By Micky Irons, founder and CEO of Mickai.
A defence prime lives inside a paradox. It holds the design intelligence for the systems that guard a nation, and it is expected to move at the speed of a modern software company, yet the single most valuable thing it owns is the information it can never allow to leave the building. The public cloud, for all its power, is built on the opposite assumption. Data flows out, is processed elsewhere, and returns. For a classified programme under export control, that flow is the whole problem.
We built Mickai for exactly this boundary. Mickai is a Sovereign Intelligence Operating System, a SIOS, that runs on hardware the prime already owns, air-gapped or on-premise, with zero data egress. It brings the reasoning power of modern artificial intelligence to programme intelligence, engineering data and mission planning, without the classified material ever touching an external network. The cloud giants remain allies working at a different layer. Mickai serves the regulated ground they cannot, and were never designed to, stand on.
The boundary the public cloud cannot cross
Under the International Traffic in Arms Regulations, known as ITAR, controlled technical data may only be accessed by authorised persons on authorised infrastructure, and every disclosure is a potential violation carrying criminal weight. A prime cannot simply send drawing packages, radar signatures or mission parameters to a shared inference service and hope the contracts hold. The exposure is not theoretical. It is architectural. Any system that processes the data off the customer's own equipment has already crossed a line that export control draws in indelible ink.
Mickai removes the crossing entirely. The reasoning runs where the data already sits, behind the same air gap, inside the same accreditation boundary. There is no outbound call to a remote service, no telemetry to strip, no third-party endpoint to trust. The programme's intelligence stays inside the programme. That is not a policy applied on top of the system. It is the shape of the system itself, and it is why sovereignty has to be built rather than bolted on.
Like Atlas bearing the sky alone, a sovereign programme carries its most sensitive burden without ever setting it down elsewhere
Air-gapped intelligence that needs no line home
Most artificial intelligence assumes a lifeline to somewhere else: a licence server, a model update channel, a usage meter. Cut that line and the intelligence goes dark. Mickai is built to run indefinitely with no line home at all. The brains, our term for the specialised reasoning subsystems, are packaged to operate fully offline, and every guarantee the system makes can be verified offline too, without ever asking the outside world for permission or confirmation.
This matters on a classified network in a way it rarely does elsewhere. An accreditor will ask what happens when the system is severed from everything, because on a real programme it will be. Mickai's answer is that nothing changes. The same reasoning, the same signing, the same audit ledger, all continue on isolated hardware. A prime can stand up a capability inside a sensitive compartmented facility and know it depends on nothing beyond the room it lives in.
Every decision signed before it executes
On a defence programme, an unexplained action is a liability even when it is correct. Mickai treats every action the system takes as an event that must be accountable in advance. Before anything executes, the system produces an Operation Attestation Record, an OAR, that describes what is about to happen, which brain proposed it, under whose authority, and against which inputs. The record is signed first. The action follows second. There is no path where something happens and the explanation is reconstructed afterwards.
Argus never closed every eye at once, and neither does a ledger where each signed link watches the one before it
Those signatures are not ordinary ones. Mickai signs with post-quantum cryptography, the FIPS 204 ML-DSA-65 scheme standardised for exactly this kind of long-lived assurance, so that an attestation made today remains verifiable against the threat model of decades from now. The records are bound into a hash-linked chain using SHA-3-512, meaning each entry seals the one before it. To alter a single past decision, an adversary would have to forge every link that followed, and the break would be visible immediately.
For the highest-stakes actions, a signature from the system alone is not enough. Mickai can require multiple brains to concur and a human to confirm with voice-biometric approval before the operation is permitted to proceed. A mission-affecting change does not slip through on one component's confidence. It has to pass a quorum, and a named person has to stand behind it.
Revocable brains and a ledger that cannot be quietly edited
Trust on a classified programme is never permanent, and Mickai does not pretend otherwise. Every brain is revocable. If a subsystem is found to be behaving outside its authorisation, or a clearance changes, or a programme phase closes, that reasoning capability can be withdrawn in seconds and the withdrawal is itself an attested, signed event. Nothing keeps running on the strength of a permission that no longer exists.
Hecate held the keys to every threshold, granting passage and revoking it, as authority here can be withdrawn in an instant
Underneath everything sits a tamper-evident, cryptographically-signed audit ledger. It is not a log file that a privileged user can rewrite. Because the chain is hash-linked and post-quantum signed, any attempt to remove, reorder or alter an entry breaks the mathematics and announces itself. When an investigator, an internal security team or an external auditor asks what the system did and why, the answer is a complete, ordered, verifiable account, and it can be checked without trusting the operator who produced it. On a programme where the audit is the deliverable, that is the point.
Built for the regulations, not retrofitted to them
Defence primes do not answer to one framework. They live under export control, and increasingly under a widening lattice of assurance regimes: the EU Artificial Intelligence Act for high-risk systems, ISO 42001 for artificial intelligence management, the NIST AI Risk Management Framework for governance, and sector rules that reach into any prime with financial or critical-infrastructure exposure. Each of these asks the same underlying question in a different accent. Can you show, provably, what your intelligence did, and prove it stayed inside the lines?
Themis weighed each act on its own merits, the same way every operation must be attested and proven before it proceeds
Mickai was designed to answer that question by default rather than by exception. The attestation record, the signed ledger, the offline verifiability and the revocable authority are not features added to satisfy an auditor. They are the substrate on which every action runs. Compliance stops being a document a prime writes about the system and becomes evidence the system produces about itself. Those capabilities are described across 104 filed UK patent applications, some 2,340 claims in total, owned by Mickai LTD, which frame the machinery a sovereign programme needs at the boundary.
The bottom line
A defence prime does not need artificial intelligence that is merely powerful. It needs intelligence it can put behind the air gap, run under ITAR, sign before it acts and switch off the instant trust changes. Mickai is that intelligence: a Sovereign Intelligence Operating System that keeps classified programme data on hardware the prime owns, signs every decision before it executes, and holds an audit ledger that cannot be quietly edited. The cloud giants remain partners at their layer. We hold the sovereign boundary, on the customer's own terms, where nothing leaves and everything is accountable.
Written by Micky Irons. Originally published at https://mickai.co.uk/articles/sovereign-ai-for-defence-primes. More from Micky Irons and Mickai at mickai.co.uk.





Top comments (0)