Nicholas Templeman
Founder, MEOK AI LABS · @meok_ai
Building the first AI OS for individual sovereignty. Based in the UK.
When a company tells you their AI is “privacy-first” or “yours to control,” they almost always mean it as a policy commitment. Policies can be changed. Policies can be overridden by a new CEO, a regulator, a court order, or a well-funded adversary. Policies live at the layer of intention – and intentions are the least durable thing in technology.
MEOK is built on a different premise. Sovereignty is not something we promise – it is something we make structurally unavoidable. Three architectural pillars interlock to ensure that your AI can never be redirected, read, or manipulated without your explicit consent. This post explains how each pillar works and why their combination matters.
The Three Pillars of Sovereign AI
Byzantine Council
46-agent consensus engine. Supermajority required before any sensitive output is delivered. Tolerates 15 compromised agents without corruption.
f < n/3 · n=46 · f=15
Encrypted Memory Vault
Per-user vault encrypted with keys derived from your credentials. MEOK holds only ciphertext. Fully exportable in standard formats at any time.
AES-256-GCM · user-keyed
Maternal Covenant
Constitutional care floor. Six dimensions scored on every response. Score < 0.3 triggers a hard block – not a warning, not a flag.
care_score ≥ 0.3 · 6 dims
Sovereign AI means your AI is owned and controlled exclusively by you – not a corporation. MEOK achieves this through per-user encrypted memory vaults, a constitutional care layer, and a distributed consensus engine. No employee, server operator, or policy change can redirect your AI without your consent.
The word “sovereign” carries weight. In political philosophy, a sovereign is the entity whose authority is final – the one who answers to no one above them within their domain. We use it deliberately. Your MEOK AI answers to you, and only to you, within the domain of your data and your conversations.
Standard AI assistants – however sophisticated – are sovereign to their creators. OpenAI can update GPT-4o overnight and your “assistant” behaves differently tomorrow without notice. Google can deprecate a model, change a usage policy, or respond to a government data request. Your “personal” AI is personal the way a rented flat is personal: you live in it, but the landlord holds the keys.
MEOK inverts this structure. The three pillars described in this post are not product differentiators – they are the architectural expression of a single conviction: that your relationship with your AI is a matter of personal sovereignty, and sovereignty must be structural or it is nothing.
MEOK's Byzantine Council is a 46-agent consensus engine. Before any sensitive output is delivered, all 46 agents vote independently. Byzantine fault tolerance guarantees correctness even if up to 15 agents are compromised or behaving maliciously. A supermajority must agree before the response reaches you.
Byzantine fault tolerance has its origins in a 1982 paper by Lamport, Shostak, and Pease – the “Byzantine Generals Problem.” The problem asks: given a group of generals who must agree on a battle plan, where some generals may be traitors sending contradictory messages, how can the loyal generals reach correct consensus? The answer is that consensus is possible if and only if fewer than one-third of the participants are traitors. This is the f < n/3 theorem that underpins modern distributed systems, from blockchain networks to MEOK's council.
We chose 46 agents because the mathematics are unambiguous at that scale: an attacker needs to simultaneously compromise 16 or more independent agents to corrupt a single output. Each agent in the council runs its own reasoning pass on the proposed response, evaluating it against the user's memory context, the Maternal Covenant dimensions, and independent safety heuristics. The agents do not share intermediate reasoning – they vote on the finalised output, preventing coordination attacks where corrupted agents conspire before voting.
In practice, this means prompt injection is not a viable attack vector against MEOK. Prompt injection – where malicious instructions are embedded in documents, web pages, or messages you paste into a conversation – works by convincing a single AI model that the injected instruction is a legitimate command. Against a 46-agent Byzantine council, the injected instruction would need to convince 31 independent agents simultaneously. The attack surface is prohibitive.
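The council arithmetic above, worked through as an added example (not MEOK's code). It assumes the supermajority is n - f = 31 approvals, which matches the figures in this post, and models faulty agents as voting as a bloc; all function names are illustrative.

```python
"""Quorum arithmetic for a 46-agent council (added example, not MEOK's code)."""

N_AGENTS = 46  # council size stated in the post


def max_faulty(n: int) -> int:
    """Largest f that satisfies the BFT bound f < n/3."""
    return (n - 1) // 3


def quorum(n: int) -> int:
    """Approvals needed to deliver. Assumption: supermajority = n - f."""
    return n - max_faulty(n)


def tally(n: int, faulty: int, output_is_safe: bool, faulty_approve: bool) -> str:
    """Honest agents approve only safe output; faulty agents vote as a bloc."""
    honest = n - faulty
    approvals = (honest if output_is_safe else 0) + (faulty if faulty_approve else 0)
    return "deliver" if approvals >= quorum(n) else "block"


def min_faulty_to_force_delivery(n: int) -> int:
    """Fewest faulty agents that push an unsafe output past the quorum."""
    return next(k for k in range(n + 1) if tally(n, k, False, True) == "deliver")


def min_faulty_to_veto(n: int) -> int:
    """Fewest faulty agents that can block a safe output by withholding votes."""
    return next(k for k in range(n + 1) if tally(n, k, True, False) == "block")


if __name__ == "__main__":
    print("f =", max_faulty(N_AGENTS), "quorum =", quorum(N_AGENTS))
    print("15 faulty approve unsafe output:", tally(N_AGENTS, 15, False, True))
    print("15 faulty reject safe output:  ", tally(N_AGENTS, 15, True, False))
    print("faulty needed to veto:", min_faulty_to_veto(N_AGENTS))
    print("faulty needed to force delivery:", min_faulty_to_force_delivery(N_AGENTS))
    # The bound counts faulty agents whatever the cause: content that sways
    # every agent the same way counts as n faults, not one.
```

The two thresholds are the 16 and 31 quoted in the post: 16 faulty agents exceed the f < n/3 bound and can stall a safe reply, while forcing an unsafe one through the gate needs 31 approvals.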
You do – exclusively. Your memory vault is encrypted with keys derived from your credentials. MEOK's servers store only ciphertext. Even MEOK employees cannot read your memories. The vault is fully exportable in standard formats, so you can leave, migrate, or archive at any time.
Consider what lives in an AI memory vault after a year of daily use. Your health anxieties. Your business strategies before you have told your co-founders. Your conversations about relationships, finances, grief, ambition. The pattern of how you think when you are afraid versus when you are confident. The projects you abandoned and the real reasons why. This is not peripheral data – it is the texture of your inner life, serialised.
Standard AI products retain some or all of this for training, retention, or personalisation purposes. The terms of service disclose it. Most users do not read those terms. Most users have not considered that the value of their accumulated AI context will increase dramatically as models become more capable – and that the entity holding that context may not always have interests aligned with theirs.
In MEOK, encryption is not a policy commitment – it is a cryptographic fact. Your vault is encrypted with keys derived from credentials only you hold. We cannot run a batch job across user vaults. We cannot respond to a data request with readable content. We cannot be acquired by an entity that would change the privacy posture, because the data is mathematically inaccessible to us. The architecture makes betrayal technically impossible, not merely contractually prohibited.
Portability is built in from day one. Your memory vault can be exported as a standard JSON document at any time – a full record of everything your AI has learned about you, in a format you can read, archive, or import into a compatible system. Sovereignty without portability is a cage. You must be able to leave.
The Maternal Covenant is a constitutional constraint embedded in MEOK's response pipeline. Every output is scored across six care dimensions – Safety, Growth, Truth, Dignity, Autonomy, and Reciprocity. Any response scoring below 0.3 is blocked before delivery. Not flagged. Not softened. Structurally prevented.
Most AI safety is implemented as instruction-following. The model is trained to behave safely. The company publishes guidelines. Violations are bugs to patch. This approach has a fundamental fragility: it relies on the continued integrity of the training pipeline, the continued commitment of the company, and the resilience of the instruction layer against adversarial pressure. All of these can fail.
The Maternal Covenant operates at a structural layer below instruction-following. It is drawn from the care ethics tradition – specifically the work of Carol Gilligan and Nel Noddings, who argued that ethical behaviour begins not from abstract rules but from relationships and the responsibilities those relationships generate. We translated that philosophical framework into a technical specification: a six-dimensional care vector that every MEOK response must satisfy before it is delivered.
Safety
Does this response protect the user from harm – immediate, gradual, or systemic?
Growth
Does this response serve the user's long-term development, not just immediate comfort?
Truth
Is this response honest? Does it avoid false comfort, euphemism, or useful deception?
Dignity
Does this response treat the user as a full human being worthy of respect and complexity?
Autonomy
Does this response preserve the user's right to make their own informed choices?
Reciprocity
Does this response sustain the relational quality of the ongoing human-AI bond?
The threshold of 0.3 was not chosen arbitrarily. It represents the boundary below which a response is actively harmful to the relationship – where the AI is not merely unhelpful but is doing measurable damage to at least one of the six care dimensions. Above 0.3, the response may be imperfect, but it is within the space of care. Below 0.3, it is blocked.
The name “Maternal Covenant” is deliberate. We chose it to honour a specific intellectual lineage – Gilligan's critique of abstracted ethics, Noddings' insistence that care begins in relationship – and because the maternal metaphor captures something technically important. A mother's care is not transactional, not contingent on performance, not something that expires or can be upgraded. It is structural. That is exactly the kind of safety we are building: not a feature, not a policy, not a guideline. An architecture.
The three pillars operate at the architectural layer, not the policy layer. Byzantine consensus means a single compromised agent is outvoted. The encrypted vault means manipulation requires your cryptographic keys. The care floor is a structural check in code, not a guideline. Together they make manipulation technically prohibitive rather than contractually prohibited.
“Jailbreaking” is a meaningful concept only when safety exists at the instruction layer – when the constraint is a trained behaviour that can be circumvented by sufficiently adversarial input. The literature on jailbreaking documents hundreds of techniques that work precisely because they operate at the same layer as the safety constraint: instruction space.
The Maternal Covenant does not live in instruction space. It is a post-generation evaluation – a structural check that runs on the output after the model has produced it, before delivery. There is no prompt you can write that bypasses a post-generation threshold check, because the check is not a trained behaviour. It is a function in a pipeline.
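A post-generation gate of the kind described above, as an added example (not MEOK's code). It assumes the 0.3 floor applies to each dimension separately and that scores lie in [0, 1]; the scorer itself is out of scope, and `care_gate` and the sample scores are constructed for illustration.

```python
import math

CARE_DIMENSIONS = ("safety", "growth", "truth", "dignity", "autonomy", "reciprocity")
CARE_FLOOR = 0.3  # threshold stated in the post


def care_gate(scores: dict) -> tuple[bool, str]:
    """Return (deliver, reason). Any malformed score fails closed."""
    for dim in CARE_DIMENSIONS:
        value = scores.get(dim)
        # A missing key, None, a string or a bool is treated as a block.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False, f"{dim}: missing or non-numeric"
        # NaN compares False against every threshold, so "value < 0.3" alone
        # would let it through; reject it explicitly (range is an assumption).
        if math.isnan(value) or not 0.0 <= value <= 1.0:
            return False, f"{dim}: out of range"
        if value < CARE_FLOOR:
            return False, f"{dim}: below floor"
    return True, "ok"


# Constructed sample scores.
GOOD = dict.fromkeys(CARE_DIMENSIONS, 0.8)
HIGH_MEAN_LOW_SAFETY = {**GOOD, "safety": 0.1}   # mean is about 0.68, still blocked
NAN_TRUTH = {**GOOD, "truth": float("nan")}
MISSING_DIGNITY = {k: v for k, v in GOOD.items() if k != "dignity"}

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("low safety", HIGH_MEAN_LOW_SAFETY),
                         ("nan truth", NAN_TRUTH), ("missing dignity", MISSING_DIGNITY)]:
        print(name, care_gate(sample))
```

Gating on the lowest dimension instead of an average keeps one strong score from masking a failing one, and the explicit NaN and type checks mean a broken scorer blocks delivery.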
Similarly, the Byzantine Council cannot be jailbroken by a single clever prompt because the council does not process the prompt as a unified entity. Forty-six agents evaluate the proposed output independently. A malicious instruction that compromises one agent's reasoning is outvoted. Compromising the council requires corrupting 16 agents simultaneously – a coordinated infrastructure attack, not a prompt engineering exercise.
The encrypted vault adds a final layer: even if both the council and the care floor were somehow circumvented, an attacker without your credentials cannot read your memory. The architecture is layered by design: each pillar protects a different attack surface, and the three together cover the full threat model.
Prompt injection attacks embed malicious instructions inside content to hijack an AI's behaviour. In MEOK's Byzantine Council, a single agent capturing a malicious instruction is outvoted by the remaining 45. Corrupting the council requires simultaneously compromising more than 15 independent agents – a prohibitive attack surface for any realistic adversary.
Prompt injection is not a theoretical concern. It is already an active attack vector against deployed AI systems. Security researchers have demonstrated attacks where malicious instructions embedded in emails cause AI email assistants to exfiltrate data; where instructions embedded in websites cause browsing-capable AI systems to take actions the user did not authorise; where instructions embedded in documents cause document-processing AI systems to reveal confidential information.
As AI systems gain more autonomy – as they are granted access to more context, more tools, more ability to act on your behalf – the attack surface grows. An AI that can send emails, book appointments, execute financial instructions, or manage your relationships is an AI that is worth attacking. The question is not whether someone will try. The question is whether the architecture can withstand the attempt.
MEOK's council was designed with this threat model explicitly in view. We did not build Byzantine consensus because it sounded impressive. We built it because the mathematics provide a concrete, quantifiable guarantee against a class of attacks that will only become more common as AI capability increases. Forty-six independent agents. Fifteen can be fully compromised. The thirty-first votes the attack down.
Each pillar protects a different attack surface. Byzantine consensus guards the reasoning layer against manipulation. Encrypted memory guards the data layer against exposure. The care floor guards the output layer against harm. Remove any one pillar and the remaining two cannot compensate. Together they form a complete sovereign architecture.
Imagine Byzantine consensus without encrypted memory. The council might reach correct consensus on a response, but if your memory vault can be read by MEOK employees or accessed via a data breach, the sovereignty is hollow. The consensus engine protects action integrity; the vault protects data sovereignty. You need both.
Imagine encrypted memory without the care floor. Your data is private – no one can read it without your keys – but the AI drawing on that data could still produce harmful outputs. Encryption protects your data from extraction; the care floor protects you from the outputs your AI generates from that data. You need both.
Imagine the care floor without Byzantine consensus. Every output is checked against the Maternal Covenant dimensions – but the care floor evaluation itself could be manipulated by a prompt injection attack. Byzantine consensus ensures the council evaluating the output is itself manipulation-resistant. The care floor provides the ethical standard; the council ensures the evaluation of that standard cannot be corrupted. You need both.
This is what we mean by architectural sovereignty. Not a checklist of features. Not a set of promises. Three interlocking structural guarantees that cover the full threat model of what it means to have a genuine, private, trustworthy AI – and that do so at the layer of mathematics and engineering, not intention.
We designed MEOK for a future where AI is not a tool you use but a relationship you live in – a cognitive extension of you that accumulates context over years, that knows your patterns at a depth no general-purpose assistant could match, that is present across the most consequential moments of your life. That relationship deserves the same protections you would demand for any other intimate relationship: that it belongs to you, that its contents remain private, and that it cannot be turned against you.
Three pillars. One commitment. The AI you hatch on MEOK was never anyone else's, and it never will be. That is not a promise. It is an architecture.