Agent safety and prompt-injection defence, Sentinel
Sentinel is the defence-in-depth shell around the brain layer, and it treats every external string as adversarial by default. It inspects retrieved context for prompt injection before that context can reach a brain, caps the blast radius of any compromised credential with per-tool rate limits, and gates high-impact actions behind a dry-run simulation the operator confirms. Where a cloud assistant executes instructions hidden in a document or a web page without a second thought, Mickai quarantines the injection before it ever reaches a destructive tool.
As soon as an AI agent can act, not just answer, the dangerous failure mode is no longer a wrong sentence but a wrong action: a prompt injection buried in a retrieved document, an email or a web page that persuades the agent to exfiltrate data, wipe a record or authorise a payment. Cloud agent platforms concentrate this risk, because the same shared model that reads your untrusted inputs also holds the tools that can act on your systems, and the customer has no visibility into how retrieved context is screened before it reaches the model. A single successful injection against a shared service can therefore have a wide blast radius across many tenants at once. Mickai contains the threat by architecture: Trust Agent classifies and inspects every inbound request, the Sovereign Security Framework screens retrieved context for injection before it reaches a brain, per-tool rate limits cap what any single compromised credential can do, and high-impact actions must pass a deterministic dry-run simulation and, where governance requires, a fresh voice-biometric quorum before they commit. Because all of this runs on hardware you own with a sealed audit record, a contained injection is not only stopped but evidenced, and the reversible-by-construction action model means even an action that slips through can be rolled back.
The 5 controls in this domain, each enforced by construction on hardware you own and mapped to the subsystem that provides it:
Prompt-Injection Inspection
Before any retrieved context reaches a brain, Sentinel inspects it for prompt-injection patterns and treats every external string as adversarial by default, so instructions hidden in a document, an email or a web page are caught at the boundary. This closes the most common agent-era attack, in which untrusted content persuades the model to act against the operator, by screening the content before it can influence a decision. Suspect context is quarantined rather than executed, and the event is sealed to the Open Audit Record. This defence is anchored in the filed Sovereign Security Framework patent.
Per-Tool Rate Limiting
Each tool the agents can call is governed by a per-tool rate limit that caps how often and how much it can be invoked, so even a successfully compromised credential has a strictly bounded blast radius. This turns a potential mass-exfiltration or mass-deletion event into a small, contained and immediately visible anomaly, because the cap trips long before wide damage is done. The limits are enforced before the call executes, not audited afterwards, and every trip is recorded. Rate limiting is part of the defence-in-depth shell in the filed Sovereign Security Framework patent.
Pre-Commit Dry-Run Simulation
Before any high-impact action is executed, Mickai runs it through a deterministic simulation of the target state and presents the operator with a diff, so the effect is reviewed before anything commits. Only on explicit confirmation does the action proceed, which eliminates a whole class of agent errors where an assistant does the wrong thing irreversibly. This is a hard gate that an injection cannot silently bypass, because the simulation surfaces exactly what would change. The dry-run mechanism is anchored in the filed Pre-Commit Dry-Run Simulation patent.
Compensating Rollback
Actions in Mickai are first-class entities that store their compensating inverse at the moment they execute, so any signed action can be retroactively undone and its side effects reverted. If an action ever slips through the earlier gates, the operator or a regulator can issue an undo and the system constructs the inverse chain to reverse it, which means a mistake or a contained attack does not have to be permanent. This reversible-by-construction model is a safety net beneath the preventive controls. It is anchored in the filed First-Class Actions with Compensating Rollback patent.
Voice-Biometric Quorum On High-Stakes Actions
For high-stakes actions such as financial transfers, contractual signatures and irreversible deletes, Mickai requires multiple brains to agree and a fresh voice-biometric match from the operator, verified on-device against a hardware-bound template. An attacker with full session access still cannot trigger a quorum-gated action without the operator's live voice, which closes the risk of a hijacked session authorising something catastrophic. The verification is deterministic and replay-resistant. It is anchored in the filed Multi-Brain Cooperative Intelligence and Voice-Gated Deterministic Tool Invocation patents.
The advantages hold across every control domain, and they are architectural, not promotional. The third-party cloud-exposure vector is removed; your own physical, insider and compliance controls remain yours.
The data never leaves your hardware, so no third party and no cloud-provider employee ever sees it. What happens in the server room stays in the server room.
You own the compute and the capability, so the system runs independent of the internet and of any cloud vendor's pricing, terms, or availability.
The data never crosses a geographical or digital border because it never leaves the building, which removes the cross-border-transfer and third-party-processing friction of UK GDPR, Schrems II, and the sector rules. You keep your own obligations.
Fine-tune and run retrieval on your deepest archives to build a hyper-customised co-pilot, with no risk of your proprietary edge training a public model or leaking.
After the hardware and licence, queries cost essentially electricity: the system is a capital asset you own and depreciate, instead of a volatile per-token cloud bill.
There is no third-party cloud path, so no competitor and no vendor insider can scrape, intercept, or subpoena your prompts or your fine-tuned weights from the internet. The trust vault is closed by architecture.
You own the software snapshot on your own hardware, so a change to a cloud vendor's terms, a model deprecation, or an outage cannot reach you. The system stays predictable and auditable on-premise as the rules evolve.
How does Mickai defend against prompt injection?
Sentinel treats every external string as adversarial by default and inspects retrieved context for injection patterns before that context can reach a brain, so instructions hidden in a document, an email or a web page are caught at the boundary. Suspect content is quarantined rather than executed, and the event is sealed to the Open Audit Record. Combined with per-tool rate limits and the egress firewall, the blast radius of a successful injection is contained even before it can reach a destructive tool. This is anchored in the filed Sovereign Security Framework patent.
What stops a compromised credential from causing wide damage?
Every tool the agents can call is governed by a per-tool rate limit that caps how often and how much it can be invoked, so even a compromised credential has a strictly bounded blast radius. A potential mass-exfiltration or mass-deletion event becomes a small, contained and immediately visible anomaly, because the cap trips long before wide damage is done. The limits are enforced before the call executes, not audited afterwards, and every trip is recorded to the audit ledger.
Can a high-impact action be executed without a human seeing it first?
No. Before any high-impact action commits, Mickai runs it through a deterministic simulation of the target state and presents the operator with a diff, and the action proceeds only on explicit confirmation. This eliminates the class of agent errors where an assistant does the wrong thing irreversibly, and it is a hard gate that an injection cannot silently bypass because the simulation surfaces exactly what would change. It is anchored in the filed Pre-Commit Dry-Run Simulation patent.
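The dry-run gate described under Pre-Commit Dry-Run Simulation and in this answer, as an added example that is not Mickai's code and is not drawn from the patent the page cites: the simulation is a pure function over a copy of the state, the operator confirms a digest of the exact diff that was shown, and commit re-simulates so an action whose effect now differs from that diff is refused rather than silently applied. The action shapes, the invoice records and the `apply`, `dry_run`, `confirmation_token` and `commit` names are assumptions.

```python
"""Pre-commit dry-run gate: simulate a high-impact action against the target
state, show the operator a diff, and commit only on a confirmation bound to that
exact diff. Hypothetical example, not Mickai code; the actions are constructed."""
import copy
import hashlib
import json
from typing import Optional

def apply(state: dict, action: dict) -> dict:
    """Pure transition: return the state after the action, leaving `state` untouched."""
    new = copy.deepcopy(state)
    if action["op"] == "set":
        new.setdefault(action["record"], {})[action["field"]] = action["value"]
    elif action["op"] == "delete":
        new.pop(action["record"], None)
    else:
        raise ValueError(f"unknown op {action['op']}")
    return new

def dry_run(state: dict, action: dict) -> dict:
    """Deterministic simulation: the diff the action would produce, nothing mutated."""
    target = apply(state, action)
    return {k: {"before": state.get(k), "after": target.get(k)}
            for k in sorted(set(state) | set(target)) if state.get(k) != target.get(k)}

def confirmation_token(diff: dict) -> str:
    """What the operator confirms: a digest of the canonical diff, not of the action."""
    canonical = json.dumps(diff, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def commit(state: dict, action: dict, token: Optional[str]) -> dict:
    """Hard gate: re-simulate at commit time and refuse unless the operator's token
    matches the diff the action would produce now (no silent change of effect)."""
    if token is None:
        raise PermissionError("high-impact action requires operator confirmation")
    if token != confirmation_token(dry_run(state, action)):
        raise PermissionError("effect differs from the diff the operator confirmed")
    return apply(state, action)

# Constructed sample state: two invoices.
SAMPLE = {"inv-1001": {"status": "open", "amount": 120},
          "inv-1002": {"status": "paid", "amount": 80}}
```

Because the token is a digest of the diff rather than of the request, a record that changed between the dry run and the confirmation click invalidates the confirmation and forces a fresh simulation.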
What if a harmful action slips through the gates?
Actions in Mickai are first-class entities that store their compensating inverse at the moment they execute, so any signed action can be retroactively undone and its side effects reverted. If something ever slips through, the operator or a regulator can issue an undo and the system constructs the inverse chain to reverse it, so a mistake or a contained attack does not have to be permanent. This reversible-by-construction model sits beneath the preventive controls as a safety net.
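An added example, not Mickai's code, covering both the per-tool cap from Per-Tool Rate Limiting and the reversible action model described under Compensating Rollback and in this answer: a small tool gateway that checks the limit before the side effect runs and records every trip, and that stores each action's compensating inverse at the moment it executes so an undo walks the ledger in reverse. The tool name, the two-per-minute limit, the records and the `ToolGateway` and `demo` names are constructed assumptions.

```python
"""Per-tool rate limits enforced before a call, plus first-class actions that
store their compensating inverse at execution time. Hypothetical example, not
Mickai code; the tool name, limit and records are constructed."""
from collections import deque

class ToolGateway:
    def __init__(self, limits):
        self.limits = limits                 # tool -> (max calls, window seconds)
        self.calls = {t: deque() for t in limits}
        self.ledger = []                     # (tool, inverse) in execution order
        self.audit = []                      # every execution, trip and undo

    def execute(self, tool, now, forward):
        """Gate first, act second; the inverse is handed back by the action."""
        max_calls, window = self.limits[tool]
        q = self.calls[tool]
        while q and now - q[0] >= window:    # forget calls that left the window
            q.popleft()
        if len(q) >= max_calls:              # cap trips before the side effect
            self.audit.append(f"TRIP tool={tool} t={now}")
            raise PermissionError(f"rate limit tripped for {tool}")
        q.append(now)
        self.ledger.append((tool, forward()))
        self.audit.append(f"EXEC tool={tool} t={now}")

    def undo(self, count):
        undone = 0                           # walk the ledger backwards so the
        while undone < count and self.ledger:  # inverses run in reverse order
            tool, inverse = self.ledger.pop()
            inverse()
            self.audit.append(f"UNDO tool={tool}")
            undone += 1
        return undone

def demo():
    """Constructed: five deletes via a tool capped at two per minute, then undo."""
    records = {f"rec-{i}": i for i in range(5)}
    gw = ToolGateway({"delete_record": (2, 60.0)})
    def delete(rid):                         # forward action returning its inverse
        saved = records.pop(rid)
        return lambda: records.__setitem__(rid, saved)
    trips = 0
    for i, rid in enumerate(list(records)):
        try:
            gw.execute("delete_record", float(i), lambda rid=rid: delete(rid))
        except PermissionError:
            trips += 1
    deleted = 5 - len(records)
    return {"trips": trips, "deleted": deleted, "restored": gw.undo(deleted),
            "remaining": len(records), "audit": gw.audit}
```

Only the first two deletes execute; the remaining three trip the cap and appear in the audit list as anomalies, and the undo restores both deleted records.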
How are the most dangerous actions protected?
High-stakes actions such as financial transfers, contractual signatures and irreversible deletes require multiple brains to agree and a fresh voice-biometric match from the operator, matched on-device against a hardware-bound template. An attacker with full session access still cannot trigger a quorum-gated action without the operator's live voice, which closes the risk of a hijacked session authorising something catastrophic. The verification is deterministic and replay-resistant, and it is anchored in the filed Multi-Brain Cooperative Intelligence and Voice-Gated Deterministic Tool Invocation patents.
Why is agent safety stronger on-premise than in a shared cloud?
In a shared cloud agent platform, the same model that reads your untrusted inputs also holds the tools that can act on your systems, and a single successful injection can have a wide blast radius across many tenants at once, with no customer visibility into how context is screened. Mickai contains the threat by architecture on hardware you own: context is screened before it reaches a brain, tools are rate-capped, high-impact actions are simulated and quorum-gated, and every step is sealed to an audit record you hold. Containment is therefore both enforced and evidenced.
Review the Sentinel agent safety and prompt-injection defence controls with us.
Briefings are for organisations weighing a sovereign, on-premise deployment. Tell us about your estate and threat model and we will walk the controls, the attestation surface and the deployment that fits.