The UK's sovereign AI contribution to the Five Eyes intelligence alliance. Five nations, five sovereign instances, one interoperable protocol. UK-owned. UK-governed. Not subject to US CLOUD Act.
Five Eyes (FVEY) is an intelligence alliance dating to the 1946 UKUSA Agreement, comprising five English-speaking nations. It is the most extensive intelligence-sharing partnership in the world.
| Flag | Nation | Lead Agency | Role | Founded |
|---|---|---|---|---|
| π¬π§ | United Kingdom | GCHQ (Cheltenham) | SIGINT, cyber defence, European theatre | 1946 |
| πΊπΈ | United States | NSA (Fort Meade) | SIGINT, cyber operations, global reach | 1946 |
| π¨π¦ | Canada | CSE (Ottawa) | Arctic monitoring, SIGINT, cyber | 1948 |
| π¦πΊ | Australia | ASD (Canberra) | Regional SIGINT, Indo-Pacific, cyber | 1956 |
| π³πΏ | New Zealand | GCSB (Wellington) | South Pacific monitoring, cyber | 1956 |
The core challenge for Five Eyes AI: intelligence agencies need shared AI tools, but cannot use US-owned platforms (like Palantir) without exposing their data to US legal jurisdiction (CLOUD Act, FISA Section 702, Executive Order 12333). Each nation needs AI capability without handing sovereignty to another nation's vendor.
DEFONEOS solves this by deploying five sovereign instances β one per nation β connected via the A2A protocol. Each instance is owned, operated, and governed by its host nation. No shared cloud. No central vendor. No single point of legal compulsion.
| Nation | Instance | Hosting | Sovereignty |
|---|---|---|---|
| π¬π§ UK | csoai.org (primary) | GCP London + on-prem M4 Mac | Full UK sovereignty. UK Companies House 16939677. Not subject to US CLOUD Act. |
| πΊπΈ US | US Gov instance | AWS GovCloud / Azure Gov | Full US sovereignty. FedRAMP + IL4/5 eligible. |
| π¨π¦ CA | CA instance | Canadian Sovereign Cloud / on-prem | Full Canadian sovereignty. ITAR-free open-source base. |
| π¦πΊ AU | AU instance | AWS ap-southeast-2 / on-prem | Full Australian sovereignty. ASD IRAP eligible. |
| π³πΏ NZ | NZ instance | NZ government cloud / on-prem | Full NZ sovereignty. |
DEFONEOS supports Five Eyes classification markings natively. Every SIGIL receipt carries classification metadata. Access control is enforced via DID-based identity (W3C DID + Ed25519 keys).
| Marking | Meaning | DEFONEOS Enforcement |
|---|---|---|
| UNCLASSIFIED | Public release approved | Default. Published to open-source repo. |
| RESTRICTED / OFFICIAL | UK government internal | DID-gated. SIGIL receipts at RESTRICTED level. Air-gapped option. |
| CONFIDENTIAL | National security sensitive | DID-gated + SC clearance check. Air-gapped deployment. |
| SECRET | High national security | SC/DV clearance required. Air-gapped only. SIGIL chain isolated. |
| TOP SECRET | Exceptionally grave damage | Strap/Brecon clearance. Physical air gap. No internet. Sovereign hardware only. |
| NOFORN | No foreign nationals | Hive-scoped. Only UK DID identities can access. |
| REL TO FVEY | Releasable to Five Eyes | Five-nation DID federation. Any FVEY DID can access. |
| REL TO USA/GBR/AUS/CAN/NZL | Specific Five Eyes members | Per-nation DID gating. Configurable per hive. |
DEFONEOS is UK-built. The UK contributes:
The US contributes:
Canada contributes:
Australia contributes:
New Zealand contributes:
π¬π§ UK πΊπΈ US π¨π¦ CA
ββββββββββββ ββββββββββββ ββββββββββββ
β GCHQ βββββββ A2A βββββββββΊβ NSA βββββββ A2A βββββββββΊβ CSE β
β DEFONEOS β SIGIL chain β DEFONEOS β SIGIL chain β DEFONEOS β
β :3101 βββββββββββββββββββββΊβ :3101 βββββββββββββββββββββΊβ :3101 β
ββββββ¬ββββββ ββββββ¬ββββββ ββββββ¬ββββββ
β β β
β π¦πΊ AU β π³πΏ NZ β
β ββββββββββββ β ββββββββββββ β
ββββββββββββΊ ASD ββββββββββββββββββββββΊ GCSB βββββββββββ
β DEFONEOS β β DEFONEOS β
β :3101 β β :3101 β
ββββββββββββ ββββββββββββ
Each nation:
β
Owns its instance β
Controls its data β
Governs its AI
β
Hosts on own soil β
Signs own SIGIL chain β
Sets own BFT council
Shared (via A2A protocol):
π‘ OSINT data (GDELT, Sentinel, AIS) π SIGIL proof chain π€ BFT governance votes
| Risk | Palantir / US Vendors | DEFONEOS |
|---|---|---|
| US CLOUD Act | β US gov can compel data from UK deployment | β UK instance not subject to CLOUD Act (no US provider in the data path for the sovereign deployment) |
| FISA Section 702 | β US can collect communications of non-US persons | β UK instance processes data on UK soil under UK law |
| Executive Order 12333 | β US intel can collect overseas data | β Open-source base is ITAR-exempt. Each nation runs its own. |
| UK Investigatory Powers Act | β οΈ Vendor may receive UK warrants | β CSOAI Ltd is UK company subject to UK law. No foreign jurisdiction conflict. |
| GDPR / UK GDPR | β οΈ US vendor may transfer data to US | β UK data residency. No international transfers without explicit agreement. |
| Vendor Lock-in | β Β£50β100M+ contract, locked in for years | β Open source. Leave anytime. No lock-in. |
| Factor | DEFONEOS | Palantir Gotham |
|---|---|---|
| Ownership | π¬π§ UK (CSOAI Ltd, Companies House 16939677) | πΊπΈ US (Palantir Technologies, Denver) |
| Funding | UK self-funded + UK grants | In-Q-Tel (CIA VC) + Peter Thiel |
| Open Source | β Apache 2.0 (full base platform) | β Closed source |
| CLOUD Act Exposure | β UK deployment not exposed | β Exposed β US company, US servers |
| Per-Nation Deployment | β 5 sovereign instances, A2A federated | β Centralised US cloud |
| Cost per Nation | Β£0 (open source) + optional support | Β£50β100M+ per nation |
| AI Governance | 33-agent BFT council, Ed25519 SIGIL, public audit trail | Vendor-controlled, no public governance |
| Classification Support | NOFORN β TOP SECRET, per-hive DID gating | SECRET + via accreditation |
| Inter-Nation Sharing | A2A protocol β instant, protocol-level | Manual data-sharing agreements, months |
| Audit Trail | Ed25519 SIGIL chain, Bitcoin-anchored, immutable | Vendor-controlled logs, editable |
{
"ts": 1782620774.443,
"classification": "REL TO FVEY",
"caveats": "",
"line": "V|csoai-org|nato|Threat assessment: vessel 47 exhibiting spoofing behaviour",
"agent_id": "uk-gchq-threat-analyst-007",
"agent_clearance": "SC",
"parameters": {"vessel_mmsi": 247123456, "sector": "eastern-med"},
"result": {"confidence": 0.87, "pattern": "AIS-spoofing-detected"},
"digest": "sha256:7f3a8e2d1c4b5a6f...",
"signature": "ed25519:9a3f8e2d1c4b5a6f7e8d9c0b1a2f3e4d5c6b7a8f9e0d1c2b3a4f5e6d7c8b9a0f",
"prev_hash": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
"access_control": {
"did_required": true,
"clearance_minimum": "SC",
"nationalities": ["GBR", "USA", "AUS", "CAN", "NZL"],
"marking": "REL TO FVEY"
},
"bitcoin_anchor": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
}
| Gate | What's Needed | Blocking? |
|---|---|---|
| UK SC clearance | Nick's personal details, 4β6 weeks | π΄ For SECRET+ work |
| Cyber Essentials | Β£320β600, company info | π΄ Mandatory for UK gov contracts |
| NCSC consultation | Email to NCSC for Five Eyes AI guidance | π‘ Recommended before deployment |
| Five Eyes partner outreach | Emails to CSE/ASD/GCSB tech liaison | π‘ Drafts ready β Nick must send |
| Phase | Target | Status |
|---|---|---|
| UK Instance (csoai.org) | Live with 30 MCPs + BFT governance | LIVE |
| NCSC alignment | Cyber Essentials + 10 Steps compliance | IN PROGRESS |
| US pilot | DIU or NSA pilot deployment | Planned Q4 2026 |
| AU pilot | DSTG trilateral exercise | Planned Q1 2027 |
| CA + NZ engagement | CSE + GCSB technical liaison | Planned Q1 2027 |
| Full FVEY federation | 5 instances, A2A, shared SIGIL chain | Vision Q3 2027 |