By Micky Irons, founder and CEO of Mickai.
UK enterprises should demand four verifiable proofs from any sovereign agentic AI: that it runs and produces correct output with the network cable pulled, that every action it takes is written to a cryptographically signed and tamper-evident ledger, that the encryption and signing keys are held only by the operator, and that the system makes no outbound call to any third party to function. The reason is simple: a sovereignty claim is only as strong as what the buyer can independently check, and a vendor promise is not a check.
This matters now because in July 2026 the marketing shifted. Vendors that spent years routing UK data through public cloud AI services began labelling those same offerings sovereign, sovereign-ready or UK-hosted. The word has no legal definition, so it does a great deal of work in a sentence and almost none in an architecture. For a bank, a hospital or a government department, that gap is the difference between compliance and a reportable breach. The buyer's task is to convert every adjective into a test.
What does sovereign actually mean for an agentic system?
Sovereign means the operator retains full control over where the model runs, where data rests, who holds the keys and who can compel access. Agentic raises the stakes because the system does not only answer, it acts: it writes to records, moves money, triggers workflows and calls other systems. A chatbot that leaks is a data problem. An agent acting on instructions you cannot audit is an operational and legal one. Sovereignty for an agent must cover the actions, not just the answers. Our position: the only defensible design runs entirely on operator-owned hardware, with every action sealed as it happens.
How do we verify it offline?
Run the named test: disconnect the machine from every network and ask the system to complete a real task end to end. If it still reasons, retrieves, acts and signs its work, it is genuinely local. If any step stalls, times out or degrades, it depends on something outside your control and is not sovereign. Offline verifiability is binary. Mickai is a Sovereign Intelligence Operating System built to pass this test by design: it runs on operator-owned hardware behind a zero-egress inbound perimeter, so there is no outbound dependency to sever.
What can an auditor actually check?
An auditor should be able to check the action trail without trusting the vendor. Demand a tamper-evident ledger where each agent action is a signed entry, chained so that altering any past record breaks every signature after it, and the identity taking each action is hardware-attested and bound to that same chain, so an entry cannot be forged or repudiated. We sign our audit ledger with post-quantum signatures under FIPS 204 and protect key exchange with FIPS 203, because an audit record that outlives its cryptography is not evidence. The buyer's test: alter one historic log line and the whole chain fails verification.
Who holds the keys?
Whoever holds the keys holds the data, wherever the servers sit. This question collapses most sovereign claims. If the vendor can decrypt your records, rotate your keys or read your audit trail, then your data is portable to them, to their sub-processors and to anyone who can compel them. Demand operator-held keys generated and stored on your hardware, with the vendor holding none. UK hosting alone does not answer this: under the US CLOUD Act, a provider subject to US jurisdiction can be compelled to produce data it can access, wherever that data lives. Key custody, not map location, is the real border.
A sovereignty claim you cannot test offline, with keys you do not hold, is a marketing statement wearing the clothes of an architecture.
Which rules make this necessary?
Several, and they are converging. DORA has been in force since January 2025 and requires financial entities to evidence control over their critical third-party dependencies, which an opaque cloud agent undermines. NIS2 extends similar operational-resilience duties across essential sectors, GDPR governs every transfer and processor relationship, and ISO/IEC 42001 gives buyers a certifiable AI management standard to demand. On the EU AI Act, note the current position: the high-risk Annex III obligations due on 2 August 2026 were deferred by the Digital Omnibus to 2 December 2027, with embedded Annex I high-risk moving to 2 August 2028 and Article 50 transparency duties largely unchanged. We read that deferral as a build window, not a reprieve.
What are the exact proofs to put in a contract?
Write the tests into the procurement. Ask for each of these and treat a missing answer as a fail:
- Offline completion: the system finishes a real task with all networking disabled.
- Zero-egress perimeter: no outbound connection is required for any core function, provable by network monitoring.
- Signed action ledger: every agent action is recorded, signed and chained, and tampering is detectable.
- Hardware-attested identity: the actor behind each action is cryptographically bound to the log.
- Operator-held keys: the vendor can produce no key that decrypts your data or audit trail.
- Independent reproducibility: your own staff can run every one of the above.
Each is checkable in a proof of concept.
Why does cross-model consensus matter for agents?
Agents act, so a single confident wrong answer becomes a wrong action. One mitigation is to require agreement across independent sovereign models before a consequential action executes, so one model's error does not reach your records or payments. A buyer can inspect it by asking how disagreement between models is resolved and logged. Where relevant, this and related mechanisms sit within our estate of 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD; never granted or patented. For a buyer, the point is not the filings but that the mechanism is real and testable.
Frequently asked questions
What is sovereign agentic AI?
It is an agentic AI system, one that takes actions rather than only answering, run under the operator's own control over hardware, data location and encryption keys. True sovereignty means it can function with no outbound dependency on any third-party service. If it needs a public cloud AI service to reason or act, it is hosted, not sovereign.
How can a buyer verify a sovereign AI claim independently?
Disconnect the system from all networks and ask it to complete a genuine end-to-end task. If it still reasons, acts and signs its output, it is local. Then confirm the operator holds the only keys and the action log is signed and tamper-evident. All three run in a single proof of concept, without trusting the vendor.
Is UK-hosted the same as sovereign?
No. Hosting describes where servers physically sit; sovereignty describes who holds the keys and who can compel access. Under the US CLOUD Act, a provider under US jurisdiction can be ordered to produce data it can decrypt even when that data resides in the UK. Key custody decides sovereignty, not the location on a map.
Does the EU AI Act still require high-risk compliance in August 2026?
No, not on that date. The Digital Omnibus deferred the high-risk Annex III obligations due on 2 August 2026 to 2 December 2027, with embedded Annex I high-risk moving to 2 August 2028, while Article 50 transparency duties are largely unchanged. We treat the deferral as a build window for verifiable systems, not a reason to delay.
What is a signed action trail and why does it matter?
It is a ledger where every action an agent takes is a cryptographically signed entry, chained so that altering any past record breaks every signature after it. It matters because agents act on your systems, and without a tamper-evident trail you cannot prove what was done, by which identity or on whose instruction. Post-quantum signing keeps that evidence valid over time.
Written by Micky Irons. Originally published at https://mickai.co.uk/articles/proof-not-promises-what-uk-enterprises-should-demand-from-sovereign-agentic-ai. More from Micky Irons and Mickai at mickai.co.uk.





Top comments (0)