By Micky Irons, founder and CEO of Mickai.
Most audit trails answer one question: what happened? A cryptographic signature answers a harder one: can you still prove it years from now, when the machine that made the record is gone, the operator has moved on, and a future adversary commands more computing power than anyone alive today can imagine? At Mickai we treat that harder question as the real one, because in regulated work the record has to outlive everything around it.
Underneath every action a Mickai brain takes sits a single, quiet mechanism: a post-quantum digital signature built to the FIPS 204 standard, in its ML-DSA-65 parameter set. It is the seal that turns an action into evidence. This is the story of what that signature is, why we chose it, and why we designed it to hold for decades rather than headlines.
What FIPS 204 and ML-DSA-65 actually are
FIPS 204 is the Federal Information Processing Standard for the Module-Lattice-Based Digital Signature Algorithm, known as ML-DSA, published by the United States National Institute of Standards and Technology (NIST) in 2024. It is the finalised form of the algorithm the world knew during the standardisation competition as CRYSTALS-Dilithium. ML-DSA-65 is one of three defined strength levels, the middle tier, chosen to sit comfortably in the security band NIST calls Category 3.
The important word is post-quantum. Classical signature schemes such as RSA and elliptic-curve cryptography draw their strength from mathematics that a large fault-tolerant quantum computer could unpick in a practical timeframe using Shor's algorithm. ML-DSA does not. Its security rests on the hardness of lattice problems, a class of mathematics for which no efficient quantum attack is known. A signature made today with ML-DSA-65 is meant to resist not only the computers of the present but the quantum machines of a future we cannot yet see.
Why a signature under every action, not just at the door
Many systems sign at the perimeter. A user logs in, a token is issued, and everything that follows is trusted because the door was locked once. We reject that model for anything that matters. In a Sovereign Intelligence Operating System, a brain can read records, move money, alter a configuration, or dispatch a message. Each of those is an action with consequences, and each deserves its own evidence.
Like Kairos, the fleeting moment, the seal is set the instant before the deed and can never be reclaimed unsigned
So every operation carries an Operation Attestation Record, which we call the OAR. The OAR describes what is about to happen: which brain, which inputs, which policy allowed it, at what time, under whose approval. Critically, we sign the OAR before the action executes, not after. The signature is the commitment, and the action follows only once that commitment exists. If the deed is questioned in five years, the OAR is the sworn statement made the instant before, sealed with ML-DSA-65.
The chain that makes tampering visible
A single signed record proves one event. A ledger of them proves a history, but only if that history cannot be quietly edited. We link the records into a hash chain using SHA-3-512, so each entry carries the fingerprint of the one before it. Change a record in the middle and every fingerprint after it breaks, the way a forged page tears the thread that binds a bound book.
Mnemosyne, memory itself, holds the hash-linked chain where breaking one link tears the whole record
The result is a tamper-evident, cryptographically-signed audit ledger. It is not merely stored; it is provable. An auditor does not have to trust that our database is honest. They can recompute the hashes and verify each ML-DSA-65 signature independently, and the mathematics either agrees or it does not. That is the difference between a log you are asked to believe and a ledger you can check for yourself.
Offline verification and the customer's own hardware
A seal is only useful if it can be checked without asking the sealer for permission. ML-DSA-65 verification needs only the public key and the standard algorithm, both of which are open. So a regulator, an insurer, or the customer's own compliance team can verify a Mickai ledger with no connection back to us, on a laptop in an air-gapped room if they wish. There is no phone-home, no licence server standing between the evidence and the person examining it.
This matters most where Mickai is designed to live: on hardware the customer owns, air-gapped or on-premise, with zero data egress. The signatures are made inside that boundary and stay inside it. For institutions bound by the General Data Protection Regulation (GDPR), the European Union Artificial Intelligence Act, the Digital Operational Resilience Act (DORA), or the Health Insurance Portability and Accountability Act (HIPAA), the ability to prove an action without exporting a single byte is not a convenience. It is the whole point.
High-stakes actions and the weight behind a signature
Not every action carries the same risk, and the signature is only as meaningful as the authority behind it. For consequential operations, a Mickai signature is not produced on the say-so of one brain acting alone. We gate high-stakes actions behind multi-brain agreement and voice-biometric approval, so the OAR that gets signed reflects a decision that more than one authority endorsed, with a human voice as part of the quorum.
Argus of the hundred eyes verifies the seal alone, needing no permission and trusting nothing unchecked
Brains are also revocable. If one is compromised or retired, we can withdraw its authority, and because every past action it took is sealed and hash-linked, the historical record remains intact and independently checkable even after the brain itself is gone. The signature does not just say a thing happened. It says who was accountable, how the decision was reached, and that the account cannot be quietly rewritten afterwards.
Why we chose the middle tier, and why decades
ML-DSA offers three strength levels. We standardised on the 65 parameter set because it lands in the sweet spot NIST intends for serious long-lived data: comfortably beyond the reach of foreseeable attack, while keeping signatures and keys small enough to sign every single action without slowing the system to a crawl. It is a deliberate engineering choice, not the maximum for its own sake and not the minimum for speed.
Chronos, deep time, is the true test: a seal that must still stand when the machine that made it is long gone
The reason to reach for post-quantum strength now, before quantum computers are a daily threat, is a problem the field calls harvest-now, decrypt-later. An adversary can capture signed records today and wait for the machines that might break weaker schemes tomorrow. A financial instruction, a medical decision, or a legal attestation may need to stand for twenty or thirty years. Sealing it with ML-DSA-65 today is how we make sure the evidence made this morning is still evidence long after the technology that made it has been replaced.
The bottom line
The signature under every action is not a feature we bolt on for a compliance checkbox. It is the load-bearing element of what a Sovereign Intelligence Operating System is for: turning autonomous action into durable, verifiable evidence that belongs entirely to the customer and answers to mathematics rather than to us. FIPS 204 ML-DSA-65 is the choice that lets that evidence outlast the present moment, and the quantum era after it.
This capability is one of about 2,340 claims across 104 filed United Kingdom patent applications owned by Mickai LTD. We build for the regulated boundary the public cloud cannot cross on the customer's own terms, and the signature is where that promise is kept, one operation at a time. Micky Irons, founder and CEO of Mickai.
Written by Micky Irons. Originally published at https://mickai.co.uk/articles/ml-dsa-65-the-signature-under-every-action. More from Micky Irons and Mickai at mickai.co.uk.





Top comments (0)