MICKAI
Article · 29 May 2026

When the Agent Writes the Code

Provenance captured per edit and per token turns an autonomous agent's output into a record a regulator can walk.

Author: Micky Irons
Published: 29 May 2026
Tags: ai-agents, code-synthesis, provenance, audit-trail, document-lineage

A merge request lands at two in the morning. The diff is clean, the tests pass, and the author field reads like a person. Somewhere upstream an autonomous coding agent took a one-line instruction, planned a change across nine files, and pushed it. By the time a human approves it, the chain of intent has gone cold. The reviewer can see what changed. Nobody can prove why, or whose words those lines actually were.

That gap is the defining governance problem of the 2025 to 2026 wave of generative tooling. Agents now open pull requests, draft policy memoranda, and produce first-pass contracts. The artefacts look authored. The accountability behind them is thin. When a defect ships or a clause is challenged, the question is no longer only whether the output was correct, but who is answerable for it, and in what order the machine and the human contributed.

Mickai treats that question as a recording problem rather than a trust problem. The Sovereign Intelligence Operating System assumes the agent will write a great deal, and arranges for every step of that writing to be captured, measured, and signed at the moment it happens. The result is an Open Audit Record, a hash-linked chain that a later verifier can replay in a browser without trusting the system that produced it.

The line is the unit of accountability

For source code, the relevant subsystem is described in a filed UK patent application for a sovereign code-synthesis audit trail with line-level lineage from spoken intent, GB2611888.5. Its premise is that the meaningful unit of accountability is not the file or the commit but the individual line.

For every line an agent generates, the subsystem constructs a lineage tuple. That tuple carries an intent hash derived from the captured operator utterance, a plan-step hash, the model identifier, a prompt hash, an operator-bound signing-key identifier, and a non-falsifiable timestamp. Each tuple is signed under ML-DSA-65, the module-lattice digital signature standardised in FIPS 204. The point of the post-quantum primitive is durability: a regulated record drafted today may be interrogated a decade from now, long after the agent and its model have been retired.

The signed tuples are emitted as git notes against the introducing commit and surfaced in the operator's development environment as hover attribution, so the person reviewing the diff sees, line by line, the intent and the model behind it. An export pipeline turns the same evidence into an SPDX-AI Software Bill of Materials suitable for submission under IEC 62304, DO-178C, ISO 26262, and IEC 60880. Those are the standards that govern software in medical devices, aircraft, road vehicles, and nuclear instrumentation, where the provenance of a generated line is not a nicety but a condition of certification.
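The lineage tuple and its later check can be sketched as follows. This is an added example, not Mickai's code: HMAC-SHA256 stands in for ML-DSA-65 so that it runs on the Python standard library alone, and the field names, the `line_hash` and `prev` fields, and all sample values are assumptions.

```python
import hashlib, hmac, json

GENESIS = "0" * 64

def h(text):
    return hashlib.sha256(text.encode()).hexdigest()

def canon(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))

def sign(key, payload):
    # Stand-in only: HMAC-SHA256 replaces ML-DSA-65 so the example needs no
    # third-party library. A real verifier would hold only the public key.
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def make_record(key, prev, line, utterance, plan_step, model_id, prompt, key_id, ts):
    body = {
        "intent_hash": h(utterance), "plan_step_hash": h(plan_step),
        "model_id": model_id, "prompt_hash": h(prompt),
        "signing_key_id": key_id, "timestamp": ts,
        "line_hash": h(line), "prev": prev,  # assumed fields: bind text and chain
    }
    return {**body, "sig": sign(key, canon(body))}

def verify_chain(key, records, lines):
    """Return the index of the first record that fails, or -1 if all verify."""
    prev = GENESIS
    for i, (rec, line) in enumerate(zip(records, lines)):
        body = {k: v for k, v in rec.items() if k != "sig"}
        if (rec["prev"] != prev or rec["line_hash"] != h(line)
                or not hmac.compare_digest(rec["sig"], sign(key, canon(body)))):
            return i
        prev = h(canon(rec))
    return -1 if len(records) == len(lines) else min(len(records), len(lines))

def build_sample(key):
    # Constructed sample: two generated lines from one spoken instruction.
    lines = ["def clamp(x, lo, hi):", "    return max(lo, min(x, hi))"]
    records, prev = [], GENESIS
    for n, line in enumerate(lines):
        rec = make_record(key, prev, line, "add a clamp helper", f"step-{n}",
                          "example-model-1", "constructed prompt", "op-key-01",
                          f"2026-05-29T02:00:0{n}Z")
        records.append(rec)
        prev = h(canon(rec))
    return records, lines
```

Changing a line, editing any tuple field, or dropping a record makes `verify_chain` return the index where the evidence stops matching.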

[Figure: Code, the tooling brain in the Mickai cooperative. It reads, writes, refactors, and tests code on device, and the source never leaves the machine, which is what lets every generated line carry signed line-level lineage.]

When an agent writes the code, the record has to answer which words came from the machine, which from a human, and in what order.

Documents that can be unwound

Prose has the same problem in a different shape. A contract or a policy is rewritten many times by many hands, some of them now synthetic, and a clause that looked settled may need to be reversed weeks later without disturbing everything built on top of it.

A filed UK patent application for sovereign document composability with type-safe inversion, GB2611896.8, addresses this. Every edit is treated as a typed action that carries its own declared inverse. A type system validates that the inverse will restore the pre-edit state exactly, and the action is appended to a hash-linked CBOR ledger signed under an operator-controlled post-quantum module-lattice key.

The cleverness is in the unwinding. A dependency directed acyclic graph is built over the recorded actions, so that reversing a past edit does not naively roll back everything after it. Instead a compensating-inverse propagator walks the graph and emits the minimal sequence of compensating actions needed to restore the document, even where later edits depended on the one being reversed. The subsystem integrates as an adapter into Microsoft Word, Google Docs, and Notion, with an eIDAS-bridge for qualified-signature legal authoring, so the audit trail lives inside the tools people already draft in.
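The unwinding can be illustrated with a small model. This is an added example, not the algorithm from the patent application: the document is assumed to be a dictionary of clauses, each edit declares the earlier edits it depends on, and the ledger's hashing and signing are left out; all names and sample clauses are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Edit:
    id: str
    clause: str          # key in the assumed dict-of-clauses document model
    before: object       # exact pre-edit value (None = clause absent)
    after: object        # post-edit value (None = clause removed)
    deps: tuple = ()     # ids of earlier edits this one builds on

    def inverse(self):
        return Edit(self.id + "~", self.clause, self.after, self.before)

def apply(doc, e):
    if doc.get(e.clause) != e.before:
        raise ValueError(f"{e.id}: pre-state mismatch on {e.clause}")
    out = dict(doc)
    if e.after is None:
        out.pop(e.clause, None)
    else:
        out[e.clause] = e.after
    return out

def replay(doc, edits):
    for e in edits:
        doc = apply(doc, e)
    return doc

def inverse_is_exact(doc, e):
    """Validation step: the edit followed by its inverse must restore doc exactly."""
    try:
        return replay(doc, [e, e.inverse()]) == doc
    except ValueError:
        return False

def compensate(ledger, target_id):
    """Inverses for the target and its transitive dependents, newest first."""
    affected = {target_id}
    for e in ledger:                  # append order, so one pass closes the set
        if affected & set(e.deps):
            affected.add(e.id)
    return [e.inverse() for e in reversed(ledger) if e.id in affected]

# Constructed sample: A defines a term, B and D build on it, C is unrelated.
BASE = {"s9.notices": "Notices by post."}
LEDGER = [
    Edit("A", "def.supplier", None, "Supplier means Acme Ltd."),
    Edit("B", "s4.liability", None, "The Supplier is liable.", deps=("A",)),
    Edit("C", "s9.notices", "Notices by post.", "Notices by email."),
    Edit("D", "def.supplier", "Supplier means Acme Ltd.",
         "Supplier means Acme Ltd and affiliates.", deps=("A",)),
]
```

Reversing A yields compensating actions for D, B and A only; the unrelated edit C survives, which is the difference from a plain rollback to the state before A.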

Keeping the paths not taken

Generated work is iterative, and the discarded attempts carry information. A filed UK patent application for sovereign edit-distance tracking with per-iteration signed lineage, GB2611897.6, captures the whole arc rather than only the destination.

Each iteration of a refined asset is measured under a domain-appropriate edit-distance metric and signed at the moment it is produced. The parent-child relationship between versions is recorded as an edge of an iteration tree, signed in operator-controlled hardware. Abandoned branches are not deleted. They are retained under a configurable policy, themselves signed and hash-linked into the same lineage.

Given the final asset, its manifest, and the operator public key, a verifier can walk backwards through every accepted and every abandoned iteration to the first generation. That matters for derivative-work copyright clearance, for determining authorship of an AI output, and for forensic reconstruction of how a final artefact was actually reached when someone later asks.
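A verifier's backward walk over such an iteration tree might look like this. It is an added example, not Mickai's implementation: Levenshtein distance is assumed as the metric for a text asset, node identifiers are assumed to be truncated SHA-256 hashes over parent and content, signatures are omitted, and the sample iterations are constructed.

```python
import hashlib

def lev(a, b):
    """Levenshtein distance, the metric assumed here for text assets."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def node_id(parent_id, content):
    return hashlib.sha256(f"{parent_id}|{content}".encode()).hexdigest()[:16]

def add(tree, parent_id, content, status):
    parent_text = tree[parent_id]["content"] if parent_id else ""
    nid = node_id(parent_id, content)
    tree[nid] = {"parent": parent_id, "content": content, "status": status,
                 "distance": lev(parent_text, content)}
    return nid

def check_node(tree, nid):
    n = tree[nid]
    parent_text = tree[n["parent"]]["content"] if n["parent"] else ""
    if node_id(n["parent"], n["content"]) != nid:
        raise ValueError(f"hash link broken at {nid}")
    if lev(parent_text, n["content"]) != n["distance"]:
        raise ValueError(f"recorded distance wrong at {nid}")

def walk_back(tree, final_id):
    """Check every node, then return (path first..final, abandoned ids)."""
    for nid in tree:
        check_node(tree, nid)
    path, nid = [], final_id
    while nid:
        path.append(nid)
        nid = tree[nid]["parent"]
    abandoned = [k for k, n in tree.items() if n["status"] == "abandoned"]
    return path[::-1], abandoned

def build_sample():
    # Constructed sample: one abandoned branch beside the accepted line of descent.
    tree = {}
    root = add(tree, "", "pay within 30 days", "accepted")
    add(tree, root, "pay within 30 days net", "abandoned")
    mid = add(tree, root, "pay within 14 days", "accepted")
    final = add(tree, mid, "payment within 14 days", "accepted")
    return tree, final
```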

Down to the token, across languages

Translation is where provenance becomes most granular, because a single mistranslated phrase in a regulatory filing or a treaty draft can carry real consequence. A filed UK patent application for sovereign translation provenance with per-token bilingual lineage, GB2611899.2, signs the output one token at a time.

For every output token, a signed lineage record identifies the source tokens it derives from, extracted by cross-attention. The record carries a confidence scalar computed from softmax-margin or ensemble disagreement, and, where a bilingual dictionary exists, an alignment score corroborating the choice. The per-token records are bound into a translation manifest signed under an operator-controlled module-lattice key in hardware and hash-linked into the Open Audit Record.

The verification model is the same one that runs through all four subsystems. A challenger can interrogate any individual phrase offline, without re-translating the document and without contacting the system that produced it. The arrangement covers at least 450 living languages and handles one-to-many, many-to-one, zero-to-one, and reordered alignments, which is where naive word-for-word provenance tends to fail.

Why the record has to be portable

These four subsystems share one design choice that decides whether any of it is useful. Verification does not depend on the originating system being online, honest, or even still in existence. The evidence travels with the artefact:

  • A signed lineage record for the unit that matters, whether a line, an edit, an iteration, or a token.
  • A post-quantum signature under an operator-controlled key, so attribution survives the retirement of the model.
  • A manifest that hash-links into the Open Audit Record and replays end-to-end in a browser.

For a regulated industry, that is the difference between asserting a process was followed and demonstrating it. For public-sector procurement, it lets a buyer require provenance as a delivered artefact rather than a vendor promise. And for the broader question of accountability when an autonomous agent acts, it shifts the answer from trust to proof. These capabilities sit among 57 filed UK patent applications behind the Mickai SIOS, all naming the inventor Micky Irons on the UK Intellectual Property Office register from GB2607309.8 onward. They are filed applications, not granted monopolies. What they describe is already the shape of the question every organisation now letting a machine write on its behalf will be asked to answer.

[Figure: Audit Ledger, the governance brain in the Mickai cooperative. Every signed line, edit, iteration, and token hash-links into the post-quantum DAG it maintains, which is what a verifier replays in a browser to settle who wrote what.]
Originally published at https://mickai.co.uk/articles/when-the-agent-writes-the-code. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.