What should an electoral commission require from AI used in election administration?
An electoral commission should require offline operation, a tamper-evident audit ledger anyone can verify, and hardware-attested identity bound to every recorded action.
An electoral commission should require any AI used in election administration to run entirely offline on hardware the commission owns, to seal every action in a tamper-evident audit ledger that independent observers can verify without trusting the vendor, and to bind each action to a hardware-attested identity. The reason is straightforward: election integrity rests on evidence anyone can check, so a system whose behaviour cannot be independently verified cannot be trusted with a ballot.
In 2026 this question is urgent. Commissions are being offered AI for voter roll checks, candidate nomination screening, results tabulation support and public enquiry handling, and most of it is delivered as public cloud AI. A hosted service processes national electoral data on infrastructure the commission neither owns nor can inspect, under foreign legal reach, with no ledger an observer could audit. For a function where the losing side must accept the result, unverifiable is the same as unacceptable.
Why must election AI run offline and with zero egress?
Because electoral data must never leave the commission's control, and a system that phones home cannot prove it did not. We build Mickai as a Sovereign Intelligence Operating System, a SIOS that runs on operator-owned hardware behind a zero-egress inbound perimeter. Data comes in, work happens locally, nothing is sent out. There is no vendor telemetry, no model call to an external endpoint, no third party inside the trust boundary. Offline operation also removes the legal exposure of hosted AI: data held only on the commission's own machines is not reachable under the US CLOUD Act and is not subject to a foreign provider's outage or policy change.
What can an independent auditor actually check?
An auditor should be able to check five things without taking the operator's word for any of them:
- Every action the AI took, in order, with a timestamp and the identity that authorised it.
- That the ledger has not been altered, reordered or truncated since it was written.
- That each entry was produced inside the commission's perimeter and not injected from outside.
- Which model version and configuration produced each output.
- That no data left the boundary, evidenced by the absence of any egress path.
The test is concrete: hand the ledger and the public verification keys to an observer from a rival party and let them confirm the record independently. If they need the vendor's cooperation to verify it, the system has failed the standard.
How does a tamper-evident audit ledger work?
Each action is written as an entry that is cryptographically chained to the one before it, so any change to an earlier record breaks every signature that follows. We seal the ledger with post-quantum digital signatures. FIPS 204 (ML-DSA) is the primary signature standard, with FIPS 205 (SLH-DSA) available as a hash-based alternative. These are the signing standards. FIPS 203 (ML-KEM) is key encapsulation and never signs anything, so it plays no part in sealing or verifying the record. The signatures are post-quantum because an electoral archive must stay verifiable for decades, well beyond the point where classical signatures could be forged by a quantum adversary.
Why must every action carry a hardware-attested identity?
Because an audit trail is only as strong as the identity behind each entry. Every action in Mickai is bound to a hardware-attested identity, an operator or process whose credentials are rooted in a hardware security element rather than a reusable password. The attestation is written into the audit chain, so the ledger does not merely show that something happened, it shows who or what caused it and on which machine. This closes the gap that lets an insider or a compromised account act invisibly, and it gives an investigator a specific, non-repudiable actor for every recorded step.
How does cross-model consensus reduce single-model risk?
A single model can be confidently wrong, and in an election that is a serious failure mode. For consequential judgements, Mickai runs cross-model consensus: several sovereign models assess the same question independently and their outputs are compared before anything is surfaced. Disagreement is logged and escalated to a human rather than hidden. No automated output should decide an eligibility or a count on its own. The AI prepares and evidences, an accountable human decides, and the ledger records both.
Which rules and standards make this necessary?
Several regimes point the same way. The EU AI Act treats systems used in elections as high risk. The high-risk Annex III obligations, once due on 2 August 2026, were deferred by the Digital Omnibus to 2 December 2027, with embedded Annex I high-risk obligations moving to 2 August 2028 and the Article 50 transparency duties largely unchanged. We read that as a build window, not a reprieve. NIS2 covers essential and important entities and expects strong operational security. DORA has been in force since January 2025 for digital operational resilience. GDPR governs the personal data on any electoral roll. ISO/IEC 42001 sets out how to run an AI management system that can be audited. Offline operation, a signed ledger and attested identity are how a commission satisfies the spirit of all of them at once. This architecture sits within 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD; never granted or patented.
“An election system must be provable to the public, not merely trusted by it.”
Frequently asked questions
Can an electoral commission use public cloud AI services for election administration?
Not for anything touching the vote. Public cloud services process data on infrastructure the commission cannot own or inspect, under foreign legal reach, with no ledger an observer could independently verify. For voter data, tabulation or eligibility work, a commission needs AI that runs offline on its own hardware with a verifiable audit trail.
What does provable rather than trusted actually mean?
It means an outside observer can confirm what the system did using cryptographic evidence, without relying on the vendor's word or access to the vendor's systems. A tamper-evident, post-quantum signed ledger plus published verification keys lets a rival party or an independent auditor check the record themselves. Trust is earned by the evidence, not requested in advance.
Why use post-quantum signatures for an audit ledger?
Electoral records must remain verifiable for decades, so their signatures have to survive future attacks. FIPS 204 (ML-DSA) is the primary post-quantum signature standard used to seal the ledger, with FIPS 205 (SLH-DSA) as a hash-based alternative. This keeps the archive independently verifiable long after classical signatures could be forged.
Does AI replace human decisions in running an election?
No. In this architecture the AI prepares, checks and evidences, and an accountable human makes every consequential decision. Cross-model consensus flags uncertainty and disagreement for human review rather than resolving it silently, and the ledger records both the AI's contribution and the human's decision. Automation supports the officer, it does not replace the officer.
How can a commission keep control of its own electoral data?
By running the system offline on hardware it owns, behind a zero-egress perimeter so nothing is sent to an outside party. Data held only on the commission's machines is not reachable under foreign disclosure laws and does not depend on a provider staying online. Ownership of the hardware, the keys and the ledger keeps the commission in control.




