step bolted onto Mickai. It is the starting assumption from which everything else is built.

Signed before it acts, not logged after

In the highest-assurance settings, an audit trail written after the fact is worth very little. By the time the log is flushed the action has already happened, and a sufficiently capable adversary inside the system can rewrite what the log says. We invert that order. Every action an agent proposes is captured in an Operation Attestation Record (an OAR), which is cryptographically signed before the action is permitted to execute. Nothing runs until it has been attested. The record states what was to be done, by which brain, under which authority, and it becomes the thing the platform will not proceed without.

Colossal three headed marble hound Cerberus guarding a threshold in darkness lit by gold light
Cerberus let nothing pass the gate, the same discipline a classified boundary demands of every action and every brain

Those signatures are post-quantum. We use the FIPS 204 standard, the Module-Lattice-Based Digital Signature Algorithm published by the United States National Institute of Standards and Technology, at the ML-DSA-65 parameter set, with the stronger ML-DSA-87 set available where national security systems require it. The choice matters because signatures made today must still be trustworthy in a decade, well inside the window in which a cryptographically relevant quantum computer is expected to arrive. A record signed with a lattice scheme cannot be forged retroactively once that machine exists. Each OAR flows into a tamper-evident, cryptographically-signed audit ledger that can be verified entirely offline, with no call to any external authority, which is exactly what an air-gapped accreditor needs.

Revocable brains and multi-party approval

A single monolithic model is a governance liability. If one component is compromised, misbehaves or simply falls out of accreditation, the operator needs to be able to remove it without tearing down the whole environment. Mickai is composed of discrete, revocable brains. A brain can be suspended, replaced or permanently withdrawn, and the moment it is revoked it can no longer sign an OAR, so it can no longer act. Trust is not a property the system assumes; it is a credential the operator grants and can take back.

For the actions that carry real consequence, moving a load on a grid, tasking a sensor, changing a control setpoint, one brain's assent is not enough. High-stakes operations demand multi-brain agreement together with voice-biometric approval from an authorised human. Several independent brains and a verified operator must concur before the OAR is signed and the action proceeds. This is separation of duties expressed in cryptography rather than in policy documents, and it means no single point of failure, human or machine, can unilaterally act on the most sensitive parts of the estate.

Colossal blindfolded marble statue of Themis holding level scales in darkness lit by gold light
Themis weighed every claim on its merits, the way a signed audit ledger lets a decision be judged long after it was made

Staying current without opening a door

Defence buyers increasingly expect the latest capability quickly. A recent United States Department of Defense procurement stance asks vendors to make current models available within a month of release. The obvious tension is that being current usually means being connected, and connection is the one thing a classified enclave forbids. Mickai resolves this with a disciplined offline update path. New sovereign brains are packaged, signed and verified against their signatures before they are admitted, then carried across the air gap through the operator's own controlled process. Capability moves inward; nothing sensitive moves outward. The estate stays current and stays sealed at the same time.

We also expose whether work runs on the central processor, the graphics processor or a hybrid split, so a programme can match its inference to the hardware it is actually permitted to field, from a hardened edge node in a forward location to a full on-premise cluster. Capability that a nation cannot run on equipment it owns is capability it does not truly control.

An architecture protected by filed patents

None of this is a slide deck. The attestation ledger, the revocable-brain model, the multi-brain plus voice-biometric approval path and the offline verification chain are working subsystems, and the capabilities they embody are protected by 104 filed UK patent applications carrying about 2,340 claims, all owned by Mickai LTD. We describe those filings by what they contain rather than as a legal trophy, because for a defence buyer the point is not the paperwork but the assurance that the mechanism guarding a classified action is a deliberate, documented invention rather than an afterthought. A nation adopting Mickai adopts a boundary architecture that was designed for the fence from the first line.

Colossal marble and bronze automaton Talos striding as a guardian in darkness lit by gold light
Talos walked the shore untiring and answerable to no outside hand, the model for intelligence a nation can wholly own

The bottom line

Sovereign artificial intelligence for defence and critical national infrastructure is not a stricter privacy policy layered over the same rented cloud. It is a different architecture built for a boundary the public cloud is not designed to cross. Intelligence that runs air-gapped on owned hardware, signs every action before it executes with post-quantum credentials, records those actions in a ledger that can be verified offline, and lets the operator revoke any brain at will, is intelligence a nation can adopt without surrendering control of its most sensitive work. That is the standard the highest-assurance settings require, and it is the standard we built Mickai to meet.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/sovereign-ai-defence-critical-infrastructure. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles