MICKAI®
Article · 12 July 2026

Why post-quantum signatures matter more than encryption for AI audit trails

An AI audit trail must be signed with post-quantum signatures, not merely encrypted, because its integrity has to outlive the confidentiality of its contents.

Why post-quantum signatures matter more than encryption for AI audit trails
Author
Micky Irons
Published
12 July 2026
Follow Micky Irons
LinkedInX
sovereign aipost-quantum cryptographyai audit trailsdigital signaturesfips 204

Post-quantum signatures matter more because a forged decision record destroys an audit trail's evidentiary value forever, while a decrypted stale secret often no longer matters.

Most quantum planning fixes on harvest-now-decrypt-later, a confidentiality threat. Audit trails face the opposite exposure. NIST finalised its post-quantum signature standards in 2024, and DORA, NIS2 and the EU AI Act all demand records that stay trustworthy long after the machines that made them retire. The ledger has to survive the cryptography that built it.

What is the difference between encrypting and signing an AI audit trail?

Encryption hides what a record says. Signing proves who produced it and that no byte changed since. An audit trail needs the second.

An encrypted log kept from prying eyes still tells you nothing about whether its entries are authentic. If an attacker or a careless integration rewrites a line, encryption neither notices nor objects. A signature does. Each entry carries a cryptographic seal that verifies against a known key, so any tampering shows up as a broken signature. For an AI system making consequential decisions, the question a regulator or a court asks is not was this secret, it is can you prove this is what the model actually did.

Why post-quantum signatures matter more than encryption for AI audit trails, illustration 1

Why does the integrity risk outlast the confidentiality risk for AI records?

A secret loses value as it ages, but a decision record must stay provable for years. Quantum forgery of old signatures voids the whole chain.

Confidentiality decays gracefully. A routing rule or a prompt that leaks in 2032 may describe a system three generations retired. Integrity fails catastrophically. If a quantum-capable adversary can forge signatures on historic records, they can rewrite what a model decided, when, and on whose authority, and no reader can tell the forgery from the original. The audit trail is the one artefact whose value is entirely its trustworthiness, so it is the artefact quantum most threatens.

For an AI record the confidentiality clock runs down while the integrity clock runs up, which is why the ledger must be signed, not merely encrypted.

Why post-quantum signatures matter more than encryption for AI audit trails, illustration 2

Which post-quantum standards actually sign the audit ledger?

FIPS 204 ML-DSA and FIPS 205 SLH-DSA produce quantum-resistant signatures. FIPS 203 ML-KEM only encapsulates keys for encryption and never signs a record.

These are not interchangeable. ML-KEM, standardised as FIPS 203, solves key establishment: it lets two parties agree a shared secret over a hostile channel. That protects a transport link, which is confidentiality. It produces no signature and makes no claim about who wrote what. ML-DSA (FIPS 204) and SLH-DSA (FIPS 205) are signature schemes: they bind an identity to a record so anyone can later verify authorship and integrity. A team that encrypts its telemetry with ML-KEM and believes it has quantum-proofed its audit trail has protected the wrong property. The ledger needs 204 or 205 on every entry.

Why post-quantum signatures matter more than encryption for AI audit trails, illustration 3

Confidentiality or integrity: which quantum risk should you fund first?

Fund integrity first. Encryption protects data in motion for a season; signatures protect the evidentiary record across its full retention life.

PropertyConfidentiality (encryption)Integrity (signatures)
What it protectsThe contents of a record from being readThe authorship and integrity of a record from being forged
What breaks if a quantum computer arrivesOld ciphertext can be decrypted, exposing past secretsOld signatures can be forged, voiding the whole audit trail
Why it matters for an AI audit trailA leaked stale record often no longer describes the live systemA forged decision record makes every entry legally deniable
The Mickai mechanismML-KEM (FIPS 203) key encapsulation on a zero-egress perimeterML-DSA (FIPS 204) and SLH-DSA (FIPS 205) signing on every ledger entry
Why post-quantum signatures matter more than encryption for AI audit trails, illustration 4

How does Mickai keep an AI audit trail provable after quantum?

We sign every ledger entry with FIPS 204 and FIPS 205, bind each action to hardware-attested identity, and keep the chain verifiable offline.

Mickai is a Sovereign Intelligence Operating System, a SIOS, built and live, running offline on operator-owned hardware with every action cryptographically sealed. Its audit ledger is post-quantum signed at the point of writing, so a record's authorship is provable without any network round trip and without trusting an external certificate authority. Identity is hardware-attested and bound into the audit chain, so a signature answers not only what happened but which attested node did it. The inbound perimeter is zero-egress, so telemetry never leaves the operator estate to be harvested in the first place. Across the 50 brains, 25 domain and 25 operational, consequential outputs pass through cross-model consensus before they are sealed, so the signed record reflects agreement rather than a single model's guess. The architecture is covered by 104 filed UK patent applications and 2,340 claims, owned by Mickai LTD (Companies House 17166618), filed and patent pending.

What do 2026 regulations require for tamper-evident AI records?

Regulators increasingly assume records that cannot be silently altered. DORA, NIS2 and the EU AI Act all lean on durable, verifiable evidence, and jurisdiction matters.

DORA has been in force since January 2025 and expects financial entities to reconstruct what happened during an incident. NIS2 extends comparable duties across essential and important entities. The EU AI Act's high-risk Annex III obligations, once due 2 August 2026, were deferred by the Digital Omnibus to 2 December 2027, with embedded Annex I high-risk obligations moving to 2 August 2028 and Article 50 transparency duties largely unchanged. The extra time does not change the direction: high-risk systems will need logging and traceability that hold up under scrutiny. Public assistants like ChatGPT, Copilot and Gemini are excellent where the data is ordinary and convenience wins; for the most sensitive records a regulated buyer cannot send that material to a third-party service at all, which is a design boundary, not a criticism. Jurisdiction is the quieter risk, because the US CLOUD Act can compel a US-based provider to produce data regardless of where its servers physically sit, so a sovereign estate keeps both the records and the keys inside the operator's own control.

Frequently asked questions

If my data is encrypted, why do I still need signatures on my AI audit trail?

Encryption stops others reading a record; it does nothing to prove the record is genuine. If an entry is altered, encryption stays silent while a signature breaks. An audit trail's whole worth is that it is trustworthy, so it needs the guarantee only signing gives.

Does FIPS 203 protect my audit trail?

FIPS 203, ML-KEM, is key encapsulation. It secures a channel so a shared key can be agreed, which is confidentiality. It produces no signature and cannot prove who wrote a record or whether it changed. Signing the ledger needs FIPS 204 or FIPS 205.

What is harvest-now-decrypt-later, and is it the main quantum threat to AI records?

It is the practice of storing encrypted data today to decrypt once quantum computers mature. It is a real confidentiality risk, but for audit trails the larger danger is forgery of historic signed records. That is why post-quantum signing matters most for the ledger.

Can Mickai run this entirely offline?

Yes. Mickai is a SIOS that runs on operator-owned hardware with no dependence on external services. The audit ledger is post-quantum signed at the point of writing and verifiable offline, so proof of integrity never requires a network connection or an outside authority.

Why sign a ledger with both FIPS 204 and FIPS 205?

ML-DSA (FIPS 204) is a lattice scheme that is fast and compact for routine signing. SLH-DSA (FIPS 205) is hash-based and rests on different mathematical assumptions. Using both means a weakness found in one family does not collapse the integrity of the whole audit trail.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/why-post-quantum-signatures-matter-more-than-encryption-for-ai. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles