MICKAI
Article · 3 July 2026

The Compliance Studio: Continuous, Signed Evidence a Regulator Can Verify

We turn compliance from a quarterly scramble into a live, cryptographically signed record that any regulator can check independently.

Author
Micky Irons

Why most compliance evidence cannot be trusted

Ask most organisations to prove a control was working on a given Tuesday six months ago and you get a familiar answer. Someone exports a spreadsheet, takes a screenshot, or reconstructs a timeline from logs that anyone with the right access could have edited. The evidence looks plausible. It is also, in a strict sense, unverifiable. A regulator cannot tell the difference between a genuine record and a convincing reconstruction, because nothing in the artefact proves it was created at the time it claims, by the system it claims, and left untouched ever since.

We built Mickai as a Sovereign Intelligence Operating System (a SIOS) partly to close that gap. Compliance in a regulated business is not a document you produce once a quarter. It is a continuous state of affairs, and the evidence for it should be continuous too. The compliance studio inside Mickai treats every action the system takes as a fact that needs to be recorded, signed, and made independently checkable. Not summarised after the fact. Signed at the moment it happens.

What a compliance studio actually does

A studio in Mickai is a working environment where a group of specialist brains operate together on a class of problem. We run 50 specialist brains in total, 25 domain and 25 operational, all under deterministic governance, which means the rules that decide what is permitted are fixed and inspectable rather than improvised by a model in the moment. The compliance studio draws on the brains concerned with legal interpretation, policy, records, and risk, and it wraps their work in a discipline that ordinary software rarely applies to itself. It assumes it will be audited, and it prepares the proof before anyone asks.

Argus Panoptes, evoking continuous all-seeing capture of every regulated action
Argus never closes every eye at once, the way the studio watches each action that carries regulatory weight and captures its full context.

In practice, that means the studio does four things at once, continuously, while the business runs:

  • It watches the actions that carry regulatory weight, from a data access to a model decision to a change in a control, and it captures the full context of each one rather than a thin log line.
  • It signs each record cryptographically at the moment of creation, so the record carries its own proof of when it was made and that it has not been altered since.
  • It links records together so the sequence cannot be quietly reordered or have a gap papered over, which is where reconstructed evidence usually falls apart.
  • It keeps the whole chain on hardware the customer owns, so the evidence never leaves the building and never depends on a third party choosing to hand it back.
Themis, evoking deterministic governance and fixed, inspectable rules
Themis holds the rule steady and visible, the way deterministic governance fixes what is permitted rather than improvising it in the moment.
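
The linking property in the third bullet can be checked by a verifier with nothing more than a hash function. The sketch below is an added example, not Mickai's code or the Open Audit Record format: the field names (`seq`, `prev_hash`, `action`, `context`), the use of SHA-256 for linking, and the sample records are assumptions, and the ML-DSA-65 signature check over each record is not shown.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed sentinel: prev_hash of the first record


def record_hash(rec):
    """SHA-256 over a canonical JSON encoding of the whole record."""
    body = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


def append(chain, action, context):
    """Add a record that commits to the hash of its predecessor."""
    prev = record_hash(chain[-1]) if chain else GENESIS
    chain.append({"seq": len(chain), "prev_hash": prev,
                  "action": action, "context": context})


def verify_chain(chain, expected_head=None):
    """Return a list of findings; an empty list means the links hold."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            findings.append(f"position {i}: seq {rec['seq']} (gap or reorder)")
        if rec["prev_hash"] != prev:
            findings.append(f"position {i}: prev_hash does not match predecessor")
        prev = record_hash(rec)
    # Truncating the tail leaves every link intact, so the verifier must
    # compare against a head hash it obtained out of band.
    if expected_head is not None and prev != expected_head:
        findings.append("head hash differs from the value held by the verifier")
    return findings


def sample_chain():
    """Constructed sample records, not real audit data."""
    chain = []
    append(chain, "data_access", {"user": "analyst-1", "table": "claims"})
    append(chain, "model_decision", {"model": "risk-v1", "outcome": "refer"})
    append(chain, "control_change", {"control": "retention", "days": 365})
    append(chain, "data_access", {"user": "analyst-2", "table": "claims"})
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    head = record_hash(chain[-1])
    edited = copy.deepcopy(chain)
    edited[1]["context"]["outcome"] = "approve"
    print(verify_chain(chain, head), verify_chain(edited, head))
```

Linking alone does not stop a party with write access from rebuilding the whole chain or dropping its tail, which is why the check takes a head hash held outside the system and why each record is also signed.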

The Open Audit Record

The mechanism underneath all of this is what we call the Open Audit Record. Every action the system takes produces one. Each record is signed, so its integrity can be checked by anyone holding the corresponding public key, and the signature scheme is post-quantum, using ML-DSA-65. We chose a post-quantum signature deliberately. Compliance evidence has a long life. A record signed today may need to stand up to scrutiny in a decade, and a signature that a future quantum computer could forge is not evidence, it is a liability with a delay on it. We would rather the record be provably genuine for its whole useful life than merely convenient today.

The word open matters as much as the word audit. A signed record is only useful to a regulator if the regulator can verify it without trusting us. So the record is designed to be checked with standard cryptography and the public half of the key, independently of Mickai and independently of the customer. The verifier does not have to believe a vendor claim. They run the check themselves and either the signature holds or it does not.

The goal was never to persuade a regulator that we are trustworthy. It was to make trust unnecessary, so they can check the evidence for themselves and reach their own conclusion.

Micky Irons, founder of Mickai
Aion, evoking a signature built to hold for the whole life of the record
Aion carries time in an unbroken ring, the way a post-quantum signed record is built to stand up to scrutiny for its whole useful life.

Why the record has to stay on the customer's own hardware

There is a version of this idea that lives in a cloud service, and it would be far weaker. If the audit trail sits on infrastructure the customer does not control, then the chain of custody runs through whoever operates that infrastructure. The customer is once again trusting a promise. Mickai runs on the customer's own hardware, on premises and air gapped where the work demands it, with zero data egress and no public cloud round trip. The compliance evidence is generated, signed, and stored inside the same boundary as the work it describes.

That has a direct regulatory benefit. A supervisor examining a bank, an insurer, a hospital, or a public body wants to know that the evidence they are shown is the evidence that was created, not a curated copy that travelled through several systems on the way. When the record never leaves the customer's control, the chain of custody is short and legible. The memory belongs to the customer. We do not hold it, we do not need to hold it, and the absence of an outbound copy is itself part of what makes the record credible.

From quarterly scramble to continuous readiness

The practical change for a compliance team is a change of tense. Today, much of the work is retrospective. An examination is announced, and a team spends weeks assembling a story about the past from imperfect sources. With a compliance studio running continuously, the evidence already exists in a form that stands on its own. The question shifts from "can we reconstruct what happened?" to "which signed records would you like to check?" That is a calmer place to run a regulated business from, and it is a far cheaper one, because the expensive part of compliance has always been the reconstruction, not the compliance itself.

Hades, evoking ownership, custody, and evidence that never leaves the boundary
Hades holds the key to what stays within his realm, the way the record is generated, signed, and kept on hardware the customer owns.

It also changes the relationship with the regulator. Continuous signed evidence lets a supervisor sample the record at any point rather than waiting for a scheduled window, and it lets them verify each sample independently. The conversation becomes less adversarial because there is less to argue about. The facts are signed. The timeline is linked. The keys are the customer's own.

Built to be examined, and being examined already

This approach is protected by a substantial body of intellectual property. We have 104 filed UK patent applications covering the architecture, comprising approximately 2,340 claims, with full specifications, claims, and figures, now building toward examination and grant. The compliance studio, the Open Audit Record, and the governance model that binds them sit within that filed portfolio. We describe them as filed applications because that is what they are, and because a regulated buyer values precision about status over enthusiasm.

Nike, evoking continuous readiness and a calmer footing with the regulator
Nike arrives already victorious, the way continuous signed evidence turns an examination into records ready to be checked rather than a story to reconstruct.

The market has started to notice the shape of what we are building. Our own public Crunchbase signal now places our founder at number 2 on Crunchbase, and the company Heat Score has reached 94 out of 100, having climbed from single digits. We cite that because it is a public, independently visible signal rather than a claim we control. It tells us that the idea of sovereign, verifiable intelligence is landing with the people who track where the next serious infrastructure is coming from.

Where this goes next

The direction of travel in regulation is clear enough. Supervisors want to see continuous assurance rather than periodic attestation, and they increasingly want to interrogate the systems that make automated decisions rather than accept a summary of them. A compliance studio that produces signed, linked, independently verifiable evidence on the customer's own hardware is built for exactly that world. As examination regimes tighten and as automated decisions come under closer scrutiny, the organisations that can hand a regulator a record they can check for themselves will move faster and worry less than the ones still assembling a story after the fact. We intend for Mickai to be how they do it, and we are building toward that with the evidence signed before anyone thinks to ask for it.


Originally published at https://mickai.co.uk/articles/the-compliance-studio-signed-evidence-for-regulators. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.