MICKAI
Article · 1 July 2026

Zero-Trust AI Architecture

Trust nothing, verify everything, with signed identity and per-action attestation on hardware you own

Zero-Trust AI Architecture
Author
Micky Irons
Published
1 July 2026
Follow Micky Irons
LinkedInX
zero-trustai-securityattestationsovereign-aipost-quantum

Every breach that matters starts the same way. Something inside the perimeter was trusted when it should not have been. A credential, a service account, an agent acting on behalf of a person who never approved the action. The old security model assumed that once you were through the wall, you belonged. Artificial intelligence has quietly detonated that assumption, because an autonomous agent inside your network can move faster, wider and more convincingly than any human intruder ever could.

Zero-trust AI architecture answers the only question that now counts. Not who is at the gate, but what is about to happen, on whose signed authority, and whether that authority can survive scrutiny after the fact. At Mickai we built our Sovereign Intelligence Operating System, a SIOS, around a single unforgiving rule. Trust nothing, verify everything, and prove it later. This is how that rule becomes architecture rather than a slogan.

The perimeter was always a fiction

Traditional security drew a line and called everything inside it safe. That worked when the things inside were laptops and file servers moving at human speed. It collapses the moment you introduce intelligence that can reason, plan and act on its own initiative. An AI brain does not phish one inbox and wait. It can touch a thousand records, draft a hundred decisions and trigger a chain of downstream actions before a human notices the login was unusual.

Zero trust discards the perimeter entirely. There is no inside and no outside, only a continuous demand for proof at every step. A brain that read a customer file five minutes ago holds no standing credit to write to a payment system now. Every action is a fresh negotiation. Identity is checked, authority is checked, context is checked, and nothing is granted on the strength of what came before. The wall did not fall because we abandoned it. We replaced it with something that verifies at the level of the individual act.

Signed identity, not borrowed trust

In most systems an AI agent inherits the identity of whoever launched it, and that borrowed trust becomes the single point everything hangs on. Compromise the token and you inherit the empire. We refuse that shortcut. In our SIOS every brain carries its own cryptographic identity, bound to hardware the customer owns, and that identity cannot be lifted, replayed or spoofed by another process pretending to be it.

A colossal marble statue of a two-faced guardian looking in opposite directions, lit by gold light against black
Like Janus watching both ways at once, zero trust knows there is no safe inside and no safe outside

The signatures are post-quantum by design. We sign with FIPS 204 ML-DSA-65, the Module Lattice Digital Signature Algorithm standardised for the era when today's encryption starts to fray. An adversary harvesting signed traffic now, hoping to break it with tomorrow's machines, finds nothing worth keeping. Identity in a zero-trust AI system is not a badge you wave at a door. It is a mathematical fact that travels with every request and can be independently confirmed by anyone holding the public key, with no call home required.

Every action attested before it runs

Here is where most zero-trust talk stops and where the hard engineering begins. It is not enough to know who is asking. You must know precisely what they intend to do, and you must capture that intent before a single byte moves. Our answer is the Operation Attestation Record, the OAR, and it is the beating heart of the whole architecture.

A colossal marble smith figure pressing a glowing seal into a tablet, gold light on his hands against black
Hephaestus sets his mark before the work begins, as every action is attested before it runs

Before any consequential action executes, the SIOS writes an OAR. It states which brain is acting, what it proposes to do, on what data, under whose authority and against which policy. That record is signed and committed first. The action only proceeds once the attestation exists. This inversion matters more than it sounds. In conventional systems the log is written after the fact, by the same system that might already be compromised, which is exactly why attackers delete logs. An OAR that must exist before the operation runs cannot be edited into innocence afterwards, because the evidence precedes the act rather than trailing it.

The ledger that cannot be quietly rewritten

Attestations are only as trustworthy as the place they live. If an intruder can slip into the record store and rewrite history, the whole edifice is theatre. So we chain every attestation into a tamper-evident ledger, each entry hash-linked to the one before it using SHA-3-512. Change any single record and every hash downstream breaks, announcing the tampering to anyone who checks.

Because the chain is cryptographically self-describing, verification needs no live connection to us and no trusted third party. An auditor, a regulator or the customer's own security team can take the ledger offline, air-gapped, and confirm its integrity from first principles. This is what sovereignty means in practice. The proof of good behaviour belongs to the customer, sits on infrastructure they own, and does not depend on our word or our uptime. For anyone living under the EU AI Act, the Digital Operational Resilience Act, DORA, or the Network and Information Security Directive, NIS2, a portable and independently verifiable audit trail is no longer a nice-to-have. It is the difference between passing an inspection and failing one.

High stakes demand more than one witness

Not all actions carry the same weight. Reading a document is not the same as moving money, changing a clinical record or deleting a dataset. Zero trust should scale its scrutiny to the consequence, and ours does. For high-stakes operations a single signed identity is not sufficient. We require multiple brains to independently agree, and for the most sensitive actions we bind approval to a human presence confirmed by voice biometrics.

A colossal marble figure of a titan bearing an unbroken chain of linked stone tablets on his shoulders
Atlas holds the unbroken chain, and if one link is altered the whole weight betrays the tampering

This is separation of powers rendered in cryptography. One brain proposes, others must corroborate, and a person the system can actually recognise must consent. Every brain is revocable, so authority that turns rogue or is suspected of compromise can be pulled instantly and cleanly, with the revocation itself recorded in the ledger. The result is a system where no single point, human or machine, can unilaterally do irreversible harm, and where every consequential decision leaves a signed record of exactly who and what agreed to it.

Built for the boundary the cloud cannot cross

None of this is a critique of the public cloud. The hyperscalers, OpenAI, Microsoft, Amazon Web Services, Google and Oracle among them, are allies operating at a different layer, and they do that layer superbly. But there is a boundary they cannot cross on the customer's terms. A defence programme under International Traffic in Arms Regulations, ITAR, a bank under the Basel framework and the Markets in Financial Instruments Directive, MiFID II, a hospital under the Health Insurance Portability and Accountability Act, HIPAA, cannot let sensitive reasoning leave their walls.

A colossal marble figure of a three-bodied warrior standing guard in unison, gold light across three torsos
Geryon guards with three bodies in agreement, as high-stakes actions demand more than one witness

Our SIOS is built for exactly that boundary. It runs on hardware the customer owns, air-gapped or on-premise, with zero data egress, and it holds 104 filed UK patent applications, about 2,340 claims, owned by Mickai LTD, describing the capabilities that make signed, attested, offline-verifiable AI possible. Zero trust is not a feature we bolted on. It is the substrate. The intelligence and the proof of its behaviour occupy the same sealed space, aligned with ISO 42001 and the NIST AI Risk Management Framework, so the organisation gets autonomy and evidence together rather than trading one for the other.

The bottom line

Zero-trust AI architecture is not a stricter password policy. It is a wholesale refusal to grant standing trust to anything, including your own intelligence, followed by a demand that every action prove itself in advance and remain provable forever. Signed identity says who. The OAR says what and why, written before the deed. The hash-linked ledger keeps that proof honest, offline and in the customer's hands. And for the decisions that could hurt, more than one witness must agree.

We built our SIOS this way because the alternative, trusting AI on the strength of a login, is a bet no regulated institution can responsibly make. Verify everything, attest before you act, and keep the receipts where no attacker can reach them. That is not paranoia. In the age of autonomous intelligence, it is simply the price of trust.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/zero-trust-ai-architecture. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles
4 Jul 2026
Sovereign AI for Central Banks
A central bank cannot send its rate deliberations or supervisory secrets to anyone else's cloud. We built Mickai, a Sovereign Intelligence Operating System, so monetary and supervisory intelligence runs entirely offline on hardware the bank owns, with independence proven, secrecy architectural and every decision signed before it acts.
4 Jul 2026
Sovereign AI for Defence Primes
Defence primes hold the most sensitive programme data in the world, and the public cloud cannot cross the boundary that protects it. We built Mickai as a Sovereign Intelligence Operating System that runs on hardware the prime owns, air-gapped, where every action is cryptographically signed before it executes and every brain can be revoked in seconds.
4 Jul 2026
Sovereign AI for Maritime and Shipping
Fleets and ports need intelligence that keeps deciding when the satellite link dies and keeps an honest record no one can edit. Mickai runs on the operator's own hardware, at sea and on the quay, with zero data egress and a post-quantum signed ledger. Autonomy where the connection ends, governance that never does.
4 Jul 2026
Sovereign AI for Aerospace
Aerospace cannot ship export-controlled geometry to borrowed cloud infrastructure or hand engineers unexplained answers. We built Mickai, a Sovereign Intelligence Operating System, to run design and safety-case intelligence on hardware the customer owns, with zero data egress and cryptographic provenance signed onto every artifact before it exists.