The Law Closed the "The AI Did It" Defence. Now You Need the Proof

The excuse expired on 1 January 2026

On 1 January 2026, California Assembly Bill 316 (AB 316) came into force, and it does one precise thing: it bars a defendant from using an artificial intelligence (AI) system's autonomous operation as a defence to liability. You can no longer stand before a court and say the model acted on its own, so the harm is not yours. In the same month, Singapore launched the first national agentic-AI governance framework, holding organisations accountable for the actions of their software agents whether or not they signed up to any code of practice. Across the Atlantic, the European Union (EU) Artificial Intelligence Liability Directive lowers the burden of proof for people harmed by an automated decision, shifting the weight of explanation onto the operator. Three jurisdictions, one direction of travel. Autonomy has stopped being a shield.

What the three measures actually say

It is worth being exact, because the engineering consequence follows from the wording. AB 316 does not regulate how a model is built. It removes a category of argument. Where a person is injured by a system that operated without direct human instruction in the moment, the operator cannot point at the system's independence as the reason they are not responsible. The responsibility attaches to the party who deployed the agent and benefited from it.

Singapore's framework takes the agentic case head on. An agent is not a single inference. It is a loop that plans, calls tools, reads and writes data, and takes consequential actions in the world. The framework says that when an organisation puts such an agent into operation, the organisation answers for what the agent does, full stop, whether or not it adopted any optional guidance. The EU Artificial Intelligence Liability Directive comes at the same problem through procedure: it makes it easier for a claimant to establish causation, because the operator, not the victim, holds the information about how the system behaved. If you cannot produce that information, the inference runs against you.

The common thread is evidence, not intent

Read together, these measures move the contest from a question of philosophy to a question of records. The old debate asked whether a machine can be said to act and whether a sufficiently complex system is anyone's responsibility at all. The new regime sidesteps all of it and asks three concrete questions. What did the agent do. Under whose authority did it do it. Could a human have stopped it before the consequence landed. Each is answerable only with a record a court or regulator will accept as faithful to what actually happened.

This is where most organisations are exposed and do not yet know it. Their agentic systems run inside a vendor's platform, and the log of what the agent did is the vendor's log. It lives in the vendor's database, under the vendor's control, formatted to the vendor's convenience, and editable by the vendor's staff. When liability turns on that record, you are in an impossible position. You cannot use it to defend yourself, because the other side can argue it was curated. You cannot use it to exonerate yourself, because you did not generate it and cannot prove it was not altered. An audit trail you do not own is not evidence. It is a story someone else can rewrite.

What an answerable record requires

If the law now demands proof, the proof has properties, and they are engineering properties, not policy aspirations. First, every action must be attributed to a named authority, so the record shows not just that something happened but that it happened on behalf of a specific human or role with standing to authorise it. Second, the record must be tamper-evident, so any later edit is detectable rather than silent. Third, it must be verifiable by a party who does not trust you, because evidence you can only check with your own tools persuades no one. Fourth, it must be replayable, so the sequence of decisions can be reconstructed rather than merely summarised. A log that lacks any one of these fails the test AB 316 and the EU Artificial Intelligence Liability Directive now impose.

The agentic case adds a fifth property. Singapore's framework cares not only about what was recorded after the fact, but about whether a dangerous action could have been stopped before it ran. That is a question about the moment of execution, not the moment of audit. A record proving a catastrophe was faithfully logged is small comfort if nothing stood between the agent's decision and the irreversible act. Accountability that only arrives in hindsight is incomplete.

Mickai's substrate was built for exactly this question

Mickai is a Sovereign Intelligence Operating System (SIOS). It is built, live, and production-ready, and its design assumes that every action an agent takes will one day have to be defended. Every action is signed before it executes, using the Federal Information Processing Standard 204 (FIPS 204) ML-DSA-65 algorithm, a National Institute of Standards and Technology (NIST) post-quantum standard, so the signature attaches to the act at the moment of the act rather than being stitched on afterward. Each signed action is attributed to a specific authority. The actions are hash-chained into the Open Audit Record (OAR), an append-only ledger where any later tampering breaks the chain and becomes visible. A browser-resident verifier, compiled to WebAssembly, checks any record offline with no network connection, so a regulator, an insurer, or an opposing expert can confirm its integrity without trusting Mickai, the operator, or any server. The operator holds the signing keys in a Trusted Platform Module (TPM) and owns the hardware, the keys, and the audit chain.

For the question Singapore poses, about stopping the act before it runs, Mickai includes Sentinel, a sub-component that stops AI agents wiping or exfiltrating data by gating dangerous operations at the moment of execution rather than after the fact. A destructive or exfiltrating action does not proceed on a single agent's say-so. Several brains must independently agree before it runs, and authority is checked at execution, not merely declared in a policy document. Mickai runs fifty brains: twenty-five domain specialists and twenty-five operational brains, the latter comprising the eight-brain Chronus Kernel cognitive core, the two Custodians MNEMOSYNE and AESCULAPIUS, and fifteen Specialists. They run on the Poseidon silicon substrate, and the independent agreement of several brains is the structural answer to whether a human could have stopped it.

Why the audit chain has to be the operator's

The whole edifice rests on ownership, the point most cloud agentic platforms cannot meet without dismantling their own business model. If the record sits in the vendor's infrastructure, the operator is accountable under AB 316 and the EU Artificial Intelligence Liability Directive but does not control the only evidence that could discharge that accountability. That is the worst of both worlds: you carry the liability and someone else carries the proof. Mickai inverts it. The signing keys live in your TPM, the hash-chained ledger on hardware you own, and the verifier needs no server, so your evidence does not depend on the cooperation, solvency, or good faith of any third party. This is what sovereign means here: the operator owns the hardware, the keys, and the audit chain. It is an honest boundary drawn around the AI activity, not a claim over your whole machine and not a claim to have trained frontier models from scratch. The brains build on open foundation models, Llama 3.2 and Qwen 2.5, specialised through fine-tuning and distillation, and Mickai is actively training its own models now.

The same ownership logic runs through Pantheon, the sovereign settlement layer being brought to mainnet. Pantheon is a Layer 1 blockchain written in Rust on the Polkadot software development kit, with the audit record as a native consensus object rather than an afterthought, fifteen Layer-2 application chains above it, and the audit root anchored to Bitcoin on a cadence so the chain of evidence is witnessed beyond any single operator. Its token, PAN, has a fixed total supply of five billion. The architecture behind all of this is documented in 101 filed United Kingdom patent applications carrying approximately 2,234 claims, all owned by Mickai LTD, with named inventor Micky Irons. Filed, and described by what they contain rather than any claim of grant.

The defence you can no longer improvise

The instinct of recent years was to treat audit as something you assemble when an incident forces you to: pull the logs, reconstruct the timeline, write the report. That instinct is now obsolete, because records that survive scrutiny cannot be created retroactively. A signature proving an action's authorship has to be applied at the moment the action runs, by a key only the operator holds. A chain proving nothing was altered has to be unbroken from the start. A verifier that convinces a hostile party has to be independent of the party producing the evidence. None of these can be manufactured after the harm, after the claim, after the subpoena.

AB 316, Singapore's agentic framework, and the EU Artificial Intelligence Liability Directive have settled the argument that autonomy ends responsibility. It does not. What is unsettled, for almost everyone deploying agents today, is whether they can prove their own case. Mickai exists so the answer is yes: every action signed and attributed before it runs, hash-chained into a record the operator owns, gated at execution so the dangerous act can be stopped, and verifiable by anyone, offline, without trusting the people who made it. When the law asks what your agent did and on whose authority, that is the record that answers. The excuse is gone. The proof is the only thing left, and it has to be built before you need it.