MICKAI
Article · 19 June 2026

When the Inference Itself Must Carry a Signature

Signed output is not enough. The act of thinking has to be sealed.

Author: Micky Irons

A signature is a promise about the past. When I sign a document, I am telling a future reader that I, and not someone else, stood behind these words at this moment. We have spent forty years building the cryptography to make that promise unforgeable. Yet as machines began to write, to decide and to act, we quietly accepted a far weaker promise, and almost nobody noticed the swap.

Here is the swap. We learned to sign what a machine produced, and we forgot to sign that the machine produced it, under what mandate, from which inputs, running which version of its own mind. We signed the noun and left the verb naked. The artefact carries a seal. The act of thinking does not. In an age where the thinking is the product, that gap is not a detail. It is the whole argument.

The artefact is not the event

Consider what most signed-AI claims actually do today. A model returns an answer, a wrapper hashes the text, a key signs the hash, and a green tick appears. The text is now tamper-evident. Change a single character and the signature breaks. This is genuinely useful and I do not want to wave it away. But ask the harder question, the one a serious adversary or a serious auditor will ask. What exactly has been proven?

It has been proven that this string of characters existed and was signed by this key. It has not been proven which model wrote it, which version of that model, on which inputs, under whose authority, or whether the reasoning that produced it was the reasoning the operator was entitled to run. All of that, the entire causal story of the decision, sits outside the signed envelope. It is deniable by construction.

Deniability is the point I want to press. A signed artefact with an unsigned inference path lets everyone keep their options open. The vendor can say the output was tampered with downstream. The operator can say a different model produced it. The regulator cannot prove which version ran. The artefact survives, and the truth of the event evaporates. We have built a seal that protects the words and abandons the witness.

[Image: A void-black forge lit by satin gold fire, Hephaestus raising a hammer over a blade that glows white hot on the anvil, a seal die held ready against the molten edge.]
The seal goes in while the metal is still molten, not scratched on afterwards once it has cooled.

What a real verifier needs in 2035

Set the scene a decade out. A dispute reaches an arbiter in 2035. The question is not what the answer said, the answer is on file. The question is whether a particular machine, under a particular mandate, on a particular day, truly produced that decision, or whether someone reconstructed a convenient version after the fact. The arbiter cannot call the model as a witness. The arbiter has only what was sealed at the moment of the act.

So what would let that arbiter rebuild the event rather than merely read the output? The binding has to reach further than the text. It has to tie the decision to its origins so tightly that the story cannot be retold.

  • The model itself, identified by a cryptographic measurement of the actual weights and runtime, not a version string a vendor can reassign.
  • The inputs the model saw, the prompt, the retrieved context, the tools it was permitted to call, hashed and bound into the same record.
  • The authority under which it ran, the mandate, the operator identity, the policy in force at that instant, so the act is tied to a right to act.
  • The output, of course, but as one bound field among several, not as the lonely object that carries the whole proof.
  • The time and the chain position, so the event sits in an ordered history that cannot be silently reordered.

Bind those together under one signature and you have sealed an event, not an artefact. The arbiter in 2035 can now state, with cryptographic confidence, that this machine, holding these weights, having seen these inputs, acting under this mandate, produced this decision at this moment. That is a different category of claim. That is signed inference, post-quantum, and it is the claim I think the next decade will demand.
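
An added example, not Mickai's code or its Open Audit Record format: one way to bind the five fields listed above into a single signed, chained record. The field names and sample values are assumptions, and HMAC-SHA256 stands in for the ML-DSA-65 signature, which Python's standard library does not provide; a real deployment would use an asymmetric post-quantum signature so that verifiers hold no secret.

```python
import hashlib, hmac, json

DEMO_KEY = b"constructed-demo-key"  # assumption: stand-in secret, not a real key

def sign(msg: bytes) -> bytes:
    # Stand-in for an ML-DSA-65 signature (not in the standard library).
    return hmac.new(DEMO_KEY, msg, hashlib.sha256).digest()

def verify(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(msg), sig)

def digest(obj) -> str:
    # Canonical JSON so the same fields always hash to the same value.
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def seal_event(prev, model, inputs, authority, output, time):
    # Model, inputs, authority, output, time and chain position all sit inside the signed body.
    body = {"model": model, "inputs": digest(inputs), "authority": digest(authority),
            "output": digest(output), "time": time, "prev": prev}
    return {"body": body, "sig": sign(digest(body).encode()).hex()}

def verify_chain(records, genesis):
    # Returns the index of the first bad record, or -1 if the chain holds.
    prev = genesis
    for i, rec in enumerate(records):
        ok_sig = verify(digest(rec["body"]).encode(), bytes.fromhex(rec["sig"]))
        if not ok_sig or rec["body"]["prev"] != prev:
            return i
        prev = digest(rec)  # the next record must commit to this one, signature included
    return -1

def supports_claim(rec, model, inputs, authority, output):
    # Does the sealed record back a claimed account of the event?
    b = rec["body"]
    return (b["model"] == model and b["inputs"] == digest(inputs)
            and b["authority"] == digest(authority) and b["output"] == digest(output))

# Constructed sample data (all values are illustrative).
GENESIS = "0" * 64
MODEL_A = hashlib.sha256(b"constructed weights A").hexdigest()
MODEL_B = hashlib.sha256(b"constructed weights B").hexdigest()
INPUTS = {"prompt": "approve transfer?", "context": ["doc-1"], "tools": ["ledger.read"]}
AUTH = {"operator": "ops-team", "mandate": "payments-review", "policy": "v3"}

def build_chain():
    r0 = seal_event(GENESIS, MODEL_A, INPUTS, AUTH, "approve", "2026-06-19T10:00:00Z")
    r1 = seal_event(digest(r0), MODEL_A, INPUTS, AUTH, "deny", "2026-06-19T10:05:00Z")
    return [r0, r1]
```

Claiming a different model for the same output fails `supports_claim`, and editing or reordering sealed records makes `verify_chain` return the index of the first bad record.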

Why the signature must outlive today's cryptography

There is a second failure hiding inside the first. Even teams who do bind more than the output usually sign with the classical curves we all grew up on. Those signatures are strong against the computers we have. They are not durable against the computers we expect. A decision sealed today may need to be defensible in 2035 or 2045, well inside the window where a cryptographically relevant quantum machine changes the threat model entirely.

An adversary does not need that machine to exist today to defeat you tomorrow. The harvest-now, decrypt-later posture is already rational. Capture the signed records now, wait for the hardware, then forge or repudiate at leisure. A signature that protects a high-stakes decision has to be chosen for the cryptography of the year it will be challenged, not the year it was made. Anything less is signing in disappearing ink.

We are not signing text. We are sealing a witness statement from a machine, and that statement has to hold up in a courtroom that does not exist yet.

Micky Irons

This is why I keep insisting the two failures are really one. Binding the whole event and binding it with post-quantum strength are not separate features you can bolt on in either order. They are the same commitment to a single idea, that the record must mean, in the future, exactly what it meant at the moment of the act, and that no advance in mathematics and no sleight of hand in version control should be able to loosen that meaning.

[Image: Close detail of a glowing blade edge with a gold sigil being pressed into the molten steel, the mark sinking and fusing into the metal rather than sitting on the surface.]
A mark that fuses into the metal cannot be ground off later without destroying the blade.

Engraving versus forging

The cleanest way to feel the difference is the old image of the forge. There are two ways to put a maker's mark on a blade. You can wait until the blade is finished, cooled and polished, then engrave a mark on the surface. It looks identical to the other method and it is far cheaper. But an engraving sits on top of the metal. A patient forger can grind it off and cut a new one, and the blade itself never objects, because the mark was never part of the blade.

Or you can strike the seal into the steel while it is still molten, so the mark fuses into the body of the blade as it cools. Now the mark is not on the blade, it is of the blade. You cannot remove it without destroying the thing it authenticates. That is the difference between signing the output and signing the inference. Signed output is the engraving, applied after the act, removable without trace. A sealed decision event is the seal struck into molten metal, fused into the very act of thinking that produced it.

Why the timing is the whole point

Notice that the difference is entirely about when the seal is applied. The engraver works after the metal has cooled, when the artefact is already separate from the act that made it. The smith works during, while the blade is still being made, while the act and the object are one thing. To seal the inference rather than the output, you have to be present at the moment of thinking, not standing at the loading dock afterwards stamping crates. The signature has to be a participant in the decision, not a clerk who arrives once it is over.

How Mickai seals the act of thinking

This is the principle the Sovereign Intelligence Operating System is built around, and it is why I describe Mickai as a SIOS and not an application. Mickai runs fifty specialised brains on the operator's own hardware, fully offline-capable, and every consequential action one of those brains takes is sealed at the moment it happens into an Open Audit Record. The record is not a log written afterwards. It is the smith's seal struck into the molten decision.

Each Open Audit Record binds the decision event as a whole: the measurement of the model that ran, the inputs it was given, the authority and mandate it acted under, the output it produced and its position in an ordered chain. We seal it under FIPS 204 ML-DSA-65, the post-quantum signature standard, so the record is chosen for the courtroom of 2035 rather than the convenience of today. A verifier does not have to trust our word, our brand or our continued existence. The verifier checks the seal and reconstructs the event.

The architecture is filed, not aspirational. The approach runs through our portfolio of 101 filed UK patent applications, around 2,234 claims, and it is anchored to Pantheon, our sovereign Bitcoin-anchored Layer 1, so the chain of records inherits a settlement guarantee outside any single operator, including us. The decision event, the authority and the timeline are sealed together, and the seal is built to survive the cryptography that has not yet arrived.

[Image: Rows of finished blades hanging in a void-black armoury, each bearing the same gold seal fused into the steel, a ledger of identical marks receding into darkness.]
Every decision leaves an armoury of sealed records, each mark struck into the act, not onto it.

What this buys the people who depend on it

Let me bring this back to the operator, because abstraction is cheap and consequences are not. If you run AI where decisions matter, defence, governance, health, regulated finance, then one day someone will challenge a decision your machines made. Not the output, the decision. They will ask whether that specific model, under that specific authority, on those specific inputs, really produced it. With signed output alone, your honest answer is a shrug dressed up as a green tick.

With a sealed decision event, your answer is a proof. You can show, without trusting the vendor and without the model present, that the act occurred as recorded. You can show that the authority was real and current at that instant. You can show the inputs were these and not others. And because the seal is post-quantum, you can show it not only today but in the decade where the challenge is most likely to land. The deniability that protected everyone now protects the truth instead.

The objection I take seriously

The fair objection is cost. Sealing the whole event is heavier than hashing a string. You are measuring the model, binding the inputs, capturing the authority and signing it all with a lattice scheme that produces larger signatures than the classical curves. None of that is free, in compute, in storage or in engineering discipline. I will not pretend otherwise.

My answer is that we already accept this trade everywhere the stakes are real. We do not sign mortgages with a casual initial because a full signature takes longer. We do not skip the chain of custody on evidence because the paperwork is tedious. When a decision can cost a life, a mandate or a market, the witness statement has to be heavier than the gossip. The cost of sealing the act is the cost of being able to defend it, and for the decisions that matter, that has never been the expensive option. The expensive option is the one with no proof when the question finally comes.

Sign the verb, not just the noun

So this is my argument, plainly. Stop signing the artefact and calling it accountability. The output is the cooled blade, and an engraving on a cooled blade can always be ground away and recut. Seal the act of thinking instead, while it is still molten, the model, the inputs, the authority and the output fused into one record, struck under cryptography chosen for the year it will be challenged rather than the year it was made.

A machine that can act in the world owes the world a witness statement it cannot later disown. Not the words it said, but the proof that this mind, under this mandate, on these inputs, truly said them. Sign the inference, not just the output. Strike the seal while the metal still glows, so that no future hand, and no future computer, can ever claim the blade was never marked.

[Image: Hephaestus lifting a cooled blade to the light in a darkened forge, the fused gold seal catching the last of the fire, the smith inspecting his own unremovable mark.]
The forge goes cold, the fire dies, and the mark remains, fused into the act it was struck to prove.
Originally published at https://mickai.co.uk/articles/when-the-inference-itself-must-carry-a-signature.