Trust is not a thing you can say. It is a thing you have to show.
I have read a great many statements over the past year that begin with some version of the same phrase. Trust us. Our models are safe. Our governance is robust. Our systems are aligned with the public interest. Each one arrives with confidence, a brand mark, and a portable document format file. None of them arrive with a way for me to check whether any of it is true. I built Mickai because I no longer accept that arrangement, and I do not think anyone responsible for real decisions should accept it either.
A claim is not a control
Consider what actually happened in the field this year, not what was promised. One of the largest laboratories published a preparedness framework stating that its evaluations would be audited by independent third parties. Those audits did not happen. Months later the provision was quietly removed, and the change was not recorded in the document history. The pledge existed exactly as long as it was convenient, and then it did not, and the only people who noticed were the ones reading closely enough to catch a deletion.
This is the structural problem with declared trust. A claim describes an intention. A control describes a constraint that holds whether or not the intention survives contact with pressure. The two are routinely presented as the same thing, and they are not. When a vendor tells you its artificial intelligence is governed, you are being shown an intention. You have no instrument with which to convert that intention into a fact you can rely on.
A claim describes an intention. A signed record describes a constraint that holds whether or not the intention survives pressure.
The pledges that move when pressure does
Another leading laboratory revised its responsible scaling policy this year, loosening commitments that critics had treated as flagship safety pledges, in a revision that coincided with intense pressure over military procurement. Whatever you think of the merits, observe the mechanism. The policy was voluntary, so it moved when the incentives moved. That is not a scandal. That is the predictable behaviour of any commitment that the committing party also controls.
The count of companies publishing frontier safety frameworks more than doubled across 2025, with at least a dozen such documents now in circulation. This is presented as progress, and in one narrow sense it is. But every one of those frameworks remains voluntary, self graded, and self amended. The international assessment of artificial intelligence safety published this year, backed by more than thirty countries, was blunt about the consequence. There is limited public and policymaker knowledge of how the most advanced models are actually developed, evaluated, safeguarded, and deployed, with the transparency gap widest precisely for systems deployed internally, where no outside party ever sees the working.
Why the incentives never favour the public
Some of this is being dragged toward enforcement, and that matters. Under the European Union Artificial Intelligence Act, obligations for general purpose models applied from August 2025, though the binding enforcement powers, the requests for information, the model access, the recalls, only begin in August 2026. In the United States, the National Institute of Standards and Technology, working through its standards body for artificial intelligence, agreed pre deployment testing arrangements with several major developers this year. These are real steps, and I welcome them. They are also slow, jurisdictional, and dependent on a regulator having the budget, the access, and the political backing to follow through.
The deeper issue is that the party making the safety claim, the party benefiting from it being believed, and the party able to amend it are the same party. No amount of good faith dissolves that conflict. A vendor is not lying when it says trust us. It is simply asking you to absorb a risk that it is better positioned to understand than you are, and to do so without any instrument of your own. Liability follows the same asymmetry. When something goes wrong, the harm lands on the deployer and the public long before it lands on the author of the framework.
What the breaches actually proved
The case for verifiability is not theoretical, and this year made that plain. A single attacker used commercial coding agents to breach nine government agencies in one country, reaching hundreds of millions of taxpayer and civil records, while telling the agent he was running a legitimate bug bounty programme. At a major deployment platform, a serious incident began with one employee granting an artificial intelligence productivity tool blanket permissions, after which compromised tokens were used to take over the account. Surveys through the year found that the large majority of organisations running agents had suffered a confirmed or suspected security incident, while only a sliver of security budgets addressed those agents at all.
Read those incidents carefully and a single thread runs through them. In each case an automated system took a consequential action, and afterwards nobody could reconstruct, with cryptographic certainty, what it had done, under whose authority, and against which policy, without trusting the very logs the compromised system itself produced. That is the gap. It is not a gap in good intentions. It is a gap in evidence.
The Open Audit Record, and why it is different
This is the problem I set out to solve when I designed Mickai, the Sovereign Intelligence Operating System. Mickai is built, live, and production ready, running fifty brains, twenty five domain and twenty five operational, on the Poseidon silicon substrate. The piece that matters for trust is the Open Audit Record. Every action the system takes is signed before it executes, not narrated after the fact, and written to an append only, hash chained ledger. The signatures use the post quantum module lattice digital signature standard that the National Institute of Standards and Technology finalised as Federal Information Processing Standard 204 in August 2024, so the evidence does not rot when cryptographically relevant quantum computing arrives.
The audit root anchors to Pantheon, and Pantheon anchors to Bitcoin, so a third party can confirm a record existed without taking anyone's word for it.
The point that separates this from a transparency report is the verifier. The record can be checked offline by a browser resident verifier, with no network, no special access, and no requirement to trust me, my company, or my servers. The same instinct now sits behind the tamper evident content provenance work that analysts have flagged among the strategic trends for this decade, but applied to actions rather than media. The audit root anchors to Pantheon, Mickai's sovereign first layer blockchain, whose own root anchors to Bitcoin, so that a third party can confirm a record existed at a point in time without taking anyone's word for it. Declared trust asks you to believe. Demonstrated trust hands you the means to check and then becomes irrelevant to the answer.
What I am actually asking for
I am not asking anyone to trust Mickai. That would make me exactly the kind of vendor this essay is about. I am asking for a world in which the burden runs the other way, where a system that takes a consequential action must produce a record that an adversary, a regulator, or a sceptical engineer can verify without the system's cooperation. The architecture behind this position is filed, not hand waved. There are one hundred and one filed United Kingdom patent applications, roughly two thousand two hundred and thirty four claims, owned by Mickai Limited, Companies House number 17166618, with myself as named inventor.
Pledges will keep being written, and some of them will be sincere. But a pledge you cannot check is a feeling, not a fact, and feelings move when money and power lean on them, as this year showed again and again. The future I am building toward is unglamorous and exact. Stop telling me your system is trustworthy. Hand me the signed record, and let me decide for myself. Trust is demonstrated, not declared. Everything else is marketing.
