MICKAI
Article · 1 July 2026

The Board and the AI Oversight Duty

Why signed, verifiable lineage is the only foundation on which a board can honestly oversee automated decisions

The Board and the AI Oversight Duty
Author
Micky Irons
Published
1 July 2026
Follow Micky Irons
LinkedInX
ai governanceboard oversightauditabilitysovereign aicompliance

Every board minute records the same sentence in one form or another: the directors reviewed the reports before them and were satisfied. For most of corporate history that was enough, because the reports were made by people who could be summoned, questioned, and held to account. Artificial intelligence has quietly broken that arrangement. When a model approves a payment, adjusts a limit, or rejects a claim, the board is asked to oversee a decision that no human made and that no one can fully reconstruct after the fact.

Oversight is not a feeling of confidence. It is a verifiable claim about what happened, who authorised it, and whether the record can be trusted. Directors can only oversee what they can verify, and most AI in production today offers nothing to verify. At Mickai we built our Sovereign Intelligence Operating System, a SIOS, around that single hard truth: if the board cannot check the lineage of an automated decision, the board is not overseeing it, it is hoping.

The duty has not changed, but the ground beneath it has

A director's duty of oversight is old and well settled. Boards must ensure that a functioning system exists to surface material risks and to catch failures before they become crises. Courts have been steadily raising the bar, and regulators from the EU Artificial Intelligence Act (EU AI Act) to the Digital Operational Resilience Act (DORA) now expect named accountability for automated systems that touch customers, capital, or safety.

What has changed is the object of oversight. A loan committee can interrogate a lending officer. A board cannot interrogate a probability distribution. When the decision-maker is a statistical model that produced an answer from millions of parameters, the traditional method, ask the human and read the file, simply returns nothing. The duty is unchanged. The evidence it depends on has vanished.

A towering marble statue of the blindfolded goddess Themis holding balanced scales, lit by a single beam of gold light against a black void.
Like Themis weighing every claim, oversight demands evidence that cannot be tilted after the fact.

Why dashboards are not evidence

Most organisations respond to this gap by buying a dashboard. A dashboard shows a number, and a number feels like control. But a dashboard is a summary produced by the very system it claims to monitor, rendered after the fact, and editable by whoever controls the pipeline. It answers the question the supplier chose to answer, not the question a regulator will ask under oath.

The questions that matter are unforgiving. Which model version made this decision? What data did it see? Who approved its deployment, and when? Has the record been altered since? A green tile on a screen cannot answer any of these, because it carries no proof of its own integrity. Oversight built on dashboards is oversight built on trust in a party who has every incentive to look competent. That is precisely the situation the duty exists to prevent.

A giant marble figure of Argus Panoptes covered in many watchful eyes, emerging from darkness under a thin gold light.
Argus watched with a hundred eyes, but a dashboard sees only what its maker chose to show.

Signed lineage makes oversight real

Real oversight needs an evidence trail that the overseen party cannot rewrite. In our SIOS, every automated action is bound to an Operation Attestation Record (OAR) that is signed BEFORE the action executes, not logged afterwards. The record captures which brain acted, on what inputs, under whose authority, and against which policy. Nothing runs without one.

Those records are chained together using SHA-3-512 hash-linking, so each entry seals the one before it. Change a single field anywhere in the history and every subsequent link breaks visibly. The signatures use post-quantum cryptography, the Federal Information Processing Standard 204 (FIPS 204) ML-DSA-65 scheme, so the proof survives even the arrival of quantum computers that could forge older schemes. The result is a tamper-evident, cryptographically-signed audit ledger. A director does not have to believe the supplier. The director, or an auditor, or a regulator, can verify the chain independently and offline.

Verification the board can perform without the supplier

The word offline carries the real weight. If verifying a decision requires logging into the same system that produced it, the system marks its own homework. Our attestation ledger verifies with public keys against a local copy, on hardware the board controls, with no call back to any live service. An independent auditor can take the ledger, check every signature and every hash-link, and confirm that the record is complete and unaltered without ever touching production.

A vast marble statue of the many-headed Hydra coiling upward from darkness, each severed neck sealed in gold light.
Break one link of a hash-chained record and, like the Hydra's necks, every joint above it shows the wound.

This is what turns a governance slide into a governance fact. When the board asks whether a particular automated decision was authorised, the answer is no longer a manager's recollection. It is a signature that mathematically ties the action to an approved policy, an approved brain, and, for high-stakes actions, to multi-brain plus voice-biometric approval by named individuals. The minute can now record something true: the directors verified the lineage, and here is the proof they relied on.

Sovereignty is what keeps the evidence admissible

Evidence that lives on infrastructure the customer does not control is evidence someone else can alter, withhold, or lose. Our SIOS runs on hardware the customer owns, air-gapped or on-premise, with zero data egress. The audit ledger never leaves the boundary the board is responsible for. That is not a rejection of the public cloud. The cloud giants are allies operating at a different layer, and they do superb work at scale.

A giant marble figure of Atlas straining to hold a great sphere on his shoulders, lit by gold light against a black void.
The board carries the weight like Atlas, so the evidence must rest on ground it alone controls.

Mickai serves the regulated boundary the public cloud cannot cross on the customer's own terms, the place where data cannot leave the building and where the board must be able to prove control to a supervisor. Brains are revocable, so a model that misbehaves can be withdrawn, and the withdrawal itself is attested. The capabilities behind this sit within 104 filed UK patent applications, about 2,340 claims, owned by Mickai LTD, each describing a mechanism for making automated action provable rather than merely plausible. Oversight, in this design, is a property of the substrate, not a promise on a slide.

The bottom line

A board cannot delegate its duty of oversight to a system it cannot inspect. As AI moves from advising humans to acting on their behalf, the difference between overseeing and hoping comes down to one question: can the directors independently verify what the machine did and who allowed it. Signed lineage, hash-linked and post-quantum sealed, on hardware the customer owns, is what makes the honest answer yes. That is the standard we built into Mickai, because in the end the board is accountable for the decision whether or not anyone can prove how it was made. We think they should be able to prove it.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/the-board-ai-oversight-duty. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles
4 Jul 2026
Sovereign AI for Central Banks
A central bank cannot send its rate deliberations or supervisory secrets to anyone else's cloud. We built Mickai, a Sovereign Intelligence Operating System, so monetary and supervisory intelligence runs entirely offline on hardware the bank owns, with independence proven, secrecy architectural and every decision signed before it acts.
4 Jul 2026
Sovereign AI for Defence Primes
Defence primes hold the most sensitive programme data in the world, and the public cloud cannot cross the boundary that protects it. We built Mickai as a Sovereign Intelligence Operating System that runs on hardware the prime owns, air-gapped, where every action is cryptographically signed before it executes and every brain can be revoked in seconds.
4 Jul 2026
Sovereign AI for Maritime and Shipping
Fleets and ports need intelligence that keeps deciding when the satellite link dies and keeps an honest record no one can edit. Mickai runs on the operator's own hardware, at sea and on the quay, with zero data egress and a post-quantum signed ledger. Autonomy where the connection ends, governance that never does.
4 Jul 2026
Sovereign AI for Aerospace
Aerospace cannot ship export-controlled geometry to borrowed cloud infrastructure or hand engineers unexplained answers. We built Mickai, a Sovereign Intelligence Operating System, to run design and safety-case intelligence on hardware the customer owns, with zero data egress and cryptographic provenance signed onto every artifact before it exists.