EU AI Act Article 50 β€” 20 days to seal | Get passport

DEFONEOS Γ— Five Eyes

The UK's sovereign AI contribution to the Five Eyes intelligence alliance. Five nations, five sovereign instances, one interoperable protocol. UK-owned. UK-governed. Not subject to US CLOUD Act.

The Five Eyes Alliance

Five Eyes (FVEY) is an intelligence alliance dating to the 1946 UKUSA Agreement, comprising five English-speaking nations. It is the most extensive intelligence-sharing partnership in the world.

FlagNationLead AgencyRoleFounded
πŸ‡¬πŸ‡§United KingdomGCHQ (Cheltenham)SIGINT, cyber defence, European theatre1946
πŸ‡ΊπŸ‡ΈUnited StatesNSA (Fort Meade)SIGINT, cyber operations, global reach1946
πŸ‡¨πŸ‡¦CanadaCSE (Ottawa)Arctic monitoring, SIGINT, cyber1948
πŸ‡¦πŸ‡ΊAustraliaASD (Canberra)Regional SIGINT, Indo-Pacific, cyber1956
πŸ‡³πŸ‡ΏNew ZealandGCSB (Wellington)South Pacific monitoring, cyber1956

How DEFONEOS Serves Five Eyes

The Sovereignty Problem

The core challenge for Five Eyes AI: intelligence agencies need shared AI tools, but cannot use US-owned platforms (like Palantir) without exposing their data to US legal jurisdiction (CLOUD Act, FISA Section 702, Executive Order 12333). Each nation needs AI capability without handing sovereignty to another nation's vendor.

DEFONEOS: Five Sovereign Instances

DEFONEOS solves this by deploying five sovereign instances β€” one per nation β€” connected via the A2A protocol. Each instance is owned, operated, and governed by its host nation. No shared cloud. No central vendor. No single point of legal compulsion.

NationInstanceHostingSovereignty
πŸ‡¬πŸ‡§ UKcsoai.org (primary)GCP London + on-prem M4 MacFull UK sovereignty. UK Companies House 16939677. Not subject to US CLOUD Act.
πŸ‡ΊπŸ‡Έ USUS Gov instanceAWS GovCloud / Azure GovFull US sovereignty. FedRAMP + IL4/5 eligible.
πŸ‡¨πŸ‡¦ CACA instanceCanadian Sovereign Cloud / on-premFull Canadian sovereignty. ITAR-free open-source base.
πŸ‡¦πŸ‡Ί AUAU instanceAWS ap-southeast-2 / on-premFull Australian sovereignty. ASD IRAP eligible.
πŸ‡³πŸ‡Ώ NZNZ instanceNZ government cloud / on-premFull NZ sovereignty.

Classification Handling

DEFONEOS supports Five Eyes classification markings natively. Every SIGIL receipt carries classification metadata. Access control is enforced via DID-based identity (W3C DID + Ed25519 keys).

MarkingMeaningDEFONEOS Enforcement
UNCLASSIFIEDPublic release approvedDefault. Published to open-source repo.
RESTRICTED / OFFICIALUK government internalDID-gated. SIGIL receipts at RESTRICTED level. Air-gapped option.
CONFIDENTIALNational security sensitiveDID-gated + SC clearance check. Air-gapped deployment.
SECRETHigh national securitySC/DV clearance required. Air-gapped only. SIGIL chain isolated.
TOP SECRETExceptionally grave damageStrap/Brecon clearance. Physical air gap. No internet. Sovereign hardware only.
NOFORNNo foreign nationalsHive-scoped. Only UK DID identities can access.
REL TO FVEYReleasable to Five EyesFive-nation DID federation. Any FVEY DID can access.
REL TO USA/GBR/AUS/CAN/NZLSpecific Five Eyes membersPer-nation DID gating. Configurable per hive.

What Each Nation Contributes

πŸ‡¬πŸ‡§ UK β€” DEFONEOS Origin (GCHQ / NCSC)

DEFONEOS is UK-built. The UK contributes:

πŸ‡ΊπŸ‡Έ US β€” Interoperability Partner (NSA / Cyber Command)

The US contributes:

πŸ‡¨πŸ‡¦ CA β€” Arctic Domain (CSE)

Canada contributes:

πŸ‡¦πŸ‡Ί AU β€” Indo-Pacific Domain (ASD)

Australia contributes:

πŸ‡³πŸ‡Ώ NZ β€” South Pacific Domain (GCSB)

New Zealand contributes:

Federated Intelligence Architecture

  πŸ‡¬πŸ‡§ UK                          πŸ‡ΊπŸ‡Έ US                          πŸ‡¨πŸ‡¦ CA
  β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”                    β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”                    β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
  β”‚ GCHQ     │◄───── A2A ────────►│ NSA      │◄───── A2A ────────►│ CSE      β”‚
  β”‚ DEFONEOS β”‚     SIGIL chain    β”‚ DEFONEOS β”‚     SIGIL chain    β”‚ DEFONEOS β”‚
  β”‚ :3101    │◄──────────────────►│ :3101    │◄──────────────────►│ :3101    β”‚
  β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜                    β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜                    β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”˜
       β”‚                               β”‚                               β”‚
       β”‚          πŸ‡¦πŸ‡Ί AU               β”‚          πŸ‡³πŸ‡Ώ NZ               β”‚
       β”‚          β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”         β”‚          β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”         β”‚
       └──────────► ASD      │◄────────└──────────► GCSB     β”‚β—„β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                  β”‚ DEFONEOS β”‚                      β”‚ DEFONEOS β”‚
                  β”‚ :3101    β”‚                      β”‚ :3101    β”‚
                  β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜                      β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜

  Each nation:
  βœ… Owns its instance        βœ… Controls its data        βœ… Governs its AI
  βœ… Hosts on own soil        βœ… Signs own SIGIL chain    βœ… Sets own BFT council

  Shared (via A2A protocol):
  πŸ“‘ OSINT data (GDELT, Sentinel, AIS)    πŸ”— SIGIL proof chain    🀝 BFT governance votes

Legal & Regulatory Position

Why DEFONEOS Is Safe for Five Eyes

RiskPalantir / US VendorsDEFONEOS
US CLOUD Act❌ US gov can compel data from UK deploymentβœ… UK instance not subject to CLOUD Act (no US provider in the data path for the sovereign deployment)
FISA Section 702❌ US can collect communications of non-US personsβœ… UK instance processes data on UK soil under UK law
Executive Order 12333❌ US intel can collect overseas dataβœ… Open-source base is ITAR-exempt. Each nation runs its own.
UK Investigatory Powers Act⚠️ Vendor may receive UK warrantsβœ… CSOAI Ltd is UK company subject to UK law. No foreign jurisdiction conflict.
GDPR / UK GDPR⚠️ US vendor may transfer data to USβœ… UK data residency. No international transfers without explicit agreement.
Vendor Lock-in❌ Β£50–100M+ contract, locked in for yearsβœ… Open source. Leave anytime. No lock-in.

DEFONEOS vs Palantir for Five Eyes

FactorDEFONEOSPalantir Gotham
OwnershipπŸ‡¬πŸ‡§ UK (CSOAI Ltd, Companies House 16939677)πŸ‡ΊπŸ‡Έ US (Palantir Technologies, Denver)
FundingUK self-funded + UK grantsIn-Q-Tel (CIA VC) + Peter Thiel
Open Sourceβœ… Apache 2.0 (full base platform)❌ Closed source
CLOUD Act Exposureβœ… UK deployment not exposed❌ Exposed β€” US company, US servers
Per-Nation Deploymentβœ… 5 sovereign instances, A2A federated❌ Centralised US cloud
Cost per NationΒ£0 (open source) + optional supportΒ£50–100M+ per nation
AI Governance33-agent BFT council, Ed25519 SIGIL, public audit trailVendor-controlled, no public governance
Classification SupportNOFORN β†’ TOP SECRET, per-hive DID gatingSECRET + via accreditation
Inter-Nation SharingA2A protocol β€” instant, protocol-levelManual data-sharing agreements, months
Audit TrailEd25519 SIGIL chain, Bitcoin-anchored, immutableVendor-controlled logs, editable

Classification-Aware SIGIL Example

{
  "ts": 1782620774.443,
  "classification": "REL TO FVEY",
  "caveats": "",
  "line": "V|csoai-org|nato|Threat assessment: vessel 47 exhibiting spoofing behaviour",
  "agent_id": "uk-gchq-threat-analyst-007",
  "agent_clearance": "SC",
  "parameters": {"vessel_mmsi": 247123456, "sector": "eastern-med"},
  "result": {"confidence": 0.87, "pattern": "AIS-spoofing-detected"},
  "digest": "sha256:7f3a8e2d1c4b5a6f...",
  "signature": "ed25519:9a3f8e2d1c4b5a6f7e8d9c0b1a2f3e4d5c6b7a8f9e0d1c2b3a4f5e6d7c8b9a0f",
  "prev_hash": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
  "access_control": {
    "did_required": true,
    "clearance_minimum": "SC",
    "nationalities": ["GBR", "USA", "AUS", "CAN", "NZL"],
    "marking": "REL TO FVEY"
  },
  "bitcoin_anchor": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
}

Human Gates (Require Nick's Action)

GateWhat's NeededBlocking?
UK SC clearanceNick's personal details, 4–6 weeksπŸ”΄ For SECRET+ work
Cyber EssentialsΒ£320–600, company infoπŸ”΄ Mandatory for UK gov contracts
NCSC consultationEmail to NCSC for Five Eyes AI guidance🟑 Recommended before deployment
Five Eyes partner outreachEmails to CSE/ASD/GCSB tech liaison🟑 Drafts ready β€” Nick must send

Timeline

PhaseTargetStatus
UK Instance (csoai.org)Live with 30 MCPs + BFT governanceLIVE
NCSC alignmentCyber Essentials + 10 Steps complianceIN PROGRESS
US pilotDIU or NSA pilot deploymentPlanned Q4 2026
AU pilotDSTG trilateral exercisePlanned Q1 2027
CA + NZ engagementCSE + GCSB technical liaisonPlanned Q1 2027
Full FVEY federation5 instances, A2A, shared SIGIL chainVision Q3 2027