By Micky Irons, founder of Mickai.
Mickai is a sovereign intelligence operating system that regulated businesses own and run inside their own walls. It runs on the customer's own hardware, on premises and air gapped, with zero data egress. Everything we describe below happens inside those walls, on machines the customer controls, with no call home and no dependency on a vendor that could be compromised, subpoenaed, or switched off.
The hard problem with autonomous AI is not intelligence. It is consequence. An agent that only answers questions is easy to tolerate, because a wrong answer is a wrong answer and a human decides what to do with it. An agent that acts, that moves money, submits a filing, changes a record, sends an instruction, is a different proposition entirely. The moment software can commit an action on its own, a regulated organisation has to answer three questions before it will let it run: was the action allowed, was it checked, and can we prove both of those things years from now. Most agent frameworks answer none of these. We built one component whose entire job is to answer all three.
What the Action Interceptor is
The Action Interceptor sits between an autonomous agent's decision and its execution. When an agent decides to do something consequential, the action does not go straight to the world. It is intercepted first. We check it against policy, the rules the organisation has set for what is and is not permitted, and only if it passes do we let it commit. Nothing consequential acts without passing through that checkpoint. There is no side door and no fast path that skips the check under load.
That is the first half. The second half is memory. Every action that passes through the Interceptor is written to the Open Audit Record, our append-only ledger of what the system did and why. The record is not a log file that an administrator can quietly edit. Each consequential action is signed under post-quantum cryptography, FIPS 204 ML-DSA-65 with ML-KEM-768, and hash chained into a tamper-evident sequence. Change one entry and the chain breaks, visibly, for anyone who checks. The point of the post-quantum choice is time. A record that has to hold up for the lifetime of a regulated decision, a decade or more, cannot be signed with cryptography that a future machine will unpick. We signed it for the horizon these decisions actually live on.
Why offline verification is the whole point
Anyone can verify the Open Audit Record offline, for decades, without trusting us. That sentence carries more weight than it looks. A regulator, an auditor, a court, or the customer's own compliance team can take the ledger and confirm that every action was signed, that the chain is unbroken, and that nothing was inserted or removed after the fact, using only the record and the public verification method. They do not need our servers to be up. They do not need our company to still exist. They do not need to take our word for anything.
This is what separates a genuine audit trail from a marketing claim. A vendor who says "trust us" has given you nothing, because the day you most need the record is the day you least trust the party who kept it. We designed the Open Audit Record so that our own honesty is not a dependency. The maths is the guarantee. That is the only kind of guarantee a regulated buyer should accept, and it is the only kind a serious platform should offer.
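An added example, not Mickai's code, of the two mechanisms described above: a policy gate that records each decision in a SHA-256 hash chain, and a verifier that runs offline. The policy, action format and function names are constructed for illustration, and a head hash held independently by the auditor stands in for the ML-DSA-65 signature, which Python's standard library does not provide.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64            # constructed starting link
POLICY = {"payment": 10_000}  # constructed rule: action type -> max amount

def entry_hash(prev, body):
    """Bind an entry to its predecessor via a canonical JSON encoding."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + data).encode()).hexdigest()

def intercept(ledger, action):
    """Policy check before commit; the decision is recorded either way."""
    limit = POLICY.get(action["type"])  # types absent from POLICY are denied
    allowed = limit is not None and action.get("amount", 0) <= limit
    body = {"seq": len(ledger), "action": action, "allowed": allowed}
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"body": body, "prev": prev, "hash": entry_hash(prev, body)})
    return allowed

def verify(ledger, trusted_head):
    """Offline check: needs only the ledger and an independently held head."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["body"]):
            return False, f"entry {i}: chain broken"
        prev = e["hash"]
    return (True, "ok") if prev == trusted_head else (False, "head mismatch")

def rewrite_from(ledger, index, new_amount):
    """Model a ledger holder who edits one entry and recomputes later links."""
    forged = copy.deepcopy(ledger)
    forged[index]["body"]["action"]["amount"] = new_amount
    prev = forged[index]["prev"]
    for e in forged[index:]:
        e["prev"], e["hash"] = prev, entry_hash(prev, e["body"])
        prev = e["hash"]
    return forged

if __name__ == "__main__":
    ledger = []
    for a in ({"type": "payment", "amount": 2_500},     # within limit
              {"type": "payment", "amount": 50_000},    # over limit
              {"type": "delete_record"}):               # not in policy
        print(a, "->", "commit" if intercept(ledger, a) else "blocked")
    head = ledger[-1]["hash"]  # stands in for the signed value an auditor holds
    print(verify(ledger, head))
    print(verify(rewrite_from(ledger, 0, 9_999), head))
```

A hash chain on its own does not stop whoever holds the ledger from recomputing every link after an edit; the comparison against a value the verifier obtained independently is what catches that, which is the role a signature over each entry plays.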
How this makes agentic AI safe to deploy
Put the two halves together and the safety property falls out. Nothing consequential happens without being checked against policy, and nothing consequential happens without being recorded in a way that cannot be altered later. Before the fact, the Interceptor is a control. After the fact, the Open Audit Record is proof. An organisation can let an agent operate inside defined limits and know, not hope, that it stayed inside them, because the evidence of every action it took is signed, chained, and independently verifiable.
This is the difference between a demo and a deployment. Agentic AI has been easy to demonstrate and hard to trust because the demonstrations skip the part that matters in a regulated environment. We put that part at the centre. An agent in our system is not asked to be trustworthy. It is placed inside a structure that checks it and records it regardless, so that trust is not required.
Where this sits in the patent portfolio
We have filed 104 UK patent applications, roughly 2,340 claims, across 13 invention families, all owned by Mickai LTD, with named inventor Mickarle Sean Junior Wagstaff-Irons. These are filed applications, not granted patents, and we are careful to say so. Filing establishes priority, it fixes the date from which the invention is ours, and it builds a prior-art moat, a public record that others cannot claim the same ground later. The Action Interceptor is one of these filed families. It is not a paper idea bolted on to a pitch. It is a described, filed mechanism sitting inside a working system.
We mention the portfolio here because governance and intellectual property are the same conversation for this kind of buyer. The value of a control that makes autonomous AI accountable is not only that it works. It is that the method behind it is documented, dated, and owned, so that the organisations depending on it, and any party that one day depends on us, are standing on defensible ground rather than on a feature that anyone could copy.
The market that has no other option
Sovereign AI is estimated at roughly USD 40bn in 2025, growing towards roughly USD 148bn by 2032. That growth is not driven by preference. It is driven by law. Around 0.85m UK businesses, roughly 15 per cent, and around 5m across the EU, legally cannot put their data into public cloud AI. The reasons are specific and they stack: PRA SS1/23 for outsourcing and third-party risk, UK GDPR special category data, the NHS Data Security and Protection Toolkit, the EU AI Act's high-risk obligations, ITAR and EAR export controls, the NIS Regulations, and the extraterritorial reach of the US CLOUD Act.
For these organisations, an autonomous agent running in someone else's cloud is a non-starter before the first line of policy is written. What they need is autonomy they can own, run inside their own walls, and prove. That is precisely the combination the Action Interceptor and the Open Audit Record deliver, inside a system that never sends their data anywhere. We are speaking with a small number of aligned partners as we scale. The capability is built, it is filed, and it is aimed at the part of the market that cannot use anything else.
Frequently asked questions
Does the Action Interceptor slow every action down?
It applies to consequential actions, the ones that commit a change to the world, not to every internal step an agent takes while thinking. For those actions, the policy check and the signed record are the point, and they run locally on the customer's own hardware, so there is no external round trip. The cost is the cost of accountability, and it is paid where accountability is required.
If the record is post-quantum signed, why does that matter now?
Because regulated decisions have long lives. A record created today may need to be proven a decade or more from now, well within the horizon in which today's ordinary cryptography is expected to weaken. Signing under FIPS 204 ML-DSA-65 with ML-KEM-768 means the proof holds for the lifetime of the decision it describes, not just for as long as it is convenient.
These are filed applications, so what does that actually protect?
Filing fixes priority and establishes a prior-art position, which means the date and the method are on record as ours and cannot be claimed by others afterwards. We do not describe these as granted, because they are not. What they give a buyer today is confidence that the mechanism they are depending on is documented, dated, and owned, rather than an unprotected feature.
Written by Micky Irons, founder of Mickai. Originally published at https://mickai.co.uk/articles/action-interceptor-patent. More from Mickai at mickai.co.uk.



