DEV Community

Cover image for Write Once, Prove Forever: WORM Storage for AI Decisions
Micky Irons
Micky Irons

Posted on • Originally published at mickai.co.uk

Write Once, Prove Forever: WORM Storage for AI Decisions

Write Once, Prove Forever: WORM Storage for AI Decisions

By Micky Irons, founder and CEO of Mickai.

For decades, financial firms have kept certain records under write-once, read-many rules. A trade confirmation, an order ticket, a client communication: once written, the record cannot be edited, silently replaced or quietly deleted. Regulators built this expectation because memory is convenient and the past is inconvenient, and the whole point of a durable record is to survive the moment when someone would prefer it changed. Write-once storage is not a filing preference. It is a design stance about who controls the truth after the fact.

Artificial intelligence has arrived in exactly the settings where that stance matters most. The European Union's AI Act treats decisions in credit, employment, essential services, biometrics and critical infrastructure as high risk under its Annex III list, and those obligations, once due on 2 August 2026, now apply from 2 December 2027 after the Digital Omnibus deferral. We read that as a build window, not a reprieve, because the proof requirements survive the move, so the sensible response is to build now. DORA has governed financial-sector operational resilience across the EU since January 2025, NIS2 has widened the duty to report and to prove, and ISO/IEC 42001 has given organisations a management-system yardstick for their AI. Each of these regimes asks a similar question. When your system made that decision, can you show, later and to a sceptical outsider, exactly what happened?

What a decision has to survive

An AI decision is not one thing. It is a bundle: the input that arrived, the model version that ran, the policy in force at that instant, the intermediate reasoning, the human who reviewed or overrode the output, and the final action taken. For that bundle to be evidence rather than anecdote, it has to survive three distinct threats.

The first is honest loss, where records are overwritten by the next release or aged out of a log rotation. The second is convenient revision, where a record is edited after the fact to match a preferred story. The third, and the one most people underweight, is undetectable revision, where the record is changed and nothing in the system reveals that it ever was. Ordinary databases and mutable object stores defend against the first threat and barely touch the other two.

Write Once, Prove Forever: WORM Storage for AI Decisions, illustration 1

Write-once is a property, not a promise

The phrase write-once, read-many describes a guarantee that must hold even against the operator of the storage. A configuration flag that says do not delete is a promise. A cryptographic structure that makes deletion or edit detectable is a property. The difference decides whether an auditor has to trust your good intentions or can verify your records directly.

We build the guarantee into the record itself rather than the surrounding process. Every AI decision inside the Sovereign Intelligence Operating System is sealed as it is made. Each sealed entry carries a hash of its own contents and a reference to the hash before it, so the entries form a chain in which any later alteration breaks the link visibly. Change one field in one record and every subsequent hash fails to reconcile. The tampering does not need to be caught by an alert human. It is caught by arithmetic.

An AI decision should be as hard to rewrite after the fact as a regulated trade confirmation, and just as easy for an outsider to verify.

Write Once, Prove Forever: WORM Storage for AI Decisions, illustration 2

Signing the chain so it holds tomorrow

A hash chain proves internal consistency, but consistency alone does not prove authorship. Anyone who can recompute the hashes could, in principle, rebuild a fraudulent chain from scratch. Signatures close that gap. Each entry, and each periodic checkpoint over the chain, is signed by a key bound to the machine that produced it, so the record asserts not only that it is unbroken but who stands behind it.

The harder question is time. Records kept for regulatory purposes may need to remain verifiable for years, and a signature scheme that is sound today can be undermined by advances in computing. This is why we sign the audit chain with post-quantum signatures, using schemes designed to resist attack by both classical and quantum computers. A record sealed now should still verify when the reviewer opens it much later, without a quiet migration that reopens the very entries it is meant to protect.

Write Once, Prove Forever: WORM Storage for AI Decisions, illustration 3

Verifiable without asking us anything

The value of a sealed record collapses if checking it requires calling the vendor. An auditor who must ask us to confirm a record is, in effect, trusting us twice. So the audit chain is offline verifiable: the hashes, the signatures and the public verification keys travel with the records, and a reviewer can confirm the chain on their own hardware, in their own facility, with no live connection to us and no live connection to anyone.

This matters because the Sovereign Intelligence Operating System runs offline on operator-owned hardware behind a zero-egress inbound perimeter. Decisions are made where the data already lives, and the evidence of those decisions never has to leave the operator's control to be trusted. Identity is hardware-attested rather than asserted, so a record does not merely claim to come from a given machine; the machine's own attested identity is part of what the signature covers.

Write Once, Prove Forever: WORM Storage for AI Decisions, illustration 4

Why the location of the record is a governance question

Where a regulated record physically rests is not an operational detail. It is a jurisdictional one. Under the United States CLOUD Act, data held by certain providers can be reached by lawful process regardless of the country the servers sit in, which means a record's legal exposure can differ sharply from its apparent home. For a European bank or a public body, an audit trail that lives inside another jurisdiction's reach is an audit trail held partly on someone else's terms.

Keeping the sealed record on operator-owned hardware, inside the operator's own perimeter, is therefore an architectural answer to a legal question. We frame this as design rather than accusation: a cloud-hosted model of security concentrates both the decision and its record in an external trust boundary, while a sovereign model keeps both inside the operator's boundary. Both are legitimate engineering choices. They simply distribute control differently, and regulated bodies are increasingly required to know exactly where that control sits.

Decisions worth sealing are decisions worth checking twice

Durability guards the record after the decision. It does nothing for the quality of the decision itself. A sealed mistake is still a mistake, preserved with a signature attached. So the seal is only half of a credible governance story, and the other half is what happens before the record is written.

Inside the Sovereign Intelligence Operating System, consequential outputs can be routed through cross-model consensus, where more than one sovereign model, reasoning independently, must agree before an action proceeds, and disagreement is itself recorded rather than smoothed away. The OWASP work on the risks specific to large language models, from prompt injection to insecure output handling, maps naturally onto a design that records the disagreement, the override and the human sign-off as first-class entries in the same sealed chain. The audit trail then holds not just the answer but the deliberation, which is precisely what a regulator examining a high-risk decision wants to see.

Building for the reviewer who has not arrived yet

The organisations that will fare best under the 2026 regimes are not those that log the most. They are those whose logs an outsider can trust without trusting the organisation. That is the quiet inversion write-once storage has always represented, and it is the standard we hold the audit chain to: verifiable by a stranger, durable against a determined insider, and readable years after the people who built it have moved on.

We treat this as foundational rather than optional, and the approach sits within the 104 filed UK patent applications, and approximately 2,340 claims, owned by Mickai LTD. The wider point stands without any of that. As AI moves into decisions that change lives and carry legal weight, the record of each decision has to earn the same respect we already grant a regulated financial record. Write it once, seal it as it is made, and let anyone prove it forever.


Written by Micky Irons. Originally published at https://mickai.co.uk/articles/write-once-prove-forever-worm-storage-for-ai-decisions. More from Micky Irons and Mickai at mickai.co.uk.

Top comments (0)