MICKAI
Security

Security by sovereignty. Sealed, attested, offline.

8 control domains, 40 specific controls, enforced by architecture inside the Mickai Sovereign Intelligence Operating System. It runs air-gapped on hardware you own with zero data egress, signs every action before it executes, seals it to a post-quantum Open Audit Record, attests the hardware it runs on, and hands the keys to the operator. The largest attack surface in conventional AI, the path to a vendor, is removed.

8 control domains
40 controls enforced
0% data egress
Post-quantum signed audit (ML-DSA-65)
The control domains

The threat removed by construction, not by policy

Sovereign air-gapped architecture, zero egress

Sovereign architecture is the control that makes every other control possible: Mickai runs entirely on hardware you own, with no network required for inference, identity, governance or audit. Because the components physically cannot reach a vendor cloud, the data cannot leave the building, so the exfiltration threat is neutralised by construction rather than by a policy a vendor could revise. This is sovereign by architecture, not by policy: removing the network does not change how Mickai behaves.

5 controls · Inspect the sovereign air-gapped architecture, zero egress controls →
Trust without trusting the vendor

Open Audit Record, tamper-evident post-quantum sealing

The Open Audit Record is the substrate of the Mickai SIOS: every agent action is hash-chained and signed under your operator-controlled ML-DSA-65 key, then made verifiable in any modern browser without trusting Mickai. It answers the question a regulator always asks, namely what the system did, on whose authority, on what inputs and in what sequence, with a cryptographic answer rather than a vendor's assurance. Because the ledger and the keys live on hardware you own, the record cannot be edited after the fact, and a third party can replay any run offline with no Mickai server in the loop.

5 controls · Inspect the Open Audit Record, tamper-evident post-quantum sealing controls →
Identity rooted in silicon you hold

Hardware attestation, TPM 2.0 and measured boot

Hardware attestation roots the whole system in silicon the operator holds: identity is bound to a TPM 2.0 device, secure enclave or hardware security module that cannot be exported, and every Mickai signature is produced by that key. Measured boot proves the platform started in a known-good state before any brain runs, so the environment producing the audit record is itself attested. Copying the software to another machine produces a fresh, unauthorised identity the system refuses to recognise, which means sovereignty is cryptographically tied to the device and cloning is mathematically refused.

5 controls · Inspect the hardware attestation, TPM 2.0 and measured boot controls →
Every external string is adversarial by default

Agent safety and prompt-injection defence, Sentinel

Sentinel is the defence-in-depth shell around the brain layer, and it treats every external string as adversarial by default. It inspects retrieved context for prompt injection before that context can reach a brain, caps the blast radius of any compromised credential with per-tool rate limits, and gates high-impact actions behind a dry-run simulation the operator confirms. Where a cloud assistant executes instructions hidden in a document or a web page without a second thought, Mickai quarantines the injection before it ever reaches a destructive tool.

5 controls · Inspect the agent safety and prompt-injection defence, Sentinel controls →
Untrusted work runs in a controlled cell

Perimeter, sandbox and egress gateway

The perimeter, sandbox and egress gateway define exactly where Mickai touches the outside world and on what terms. When a workload genuinely needs connectivity, such as a research task or a browser session, it runs inside a sandboxed cell behind an allowlisted egress gateway, with an optional operator-selected VPN, rather than being given open access to your network. Nothing reaches an external destination without passing the per-tenant egress firewall, so the boundary between your regulated data and the internet is a single, audited, operator-controlled chokepoint.

5 controls · Inspect the perimeter, sandbox and egress gateway controls →
You hold the keys, so no one else can

Key and identity sovereignty, operator-held keys and encryption at rest

Key and identity sovereignty means the operator holds every key that matters: the keys that sign each Mickai decision, the hardware that produces those signatures, the local audit ledger and the model weights, with the operator key encrypted at rest and backed up under the operator's control. There is no admin override a vendor can invoke and no leased component, so ownership is binary. Because the vendor never holds the signing material or the data, there is no third party that could be compelled to produce your activity.

5 controls · Inspect the key and identity sovereignty, operator-held keys and encryption at rest controls →
Clinical, enterprise and individual, cryptographically apart

Multi-tenant isolation and access control

Multi-tenant isolation lets one device serve several tenants, such as a clinical, an enterprise and an individual context, with cryptographic separation between them so nothing leaks across the boundary. Tenant switching is voice-gated and biometric-attested, ledger entries are partitioned per tenant, and access control descends to the row and column of a data store, gated per voiceprint rather than per shared username. Skills are gated behind five clearance levels, and sessions go stale and require fresh re-authentication, so a forgotten unlocked terminal cannot be used to reach sensitive capability.

5 controls · Inspect the multi-tenant isolation and access control controls →
Nothing loads unless it is signed

Model and supply-chain integrity, signed weights and licence provenance

Model and supply-chain integrity ensures that nothing runs inside Mickai unless it is signed: every binary, every brain, every model weight and every skill carries a signature, and loading an unsigned or tampered artefact fails closed. The operator can pin specific signed versions and refuse silent upgrades, so the deployment only ever runs the code and weights the operator has approved. Mickai runs its own specialised sovereign models with tracked licence provenance, so the origin and licensing of every artefact are known and defensible rather than an unverified download.

5 controls · Inspect the model and supply-chain integrity, signed weights and licence provenance controls →
Questions
What is the Mickai security model?

Mickai's security model is sovereignty by architecture. The Sovereign Intelligence Operating System runs on hardware the customer owns, air-gapped by default with zero data egress, so the largest attack surface in conventional AI, the network path to a vendor, is removed by construction. Every action is signed before it executes and sealed to a tamper-evident, post-quantum Open Audit Record, hardware identity is attested through TPM 2.0 and measured boot, and a dedicated agent-safety layer quarantines prompt injection. The operator holds the keys.

How does Mickai defend against prompt injection and unsafe agent actions?

A dedicated agent-safety layer inspects every input and tool call, quarantines injection attempts, and enforces typed, allowlisted actions with a hard human-in-the-loop gate on anything consequential. Because the system runs behind the firewall with a gated egress perimeter, an injected instruction has nowhere to exfiltrate to, and every decision is sealed to the audit record for review.

Who holds the encryption keys and the audit trail?

The operator does. Keys are generated and held on the customer's own hardware, encrypted at rest, and never escrowed to Mickai or any cloud. The Open Audit Record ledger is the customer's own, verifiable offline with the operator public key alone, so security and accountability sit with the organisation that bears the liability, not a vendor.