Article · 3 May 2026

Autonomous AI agents have a trust problem nobody is fixing. Here is what sovereign agency actually looks like.

Early 2026 is the year agents stopped chatting and started executing. The labs shipped planners, tool routers, and long-horizon runners. They forgot the audit, the gate, the rollback, and the inventor's signature. Sovereign autonomy is structural, not promissory.

Author: Micky Irons
Published: 3 May 2026
Tags: sovereign-ai, autonomous-agents, ai-governance, mickai, patents

Your agent can wipe your inbox. There is no signed record of who told it to. There is no way to prove the instruction came from you, no way to dry-run the destructive step, no compensating inverse to apply if the agent gets it wrong. The vendor will tell you the agent had "user consent." The vendor cannot show you the cryptographic artefact that proves it. There is nothing to show.

That is the state of the autonomous agent in early 2026. The labs shipped the planners. They shipped the tool routers, the multi-step runners, the agentic browsers. They forgot the gate, the rollback, the audit. The trend piece headlines call this "the year agents grew up." The structural reality is that agents are running with credentials they were never issued, performing actions nobody can attribute, against systems nobody can revert.

Why the conventional approach fails by construction

OpenAI's Assistants run inside OpenAI's cloud. Anthropic's MCP routes through Anthropic's tool surface. Google's agents live inside Google's account graph. Microsoft's Copilot agents are a tenant inside Microsoft's identity tenant. Pick the vendor, the trust root is the same: the vendor is the trust root. If the vendor is compromised, the agent is compromised. If the vendor's logging is silently retained, modified, or subpoenaed, the agent's history is silently retained, modified, or subpoenaed. There is no separation between the actor that took the action and the party that gets to describe what happened.

The technical posture is worse than that. None of these stacks gates the destructive action at the syscall layer. None of them requires a hardware-attested re-authentication before a high-blast-radius operation. None of them writes the signed decision lineage to a ledger held by the user. The "consent" surface is a UX checkbox. The audit surface is whatever the vendor chooses to expose. The rollback surface is, in practice, a support ticket and a polite hope.

This is not a missing feature. It is a missing architecture. You cannot bolt sovereignty onto an agent stack whose trust root sits in someone else's data centre. The sovereignty has to be a property of the action ontology, the gate, the simulator, the ledger, and the rollback chain. All of it. By construction, at definition time, before the agent has a chance to do anything you cannot prove.

What sovereignty actually looks like for an agent

Micky Irons has filed twenty-one UK patents (application reference UK00004373277) on the structural primitives sovereign autonomous agents require. They are not an alternative agent framework. They are the layer underneath every agent framework, the layer the labs decided to skip. Below is the relevant subset for the autonomous-agent question.

**Typed-action ontology (GB2608766.8 / MWI-PA-2026-012).** Every action an agent can invoke is declared at definition time as a typed object: input schema, output schema, side-effect class, blast radius, compensating inverse, required clearance. Agents do not call APIs. Agents call typed actions. The free-text-to-API fan-out that lets a vendor agent issue arbitrary JSON to arbitrary endpoints is the original sin; the typed-action registry closes it.

**Per-skill clearance with verbal re-authentication (GB2608818.7 / MWI-PA-2026-021).** Each typed action carries a clearance level. High-blast-radius actions (delete, transfer, transmit to a non-user party, irreversible mutation) require not just a session token but a fresh hardware-attested re-authentication at invocation time. The agent cannot escalate its own clearance. The user re-attests, per skill, per high-risk call, with voice biometric in the loop.

**Voice-biometric-gated deterministic LLM tool invocation (GB2608799.9 / MWI-PA-2026-013).** The voice biometric is not an unlock token; it is a per-invocation gate on the deterministic tool call itself. The model proposes; the gate decides. A compromised model, a prompt-injected model, a fine-tuned-by-an-attacker model, none of them can issue the gated call without a fresh biometric attestation in the same wall-clock window. This is the structural answer to "the model went rogue."

**Pre-commit dry-run simulation (GB2608802.1 / MWI-PA-2026-015).** Before any irreversible action commits, the agent runs the action against a sandboxed copy of the affected resource, produces a structured diff of the simulated outcome, and presents the diff for approval. No diff, no commit. The agent does not get to "try it and see." The human (or the policy engine acting under human-defined rules) sees the consequence before the consequence becomes real.

**First-class actions with compensating rollback (GB2608800.5 / MWI-PA-2026-014).** Every action declares its inverse at definition time. The inverse is stored alongside the signed action record. If the action goes wrong, the operator issues a retroactive undo and the system constructs the inverse chain and applies it. Rollback is not a backup-restore exercise. It is a per-action, signed, ordered reversal that respects the dependency graph between actions.

**Decision lineage with ML-DSA-signed audit ledger (GB2608804.7 / MWI-PA-2026-016).** Every decision the agent makes, every retrieval that informed it, every tool it considered, every gate it cleared, written to an append-only ledger, signed at the moment of generation under FIPS 204 ML-DSA-65. The signing key lives in hardware the operator controls. The vendor cannot read the ledger. The vendor cannot rewrite the ledger. The signature survives quantum-era attack.

**Branch-based operational workflow and hive-mind federation (GB2608805.4 / MWI-PA-2026-019).** Agents operate on branches. Speculative work happens in isolation, gets reviewed against the diff and the lineage, and merges into the operational trunk only when the gate, the dry-run, and the policy all clear. Federated agents across institutional boundaries cooperate via the same branch discipline, with attestations at every cross-boundary merge.

This is what an autonomous agent looks like when the architecture takes the word "autonomous" seriously. Not "the model can call tools" but "the action surface is typed, the gate is biometric, the simulation is mandatory, the rollback is constructive, the lineage is signed, and the operator owns the keys."
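As an added illustration, not Mickai's code or the text of any filed claim, the typed-action ontology, per-skill clearance and gated invocation described above as a small Python registry. The action names, clearance levels, the 30-second freshness window and the `Attestation` shape are assumptions, and the biometric or hardware check itself is assumed to happen outside this code.

```python
from dataclasses import dataclass
from typing import Callable, Optional
@dataclass(frozen=True)
class TypedAction:
    name: str
    side_effect_class: str          # "read" | "mutation" | "bulk-mutation"
    blast_radius: str               # "small" | "large"
    clearance: int                  # minimum clearance the session must already hold
    inverse: Optional[str]          # compensating action, declared at definition time
    handler: Callable[[dict], dict]

@dataclass(frozen=True)
class Attestation:                  # outcome of a fresh, per-skill re-authentication
    skill: str                      # the single action this attestation was issued for
    issued_at: float                # wall-clock seconds at which it was issued
    verified: bool                  # the biometric/hardware check itself is assumed done elsewhere

class GateError(Exception): pass

class Registry:
    FRESHNESS_WINDOW = 30.0         # seconds; an assumed policy value
    def __init__(self, actions):
        self._actions = {a.name: a for a in actions}
    def check(self, name, session_clearance, attestation, now):
        """Return None if the call may proceed, otherwise the reason the gate refuses it."""
        action = self._actions.get(name)
        if action is None:
            return "unknown action: only registered typed actions can be invoked"
        if session_clearance < action.clearance:
            return "insufficient clearance: the agent cannot escalate itself"
        if action.blast_radius == "large" or action.side_effect_class == "bulk-mutation":
            if attestation is None or not attestation.verified:
                return "high-blast-radius action needs a verified re-attestation"
            if attestation.skill != name:
                return "attestation was issued for a different skill"
            if now - attestation.issued_at > self.FRESHNESS_WINDOW:
                return "attestation is stale for this wall-clock window"
        return None
    def invoke(self, name, args, session_clearance, attestation, now):
        reason = self.check(name, session_clearance, attestation, now)
        if reason: raise GateError(reason)  # the model proposes; the gate decides
        return self._actions[name].handler(args)

def build_registry() -> Registry:
    """Two assumed mailbox actions; the bulk archive declares its inverse and needs clearance 3."""
    return Registry([
        TypedAction("mailbox.search", "read", "small", 1, None, lambda a: {"matched": a["query"]}),
        TypedAction("mailbox.archive_bulk", "bulk-mutation", "large", 3, "mailbox.unarchive_bulk",
                    lambda a: {"archived": len(a["ids"])}),
    ])
```

A session holding clearance 3 still cannot run the bulk archive on its token alone; only a verified attestation issued for that exact skill inside the window lets the call through.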

A concrete worked example

A user tells their agent: "Clean up the inbox. Archive anything older than six months that is not flagged."

**On a conventional vendor agent stack.** The agent expands the instruction to "anything older than six months that does not have a star, a label, or a reply." The free-text plan emits a stream of mailbox API calls. Eight thousand four hundred messages move to archive. Hidden in the corpus are a tax notice the user had not flagged, a contract counterparty's only response from 2024, and a thread of medical correspondence the user had been meaning to label. The vendor's "audit log" shows that an archive operation occurred. It does not show why those specific messages were chosen, what the model's chain of consideration was, or how the user's instruction was interpreted. There is no rollback. The user files a support ticket.

**On a Mickai agent.** The agent resolves the instruction against the typed-action registry. The matching action is `mailbox.archive_bulk`, declared as side-effect-class `bulk-mutation`, blast radius `large`, requiring clearance level 3. Per-skill clearance gating fires (GB2608818.7 / MWI-PA-2026-021). The user re-attests by voice (GB2608799.9 / MWI-PA-2026-013). Pre-commit dry-run runs against a sandboxed mailbox snapshot (GB2608802.1 / MWI-PA-2026-015). The structured diff shows: 8,400 messages selected, sample previews, the three messages flagged as anomalous because they appear in long-running threads with non-default labels. The user reads the diff, says "exclude the medical thread and the contract reply," and approves. The compensating inverse (`mailbox.unarchive_bulk` against the persisted action record) is stored alongside the signed action lineage (GB2608804.7 / MWI-PA-2026-016). Two days later the user discovers the tax notice was archived. One command issues the inverse against that single message; the dependency-aware rollback (GB2608800.5 / MWI-PA-2026-014) reverts cleanly. The signed ledger shows what was instructed, what was simulated, what was approved, what was committed, and what was reverted. End to end. Nobody has to take anybody's word for anything.
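The Mickai walk-through above as an added Python example that is not Mickai's code: the instruction resolved to a concrete id list, a dry-run against a sandbox copy producing a structured diff, a commit whose compensating inverse is stored beside the signed record, a single-message rollback, and a signed append-only ledger that detects tampering. The mailbox, the field names and the action names are constructed assumptions, and HMAC-SHA256 under an operator-held key stands in for the ML-DSA-65 signature the text specifies, since the standard library has no ML-DSA.

```python
import copy, hashlib, hmac, json

DAY, NOW = 86400, 1_000 * 86400       # constructed clock, seconds since epoch
MAILBOX = {  # constructed sample mailbox, id -> message; m2 sits in a labelled (medical) thread
    "m1": {"received": NOW - 400 * DAY, "flagged": False, "label": "default", "folder": "inbox"},
    "m2": {"received": NOW - 300 * DAY, "flagged": False, "label": "medical", "folder": "inbox"},
    "m3": {"received": NOW - 10 * DAY, "flagged": False, "label": "default", "folder": "inbox"},
    "m4": {"received": NOW - 500 * DAY, "flagged": True, "label": "default", "folder": "inbox"},
}

def select_unflagged_older_than(mailbox, now, max_age=180 * DAY):
    """The instruction resolved to a concrete id list, not a free-text plan."""
    return sorted(i for i, m in mailbox.items() if now - m["received"] > max_age and not m["flagged"])

def dry_run(mailbox, ids):
    """Apply the action to a sandbox copy and return a structured diff; nothing real changes."""
    sandbox = copy.deepcopy(mailbox)
    for i in ids: sandbox[i]["folder"] = "archive"
    return {"count": len(ids),
            "anomalous": [i for i in ids if mailbox[i]["label"] != "default"],
            "diff": {i: (mailbox[i]["folder"], sandbox[i]["folder"]) for i in ids}}

class Ledger:
    """Append-only records, each signed under an operator-held key (HMAC stands in for ML-DSA-65)."""
    def __init__(self, key): self.key, self.records = key, []
    def _sign(self, body):
        return hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
    def append(self, kind, payload):
        body = json.dumps({"n": len(self.records), "kind": kind, "payload": payload}, sort_keys=True)
        self.records.append((body, self._sign(body)))
    def verify(self):
        return all(hmac.compare_digest(sig, self._sign(body)) and json.loads(body)["n"] == n
                   for n, (body, sig) in enumerate(self.records))

def commit(mailbox, ids, ledger):
    """Commit the approved ids; the compensating inverse is stored beside the signed record."""
    prior = {i: mailbox[i]["folder"] for i in ids}
    for i in ids: mailbox[i]["folder"] = "archive"
    ledger.append("commit", {"action": "mailbox.archive_bulk", "ids": ids,
                             "inverse": {"action": "mailbox.unarchive_bulk", "prior": prior}})

def rollback_one(mailbox, ledger, msg_id):
    """Apply the stored inverse to one message and record the reversal; False if never committed."""
    for body, _ in reversed(ledger.records):
        rec = json.loads(body)
        if rec["kind"] == "commit" and msg_id in rec["payload"]["inverse"]["prior"]:
            mailbox[msg_id]["folder"] = rec["payload"]["inverse"]["prior"][msg_id]
            ledger.append("rollback", {"action": "mailbox.unarchive_bulk", "id": msg_id})
            return True
    return False
```

The dependency graph between actions is reduced here to "the latest commit that touched this message"; a production rollback chain would also order reversals across dependent actions.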

This is what "autonomous" should mean. The agent is autonomous within a structural cage that the operator built. The cage is the contribution.

What the wider field should build

The Mickai patent portfolio is filed and public. The patents are not an attempt to corner the market; they are an attempt to make the structural commitment explicit so the field has a referenceable shape to build to. The open standard the field needs is an Open Action Registry, a typed-action schema with declared inverses, clearance levels, and side-effect classes, that any agent framework can adopt. Mickai's working notes on what that registry should look like sit at mickai.co.uk/oar.

If you build agent infrastructure, the structural test is this. Can you point to the typed-action schema for every tool your agent can invoke? Can you produce the cryptographic artefact that proves the user authorised the destructive call? Can you replay the simulator output that was approved? Can you issue a retroactive undo and have the system construct the inverse chain? Can the operator hold the signing key the vendor cannot reach? If any answer is no, the agent is not sovereign. It is a vendor agent with a sovereignty-themed marketing layer.

Closing

Mickai is built and filed by one person. Micky Irons, sole inventor and sole applicant of all twenty-one filed UK patents, acting in person, no patent attorney, no law firm, no corporate backing, based in Workington, Cumbria. The structural design choices in this article are not the output of a research lab; they are the output of one inventor deciding the existing autonomous-agent stacks were not safe to give to a user and writing down what would have to be true for that to change.

If you are building agent infrastructure, regulating it, procuring it, or using it in a regulated environment, read the portfolio at mickai.co.uk/patents and the manifesto and procurement work at mickai.co.uk/articles. Strategic licensing, defence and public-sector engagement, and serious technical collaboration are open. The contact is press@mickai.co.uk. The work is filed; the conversation is the next step.

Originally published at https://mickai.co.uk/articles/sovereign-autonomous-ai-agents-the-real-trust-gap. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
Multimodal AI in early 2026 is shipping capability without provenance. A video clip from GPT-5.5 or Gemini is indistinguishable from real footage and carries no signature, no consent envelope, and no cryptographic binding to a natural person. This article sets out the structural fix, by reference to six filed UK patents, and explains why the regulators will follow whether the labs cooperate or not.