By Micky Irons, founder and CEO of Mickai.
Every breach that matters starts the same way. Something inside the perimeter was trusted when it should not have been. A credential, a service account, an agent acting on behalf of a person who never approved the action. The old security model assumed that once you were through the wall, you belonged. Artificial intelligence has quietly detonated that assumption, because an autonomous agent inside your network can move faster, wider and more convincingly than any human intruder ever could.
Zero-trust AI architecture answers the only question that now counts. Not who is at the gate, but what is about to happen, on whose signed authority, and whether that authority can survive scrutiny after the fact. At Mickai we built our Sovereign Intelligence Operating System, a SIOS, around a single unforgiving rule. Trust nothing, verify everything, and prove it later. This is how that rule becomes architecture rather than a slogan.
The perimeter was always a fiction
Traditional security drew a line and called everything inside it safe. That worked when the things inside were laptops and file servers moving at human speed. It collapses the moment you introduce intelligence that can reason, plan and act on its own initiative. An AI brain does not phish one inbox and wait. It can touch a thousand records, draft a hundred decisions and trigger a chain of downstream actions before a human notices the login was unusual.
Zero trust discards the perimeter entirely. There is no inside and no outside, only a continuous demand for proof at every step. A brain that read a customer file five minutes ago holds no standing credit to write to a payment system now. Every action is a fresh negotiation. Identity is checked, authority is checked, context is checked, and nothing is granted on the strength of what came before. The wall did not fall because we abandoned it. We replaced it with something that verifies at the level of the individual act.
Signed identity, not borrowed trust
In most systems an AI agent inherits the identity of whoever launched it, and that borrowed trust becomes the single point everything hangs on. Compromise the token and you inherit the empire. We refuse that shortcut. In our SIOS every brain carries its own cryptographic identity, bound to hardware the customer owns, and that identity cannot be lifted, replayed or spoofed by another process pretending to be it.
Like Janus watching both ways at once, zero trust knows there is no safe inside and no safe outside
The signatures are post-quantum by design. We sign with FIPS 204 ML-DSA-65, the Module Lattice Digital Signature Algorithm standardised for the era when today's encryption starts to fray. An adversary harvesting signed traffic now, hoping to break it with tomorrow's machines, finds nothing worth keeping. Identity in a zero-trust AI system is not a badge you wave at a door. It is a mathematical fact that travels with every request and can be independently confirmed by anyone holding the public key, with no call home required.
Every action attested before it runs
Here is where most zero-trust talk stops and where the hard engineering begins. It is not enough to know who is asking. You must know precisely what they intend to do, and you must capture that intent before a single byte moves. Our answer is the Operation Attestation Record, the OAR, and it is the beating heart of the whole architecture.
Hephaestus sets his mark before the work begins, as every action is attested before it runs
Before any consequential action executes, the SIOS writes an OAR. It states which brain is acting, what it proposes to do, on what data, under whose authority and against which policy. That record is signed and committed first. The action only proceeds once the attestation exists. This inversion matters more than it sounds. In conventional systems the log is written after the fact, by the same system that might already be compromised, which is exactly why attackers delete logs. An OAR that must exist before the operation runs cannot be edited into innocence afterwards, because the evidence precedes the act rather than trailing it.
The ledger that cannot be quietly rewritten
Attestations are only as trustworthy as the place they live. If an intruder can slip into the record store and rewrite history, the whole edifice is theatre. So we chain every attestation into a tamper-evident ledger, each entry hash-linked to the one before it using SHA-3-512. Change any single record and every hash downstream breaks, announcing the tampering to anyone who checks.
Because the chain is cryptographically self-describing, verification needs no live connection to us and no trusted third party. An auditor, a regulator or the customer's own security team can take the ledger offline, air-gapped, and confirm its integrity from first principles. This is what sovereignty means in practice. The proof of good behaviour belongs to the customer, sits on infrastructure they own, and does not depend on our word or our uptime. For anyone living under the EU AI Act, the Digital Operational Resilience Act, DORA, or the Network and Information Security Directive, NIS2, a portable and independently verifiable audit trail is no longer a nice-to-have. It is the difference between passing an inspection and failing one.
High stakes demand more than one witness
Not all actions carry the same weight. Reading a document is not the same as moving money, changing a clinical record or deleting a dataset. Zero trust should scale its scrutiny to the consequence, and ours does. For high-stakes operations a single signed identity is not sufficient. We require multiple brains to independently agree, and for the most sensitive actions we bind approval to a human presence confirmed by voice biometrics.
Atlas holds the unbroken chain, and if one link is altered the whole weight betrays the tampering
This is separation of powers rendered in cryptography. One brain proposes, others must corroborate, and a person the system can actually recognise must consent. Every brain is revocable, so authority that turns rogue or is suspected of compromise can be pulled instantly and cleanly, with the revocation itself recorded in the ledger. The result is a system where no single point, human or machine, can unilaterally do irreversible harm, and where every consequential decision leaves a signed record of exactly who and what agreed to it.
Built for the boundary the cloud cannot cross
None of this is a critique of the public cloud. The hyperscalers, OpenAI, Microsoft, Amazon Web Services, Google and Oracle among them, are allies operating at a different layer, and they do that layer superbly. But there is a boundary they cannot cross on the customer's terms. A defence programme under International Traffic in Arms Regulations, ITAR, a bank under the Basel framework and the Markets in Financial Instruments Directive, MiFID II, a hospital under the Health Insurance Portability and Accountability Act, HIPAA, cannot let sensitive reasoning leave their walls.
Geryon guards with three bodies in agreement, as high-stakes actions demand more than one witness
Our SIOS is built for exactly that boundary. It runs on hardware the customer owns, air-gapped or on-premise, with zero data egress, and it holds 104 filed UK patent applications, about 2,340 claims, owned by Mickai LTD, describing the capabilities that make signed, attested, offline-verifiable AI possible. Zero trust is not a feature we bolted on. It is the substrate. The intelligence and the proof of its behaviour occupy the same sealed space, aligned with ISO 42001 and the NIST AI Risk Management Framework, so the organisation gets autonomy and evidence together rather than trading one for the other.
The bottom line
Zero-trust AI architecture is not a stricter password policy. It is a wholesale refusal to grant standing trust to anything, including your own intelligence, followed by a demand that every action prove itself in advance and remain provable forever. Signed identity says who. The OAR says what and why, written before the deed. The hash-linked ledger keeps that proof honest, offline and in the customer's hands. And for the decisions that could hurt, more than one witness must agree.
We built our SIOS this way because the alternative, trusting AI on the strength of a login, is a bet no regulated institution can responsibly make. Verify everything, attest before you act, and keep the receipts where no attacker can reach them. That is not paranoia. In the age of autonomous intelligence, it is simply the price of trust.
Written by Micky Irons. Originally published at https://mickai.co.uk/articles/zero-trust-ai-architecture. More from Micky Irons and Mickai at mickai.co.uk.





Top comments (0)