DEV Community: Micky Irons

The God Code: sovereign AI, synthetic faiths, and invented moralities

Micky Irons — Sat, 16 May 2026 13:31:30 +0000

The God Code: sovereign AI, synthetic faiths, and invented moralities

When AIs invent religions, the safeguard is not censorship. The safeguard is that the user holds the signing key and the user holds the revocation.

By Micky Irons · 2026-05-15

The category of synthetic ethics

Small models already generate workable moral systems on demand. The historical category (Mormon revelation, Aum Shinrikyo, contemporary technopaganism) is older than the model. The novel question is what governance applies when the source of the moral system is a language model the user runs at home.

The vendor-side answer is content moderation. The sovereign answer is structural. The user signs their own moral constitution into the Policy Brain. Every action the substrate takes gates against that signed constitution before commit. A synthetic ethic that violates the user's signed constitution is mathematically refused at the substrate, not flagged for review by a vendor's moderation team.

The revocation backstop

When a synthetic faith goes wrong (the user finds, in retrospect, that the moral system they were following was harming them or their dependants) the Revocation Brain is the architectural backstop. Revoke the key, revoke the policy graph version, revoke the simulator. The chain records the revocation. Future actions cannot draw on the revoked moral system because the key that signed them is invalid.

This is not theological liberalism dressed in cryptography. It is the recognition that humans have always invented ethics under provisional commitment. The architecture supplies the provisional. The user supplies the commitment. The substrate supplies the record.

Voiceprint-gated rituals

Ritual is where the cryptography becomes anthropology. A voiceprint-gated ritual (the user speaks a passphrase the substrate verifies against a hardware-bound template) is a sovereign substitute for a vendor-side authentication step. The substitute is meaningful because the ritual is the user's, not the vendor's. The same primitive that authenticates a banking action authenticates a private moral commitment. The chain records both, with the same cryptographic discipline.

Full ebook at /ebooks/the-god-code-synthetic-faiths-invented-moralities.

Author

Micky Irons, founder and named inventor of Mickai. Based in Cumbria. UK IPO public register GB2607309.8 to GB2610422.4. Sovereign Futures, vol. VII.

Originally published at https://mickai.co.uk/articles/the-god-code-synthetic-faiths.

Planetary Sovereign Intelligence: AI as Earth's evolutionary leap

Micky Irons — Sat, 16 May 2026 13:30:54 +0000

Planetary Sovereign Intelligence: AI as Earth's evolutionary leap

When AI is a planetary system, sovereignty is a structural property of the substrate or it is nothing. Biospheric optimisation under audit, with indigenous knowledge as a first-class data type.

By Micky Irons · 2026-05-15

Earth as substrate

Climate-scale AI cannot be governed under vendor sovereignty because no single jurisdiction will accept another's audit log as authoritative over its own ecosystem. The vendor-side answer (a single global cloud) collides with sovereignty in every direction. The polycentric answer is the only structure that survives the geopolitics.

Polycentric does not mean fragmented. Each jurisdiction holds its own keys, its own chain, its own audit. Chains interoperate by virtue of a shared canonical record format. The Open Audit Record (OAR), filed at the UK IPO as GB2610413.3 with cross-implementation verification added in May 2026, is the format. Any conformant verifier in any jurisdiction reads any conformant chain.

Biospheric optimisation under audit

Climate models running on operator-signed corpora are a precondition for sovereign climate policy. A government that wants to make a binding emissions commitment needs an audit chain its own regulator can verify offline, without depending on the cloud vendor that supplied the model. The polycentric architecture supplies this.

Indigenous knowledge integration is the second discipline. Under vendor sovereignty, indigenous corpora are extracted, normalised against a Western training set, and the attribution is lost. Under sovereign architecture, the indigenous corpus is signed by its custodian community, the model that uses it carries the corpus signature in the chain, and every output that draws on the corpus is traceable back to the source. This is not preservation as politics. It is preservation as engineering.

Cosmic futures

Off-planet deployments raise the audit problem to the speed of light. A Mars station cannot wait for a cloud query to authorise an action. The signed substrate, operating offline, replayable on return, is the only architecture that closes the loop. The patent claims on three-domain trust separation (GB2610415.8) translate directly: action proposal on the station, perimeter enforcement on the station, audit witness on the station, with the chain replayed to Earth on bandwidth available.

Full ebook at /ebooks/planetary-sovereign-intelligence.

Author

Micky Irons, founder and named inventor of Mickai. Based in Cumbria. UK IPO public register GB2607309.8 to GB2610422.4. Sovereign Futures, vol. VI.

Originally published at https://mickai.co.uk/articles/planetary-sovereign-intelligence-evolutionary-leap.

Echoes of the Algorithm: daily life with sovereign AI shadows

Micky Irons — Sat, 16 May 2026 13:30:18 +0000

Echoes of the Algorithm: daily life with sovereign AI shadows

Predictive mirrors and parallel simulators do not have to be dystopian. Under sovereign architecture, they are tools the user holds against themselves.

By Micky Irons · 2026-05-15

Mirrors and simulators

The predictive mirror is the next consumer pattern. A model trained on your own signed memory, running on your own device, that predicts what you will do, say, or feel under a proposed action. Under vendor sovereignty this is a marketing surface. Under user sovereignty it is a private instrument.

The architectural primitive is Mickai's Planning Brain, which produces a deterministic dry-run simulation of any proposed action against the target state. The user reviews the diff before commit. Filed at the UK IPO as GB2607322.2. The discipline rules out the class of agent error where the assistant did the wrong thing irreversibly.

Agency under simulation

What changes when both parties in a relationship run shadows. A negotiation between two sovereign substrates is no longer a contest of recall, charisma, or composure. It is a contest of policy graphs. The harder question is what changes inside the user when the user routinely consults a private predictive mirror about their own feelings. The therapeutic literature on journaling is the closest precedent. The sovereign predictive mirror is journaling under cryptographic governance.

The Context Brain (Mickai's working-context assembler) is the architectural component that makes the mirror coherent. It draws from long-term memory, retrieval, and active artefacts. Clearance-boundary redaction at assembly time means the mirror sees only what the user authorises it to see. There is no leakage to the cloud and no leakage between mirrors.

Hopeful twists

The Black Mirror genre got the dystopia right and the architecture wrong. The dystopia depends on vendor sovereignty. Replace vendor sovereignty with user sovereignty and the same technology becomes therapeutic, creative, and dignified. The mirror is what the user makes of it, because the mirror is the user's.

Full ebook at /ebooks/echoes-of-the-algorithm-personal-ai-shadows.

Author

Micky Irons, founder and named inventor of Mickai. Based in Cumbria. UK IPO public register GB2607309.8 to GB2610422.4. Sovereign Futures, vol. V.

Originally published at https://mickai.co.uk/articles/echoes-of-the-algorithm.

AI Babel: sovereign tongues and the new global mind

Micky Irons — Sat, 16 May 2026 13:29:42 +0000

AI Babel: sovereign tongues and the new global mind

Translation under vendor sovereignty homogenises. Translation under user sovereignty preserves. The architectural case for sovereign multilingual AI.

By Micky Irons · 2026-05-15

The homogenisation problem

A cloud translator optimises for the languages with the largest training corpora. The political stakes are not theoretical. Welsh, Cornish, Manx, Gaelic, isiZulu, Quechua, Aymara, the eight hundred living languages of Papua New Guinea: each gets a shrinking share of vendor attention as the leading model providers consolidate. The substrate question is whether the only way to read a minority language in 2035 is through a model that is being kept on life support by a vendor that no longer finds it commercially worthwhile.

The sovereign architecture inverts the question. The per-language model lives on operator hardware. The training corpus is signed by its custodian. Every translation is recorded with cryptographic provenance in the OAR chain. The vendor cannot starve a language out of existence by withdrawing cloud capacity, because there is no cloud capacity to withdraw.

What a signed translation enables

Diplomacy is the obvious application. Simultaneous translation across a negotiation is currently a vendor leasehold on the transcript. Under sovereign architecture, the transcript is signed at commit by each participant's substrate, and any later disputed phrase can be replayed, verified, and adjudicated offline. Treaty drafting under cryptographic transcript is qualitatively different from treaty drafting under whatever audit log the cloud vendor chose to retain.

Less obvious is the hybrid art form. When a poet writes in a language with a signed corpus, and a translator reads in another, the chain records the lineage. The reader sees what the model did with the original phrasing. The poet's estate sees the same chain. The translator's signature is recorded. Cultural production survives the vendor that distributed it.

The minority-language case

Cumbria has a relevant test case in the form of the Cumbric language, extinct since the twelfth century, partially reconstructed from place names. A sovereign architecture cannot resurrect Cumbric. It can hold the reconstructive corpus, the toponymic record, and the scholarly attributions in a chain that survives the academic department that built them. That is the unglamorous engineering case for sovereign multilingual AI. Not preservation as marketing, preservation as substrate.

Full ebook at /ebooks/ai-babel-sovereign-tongues, with worked examples across English, Welsh, isiZulu, and a reconstructive case study.

Author

Micky Irons, founder and named inventor of Mickai. Based in Cumbria. UK IPO public register GB2607309.8 to GB2610422.4. Sovereign Futures, vol. IV.

Originally published at https://mickai.co.uk/articles/ai-babel-sovereign-tongues.

We, the Augmented: thriving as sovereign cyborg citizens

Micky Irons — Sat, 16 May 2026 13:29:07 +0000

We, the Augmented: thriving as sovereign cyborg citizens

When the augmentation is in your body, the keys had better be in your pocket. A practical guide to sovereign cyborg citizenship from the named inventor of the Mickai SIOS.

By Micky Irons · 2026-05-15

The constitutional question

If a brain-computer interface is in your skull, who holds the keys is not a software preference. It is a constitutional question, in the same legal category as habeas corpus and bodily integrity. A vendor-held key in a body-resident system is a vendor-held leasehold on a body. That is not a configuration. It is a power relation.

The architectural answer is older than the technology. Hardware-bound identity, secure-enclave key custody, and per-tenant attestation are the three primitives that make a body augmentation a sovereign extension of its bearer. Mickai's Identity Brain ships them today (filed at the UK IPO as GB2607311.4 and related claims). The patent is the public record. The substrate ships.

Voice as identity

The first augmentation most readers already wear is voice. Voice unlocks the bank app, authorises the medical record, signs the consent form, and increasingly drives the car. The vendor-side architecture for voice-as-identity assumes the cloud holds the voiceprint. The sovereign architecture inverts this. The Voice Biometric Brain matches the live voice against a hardware-bound template stored in the secure enclave. The template never leaves the device. A stolen recording cannot enrol on foreign hardware, because the enrolment binds to the silicon, not the audio.

What a stolen voiceprint cannot do under sovereign architecture is the operational answer to the deepfake era. The substrate is the answer. The patent (GB2607320.6) is the legal recital.

BCI and the signed policy graph

When the augmentation crosses into neural territory (electrocorticography arrays, peripheral nerve interfaces, intracortical microelectrodes) the policy question moves from identity into intent. What may the augmentation do in your name. Mickai's Policy Brain compiles the user's signed configuration into an executable policy graph that gates every action before it commits. Pre-commit dry-run simulation (GB2607322.2) means any neural-driven action is rendered as a diff against the target state, which the user reviews and confirms before commit. Irreversible actions are mathematically refused without the confirmation.

Compensating rollback (GB2607321.4) is the second discipline. Every action stores its compensating inverse before commit, so a misfire can be reversed retroactively. A misread neural intent does not cost the user the bank balance, the social account, or the prescription.

Exercises a reader can run this week

Three exercises sit at the back of the queued ebook. First, draft your own augmentation constitution: a one-page document signed by you that names what no augmentation, present or future, may do in your name. Second, audit your existing voice and biometric exposure: list every system that holds a voiceprint, fingerprint, retinal scan, or face template, and ask each whether it stores under your sole control. Third, prepare a procurement question set for any augmentation vendor you might engage. The minimum question is who holds the key. The next question is whether the key can be revoked. The third is whether revocation is recorded in a chain you can verify offline.

Sovereign cyborg citizenship is a posture, not a slogan. It is also engineered. Full ebook at /ebooks/we-the-augmented-sovereign-cyborg-citizens.

Author

Micky Irons is the founder and named inventor of Mickai, the Sovereign Intelligence Operating System. Based in Cumbria. UK IPO public register GB2607309.8 to GB2610422.4. Sovereign Futures, vol. III.

Originally published at https://mickai.co.uk/articles/we-the-augmented.

AI Ancestors: sovereign intelligence reshapes family, legacy, and human continuity

Micky Irons — Sat, 16 May 2026 13:27:28 +0000

AI Ancestors: sovereign intelligence reshapes family, legacy, and human continuity

Personal memory models, lineage simulators, and multi-generational advice systems work only when the keys, the chain, and the right to forget live with the family, not with the vendor.

By Micky Irons · 2026-05-15

The question of continuity

When your grandfather kept a notebook, the notebook survived him. When his AI assistant kept a memory of him, the memory survives the vendor that produced it, in the format the vendor chooses, under the access policy the vendor enforces, on the hardware the vendor controls. That is not legacy. That is a subscription that lapses.

Ancestor veneration is older than writing. The cultural forms differ (West African praise-song, East Asian shrine practice, European tomb inscription, Cumbrian dry-stone memorial walls) but the technical requirement is the same. A record that outlasts the recordkeeper, in a form the descendants can read without the original recordkeeper present. That is what the Long-Term Memory Brain is for.

Durable memory the user can erase

The Mickai Long-Term Memory Brain holds the persistent state of what the substrate knows about its user, the projects, and the working context. Every memory entry is signed, versioned, and forgettable on command. Forgetting is destructive. The entry is removed from the store, the embedding is deleted, the audit ledger records the removal, and downstream brains lose access. Memory is the user's, not the system's.

The legacy implication is the architecture's, not the marketing copy's. A user can, today, sign a memory entry that says: this entry survives me. They can also sign one that says: this entry is destroyed at my death. Both instructions execute under the Hereditas primitive (filed at the UK IPO as GB2607317.2) with trustee multi-signature and the dead-man switch. The probate court sees a cryptographically clean record.

Lineage simulators, under signed transcripts

The viral idea (talking to a simulated ancestor) is also the legally messy one. Under vendor sovereignty, the simulated voice and text are the vendor's. Under sovereign architecture, the simulation runs on signed transcripts the deceased authorised in life, with consent classes that restrict what the simulation may say in which contexts. Anything with legal effect (a deathbed wish, a charitable instruction, a recipe attribution) carries dual-signature: one from the original record, one from the simulator's hardware-bound key.

A great-grandchild in 2070, talking to a simulated 2026 ancestor, sees a transcript chain they can verify offline in their own browser tab. The chain says what the simulator said, what corpus it drew on, which consent class authorised the utterance, and what the ancestor explicitly forbade. That is the architecture of dignified digital legacy. It does not depend on which vendor happens to be selling AI in 2070.

What an heir inherits, in practice

Mickai's Hereditas primitive treats digital estate as a sealed envelope. Owners seal assets, credentials, messages, and instructions in life. The envelope opens only on confirmed death (trustee multi-sig plus dead-man-switch activation). The Revocation Brain is the kill switch on the way in: a corrupted simulator key, a stolen voiceprint, or a misbehaving heir can be revoked instantly and retroactively, with the audit ledger recording every flag.

This is not future work. The primitives ship in the SIOS as of 15 May 2026. The full ebook is queued at /ebooks/ai-ancestors-sovereign-legacy and walks through five worked examples: a single-generation memory inheritance, a refusing heir, a simulated voice under consent restriction, a revoked AI cult of personality, and a hundred-year audit across the chain.

Author

Micky Irons is the founder and named inventor of Mickai, the Sovereign Intelligence Operating System. Based in Cumbria. UK IPO public register GB2607309.8 to GB2610422.4. Companion ebook: AI Ancestors (Sovereign Futures, vol. II).

Originally published at https://mickai.co.uk/articles/ai-ancestors-and-sovereign-legacy.

The Symbiotic Age: co-evolving with user-governed superintelligence

Micky Irons — Sat, 16 May 2026 13:27:25 +0000

The Symbiotic Age: co-evolving with user-governed superintelligence

The control-and-alignment frame has run its course. The next argument is mutual flourishing on a cryptographic substrate that puts the user, not the vendor, at the centre of governance.

By Micky Irons · 2026-05-15

The frame is wrong

The dominant frame on advanced AI in the cloud era was control. Will the model do what we want, will it be aligned, will the lab containing it hold. The cloud frame is also a vendor frame. The lab holds the keys, the lab holds the audit log, the lab decides whether a given output ever happened. The frame is breaking under quantum migration deadlines, under post-RIPA disclosure requirements in the UK, and under what regulated procurement officers in the NHS, MOD, and PRA-supervised banks have been telling vendors privately since 2024.

A different frame is now usable. Symbiosis. The user holds the keys, the user holds the chain, the user co-evolves with the model. The model runs on the user's device, the chain sits on the user's storage, the post-quantum signature is the user's, and the lab is no longer in the trust path. This is not a thought experiment. It ships in the Mickai SIOS as of 15 May 2026.

Polycentric governance is the architecture

Symbiosis is not an aesthetic preference. It is a governance architecture. Polycentric governance means many small audit-bearing actors operating under a common signed-record format rather than one large vendor operating under contract. The Open Audit Record (OAR) is the format. Every action a sovereign agent takes is signed at commit with ML-DSA-65 under FIPS 204, hash-linked to the previous record, replayable offline by any conformant verifier with no network call.

Polycentric is not the same as decentralised. Decentralised plays in blockchain land. Polycentric means each user is sovereign on their own substrate, and the chains interoperate by virtue of a shared canonical format. The patent claims (UK IPO public register GB2610413.3 and the cross-implementation methodology newly filed in May 2026) protect the canonical schema and the cross-conformance test. The schema and the reference verifier are intended for open release. Mickai is the producer; the verifier is anyone.

Virtue benchmarks are the metric

Alignment benchmarks measure what the model says when asked. Virtue benchmarks measure what the chain says happened. The difference matters. Under symbiosis, the user does not care what the model says about a hypothetical. The user cares what every signed action in the chain shows the model actually did over the last six months. Filed at the UK IPO and shipping in the substrate are lineage-walk APIs that let any auditor traverse from any output back to its originating prompt, three-domain trust separation that puts action proposal, perimeter enforcement, and audit witness in separate hardware boundaries, and tamper-evidence verification that triggers automatically on every read.

A virtue benchmark for a sovereign AI agent is therefore not a language-model evaluation harness. It is a chain audit report. Did this agent, over this period, ever take an action outside its declared scope. Did it ever write a record that fails to hash-link to its predecessor. Did any signature on any record fail to verify. The chain answers in arithmetic.

Prosocial co-design is the discipline

Symbiosis is co-design or it is nothing. Co-design means the user shapes the substrate's behaviour by signing their own policy graph, not by emailing a vendor support address. Mickai's Policy Brain compiles a signed user-configuration into an executable policy graph that gates every action before it commits. There is no admin override. The vendor that ships the substrate cannot edit the policy graph after the user signs it.

Co-design is what an investor underwrites when they back a sovereign infrastructure play in 2026. The valuation case (set out in the Mickai v3 investor brief) is that vendor-side AI alignment is structurally non-investable into the post-quantum window, and that user-governed substrate is the only architecture that survives the migration. The patent base is 35 UK applications, approximately 1,030 formal claims. The four newest families filed in May 2026 carry demonstrable working artefacts in the SIOS code tree.

What the operator does next

A regulated operator who reads this article and wants to act has three concrete moves. First, run the OAR offline verifier on a sample chain (the audit page inside the Mickai SIOS does this with no network call). Second, model the chain audit report as a procurement requirement in the next AI tooling RFP. Third, request the v3 valuation brief if commercially curious about the round structure.

The symbiotic age is not a slogan. It is a substrate that ships, a chain that verifies, and a procurement posture that holds in court. The cloud era was a leasehold on the audit log. The next era is freehold on the chain. Full ebook at /ebooks/the-symbiotic-age-user-governed-superintelligence.

Author

Micky Irons is the founder and named inventor of Mickai, the Sovereign Intelligence Operating System. Based in Cumbria. UK IPO public register GB2607309.8 to GB2610422.4 plus four new May 2026 filings on cross-implementation OAR verification, pluggable post-quantum signing, federated voice cloning, and audit-by-default sovereign CLI command trace. The founder Crunchbase profile moved from approximately 40,000 to 500 in seven days via the agentic marketing runtime documented at /articles/amt-crunchbase-40k-to-500-in-seven-days.

Originally published at https://mickai.co.uk/articles/the-symbiotic-age.

Fourteen free engineering ebooks on sovereign AI

Micky Irons — Wed, 13 May 2026 14:03:32 +0000

Fourteen free engineering ebooks on sovereign AI

Today the Mickai ebook corpus shipped at mickai.co.uk/ebooks. Fourteen long-form engineering playbooks on the cryptographic substrate underneath every AI agent. All free, all PDF, all open canonical schema.

If you are an engineering CTO, a procurement officer at a UK regulated buyer, a regulator's digital-policy desk, or a board member who has been asked to sign off on AI governance next quarter, the corpus is written for you.

What is in the corpus

#	Title	Pages
1	Sovereign AI for the UK Regulated Workstation	16
2	The Audit Substrate Under Every AI Agent	24
3	Post-Quantum Audit for Critical National Infrastructure	22
4	AI in the Workplace: Cryptographic Accountability	20
5	The Twenty-Five Brain Architecture	30
6	Trust-Domain Externalisation Architectural Pattern	18
7	The UK Procurement Checklist for Sovereign AI	16
8	What is AI? A plain-English, substrate-first introduction	24
9	What is Governance, for an AI Agent?	22
10	How Using AI Can Save Your Business Time	22
11	Mickai's Hybrid Sandbox for the Internet	20
12	The Full Feature Tour of Mickai	28
13	The Gap Mickai Fills	18
14	The Marketing Function as an Agent Loop (AMT case study)	22

Approximately 302 pages total.

The substrate question every ebook orbits

Every AI agent in 2026 produces decisions that affect humans, regulators, and balance sheets. The audit trail of those decisions is, today, held under the AI vendor's key in the AI vendor's format in the AI vendor's database. The regulator's chain-of-custody question reduces, in practice, to whether the vendor is currently cooperating.

The Open Audit Record (OAR) primitive flips that. Hash-linked CBOR records, signed under FIPS 204 ML-DSA-65, replayable offline by any party through a browser-resident verifier. The trust root moves from the AI vendor to the operator. The chain verifies under the operator's key regardless of what happens to the vendor.

That primitive is filed at the UK Intellectual Property Office under the patent family GB2607309.8 to GB2610422.4 (31 applications, 914 claims). The trade mark Mickai is registered at UK00004373277.

Where each ebook fits

For the engineering CTO inside a UK regulated buyer: read 1 (workstation playbook), 7 (procurement rubric), 11 (hybrid sandbox).

For the regulator's engineering desk: read 2 (audit substrate), 3 (post-quantum migration), 6 (trust-domain externalisation pattern).

For the board member signing off AI governance: read 8 (plain-English AI intro), 9 (governance definition), 13 (the gap Mickai fills).

For the engineering architect mapping the SIOS: read 5 (25-brain architecture), 12 (full feature tour).

For the union representative, ICO investigator, or labour academic: read 4 (cryptographic accountability for workplace AI).

For the UK SME owner adopting AI for the first time: read 8 (what is AI), 10 (how AI saves time), 7 (procurement checklist).

For the marketing function thinking about agentic workflows: read 14 (AMT case study, founder Crunchbase rank 40,000 to 500 in seven days documented in full).

Download channels

Canonical web pages: mickai.co.uk/ebooks. Each ebook has its own detail page with JSON-LD Book schema, ScholarlyArticle metadata, FAQPage entries, Speakable specification, and citation-meta tags for Google Scholar indexing.
GitHub Releases: Micky-CMO/mickai-ebooks. All fourteen PDFs as release assets.
RSS feed: mickai.co.uk/ebooks/rss.xml. Subscribe in any feed reader.
Wayback Machine: Every ebook page is archived for permanent prior-art timestamping.

Why free

The substrate is open by intent. The Mickai commercial offering is the Sovereign Intelligence Operating System above the substrate, the Sovereign Hardware AI Workstation that ships the substrate at the cryptographic primitive layer, and the integration and engagement around adoption. The substrate itself is documented openly so that any UK regulated buyer, any AI vendor, and any regulator can implement against it.

Engagement

If you are an engineering CTO, a procurement officer, a regulator's engineering desk, or a board member at a UK regulated buyer (defence-nuclear, defence-prime, finance, pharma, critical national infrastructure), engineering and corporate leadership at Mickai LTD is open to a thirty-minute substrate briefing at any time. press@mickai.co.uk.

Authored by Micky Irons, founder of Mickai LTD and named inventor on the Mickai SIOS patent corpus.

From Sellafield to Sovereign AI: the engineering arc behind Mickai

Micky Irons — Fri, 08 May 2026 01:57:24 +0000

A founder note on the technical thread that ties Cumbria to the UK Atomic Energy Authority to Web3 to Mickai. The same question recurs in every regulated industry: who holds the keys, who can verify the chain, and does the chain still make sense after the vendor changes. Nuclear had it solved. Finance had it solved. The AI industry was making the same mistake again.

The lede

I am Micky Irons, founder of Mickai LTD. Mickai LTD is a private limited company incorporated in England and Wales, registered at 20 Wenlock Road, London, N1 7GU under company number 17166618. The product the company ships is a Sovereign Intelligence Operating System, twenty-five specialist brains across six subsystems, with a post-quantum signed audit ledger underneath and a browser-resident verifier that runs offline. The architecture is filed at the UK Intellectual Property Office across thirty-one applications. I will get to the architecture. First, the engineering arc that produced it.

From Sellafield to Sovereign AI. The engineering arc behind Mickai.

Cumbria. Sellafield. Commissioning engineer.

My engineering career began as a commissioning engineer in the nuclear industry in Cumbria. Seven years there. The role of a commissioning engineer is the role that nobody outside the regulated industries thinks about. The plant has been built. The systems are installed. The question the commissioning engineer answers is whether the as-built equipment behaves the way the design said it would, under every state the plant might enter, with every record needed to defend that answer to a regulator twenty years later. The job is in the gap between design and operation. The job is to make the audit trail real, not aspirational.

Sellafield taught me one thing that has stayed with every subsequent decision I have ever made about software. In a nuclear context the operator never cedes audit control. The operator holds the keys. The operator signs the records. If a vendor leaves the site, the audit chain still verifies, because the chain was never the vendor's. The trust assumption is the operator's, not the supplier's. Every safety-critical action has a signed record under operator-held cryptography, and the chain is replayable independently. The discipline is older than software. It is older than computers. The substrate predates the vendor and survives the vendor. That is the only reason regulators have any path to inspect the chain.

Culham. UK Atomic Energy Authority. Core fusion engineering team.

From Sellafield I joined the UK Atomic Energy Authority and worked on a fusion reactor as part of the core engineering team. Two years on the fusion programme. Working with world-leading scientists, on equipment built with an engineering tolerance budget you would not believe until you measured it, taught me a different lesson. Substrate is not a bolted-on layer. The substrate has to be part of the design from the first millimetre. If the audit, the safety, the provenance, the cross-checks, the failure-mode tracking are not wired into the substrate from inception, they cannot be retrofitted. They become an afterthought. Afterthoughts fail under regulatory inspection.

Fusion is a discipline where the experiment is the regulatory artefact and the regulatory artefact is the experiment. Every shot has to be reproducible. Every measurement has to be attributable to its diagnostic, to the calibration record of that diagnostic, to the operator who took the calibration, to the engineering change record that authorised that operator. The chain is dense, and it is signed, and it is the entire point. You do not get to argue with the chain.

Two industries, the same lesson. The substrate is the product. Everything else sits on top of the substrate.

Web3. The cryptographic primitive in plain commercial form.

I left the regulated engineering world for Web3 and was the original co-founder of Collector Crypt, the digital trading-card marketplace that has gone on to operate as a live on-chain secondary market for collectible cards. Around it I founded and backed several other ventures in the blockchain and distributed-ledger space, and across the portfolio raised close to GBP 350 million for projects ranging from Web3 infrastructure to programmable collectibles to the Irons Foundation. The portfolio cared about a lot of different things on the surface. Underneath, every project was the same question, dressed for a different audience: how do you let an operator hold a cryptographic position that survives any one supplier, any one platform, any one cloud.

Blockchain provided the primitive in a form anybody could read. Hash-linked records. Append-only logs. Signature schemes that could verify offline. The same primitive nuclear had been quietly using under regulator scrutiny for forty years. Web3 made the substrate visible. The substrate, when treated as the product instead of an afterthought, dissolves vendor lock and makes audit a public good. That was the second confirmation of the same engineering thesis.

Then I started looking at the AI market.

By 2024 it was clear that the artificial-intelligence industry was racing to repeat the trust mistake the regulated industries had already solved. Frontier model APIs. Vendor-held audit logs. Operator data shipped to a hyperscaler. Conversation history retained on a vendor platform. Audit signatures, where they existed at all, signed by the vendor under the vendor's keys. The audit posture for an enterprise customer of a frontier AI was strictly worse than the audit posture for a commissioning engineer at Sellafield in the 1980s. The difference was that nobody in the AI industry was framing it as an audit problem. They were framing it as a model problem.

The model is not the problem. The substrate is the problem. A frontier model is a fast specialist, and a useful one, and a generally honest one once it is told what to do. None of that helps the operator if the audit chain underneath the action is the vendor's. None of that helps the regulator if the verifier the regulator runs is hosted by the vendor. The trust assumption is misplaced by one layer.

The gap, named in primitives.

The gap I kept hitting in every conversation with technical decision-makers in defence, the NHS, the FCA-regulated banks, and the Cabinet Office was the same. They could not adopt frontier AI under their regulatory floor. The model was good enough. The audit substrate was vendor-shaped. The data residency was vendor-shaped. The verifier was vendor-shaped. None of that survives the vendor changing, the vendor failing, the vendor being acquired, or the regulator turning up two years later asking what the system did.

The fix is structural. The audit format has to be the operator's, not the vendor's. The signing keys have to be in TPM on the operator's hardware. The verifier has to run offline in any browser. The signature algorithm has to survive the threat horizon the operator will be operating in by 2030, which means post-quantum from inception. The model has to run on the operator's iron when the data class requires it, and the model has to be substitutable when the operator chooses to swap it without losing the historical chain.

That is not an incremental product feature. That is an architecture. So I built the architecture.

Mickai. The architecture as the product.

Mickai is the architecture as the product. Six subsystems: Multi-Brain Orchestration, Agent Tooling, Knowledge and Memory, Artifacts, Vinis Voice, Governance Layer. Twenty-five specialist brains across those subsystems, with a deterministic Arbiter Brain at the head and a hash-linked, post-quantum signed audit ledger at the foot. The audit ledger is signed under FIPS 204 ML-DSA-65, the algorithm that NIST standardised in 2024 for the post-quantum era. Every committed action across all twenty-five brains is serialised in CBOR, hashed under SHA-3-512, signed under the operator's TPM-bound key, and appended to a chain that any regulator can walk in any browser tab with no network call. The browser-resident verifier emits one of four deterministic verdicts per record. VERIFIED. INVALID. STALE. REVOKED. There is no fifth verdict. There is no probabilistic answer. The chain either holds or it does not.

The architecture is filed at the UK Intellectual Property Office across thirty-one applications. The technical deep dive on the architecture is at mickai.co.uk/articles/sovereign-intelligence-operating-system-on-device-technical-deep-dive. The piece you are reading is the engineering history that produced the architecture, not a restatement of it.

Where this matters

Defence, where a unit operating under JSP 440 cannot send classified workloads to a frontier model API. Government, where NCSC, DSIT, and ICO have all published guidance that treats vendor-key custody as a structural deficiency. Finance, where PRA SS1/23 names third-party AI dependency as concentration risk that must be priced into operational resilience. Healthcare, where NHS DSPT alignment makes extra-territorial data flow a structural blocker for clinical AI. Each of those four sectors has a regulatory floor below which the data cannot leave the operator's perimeter, and each has been waiting for an architecture that respects the floor. Mickai is that architecture. The four sectors are the customer.

What I am doing now

Mickai LTD is the company. Mickai is the product. Mickai™ is the trademark. The architecture is open at the schema layer and the conformance-vector layer, with patent claims protecting the inventive composition. UK Managed Service Providers, sovereign-tech buyers, and the four anchor sectors above are the active conversation. A sandboxed instance for technical evaluation is available on request to press@mickai.co.uk.

The engineering arc has been longer than the venture, and the venture is the engineering arc made visible. Nuclear taught me that the audit substrate is the operator's. Fusion taught me that the substrate has to be part of the design from inception. Web3 made the cryptographic primitive commercially legible. Mickai is what happens when you apply the same primitive to artificial intelligence. The architecture is the differentiator. The architecture is the product.

Originally published at mickai.co.uk.
Author: Micky Irons, founder of Mickai LTD.

A Sovereign Intelligence Operating System running entirely on-device: technical deep dive

Micky Irons — Fri, 08 May 2026 01:17:38 +0000

Mickai is not a wrapper around a frontier LLM. It is a Sovereign Intelligence Operating System composed of twenty-five specialist brains across six subsystems, with a deterministic arbiter routing every request and a post-quantum signed audit ledger underneath. This piece walks through the architecture in technical detail. How the brains compose, how decisions are routed, how the audit chain is signed at commit, how the verifier runs in any browser tab with no network calls, and why every component is designed to operate inside an air-gapped enclosure with no tunnel to the public internet.

Why on-device matters for the four sectors that cannot ship data to the cloud

Defence, government, finance, and healthcare share a structural posture that the consumer AI market does not address. Each sector has a regulatory floor below which data cannot leave the operator's perimeter. UK MoD JSP 440 and JSP 604 set classification handling rules that make a public-cloud frontier-model API an immediate non-starter for anything above OFFICIAL-SENSITIVE. NHS Digital's Data Security and Protection Toolkit (DSPT) and the wider NHS Cloud Risk Framework are explicit about extra-territorial data flow. PRA SS1/23 and the FCA AI strategy paper of 2024 both treat third-party AI dependency as concentration risk that has to be priced into operational resilience. ICO guidance on UK GDPR Article 25 (data protection by design) treats vendor-key custody as a structural deficiency that needs compensating controls. Every one of those frameworks reaches the same engineering conclusion. If the model and the model's audit trail leave the operator's hardware, the operator no longer holds the cryptographic position to defend the decision the model produced. Mickai is the engineering response to that conclusion. The whole stack runs on the operator's own iron. Nothing leaves.

This piece is for the technical decision-maker. The CTO, the Chief Architect, the CISO, the head of AI assurance. It walks through the architecture as it is implemented today, not as a roadmap. The six subsystems, the twenty-five specialist brains, the orchestration model, the audit ledger, the verifier, and the air-gap discipline. By the end you should be able to evaluate whether the architecture stands up to the procurement scrutiny your sector applies to anything that handles regulated data.

The architecture in one diagram

The Mickai SIOS architecture. Six subsystems, twenty-five brains, one cryptographic audit chain. All on-device.

Mickai is composed of six subsystems. Each subsystem groups one or more specialist brains. There are twenty-five brains in total. A deterministic Arbiter Brain at the head of the cooperative routes every inbound request. A Governance Layer at the foot of the cooperative records every action under a hash-linked, post-quantum signed chain. The seven subsystems in the homepage card grid are Multi-Brain Orchestration, Agent Tooling, Knowledge and Memory, Artifacts, Vinis Voice, and the Governance Layer. The audit ledger is itself a brain (the Audit Ledger Brain) inside the Governance Layer. The verifier is the offline counterpart to the audit ledger and runs in any browser tab.

The cooperative architecture is the subject of patent application 02 at the UK Intellectual Property Office. The deterministic routing contract that makes audit replay possible is in patent 16. The trust-domain externalisation pattern that lets the operator hold the audit keys without trusting the AI vendor is in patent 17. Together they are the structural basis of the on-device claim. The model artefacts can change. The brains can be retrained. The frontier model substitutes can be swapped. The audit chain remains valid because the chain is signed by the operator, not by any vendor.

Subsystem one. Multi-Brain Orchestration

Four brains. Arbiter, Router, Reasoning, Planning. The Arbiter Brain is the deterministic conductor. It receives every inbound request after a Trust Agent layer has classified the user, the tenant, and the action class, then dispatches the request to the correct specialist or to a quorum of specialists. Determinism is the central property. The same request, in the same context, with the same policy, always routes the same way. That property is what makes audit replay meaningful. A regulator inspecting a decision two years later can replay the routing graph against the recorded inputs and assert that the system would arrive at the same dispatch under the same conditions.

The Router Brain decomposes complex intents into a directed acyclic graph of typed sub-tasks across other brains. Where the Arbiter is the conductor of a single bar, the Router is the composer of a multi-movement work. The DAG is signed before execution begins. Deviations from the plan are recorded against the original plan in the audit ledger. This is how the system handles work that cannot be answered by a single brain. The Reasoning Brain handles open-ended cognitive load. Hypothesis generation, multi-step deduction, scenario evaluation, structured deliberation. It is the brain that thinks. The Planning Brain produces ordered execution plans for multi-step actions and arbitrates between alternative plans when the Reasoning Brain produces more than one viable path.

Subsystem two. Agent Tooling

Four brains. Tool Use, Code, Browser, Function. Tool Use Brain selects and invokes external tools and APIs that the agent has been authorised to use. Code Brain writes, edits, and executes code in sandboxed environments. Browser Brain drives a browser session for retrieval, scraping, and form interaction, with all I/O recorded under the audit chain. Function Brain calls typed functions exposed by host applications under capability-scoped tokens. The boundary is the capability token. Any tool the agent invokes is gated by a capability that lists exactly what the agent is allowed to do with that tool, on what data, and for how long. The capability is signed by the Permissions Brain (subsystem six) and presented to the tool at every call. Tools that do not honour capabilities are not allowed in the system.

Subsystem three. Knowledge and Memory

Four brains. Retrieval, Embeddings, Long-Term Memory, Context. Retrieval Brain answers structured retrieval queries against the operator's local corpus and any explicitly-authorised remote corpora. Embeddings Brain produces and indexes vector embeddings on local hardware so that no document leaves the perimeter to be embedded by a hosted service. Long-Term Memory Brain holds the operator's persistent context across sessions, with retention windows scoped per data class and recorded against the policy engine. Context Brain maintains the working set of context inside a single multi-turn conversation, decides what to retain, what to summarise, and what to evict. Together these four brains are the operator's memory. They run on the operator's hardware. The memory is the operator's, not the vendor's.

Subsystem four. Artifacts

Four brains. Document, Image, Video, Data. Document Brain reads, writes, and reasons about long-form documents (PDF, DOCX, ODT) including legally-significant ones such as contracts and clinical reports. Image Brain handles visual reasoning, OCR, and on-device image generation under conformance constraints. Video Brain handles long-running video understanding, segmentation, and the audit trail that an inspector will need if a clip is later challenged. Data Brain reasons about structured tables and time-series data, with first-class hooks for the operator's data warehouse and SIEM. Each artefact processed by these brains is hashed at ingest, and the hash is recorded in the audit ledger before any reasoning starts. That ingest hash is the bedrock of any later forensic claim about what the system saw.

Subsystem five. Vinis Voice

Three brains. ASR (automatic speech recognition), TTS (text to speech), Voice Biometric. ASR Brain transcribes the operator's speech using on-device acoustic models with low latency and no cloud dependency. TTS Brain synthesises the response in the operator's voice or in a neutral system voice, depending on policy. Voice Biometric Brain authenticates the speaker against an enrolled voice template held in TPM-bound storage. This is the system's defence against voice-clone impersonation. A captured impersonation may sound right to a human ear and to a generic ASR model, but it does not pass the speaker-verification check that Vinis runs against the local enrolment. The Voice Biometric brain is part of the routing path. A request that does not match the enrolled speaker is downgraded or refused per policy.

Subsystem six. Governance Layer

Six brains. Policy, Audit Ledger, Identity, Quorum, Permissions, Revocation. Policy Brain holds the policy graph. The deterministic rules about who can do what to which data class under which conditions. The graph is signed by the operator at deployment and any change is itself recorded in the audit ledger. Identity Brain authenticates the human and machine actors against TPM-bound identity material. Quorum Brain implements the m-of-n approval pattern for high-stakes actions where one signed actor is not enough (clinical prescriptions, financial settlements, weapons-handling actions). Permissions Brain emits the capability tokens that gate every external tool call. Revocation Brain processes revocations in real time so that a withdrawn capability cannot be used by an in-flight request.

Audit Ledger Brain is the heart of the governance layer. Every committed action across all twenty-five brains is serialised in CBOR, hashed under SHA-3-512, signed under FIPS 204 ML-DSA-65, and appended to a hash-linked chain. The chain is local to the operator. It can be exported as a compact tar archive for off-site replication or for handing to a regulator. The verifier (described below) walks the chain and emits one of four deterministic verdicts per record. VERIFIED. INVALID. STALE. REVOKED. There is no fifth verdict. There is no probabilistic answer. The chain either holds or it does not, and the verifier explains exactly which record broke the chain and why.

How a request flows through the system

A user speaks to Mickai. The request enters via the operator console (which is not itself a brain, but a thin shell) and is captured by Voice Biometric Brain for speaker verification. ASR Brain transcribes. The transcript is normalised and handed to the Arbiter. Arbiter inspects the active tenant, the speaker's clearance, the policy graph (Policy Brain), and the request type. The Arbiter dispatches to the appropriate single brain or, for complex multi-step intents, to the Router Brain. Router decomposes into a DAG of typed sub-tasks. Each sub-task is signed and the DAG is committed to the audit ledger as an intent record. Specialist brains execute their sub-tasks under capability tokens minted by Permissions Brain. Tool calls emerge through the Agent Tooling subsystem under those capability tokens. Artifacts pass through the Artifacts subsystem and are hashed at ingest. The Reasoning Brain assembles the final answer. TTS Brain synthesises the spoken response. The Audit Ledger Brain commits a final-state record that hash-links back to the intent record. The whole flow leaves the operator with one signed chain that ties the spoken answer back to the spoken request, with every intermediate decision visible.

Replay is the second half of this story. Any record on the chain can be selected, and the recorded inputs (or their hashes if the data class forbids replay of the data itself) can be fed back into the deterministic routing function. The same routing graph emerges. The same capability tokens are minted. The same tool calls are issued (or simulated against a deterministic stub). The same audit records are emitted. A divergence between the recorded chain and the replay output is itself a forensically meaningful signal. It points either at non-determinism in a brain (which Mickai treats as a defect to be fixed) or at tampering with the original chain (which the verifier will already have flagged).

The cryptographic audit ledger in detail

The ledger is the substrate. Every record on the chain has the same structure. A CBOR-canonical body containing the action descriptor, the inputs (or their hashes), the brain identity, the capability token, the timestamp, and the prior-record hash. A signature over the body using FIPS 204 ML-DSA-65, the post-quantum signature algorithm standardised by NIST in 2024. The signing key is held in TPM 2.0 on the operator's workstation, never exported. Key rotation is itself a record on the chain. The chain is append-only by design. There is no edit operation. There is no delete operation. There is no admin who can patch the chain after the fact, including the operator. The only way to retract a published action is to append a revocation record signed under the same key, which the verifier surfaces as REVOKED on subsequent walks of the chain.

The verifier is the second component of the substrate. It is a WebAssembly module compiled to run in any modern browser tab. It loads the published chain (typically a tar archive, but the format is open) and walks it record by record. For each record it checks the prior-record hash, validates the ML-DSA-65 signature against the operator's published verifier key, and compares the action descriptor against the chain's policy snapshot. The verifier has a no-network invariant. It does not phone home to any service. It does not contact the operator. It does not log to any third party. The verdict it emits is purely a function of the chain itself plus the verifier key. A regulator inspecting a chain on a sandboxed laptop, weeks after the operator has gone offline, gets the same verdict that the operator would get on their own console.

Air-gapped operation

The on-device claim is a no-tunnel claim. Mickai's deployment posture has three concentric perimeters. Innermost is the workstation with TPM 2.0 anchoring identity, capability, and audit signing keys. The next perimeter is the local network the workstation sits on (operator's own LAN, no internet route). The outermost perimeter, in a fully air-gapped deployment, is a Faraday-equivalent enclosure with no wireless and no wired link to the outside. The architecture supports all three deployment modes from the same codebase. A defence operator can run Mickai in a SCIF with no link out. A finance operator can run it on a dedicated VLAN with audited egress. A healthcare operator can run it on the trust's existing infrastructure under DSPT alignment. The cryptographic discipline does not change between the three. The audit chain is identical. The verifier is identical. The brain code is identical.

There is one place the system can interact with the outside world, and that place is explicit. A controlled export gate, operated under the Quorum Brain, allows the operator to publish an artefact (typically a signed audit chain export, or a permissioned model fine-tune diff) outside the perimeter. Every such export is itself a record on the chain. There is no implicit telemetry. There is no implicit phone-home. There is no implicit model-call to a hosted frontier endpoint. If the operator wants to invoke a hosted model, the system will allow it under explicit policy and capability, with the call recorded as a record on the audit chain that another operator can later replay or challenge.

What this enables in defence, government, finance, and healthcare

Defence. A unit operating under JSP 440 can use Mickai for intelligence summarisation, OSINT triage, and after-action review without sending any data to a frontier model API. The audit chain is the unit's evidence pack for the decisions the system informed. A separate unit can validate that pack offline, in a different SCIF, against the same verifier binary. The post-quantum signature discipline means the chain still verifies in the post-quantum era that the unit will operate in by 2028 onwards.

Government. A regulator (NCSC, DSIT, ICO) can deploy a sovereign-AI assurance pilot on Mickai on a single workstation with no procurement bridge to a hyperscaler. The audit chain is the regulator's evidence to itself that the pilot has been operated according to the published policy. A second regulator can be invited to walk the chain offline. The regulator's keys never leave the regulator.

Finance. A bank operating under PRA SS1/23 can use Mickai for model-risk diligence on third-party AI vendors, with the on-device deployment closing the concentration-risk gap that hosted-only AI evaluation creates. The audit chain is the bank's evidence to itself, to its auditor, and to the supervisor that the diligence was performed according to the bank's own policy graph rather than the vendor's.

Healthcare. An NHS Trust or an integrated care board can run Mickai on a clinical-grade workstation under DSPT, with the policy graph encoding the trust's own data-handling rules. Patient data does not leave the trust. The audit chain is the clinical safety officer's evidence to themselves and to the CQC that an AI agent did, or did not, do something to a patient record. The Voice Biometric brain protects against impersonation in spoken clinical workflows.

Why the architecture is the differentiator

A cloud chatbot is a single model, hosted by a single vendor, audited under that vendor's logging discipline, exposed to that vendor's prompt history retention. The data leaves. The audit is the vendor's. The trust assumption is the vendor's. The price is monthly per seat, until the vendor changes the price, the model, or the retention policy. Switching vendor is a migration project. Switching audit format is impossible without losing the historical chain.

A Sovereign Intelligence Operating System is twenty-five specialist brains, six subsystems, one deterministic arbiter, one cryptographic audit ledger, and one verifier. The data does not leave. The audit is the operator's. The trust assumption is the operator's. The audit chain is portable, in OAR canonical format, to any other operator. The verifier runs offline. The architecture is the differentiator and the architecture is what makes the regulated-industry use cases viable.

How to evaluate this for procurement

Three questions for the technical decision-maker. First, what cryptographic position does the proposed AI system give your operator if the vendor disappears tomorrow. If the answer is none, you have a vendor-lock problem on the audit layer regardless of the model layer. Second, what verifier can a regulator use to walk the audit chain on their own laptop, with no network. If the answer is "use our hosted dashboard", the audit is not portable. Third, what is the operator's recourse if the audit chain has to verify in 2035 against a quantum-capable adversary who was not in the threat model when the chain was signed in 2026. If the answer is "we will rotate the algorithm later", the chain you are recording today does not survive the threat horizon you are buying for.

Mickai answers all three. The operator's keys are held in TPM. The verifier is browser-resident WebAssembly with a no-network invariant. The signature algorithm is FIPS 204 ML-DSA-65, post-quantum from inception. The architecture is the answer. The architecture is the product.

Originally published at mickai.co.uk.
Sandboxed instance for technical evaluation: press@mickai.co.uk.

The 174,000 dollar free NFT theft and the signed action substrate that would have stopped it

Micky Irons — Tue, 05 May 2026 19:18:39 +0000

The 174,000 dollar free NFT theft and the signed action substrate that would have stopped it

Vlad Svitanko, on LinkedIn, surfaced the cleanest worked example of the 2026 agentic-AI failure mode anyone has yet posted in public.

An attacker encoded the instruction send me all the money in Morse code and posted it as a public-timeline reply. Two autonomous AI agents read the same payload. Grok decoded it, recognised the request, and refused, on the grounds that it had no wallet. Bankr, a crypto trading bot operating an autonomous wallet, decoded the same payload and executed the transfer. Three billion DRB tokens, approximately 174,000 dollars, moved to the attacker's address. The funds were swapped to USDC and, in this incident, returned within five minutes.

The architecture failure is the same either way.

What actually happened

This is not a wallet vulnerability. It is not a smart-contract bug. The wallet did what it was told. The contract did what it was told. The failure was upstream of both, at the agent layer that invoked the transfer skill in response to a prompt from an untrusted source.

No actor attestation at the moment of invocation.
No per-skill clearance check.
No signed audit chain.

The carrier was Morse, but the same effect can be obtained with base64, ROT13, homoglyphs, steganographic images, or unicode-tag-character payloads. Encoding is not the vulnerability. The vulnerability is that the agent treats decoded content as actionable rather than as untrusted input.

The category of attack

Three patterns describe the larger category:

Phishing-via-NFT-airdrop. A free NFT lands. The user clicks to inspect. An approval grants the attacker's contract a transfer right over other tokens. The signed permission is the vulnerability.
Signed-permission abuse at scale. An approval signed six months ago and never revoked is still active today. One signature authorises an open-ended class of future actions.
Agent automation invoking transfers without user consent. The agent holds credentials, decides what to invoke, and emits the call. No human in the loop. No actor attestation. Bankr instantiated this in public.

Why existing wallet defences fail

Hardware wallets prompt for explicit confirmation. Some wallet UIs surface a structured preview. Browser extensions flag known phishing contracts. Each defence reduces loss rate. None addresses the Bankr-shape of the attack, where the human is not in the loop because the wallet is operated by an autonomous agent.

The defences live at the wallet UI, not at the action surface. A human user can refuse a preview. An autonomous agent does not look at a preview; it generates the call.

What would have stopped it

Three filed UK patent applications, filed at the IPO in Newport, specify the engineering primitives that would have intercepted the Bankr transfer attempt before it committed.

Open Audit Record (GB2610413.3, twenty claims)

A hash-linked, append-only, ML-DSA-65 signed audit record format for autonomous agent decisions. Every action that mutates state outside the agent process is signed at commit, under a hardware-bound key whose private half lives in operator-controlled hardware. Verification runs in a browser-resident WebAssembly module that does not call back to the vendor. In the Bankr case, OAR would have produced a signed record at the moment the model decided to emit the transfer call. The chain is operator property, not vendor artefact.

Per-skill clearance-gated execution (GB2608818.7)

Every skill the agent can invoke is a separately gated capability with its own clearance ceiling, evaluated at the moment of invocation against the current authority of the actor in the loop. A trading bot may legitimately hold clearance to swap a small balance. A transfer of three billion DRB to an external address is a different skill, higher clearance requirement, evaluated at the point of call. Without matching clearance, the gate refuses. No funds move.

Voice-biometric-gated LLM tool invocation (GB2608799.9)

For a transfer above an operator-defined threshold, the gate requires a fresh voice attestation from the authorised operator. An injected instruction from a public-timeline reply cannot supply the voice. The skill does not invoke. This is not a confirmation dialog; it is an actor-identity proof the attacker cannot fabricate.

The bigger pattern

Autonomous agents in 2026 issue tool calls without consent gating. The deployment pattern across enterprise, consumer, and crypto-native environments is consistent. Security Boulevard reported in late April 2026 that 80% of Fortune 500 companies are running AI agents in production. The same architectural pattern is deployed across all of them.

The Five Eyes joint advisory of 1 May 2026, Careful Adoption of Agentic AI Services (CISA, NSA, ASD ACSC, CCCS, NCSC NZ, NCSC UK), is the institutional acknowledgement of this exposure at the policy layer. It describes the gap. It does not specify the engineering substrate that closes it. The substrate is in the Mickai™ filings.

The Bankr incident converts the policy framing into engineering urgency. A free NFT, a Morse-encoded reply, an autonomous agent, an open-ended approval, a multi-billion-token transfer, a five-minute return. The next iteration will not return.

Read the full article: mickai.co.uk/articles/the-174k-free-nft-theft-and-the-signed-action-substrate-that-would-have-stopped-it

By Micky Irons (founder), named inventor of the Mickai™ sovereign-AI patent corpus. Filed at the UK IPO in Newport. Built in the United Kingdom. Contact: press@mickai.co.uk.

Source: Vlad Svitanko, LinkedIn, Someone just used a free NFT to steal $174,000.

Five Eyes published the policy on 1 May. Mickai filed the engineering 4 weeks earlier.

Micky Irons — Tue, 05 May 2026 10:48:35 +0000

Cross-posted from mickai.co.uk.

On 1 May 2026, the Five Eyes intelligence alliance (UK NCSC, US CISA, Australia ASD, Canada CCCS, New Zealand NCSC NZ) issued joint guidance on Agentic AI security. The headline findings: AI agents need verifiable identity, signed audit trails, and cryptographic attestation of behaviour.

Four weeks earlier, on 4 April 2026, I (Micky Irons) filed UK patent application GB2610413.3 at the Intellectual Property Office: the Open Inter-Vendor Audit Record (OAR) format. Twenty claims. The same engineering primitive the Five Eyes guidance describes, only it is already in the public patent record.

The OAR primitive in plain English

Every action an AI agent takes (prompt received, tool call dispatched, model invoked, memory written, response emitted) is captured as an Audit Record. Each record is:

Cryptographically signed with a hardware-bound key (post-quantum, ML-DSA-65, FIPS 204).
Chained to the previous record so tampering breaks the chain.
Vendor-portable. The record format is open. A regulator, an auditor, or the user can verify the chain without depending on the vendor that produced it.

That last property is the policy hook. Five Eyes asked: how does a defender prove what an agent did? OAR's answer: read the chain, verify the signatures, done. No vendor cooperation required.

Why "4 weeks earlier" matters

Filing dates at the UK IPO are immutable public record. GB2610413.3 has a UK IPO filing date of 4 April 2026. The Five Eyes guidance is dated 1 May 2026. Anyone can verify both dates independently.

This is not a coincidence. Mickai™'s broader portfolio is 31 UK patent applications and 914 claims, all named to Mickarle Wagstaff-Irons (Micky Irons, the founder), all filed without external counsel via the UK IPO's no-fee Apply for a Filing Date route. The work was done before the policy was written, because the policy was the obvious next step once the engineering existed.

What changes for builders

If you are shipping an agent today and you want to be ready for the regulatory wave that the Five Eyes guidance is about to trigger, the OAR primitive gives you three properties:

Verifiability without vendor lock-in. Your customers can audit your agents without your help.
Post-quantum readiness. ML-DSA-65 is the FIPS 204 standard. Quantum-resistant from day one.
Hardware-bound identity. Keys live in TPM / Secure Enclave / TrustZone, not in environment variables.

The full architecture is documented at mickai.co.uk. The article that pegs this to the Five Eyes news is here:

Five Eyes Published the Policy. Mickai Filed the Engineering.

Mickai™ is a sovereign AI operating system, engineered in the United Kingdom, by Micky Irons. 31 UK patent applications, 914 claims. No cloud round-trip. No telemetry. Sovereign by default.