A synthetic voice empties a corporate account over a video call. A doctored frame of a politician circulates faster than any correction. A song nobody performed appears on a streaming service under a real artist's name. By 2026 the question is no longer whether a machine can manufacture a convincing artefact. It can. The question is whether a stranger, trusting no one in the chain, can find out what is true.
Most of the current answer arrives too late. Content credentials and the C2PA specification attach a record to a file after it leaves the generator, and the EU AI Act, through its transparency and labelling obligations, asks providers to disclose that an output is synthetic. Both are useful. Both share a structural weakness. A label that is applied after creation can be stripped, re-encoded away, or simply omitted, and a disclosure regime that depends on the good faith of the producer collapses precisely against the actor who has every reason to lie.
There is a second weakness, quieter but just as serious. Even an honest credential usually proves only that a file passed through a particular tool. It rarely lets a downstream reader interrogate the artefact itself, pixel by pixel or frame by frame, and decide which part was altered and which part is original. Provenance that cannot be examined at the level where forgery actually happens is provenance a determined attacker can route around.
Provenance has to be born with the artefact
The Mickai Sovereign Intelligence Operating System takes the opposite starting point. Provenance is not a sticker added at the end. It is generated at the moment of creation, inside the substrate that produced the media, and it is signed there so that a third party can later verify it without trusting the system that made it.
That signature uses a post-quantum primitive. Across the relevant filed UK patent applications, the signing operation is performed under a module-lattice key held in operator-controlled hardware, and several of the filings name FIPS 204 ML-DSA-65 explicitly. The choice matters: a provenance record meant to outlive a deepfake should not rest on cryptography that a future machine can unpick.
It is not enough to label AI content after the fact. Provenance has to be created when the artefact is, and be checkable by someone who trusts no one.
Video that can be walked back to its prompt
Consider generated video, the format behind the most alarming forgeries. A filed UK patent application, GB2611885.1, describes a continuous cryptographic provenance chain that runs across the stages of a multi-stage generative video pipeline: generation, super-resolution, frame interpolation, and encoding. At each stage the system hashes every frame, arranges the hashes as the leaves of a Merkle tree, signs the root under a post-quantum key, and emits a stage manifest that hash-links back to the stage before it.
The consequence is investigative. A verifier holding the final encoded bitstream, the chain of stage manifests, and the operator's public key can walk any output frame back through interpolation, through upscaling, through generation, to the originating prompt and reasoning trace. Tampering does not merely fail a checksum. It is localised to the specific stage and the specific frame at which it was introduced.
Down to the individual pixel
Some domains cannot tolerate a forgery anywhere in the frame. For those, GB2611901.6 describes per-pixel image authenticity verification. At generation the system builds a Merkle tree whose leaves are hashes of individual pixels or non-overlapping pixel blocks, signs the root under a hardware-attested post-quantum signature, and stores the proofs alongside the image.
A verifier can then confirm the authenticity of any single pixel block. The filing lists the attacks this localises: object insertion, face swap, content removal, steganographic injection. It names the settings where that granularity earns its cost: medical imaging, satellite imagery, legal evidence, forensic photography.
When the forgery spans several senses at once
A convincing avatar is not one signal. It is a face, a head video, a spoken track, and a lip-sync alignment, and a forger only has to corrupt one of them. GB2611895.0 addresses this by watermarking each modality independently, using a scheme appropriate to that modality, while deriving all four watermarks from a common generative-session identifier and a single operator-bound key.
A cross-modality consistency oracle then checks that the four watermarks identify the same operator and the same session before any signature is emitted. The result is twofold: splicing across any pair of modalities becomes detectable, and a partial fragment can be verified on its own, without trusting the system that produced it.
Music receives a parallel treatment. GB2611890.1 anchors three independent watermarks in three orthogonal representations of the same work:
- a psychoacoustically shaped spread-spectrum watermark in the audio waveform;
- a digitally signed metadata watermark in the ID3v2 frame or BWF iXML chunk;
- a per-note steganographic watermark in the symbolic score, in MusicXML or MIDI.
A consistency oracle binds the three under one signing operation. A verifier accepts the work under a three-of-three quorum, or in degraded form under two-of-three, which lets the provenance survive transcoding, re-recording, and even re-performance from the sheet music. The same filing carries an AI-training opt-out flag enforceable at dataset ingestion.
The principle generalises
Provenance at the moment of creation is not confined to obvious media. GB2611898.4 binds every generatively produced user-interface component to a signed design-token graph, a component-genealogy structure, and an accessibility-tree, so that a verifier can confirm the interface meets a declared design-system version and WCAG 2.2 AA without re-rendering it. GB2611894.3 signs a real-time generative game world at three nested levels, every voxel chunk, every spawn event, and every biome, so that a regulator, an age-rating body, or an asset licensee can trace any object back to its originating prompt.
Each of these records is hash-linked into the operator's audit chain. The chain conforms to the Open Audit Record specification, the OAR, which is what makes the whole arrangement checkable by an outsider in a browser rather than locked inside a vendor's console.
A public-interest stance, not a product claim
The thread is consistent. These are filed UK patent applications, part of a corpus of fifty-seven on the UK IPO register from GB2607309.8 onward, with Micky Irons as the named inventor. None is granted. What they describe is a design stance on a problem that statute is only beginning to reach.
The AI Act can compel disclosure. C2PA can carry a credential. Neither can, on its own, give a sceptical stranger the means to verify a claim cryptographically and offline. A substrate that signs provenance at the moment of creation, under keys that resist a quantum adversary, and records it where anyone can replay it, treats authenticity as something to be proven rather than asserted. For deepfakes, that is the only ground that holds.
Top comments (0)