MICKAI
Article · 14 June 2026

The Substrate Is the Choice: Sovereign-AI Procurement in the United Kingdom in 2026

RM6263 gives UK buyers the doorway. Whether what they buy can ever be audited, contained, or replaced is decided by the requirement they write, not the framework they use.

The Substrate Is the Choice: Sovereign-AI Procurement in the United Kingdom in 2026
Author
Micky Irons
Published
14 June 2026
Follow Micky Irons
LinkedInX
sovereign AIpublic procurementRM6263DSITNCSC

A procurement form is a security architecture in disguise

When a United Kingdom (UK) government buyer fills in a framework call-off for an artificial intelligence (AI) system, they think they are buying a capability. In truth they are signing a security architecture. The questions a buyer asks, and the ones they leave out, decide for the next decade who can read the data, who can change the model, who can prove what happened, and who has to be trusted on their word. I have sat on both sides of that table. The thing that strikes me every time is how much of the real decision is made by omission. The capability gets three pages of scrutiny. The substrate underneath it, the part that determines whether you can ever audit, contain, or replace the system, gets a tick-box.

In 2026 the UK has the frameworks to do better. The Crown Commercial Service (CCS) runs RM6263, the Artificial Intelligence Dynamic Purchasing System, alongside the wider technology and cloud agreements. The Department for Science, Innovation and Technology (DSIT) sets the sovereign-AI direction. The National Cyber Security Centre (NCSC) publishes the guidance that should anchor the security questions. The instruments exist. The question is whether buyers use them to ask the hard thing or the easy thing. This essay is about the hard thing, and why the substrate, not the demonstration, is the choice that actually gets made.

What the frameworks give you, and what they quietly do not

RM6263 is a route to market, not a security standard. That distinction matters more than it sounds. A Dynamic Purchasing System is good at one job: letting compliant suppliers onto a list and letting buyers run a fair competition among them. It is structurally agnostic about how the winning system is built. It will happily admit a sovereign, auditable substrate and a black-box hosted endpoint side by side, because admission is about supplier conformance and commercial terms, not about whether the model's behaviour can be independently verified after the fact. The framework is the doorway. It does not tell you what kind of house you are walking into.

That is not a criticism of the Crown Commercial Service. A framework that tried to mandate one architecture would freeze the market and be obsolete in a year. The point is that the discrimination has to happen in the buyer's requirements, in the statement of work and the evaluation weightings, not in the framework's existence. If a buyer runs an RM6263 competition with a specification that only describes outputs (accuracy, latency, uptime, price), the procurement will reliably select for the cheapest plausible black box. The framework did its job. The buyer skipped theirs.

DSIT's sovereign-AI agenda and the various compute and capability programmes push in the right direction, toward control of the stack and of the data. But strategy at the department level only becomes real at the level of a single call-off question. A national sovereignty ambition that is not expressed as a mandatory, weighted, testable requirement in the actual contract is a press release. The gap between the strategy and the schedule is where sovereignty is won or lost. I have watched genuinely good intentions evaporate in that gap, not through bad faith but through habit, because the person writing the schedule reaches for the template that worked last time and the template was written for buying laptops, not for buying systems that make decisions about citizens.

The substrate is the decision, not the model

Here is the contrarian claim, stated plainly. The model you are evaluating is the least durable part of the system you are buying. Models churn. A model that tops the benchmark today is mid-table in eighteen months and deprecated in three years. What persists is the substrate: where the system runs, who controls the keys, how identity and access are mediated, whether actions are recorded in a way you can later prove, and whether any of that survives the vendor walking away or being acquired. You are not buying a model for a decade. You are buying the ground it stands on.

At Mickai we build a Sovereign Intelligence Operating System (SIOS), and I will be precise about what that means rather than wave the word around. It is built and in production, not a roadmap. It means the AI does not run as a hosted favour you rent. It runs on a substrate the operator controls, called Poseidon, with fifty specialised brains on top, twenty-five domain and twenty-five operational. We are actively training our own models now, fine-tuning and specialising open foundations such as Llama 3.2 and Qwen 2.5 and building a sealed corpus, and funding scales that work toward fully native weights. I say this not as a sales line but to make a structural point. When the substrate is yours, model churn becomes a swap inside a controlled boundary rather than a renegotiation with an outside party who holds your data and your audit trail hostage.

A sovereign buyer should therefore evaluate the substrate first and the model second, which is the inverse of how most evaluations run. Ask where computation happens and under whose legal jurisdiction. Ask who holds the encryption keys and whether the vendor can technically be compelled to surrender data without the buyer's knowledge. Ask what happens to the running system if the contract ends or the supplier is bought by a foreign entity. These are not procurement footnotes. They are the whole game, and they are decided by the substrate, not the demonstration.

The question almost no one asks: can you prove what it did

Most AI procurement security sections obsess over keeping bad actors out. Access control, encryption in transit and at rest, penetration testing, supply-chain attestations. All necessary. All insufficient. They answer the question can someone break in. They do not answer the far harder operational question that comes up the day after deployment: can you prove what the system actually did, to whom, in what order, and can you prove it to someone who does not trust your supplier?

This is where almost every hosted AI offering quietly fails, and where the failure is invisible until the moment it matters. The standard answer is a log. But a log is a record the operator writes after the fact and can, in principle, edit. A log tells you what the system chose to tell you. In a dispute, an investigation, or a regulator's inquiry, a vendor-controlled log is exactly as trustworthy as the vendor, which is to say it is the thing under question. You cannot use the suspect's diary as the alibi.

A marble hand pressing a wax seal onto a stone tablet, lit by a single gold rim light against black, evoking a record committed before the act.
Sign before execute: the record is not a description written afterward, it is a precondition of the act.

At Mickai the answer to this is the Open Audit Record (OAR), and I will describe it concretely because the mechanism is the argument. Every AI action is signed before it executes, not logged after. The records are hash-chained and append-only, so you cannot insert, delete, or reorder an entry without breaking the chain in a way anyone can detect. The signatures are post-quantum, using the United States National Institute of Standards and Technology (NIST) standard Federal Information Processing Standard 204 (FIPS 204, the ML-DSA-65 parameter set), so the proof does not rot when cryptographically relevant quantum computing arrives. The audit root is anchored to the Bitcoin blockchain through Pantheon, our sovereign Layer 1 chain, so the history is pinned to an external timeline no single party controls. And, the part that matters most for a buyer, the whole record is verifiable offline, in an ordinary web browser, with no trust placed in the vendor at all. You do not phone Mickai to confirm what happened. You check the mathematics yourself.

Why sign-before-execute is the line that separates real audit from theatre

The ordering is the entire point, and it is the detail buyers consistently miss. A system that logs after acting can always, in the gap between acting and logging, do something it never records, or record something it never did. Sign-before-execute closes that gap. The action does not happen unless the commitment to record it has already been made and cryptographically sealed. The record is not a description of the past written by the actor. It is a precondition of the act. That inversion is what turns audit from a story the vendor tells into evidence a third party can test.

Pair that with offline verifiability and you have something genuinely rare: an accountability mechanism that does not depend on continued faith in the party being held accountable. The reason this is so unusual is that it is commercially uncomfortable. It removes the vendor's discretion over the story. A supplier whose audit trail can only be checked through their own dashboard has built a system that protects the supplier. A supplier whose audit trail can be checked in your browser, with their cooperation removed from the loop, has built a system that protects you. A sovereign buyer should treat that difference as the security question, not a feature comparison.

I want to be honest about the limit of this, because security-realism demands it. A signed, offline-verifiable record proves what the system did and the integrity of that history. It does not by itself prove the decision was wise, fair, or lawful. It proves the trail is true. That is a smaller claim than vendors usually make and a far more useful one, because almost every governance, liability, and incident-response problem downstream begins with not being able to establish the facts. Fix the facts and the rest of accountability becomes possible. Leave the facts contestable and no amount of policy language saves you.

The regulatory clock is already running

None of this is abstract or future-tense. The European Union (EU) Artificial Intelligence Act brings its high-risk obligations into force from August 2026, with requirements around record-keeping, traceability, human oversight, and technical documentation that a hand-edited log simply cannot satisfy with a straight face. UK-based suppliers serving EU users, and UK public bodies whose systems touch EU data subjects, do not get to opt out of that gravity. Meanwhile the migration to post-quantum cryptography is moving from advisory to expected, and AI liability is rising as courts and regulators stop accepting the algorithm did it as a defence. The direction of travel is unmistakable even where the precise numbers are not yet settled.

Read those trends together and they converge on one operational demand: durable, tamper-evident, future-proof proof of what an AI system did. A buyer who procures in 2026 without that capability is buying a system that will need re-engineering, at the worst possible moment, under regulatory pressure, when the costs and the scrutiny are both at their peak. A buyer who requires it up front pays for it once and is structurally ahead of the obligations rather than scrambling behind them. The cheap black box is only cheap until the regulator, the court, or the incident arrives. Then it is the most expensive thing on the books. I will add one disclosure here, because it bears on the durability point. The accountability mechanism I am describing is not a slide. The portfolio behind it runs to 101 filed UK patent applications, about 2,234 claims, owned by Mickai LTD, with me as the named inventor. I mention that not to impress but because a buyer choosing a substrate for a decade is entitled to know whether the thing has been built and protected or merely promised.

What a sovereign UK buyer should actually require

Strategy is cheap. The discipline is turning it into call-off questions with weightings attached, because an unweighted aspiration loses every time to a cheaper bid. So here, plainly, is what I would put in the specification, and what I would refuse to treat as optional.

  • Substrate control and jurisdiction: state where computation runs, under whose law, who holds the keys, and whether the supplier can be compelled to disclose data without the buyer's knowledge. Sovereignty that cannot be located on a map is not sovereignty.
  • Independent, offline verifiability of the audit trail: the buyer must be able to verify the record of system actions without trusting the vendor and without the vendor's infrastructure being online. If verification requires the supplier's dashboard, it is marketing, not audit.
  • Tamper-evidence by construction: append-only, hash-chained records where any alteration is detectable, with the commitment to record made before the action executes, not after.
  • Post-quantum integrity: signatures using recognised standards such as FIPS 204, so today's proofs survive tomorrow's cryptography.
  • Exit and continuity: a contractual and technical answer to what happens on termination, acquisition, or supplier failure, so the running system and its history outlive the commercial relationship.
  • Model portability inside the boundary: the ability to replace or upgrade the model without renegotiating data control or losing the audit history, because the model is the part that will change.

Notice that only one of those six is about the model. Five are about the substrate and the proof. That ratio is the whole argument of this piece rendered as a checklist. Notice too that none of these are exotic. They are testable, specifiable, and they can be made mandatory and weighted inside an RM6263 competition today. Nothing in the framework prevents a buyer from asking. The only thing that prevents it is habit, the pull toward the schedule that worked for buying something simpler. Break that habit once and the specification starts selecting for accountability instead of against it.

A gold-lit classical marble archway opening onto darkness, the threshold visible but the interior unknown, against a void black background.
The framework is the doorway. It does not tell you what kind of house you are walking into.

The honest caveats, and why they strengthen the case

Let me anticipate the objections, because a sovereign buyer should hear them from me rather than discover them later. Requiring offline-verifiable, post-quantum, sign-before-execute audit narrows the field of suppliers who can meet it. That is true. It is also the point. A requirement that every plausible bidder already satisfies is not a security requirement, it is decoration. The narrowing is the mechanism doing its job, separating systems built for the operator's accountability from systems built for the vendor's convenience.

Second objection: this costs more up front. Sometimes, yes. But the comparison is dishonest if it weighs only the build cost and ignores the re-engineering, the regulatory exposure, the unwinnable disputes, and the lock-in that a cheaper, unverifiable substrate guarantees later. Total cost of ownership for a system you cannot audit and cannot leave is not lower. It is deferred, and it compounds. I would rather a buyer pay the legible price now than the illegible one under duress.

Third, and most important to me as a builder: do not take any of this on my word. The entire design philosophy behind the Open Audit Record is that you should not have to. A claim of verifiability that you have to trust is a contradiction. Make every supplier, including mine, demonstrate it offline, in your own browser, before you sign anything. If a vendor cannot put the proof in your hands and step out of the room while you check it, that tells you everything the demonstration was meant to hide.

The choice, stated plainly

The UK sovereign-AI procurement choice in 2026 is not really between vendors or between models. It is between two philosophies of evidence. One says trust us, here is our log, here is our dashboard, and the integrity of the record rests on the integrity of the party you are trying to hold to account. The other says do not trust us, here is a record signed before each action, hash-chained, post-quantum, anchored to an external timeline, and checkable by you, offline, with us removed from the loop. Everything else in the procurement, the capability, the price, the user interface, is downstream of which philosophy the buyer chose, usually without realising a choice was being made at all.

RM6263, DSIT, and the NCSC give the UK buyer the instruments to choose the second philosophy. The frameworks will not make the choice for them, and the cheapest bid will always pull toward the first. So the responsibility lands exactly where it should, on the requirement the buyer writes. Specify the substrate. Demand the offline-verifiable, signed record. Make it mandatory and weighted, not aspirational. A system you can independently prove is a system you can govern, audit, contain, and replace. A system you can only believe is a system you have already, quietly, surrendered. Build on the ground you can verify, not the ground you are asked to trust.

ShareLinkedInXHacker NewsRedditMastodonBlueskyEmail
Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/substrate-is-the-choice-uk-sovereign-ai-procurement-2026. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles
15 Jun 2026
The Provenance of a Generated Molecule
A regulator and a court will both ask how an AI-generated drug candidate was derived. The molecule is the hypothesis. The signed, offline-verifiable record of its generation is the asset you can actually defend.
14 Jun 2026
The Logbook That Cannot Be Rewritten: Autonomous Vessels and the Discipline of the Signed Record
A ship's logbook was admissible in court because it was written in real time, in sequence, and could not be quietly rewritten after the fact. Autonomous vessels keep the data and throw away the discipline. Here is what the sea taught us about records, and why the only honest answer is a signed, hash-chained, offline-verifiable account of every decision a machine makes at sea.
13 Jun 2026
The Black Box AI Never Built: Why Every Machine Decision Needs a Flight Recorder
Aviation became the safest way to travel not because crashes stopped, but because every crash became investigable. The flight recorder turned disaster into evidence. Artificial intelligence makes millions of consequential decisions a day and keeps almost no equivalent record. I want to explain why that gap is the central safety problem of the next decade, and what a real fix looks like.
15 Jun 2026
When the Network Runs Itself: The Account Telecoms Regulators Will Demand
In modern telecoms, artificial intelligence makes thousands of operational decisions a minute, and almost none of them are written down in a form anyone can later check. That gap is about to become a regulatory problem. The fix is not a better dashboard. It is a signed, hash-chained, offline-verifiable account of what the network decided and why.
See all articles →