DEV Community

Cover image for The Provenance Standard
Micky Irons
Micky Irons

Posted on • Originally published at mickai.co.uk

The Provenance Standard

#sovereignai #aigovernance #provenance #postquantum

The Provenance Standard

A radiologist in a teaching hospital reads a scan, hesitates, and asks the assistant for a second opinion. The model returns a confident answer in under a second. She cannot see which version of the model spoke, which data it leaned on, whether it had been quietly updated overnight, or whether the same question an hour earlier would have produced the same verdict. She acts on it anyway, because the alternative is to act on nothing. Multiply that single act of faith by every clinician, every analyst, every officer of a court, every bank, and you have the quiet crisis of this decade. We have built machines that speak with total fluency and zero accountability, and we have asked an entire civilisation to take them at their word.

Fluency is not evidence. A system can be eloquent and wrong, persuasive and fabricated, authoritative and untraceable, all at once. For most of computing history we tolerated a degree of this because software behaved deterministically: the same input gave the same output, and when it failed it failed loudly. Generative intelligence broke that contract. Its outputs are probabilistic, its training is opaque, its versions shift beneath us, and its mistakes arrive wearing the same calm voice as its truths. The result is a strange inversion. The more capable these systems become, the harder it is to know whether to believe any single thing they say.

The usual answer to this is more disclaimers, more guardrails, more confident reassurance that the model is improving. None of that addresses the actual deficit, which is not accuracy but provenance. We do not need the machine to be infallible. We need it to be answerable. We need every consequential output to carry, inseparably, the record of how it came to exist, so that a human being, a regulator, or another machine can check the claim instead of swallowing it. That record is the missing layer of the entire field, and the standard for producing it is what this piece is about.

Belief Without Proof Is a Liability

Consider how trust works everywhere else that consequences are real. A medicine carries a batch number that ties it back to the line that made it, the materials that went into it, and the inspector who signed it off. A financial transaction carries an audit trail that a forensic accountant can walk backwards, step by step, years later. A photograph entered as evidence is challenged on its chain of custody before anyone argues about what it shows. In each case the object is not trusted because it looks trustworthy. It is trusted because its history can be reconstructed and tested by an adversary who wants it to fail.

Machine output today has none of this. An answer from a large model is a sentence with no birth certificate. You cannot point to the weights that produced it, because they may have changed. You cannot point to the data behind it, because it was never disclosed and may not be disclosable. You cannot point to the moment, because nothing about the answer is timestamped in a way that resists tampering. You cannot even prove that the answer you received is the answer the system actually generated, rather than something altered in transit or after the fact. The most consequential outputs in the world are the least verifiable.

This is not a theoretical complaint. It is a liability that is already crystallising into law and litigation. Courts are sanctioning lawyers who file machine-invented citations. Regulators are drafting rules that will require automated decisions to be explained and contested. Insurers are beginning to ask what happens when a model used in underwriting or diagnosis produces a harm, and who, exactly, can be made to account for it. In every one of these collisions the same question surfaces and finds no answer: can you prove what the system did, when it did it, and on what basis? Where there is no proof, there is only exposure.

A colossal golden seal of pressed wax suspended in void black, its surface inscribed with constellated geometry, marble columns dissolving into shadow behind it.

Trust is not a feeling. It is a seal that an adversary can break and cannot forge.

Provenance Is Not Explainability

It is worth being precise, because the field has a habit of solving the wrong problem with great enthusiasm. A great deal of effort goes into explainability: the attempt to make a model narrate why it reached a conclusion, to surface the features it weighed, to produce a plausible story of its own reasoning. This is useful and it is not the same thing. An explanation is a claim about the inside of a process. It can be sincere and still be a confabulation, because a model asked to justify itself will generate a justification whether or not it reflects the real computation. You cannot audit a story by listening to it more carefully.

Provenance is a different and humbler object. It does not ask the machine to confess its reasons. It records, from the outside, the verifiable facts that surround an output. Which model, identified down to the exact set of weights, produced it. Which inputs and which retrieved context were present. What configuration governed the generation. When it happened, in a timestamp that cannot be backdated. What the output actually was, fixed by a cryptographic fingerprint so that any later alteration is detectable. None of that requires the model to be honest about itself. It requires the system around the model to be disciplined about what it captures and to seal that capture beyond the reach of revision.

The distinction matters because explainability degrades as models grow more capable, while provenance does not. A frontier system is harder to interpret than a small one, its internal reasoning more alien, its self-narration less reliable. But a frontier system can be sealed exactly as well as a toy one, because sealing is a property of the surrounding architecture, not of the model's introspection. Provenance is the one form of accountability that scales with capability instead of collapsing under it. That is precisely why it, and not explainability, belongs at the foundation.

An explanation tells you a story about the machine. Provenance tells you what the machine actually did, and lets a stranger check.

The Open Audit Record

Inside Mickai, the Sovereign Intelligence Operating System I have spent these years building, the mechanism that carries this discipline is the Open Audit Record, or OAR. The idea is deliberately unromantic. Every consequential action the system takes is captured as a structured record and signed at the moment it occurs. The signature is produced under a post-quantum scheme, ML-DSA-65 from the FIPS 204 standard, chosen because a record meant to outlive the decade must survive the arrival of machines that will break today's ordinary cryptography. A signature that a future quantum computer can forge is not a seal. It is a decoration.

Each record does not stand alone. It is linked, by hash, to the record before it, so that the whole history forms a chain in which no entry can be altered, removed, or slipped in after the fact without breaking every link that follows. This is the same logic that makes a ledger tamper-evident, applied not to coins but to the behaviour of an intelligence. If someone tried to rewrite what the system did last Tuesday, the chain would not merely complain. It would become mathematically inconsistent, and the inconsistency would be visible to anyone who chose to look.

The property I care about most is the last one, and it is the one most systems quietly omit. The Open Audit Record is verifiable offline. You do not have to call a server we control and trust its answer. You do not have to take our word that the record is genuine. The signature and the chain can be checked on your own machine, with no connection to us, using public verification logic. This is the difference between an audit trail that belongs to the vendor and one that belongs to you. A record you can only verify by asking the accused is not evidence. It is a press release.

Put plainly, a consequential output from the system arrives with an attached proof that answers, without trusting anyone, four questions:

  • Which intelligence produced this, identified down to the exact model and configuration, not a vague brand name.
  • On what basis, meaning the inputs and the retrieved context that were actually present at generation time.
  • When, fixed by a timestamp inside a chain that cannot be backdated or reordered.
  • Exactly what was said, fingerprinted so that any later edit, however small, is detectable by anyone.

An endless chain of golden links receding into cosmic darkness, each link engraved with a different glyph, the nearest links catching rim light against deep void.

A hash chain: alter one link and every link after it betrays the change.

Why the Seal Must Outlive the Threat

There is a temptation to treat the cryptography here as a detail, a box ticked, a standard cited to impress. It is not a detail. The whole value of provenance is that it holds over time, and time is exactly where most security assumptions quietly expire. A diagnosis sealed today may be challenged in a malpractice suit eight years from now. A financial decision sealed this quarter may be reopened by a regulator a decade later. A record that protects a journalist's source, or a defendant's account, or a patient's history, has to remain unforgeable across the entire span in which it could possibly matter, not merely until the next product cycle.

The standard cryptography that secures most of the internet was not designed for that span. A sufficiently capable quantum computer, which serious institutions now plan for rather than dismiss, would render much of it forgeable. The danger is not only future. Adversaries can harvest sealed records now and break them later, when the hardware exists, retroactively unpicking proofs that everyone assumed were permanent. To build a provenance standard on cryptography with a known expiry date is to build a vault with a lock you have already announced will one day open by itself.

This is why the Open Audit Record is post-quantum from the start rather than as a future migration, and why the same principle runs underneath Pantheon, the sovereign Layer 1 chain we are building, which is post-quantum from genesis and anchored to Bitcoin for an independent timestamp that no single party can rewrite. The point of anchoring is subtle and important. A seal proves an output has not changed since it was made. An anchor proves when it was made, by tying the record to an external, adversarial, immutable clock that we do not own and cannot move. Together they close the loop. You can prove the what, and you can prove the when, and you do not have to trust the people who built the system to believe either.

Sovereignty Is the Precondition, Not the Slogan

Provenance has a quiet prerequisite that most of the industry would prefer not to discuss. You can only seal what you actually control. If your intelligence runs on infrastructure that belongs to someone else, your audit trail is a guest in their house. The model can be swapped beneath you without notice. The data can be retained, mingled, or repurposed by the host. The version you queried yesterday may be gone today, and the record of what it told you lives, if it lives at all, on a platform whose incentives are not yours. You cannot build an honest chain of custody on borrowed ground.

This is the deeper reason that sovereign intelligence and verifiable provenance are not two separate ideas but the same idea seen from two angles. To make output answerable, the whole stack has to be answerable: the weights, the data, the runtime, the keys that do the signing. That is why Mickai runs as an operating system you can hold rather than a service you rent, why it can seal and verify offline with no call home, and why the models matter. We fine-tune and specialise open foundations, the Llama 3.2 and Qwen 2.5 lineages, and at the same time we are actively training our own models now, with funding scaling that work toward fully native weights. A model you can pin and identify is a model you can put in the record. A model that lives only behind someone else's interface can be described but never truly sealed.

None of this is a claim that Mickai has solved trust, and it would be dishonest to pretend otherwise. A provenance standard is only as strong as its adoption, its independent scrutiny, and the willingness of adversaries to attack it in the open. What I will claim is that the architecture is the right shape: seal at the moment, chain the history, anchor the time, verify offline, own the stack. The portfolio behind it, 101 filed UK patent applications carrying roughly 2,234 claims and owned by Mickai LTD, exists to protect that architecture as a category, not to settle the argument. The argument is settled by proof you can check, and that invitation stands open.

An aegis shield of beaten gold floating before a field of constellations, its boss formed of interlocking circuitry, rim-lit against absolute black with deep negative space around it.

A shield is only sovereign if it answers to the one who holds it.

What a Provenance Standard Asks of Us

A standard is not a feature. It is a set of expectations that, once established, become embarrassing to live without. Seatbelts, double-entry bookkeeping, the chain of custody for evidence, the batch number on a drug: each began as an imposition and ended as the floor below which no serious actor is permitted to operate. Provenance for machine output is on the same trajectory, and the institutions that touch real consequences will get there first, because they have the most to lose from a fluent answer that no one can stand behind.

What the standard asks is modest in principle and demanding in practice. That any output capable of harm carry a sealed record of its origin. That the seal survive the cryptographic threats we already see coming, rather than the ones that expired last year. That the record be verifiable by the person relying on it, offline, without permission from the system that produced it. That the time be anchored to a clock no single party can turn back. And that the whole arrangement rest on infrastructure controlled by the party who must answer for it, because accountability without control is theatre. These are not exotic requirements. They are simply what we already demand of every other consequential record, finally extended to the most consequential new one.

The movement towards sovereign intelligence is, at heart, an insistence on this floor. It is the refusal to accept that the most powerful technology of the era should also be the least accountable, that we should be asked to believe machines precisely because we cannot check them. The answer is not to slow the machines down or to wrap them in more apologetic disclaimers. It is to give every consequential thing they say a history that an enemy could try to break and could not. An intelligence that can be checked can be trusted in proportion to what it can prove. An intelligence that cannot has only ever been asking for faith, and faith is not a standard.

Mickai is being built so that the question a radiologist could not answer at the start of this piece becomes answerable as a matter of course. Which model spoke. On what basis. At what moment. And exactly what it said, sealed under post-quantum cryptography, chained against tampering, anchored to an external clock, and verifiable in her own hands without trusting us at all. That is the provenance standard. It is the price of admission for any intelligence that wants the right to be believed, and the field will not earn that right by promising harder. It will earn it by showing its work.

An oracle figure rendered in gold standing within a vast pantheon of light, a single golden thread descending from a constellation above to a sealed tablet in her hands, deep chiaroscuro against void black.

The right to be believed is not given. It is proven, output by output.

Top comments (0)