DEV Community

Cover image for Genomics and Biobanks: Running AI on Data That Can Never Be Re-Identified
Micky Irons
Micky Irons

Posted on • Originally published at mickai.co.uk

Genomics and Biobanks: Running AI on Data That Can Never Be Re-Identified

Genomics and Biobanks: Running AI on Data That Can Never Be Re-Identified

By Micky Irons, founder and CEO of Mickai.

The only defensible way to apply AI to genomic and biobank data is on infrastructure the custodian physically controls, with no outbound path to any third party and a signed, tamper-evident record of every query. A genome is permanently identifying: it is a person's identity, it cannot be reset like a password, and modern linkage attacks recover names from data stripped of every obvious identifier. Because genomic data cannot be truly anonymised, it cannot lawfully or safely sit on infrastructure the custodian does not control. On-premise, zero-egress AI is not a preference here. It is the design the risk demands.

This matters more in 2026 than it did even two years ago. Biobanks and genomics institutes are under pressure to extract clinical and research value from AI, while regulators, ethics boards and research participants tighten the terms on which their most sensitive data may be processed. The default AI on offer, sent to a public cloud service, is exactly the option a genomic custodian cannot take. The question is no longer whether to use AI. It is how to use it without ever letting the data leave the custodian's walls.

Why can genomic data never be truly anonymised?

A genome is high-dimensional and unique to one person, which means it carries its own fingerprint. Researchers have repeatedly re-identified individuals from supposedly de-identified genomic datasets by cross-referencing genealogy databases, surnames inferred from the Y chromosome, and small numbers of common variants. Removing names, dates and postcodes does not help, because the sequence itself is the identifier. Under UK and EU GDPR, data that can be linked back to a person remains personal data no matter how it is labelled. So genomic data is best treated as permanently identifiable and always in scope. The engineering conclusion follows directly: you protect it by controlling where it is processed, not by hoping a de-identification step made it anonymous.

Genomics and Biobanks: Running AI on Data That Can Never Be Re-Identified, illustration 1

How does zero-egress, on-premise AI work?

Mickai is a Sovereign Intelligence Operating System, a SIOS, that runs entirely on the operator's own hardware inside the biobank or genomics institute. Sovereign models are installed locally, so inference happens beside the data and never over the public internet. The perimeter is inbound only: authorised users and systems reach in to ask questions, and there is no configured route for genomic data, prompts or model outputs to reach any outside service. There is no API key to a public model, because there is no public model in the path. The genome is read, reasoned over and answered within a boundary the custodian owns, and nothing crosses it.

If a genome can never be un-identified, the only honest control is to ensure it never leaves the custodian's walls, and to prove it never did.

Genomics and Biobanks: Running AI on Data That Can Never Be Re-Identified, illustration 2

What can an auditor actually check?

Every action inside the SIOS is written to a cryptographically sealed audit ledger. Each entry records who asked, which dataset was touched, which model answered and when, and each is signed so that later tampering is detectable. The signatures use post-quantum schemes standardised as FIPS 204 (ML-DSA), so the record stays verifiable against future attacks. An auditor does not have to trust an assurance. They can verify the chain offline, confirm that the query history is complete and unaltered, and see that no entry describes an outbound transfer. The identity that signs each action is hardware-attested and bound to the same chain, so a query cannot be forged or repudiated. The check is the proof.

Genomics and Biobanks: Running AI on Data That Can Never Be Re-Identified, illustration 3

Which rules make this necessary?

Several regimes point to the same architecture:

  • GDPR: genomic data is special category data, and if it can be re-identified it stays personal data, so a lawful basis and strict controls apply throughout processing.
  • US CLOUD Act: data held by a US-linked cloud provider can be compelled by US authorities regardless of where the servers sit, which is a jurisdictional exposure custodians of national biobank data cannot accept.
  • NIS2: raises security and incident obligations for essential entities, including many health and research organisations.
  • DORA: in force since January 2025, it holds financial-sector operators, and their AI supply chains, to operational resilience and third-party control standards that map cleanly onto sensitive data processing.
  • ISO/IEC 42001: the AI management-system standard that expects demonstrable governance over how AI is deployed and logged.

On the EU AI Act, the high-risk Annex III obligations that were due on 2 August 2026 have been deferred by the Digital Omnibus to 2 December 2027, with embedded high-risk systems under Annex I moving to 2 August 2028 and the Article 50 transparency duties largely unchanged. We read this as a build window, not a reprieve. The custodians who use it to install auditable, sovereign AI now will meet the obligations without a rushed retrofit later.

Genomics and Biobanks: Running AI on Data That Can Never Be Re-Identified, illustration 4

How does this compare to public cloud AI services?

Sending a query to a public AI service means the data, or a prompt derived from it, leaves the custodian's control and enters a jurisdiction and a supply chain they do not govern. For most business data that is a reasonable trade. For a genome it is not, because the data is permanently identifying and the exposure is permanent too. Enterprise cloud vendors offer strong contractual and technical controls, and we describe this purely as a matter of architecture: a contract promising restraint is not the same as an environment with no outbound path. Zero-egress removes the question rather than managing it. There is nothing to promise about data that physically cannot leave.

Does keeping AI on-premise mean weaker answers?

No. Sovereign models run locally can be specialised for genomics and biobank workflows, and the SIOS can route a single question across several models and require them to agree before an answer is returned. This cross-model consensus raises reliability on exactly the high-stakes interpretive tasks where a single model might hallucinate. Because the whole exchange is sealed to the audit ledger, a researcher can later show which models were consulted and how they concurred. The custodian gets modern AI capability and a defensible record, without the data ever touching a service they do not own.

Frequently asked questions

Can genomic data be anonymised well enough to use public cloud AI?

No. A genome is inherently unique and has been re-identified from datasets stripped of names, dates and locations, so it should be treated as permanently identifiable. Because it can be linked back to a person, it stays personal data under GDPR regardless of de-identification. The safe design is to process it only on infrastructure the custodian controls.

What does zero-egress mean for a biobank?

Zero-egress means there is no configured route by which genomic data, prompts or AI outputs can leave the operator's own network. Users reach in to ask questions and the answers return within the boundary, but nothing crosses to an outside service. It removes the risk of transfer rather than trying to manage it with contracts and promises.

How do we prove to an ethics board or auditor that data never left?

Every query is written to a post-quantum signed audit ledger recording who asked, which dataset was used, which model answered and when. The chain can be verified offline and shows no outbound transfers, and the identity signing each action is hardware-attested and bound to the same record. The board checks the cryptographic proof rather than trusting an assurance.

Does the US CLOUD Act affect our genomic data?

It can, if the data is held by a US-linked cloud provider, because that data may be compelled by US authorities wherever the servers physically sit. For national or research biobank data this is a jurisdictional exposure many custodians cannot accept. On-premise, zero-egress processing on operator-owned hardware keeps the data outside that reach.

Is Mickai a granted patent or filed applications?

The relevant work sits within 104 filed UK patent applications and approximately 2,340 claims, owned by Mickai LTD. These are filed applications, not granted patents. The architecture described here, on-premise sovereign models, a zero-egress perimeter and a signed audit ledger, is what a genomic custodian can deploy today.


Written by Micky Irons. Originally published at https://mickai.co.uk/articles/genomics-and-biobanks-ai-on-data-that-cannot-be-re-identified. More from Micky Irons and Mickai at mickai.co.uk.

Top comments (0)