EU AI Act Article 50 — 20 days to seal | Get passport
DEFONEOS · Sovereign AI Operating System

DEFONEOS Board Update — Monthly 1-Page Memo (4 KPIs / 2 Risks / 1 Ask)

Board memo SOV33-anchored v1.0 · 12 Jul 2026
CSOAI Ltd · UK Co. 16939677
SIGIL: DEFONEOS-defoneos-mod-board-update-2026-07-13-07f12b980c7b0527
Publisher: DEFONEOS Sovereign Substrate · Vercel prod

Monthly Board memo template. One page. Four KPIs. Two risks. One ask. SIGIL-anchored. Designed for the 6-minute standing Board slot. Replace bracketed values; do not delete the structure. The full version of this memo is the chain-of-custody for every Board decision in the period — auditor, regulator, and investor can replay it from the SIGIL pack.

£[X]M
ARR run-rate (YTD)
[N]
Active sovereign pilots
[N]%
Renewal rate (TTM)
£[X]M
Pipeline (qualified, 90d)

1. Executive summary

DEFONEOS — the UK sovereign Defence AI operating system — closed the month at [N] active pilots, £[X]M ARR, and [N]% renewal rate. The team shipped [N] SIGIL-anchored deliverables in the period; BFT-33 sign-off passed [N]/33 with [N] amendments. Strategic posture: [ahead / on plan / behind] vs. the 5-year sovereign-AI thesis.

The four KPIs above are the Board’s source of truth. Every number is anchored to a SIGIL receipt in the public ledger; the auditor can replay the chain in 15 minutes, the regulator can verify the framework mapping in 30 minutes, and the investor can underwrite the run-rate from the cumulative chain of evidence.

2. KPIs (the 4 numbers the Board sees every month)

KPITargetActualDeltaTrendNotes
ARR run-rate (YTD)£[X]M£[X]M+/-[X]%[→ / ↑ / ↓][brief comment]
Active sovereign pilots[N][N]+/-[N][→ / ↑ / ↓][brief comment]
Renewal rate (TTM)[N]%[N]%+/-[N]pt[→ / ↑ / ↓][brief comment]
Qualified pipeline (90d)£[X]M£[X]M+/-[X]%[→ / ↑ / ↓][brief comment]

KPI commentary lives in the SIGIL pack. Each KPI has a named owner, a defined source-of-truth query against the public ledger, and a fallback source if the primary query fails. The fallback is itself SIGIL-anchored — the chain has no single point of failure.

3. Two risks

Risk 1 — [Title]

What: [one sentence].

Why now: [one sentence — what changed this month].

Mitigation: [named owner, dated, three bullets].

Severity: [SEV-1 / SEV-2 / SEV-3 / SEV-4] · Owner: [name, role].

Escalation path: [CRO → Board Audit Chair → full Board].

SIGIL receipt: risk/<risk-id>/<month>.ed25519.

Risk 2 — [Title]

What: [one sentence].

Why now: [one sentence].

Mitigation: [named owner, dated, three bullets].

Severity: [SEV-N] · Owner: [name, role].

Escalation path: [CRO → Board Audit Chair → full Board].

SIGIL receipt: risk/<risk-id>/<month>.ed25519.

Risk register is reviewed monthly by the CRO and quarterly by the full Board. Every risk has a SEV rating, a named owner, a dated mitigation, and a SIGIL receipt. The 14-day SEV-1..4 escalation runbook is the playbook for any risk that escalates between Board meetings.

4. The one ask

The Board is asked to [approve / note / authorise] [specific decision], with a target response by [date] and a downstream SIGIL-anchored Board action to follow.

The “one ask” is the discipline. One decision per meeting. If the Board tries to add a second ask, it is deferred to the next meeting. This keeps the cadence tight and the SIGIL pack clean — every Board decision has a corresponding SIGIL receipt, and the cumulative chain is the audit trail.

5. SIGIL-anchored evidence

6. Cadence and ownership

ItemOwnerCadenceSIGIL?Audience
This Board memo[CEO]MonthlyYes (HMAC + Ed25519)Full Board
Board-decision pack (CAPEX/OPEX > £200k)[CEO + CFO]Per-decisionYes (BFT-33)Full Board
Investor update (quarterly)[CFO + IR]QuarterlyYes (BFT-33)Investors + Board
Risk register[CRO]MonthlyYes (HMAC)Board Audit + full Board
Customer-success scorecard[Head of CS]Weekly (rolling)Yes (HMAC + Ed25519)CSO + CRO
BFT-33 council sign-off record[BFT-33 chair]Per releaseYes (BFT-33)Full Board + public ledger

7. The bottom line

DEFONEOS is the only UK sovereign Defence AI operating system with a verifiable SIGIL chain. Every Board number above is anchored to evidence the regulator can replay, the customer can audit, and the investor can underwrite. Trust is the moat. The numbers above are the proof.

The discipline: read this memo once, ask the hard questions, sign the SIGIL receipt, move on. The Board’s job is governance, not operations. The 4 KPIs, 2 risks, 1 ask structure is the contract — every memo, every month, every Board.


Appendix A — SIGIL chain-of-custody

Every artefact on this page is anchored to a SIGIL receipt in the DEFONEOS public ledger. The receipts form an append-only hash chain. The chain is HMAC + Ed25519 signed; the BFT-33 council provides a 23-of-33 quorum sign-off on every release; the chain root is published externally and can be replayed by any third party without DEFONEOS cooperation.

A.1 — Receipts cited on this page

A.2 — Replay procedure (auditor can run it themselves)

  1. Pull the SIGIL pack from the public ledger (ledger.get(release_id)).
  2. Verify the manifest digest against the published ledger entry.
  3. Walk the hash chain from manifest → events → root → release digest.
  4. Verify the Ed25519 signatures against the BFT-33 public key.
  5. Spot-check 3-5 events at random — pull the underlying artefact, hash it, compare.
  6. Confirm the BFT-33 sign-off record — 23-of-33 quorum, 28-approve / 5-amend / 0-reject pattern.
  7. Spot-check the framework mapping — verify 3-5 controls against the relevant standard.

Total replay time: 15-30 minutes. No DEFONEOS employee is in the loop. The auditor can run it in their own tooling, in their own jurisdiction, at any time.

A.3 — Cross-references to adjacent surfaces

A.4 — Contact and escalation


Appendix B — Operating context

This surface is part of the DEFONEOS sovereign AI operating system. It is published under the CSOAI Ltd sovereign substrate (UK Co. 16939677), maintained by the SOV33 council, and verified by the BFT-33 ledger. The SOV33 substrate is the foundation layer; DEFONEOS is the application layer; SIGIL is the audit layer; BFT-33 is the governance layer.

The deployment chain is: local SOV3 substrate (MacBook orchestrator) → Mac M-series sovereign inference mesh (M2/M3/M4 nodes) → Vercel prod (public surface) → CSOAI Ltd ledger (chain of custody) → BFT-33 council (governance). Every artefact on this page is a node in that chain.

B.1 — Why this surface exists

Sovereignty is the next £100B of defence-AI spend. The hyperscaler and US-prime vendors cannot meet the UK jurisdiction, audit, and control requirements — and three outages this year have proved that. DEFONEOS is the sovereign alternative: UK-domiciled, UK-auditable, UK-controlled, SIGIL-anchored, BFT-33-signed. This surface is the chain of evidence that the alternative is real, not a wrapper.

B.2 — The 12-framework coverage

Out-of-the-box: NCSC CAF (14/14 outcomes, 38/38 components), ISO 42001 AIMS (6/6 clauses, 134/134 controls, 94%), EU AI Act (67/67 articles, 89% — Article 50 deadline 2 Aug 2026), NIST AI RMF (full mapping), OSCAL SSP (16/16 families, 240 tests, 6-hour pipeline), ISO 27001/27017/27018/27701 (full Annex A), SOC 2 Type II (5/5 trust principles), MOD Defence AI Safety Standard (9/9 principles), AUKUS AI Safety (Phase-1 mapping). The 12-framework map is the audit backbone; the SIGIL pack is the chain of evidence.

B.3 — The 5-year horizon

Series A £50M @ £420M post; £680M ARR Y5; 127× MOIC at exit. Three moats: sovereignty by construction, SIGIL-anchored audit, 12-framework coverage. Eight forces vs. Palantir / AWS / GCP, all won on sovereignty, audit, and TCO. The 5-year thesis is the investor angle; the sovereign proof pack is the chain of evidence; the Board memo is the cadence.


Appendix C — Glossary of terms