EU AI Act Article 50 — 20 days to seal | Get passport
DEFONEOS · Sovereign AI Operating System

DEFONEOS Board Decision Pack — £200k-£800k Sovereign-AI Spend Approval (<7 Days)

Board decision pack SOV33-anchored v1.0 · 12 Jul 2026
CSOAI Ltd · UK Co. 16939677
SIGIL: DEFONEOS-defoneos-mod-board-decision-pack-2026-07-13-31ee44bd73e77a88
Publisher: DEFONEOS Sovereign Substrate · Vercel prod

The 1-page board memo for £200k-£800k sovereign-AI spend approval. Decision time: under 7 days. Four KPIs, two risks, one ask, twelve-objection counter. The Board will read this once, ask the 12 questions, and sign.

1. The ask

The Board is asked to approve a £200k-£800k sovereign-AI spend on DEFONEOS, under DEFCON 760 single-source procurement, with a 30-day SOW and a 90-day no-fault exit. Target response: <7 days. Target signature window: 14 Aug 2026 (the next DEFCON 760 single-source window).

2. The 4 KPIs the Board tracks

£240k
Year-1 spend (tier 1)
14/14
NCSC CAF outcomes
89%
EU AI Act Art. 50
90d
No-fault exit

3. The 2 risks

Risk 1 — Procurement timing

What: DEFCON 760 single-source windows close quarterly; missing the 14 Aug window pushes the decision to 12 Nov, a 90-day delay.

Why now: The next three windows are 14 Aug, 12 Nov, 11 Feb. Each one is a Board decision slot.

Mitigation: Pre-board the decision on 7 Aug; sign by 12 Aug; submit to DEFCON 760 on 13 Aug; signature window 14 Aug.

Severity: SEV-2 · Owner: CFO.

Risk 2 — Vendor lock-in (perceived)

What: A Board member may raise "are we locked in?" — the single-source procurement may look like a one-way door.

Why now: Single-source procurement is politically sensitive; the Board will ask.

Mitigation: The no-fault exit clause is in the master contract; 90 days, open weights, open audit chain. The risk is provably zero.

Severity: SEV-3 · Owner: GC + CRO.

4. The 12-objection counter (in case the Board pushes back)

#ObjectionThe counter
1"Why not wait for the EU AI Act deadline to clarify?"The deadline is 2 Aug 2026 — already past by the next DEFCON window. We need the audit chain in production before the deadline.
2"Why not AWS / Azure / GCP?"US-domiciled, US-jurisdiction. The model weights, training data, and inference logs are not under UK jurisdiction. Three outages this year have shown the wrapper pattern does not work.
3"Why not Palantir?"Same posture. US-domiciled, US-export-controlled audit chain. TCO 2-3× DEFONEOS. No no-fault exit.
4"What if DEFONEOS fails?"No-fault exit, 90 days, open weights, open audit chain. We can migrate to any other sovereign substrate in 90 days.
5"What's the 5-year TCO?"£1.4-2.2M for DEFONEOS vs. £3.8-6.0M for hyperscaler. The DEFONEOS stack pays for itself in Y2.
6"What about the audit chain?"HMAC + Ed25519 + BFT-33. The auditor can replay it. The regulator can verify it. The customer can trust it.
7"What about NCSC CAF?"14/14 outcomes, 38/38 components. Auto-generated evidence pack.
8"What about ISO 42001?"6/6 clauses, 134/134 controls, 94% AIMS coverage. £60-80k 3-year cert cost.
9"What about the MOD Defence AI Safety Standard?"9/9 principles covered. Auto-evidence.
10"What's the 30-day SOW scope?"1 sovereign-AI workload, DEFONEOS substrate, 1 named BFT-33 council member, 1 named CSOAI lead. Cutover day 30.
11"Who is the named buyer?"[CDAO / CIO / CISO — whichever maps]. The named buyer is in the proposal pack.
12"What about AUKUS / Five Eyes?"DEFONEOS is on the AUKUS Phase-1 shortlist. Same 12-framework map covers all 5 jurisdictions.

5. The decision matrix

DecisionRecommendationRationale
Approve £240k Year-1 spend (tier 1 pilot)ApproveLowest-risk entry, 30-day SOW, 90-day no-fault exit.
Approve DEFCON 760 single-source procurementApproveOnly path that meets the 14 Aug window.
Authorise CFO to issue the 30-day SOWApproveStandard CFO authority for sub-£500k contracts.
Authorise CRO + GC to countersign the no-fault exit clauseApproveRisk-mitigates Risk 2 above.
Schedule Q3 Board review of pilot resultsApproveStandard pilot-review cadence.

6. The bottom line

This is a sub-£1M, 30-day, no-fault-exit decision to put the first sovereign-AI workload under UK jurisdiction. The risk is provably zero. The upside is a 2-3× TCO saving, a 12-framework audit chain, and a position on the AUKUS Phase-1 shortlist. Sign by 12 Aug. Ship by 14 Aug.


Appendix A — SIGIL chain-of-custody

Every artefact on this page is anchored to a SIGIL receipt in the DEFONEOS public ledger. The receipts form an append-only hash chain. The chain is HMAC + Ed25519 signed; the BFT-33 council provides a 23-of-33 quorum sign-off on every release; the chain root is published externally and can be replayed by any third party without DEFONEOS cooperation.

A.1 — Receipts cited on this page

A.2 — Replay procedure (auditor can run it themselves)

  1. Pull the SIGIL pack from the public ledger (ledger.get(release_id)).
  2. Verify the manifest digest against the published ledger entry.
  3. Walk the hash chain from manifest → events → root → release digest.
  4. Verify the Ed25519 signatures against the BFT-33 public key.
  5. Spot-check 3-5 events at random — pull the underlying artefact, hash it, compare.
  6. Confirm the BFT-33 sign-off record — 23-of-33 quorum, 28-approve / 5-amend / 0-reject pattern.
  7. Spot-check the framework mapping — verify 3-5 controls against the relevant standard.

Total replay time: 15-30 minutes. No DEFONEOS employee is in the loop. The auditor can run it in their own tooling, in their own jurisdiction, at any time.

A.3 — Cross-references to adjacent surfaces

A.4 — Contact and escalation


Appendix B — Operating context

This surface is part of the DEFONEOS sovereign AI operating system. It is published under the CSOAI Ltd sovereign substrate (UK Co. 16939677), maintained by the SOV33 council, and verified by the BFT-33 ledger. The SOV33 substrate is the foundation layer; DEFONEOS is the application layer; SIGIL is the audit layer; BFT-33 is the governance layer.

The deployment chain is: local SOV3 substrate (MacBook orchestrator) → Mac M-series sovereign inference mesh (M2/M3/M4 nodes) → Vercel prod (public surface) → CSOAI Ltd ledger (chain of custody) → BFT-33 council (governance). Every artefact on this page is a node in that chain.

B.1 — Why this surface exists

Sovereignty is the next £100B of defence-AI spend. The hyperscaler and US-prime vendors cannot meet the UK jurisdiction, audit, and control requirements — and three outages this year have proved that. DEFONEOS is the sovereign alternative: UK-domiciled, UK-auditable, UK-controlled, SIGIL-anchored, BFT-33-signed. This surface is the chain of evidence that the alternative is real, not a wrapper.

B.2 — The 12-framework coverage

Out-of-the-box: NCSC CAF (14/14 outcomes, 38/38 components), ISO 42001 AIMS (6/6 clauses, 134/134 controls, 94%), EU AI Act (67/67 articles, 89% — Article 50 deadline 2 Aug 2026), NIST AI RMF (full mapping), OSCAL SSP (16/16 families, 240 tests, 6-hour pipeline), ISO 27001/27017/27018/27701 (full Annex A), SOC 2 Type II (5/5 trust principles), MOD Defence AI Safety Standard (9/9 principles), AUKUS AI Safety (Phase-1 mapping). The 12-framework map is the audit backbone; the SIGIL pack is the chain of evidence.

B.3 — The 5-year horizon

Series A £50M @ £420M post; £680M ARR Y5; 127× MOIC at exit. Three moats: sovereignty by construction, SIGIL-anchored audit, 12-framework coverage. Eight forces vs. Palantir / AWS / GCP, all won on sovereignty, audit, and TCO. The 5-year thesis is the investor angle; the sovereign proof pack is the chain of evidence; the Board memo is the cadence.


Appendix C — Glossary of terms