DEV Community

Cover image for Own, Do Not Rent: Why Regulated Firms Need AI Inside Their Own Walls
Micky Irons
Micky Irons

Posted on • Originally published at mickai.co.uk

Own, Do Not Rent: Why Regulated Firms Need AI Inside Their Own Walls

Own, Do Not Rent: Why Regulated Firms Need AI Inside Their Own Walls

The question regulated firms are actually being asked

By Micky Irons, founder and CEO of Mickai.

When a bank, a hospital, a defence supplier, or an insurer sends data to a public-cloud AI service, it is not buying a feature. It is making a custody decision. The real question is not whether the model is good. It is who can touch this data, under which jurisdiction, with what legal compulsion, and whether every action can be proven after the fact. For ordinary commercial data, renting is fine. For special-category and controlled data, renting fails the test before the model ever runs.

This is a first-principles point, not a marketing one. If you cannot guarantee where data sits, who processed it, and that the record of processing cannot be altered, you do not have a compliance position. You have a hope. Regulators do not accept hope.

I founded Mickai to remove the hope and replace it with proof. Mickai is a sovereign AI operating system, an SIOS, that regulated businesses own and run inside their own walls, on-prem and air-gapped, with every action written to a tamper-evident, post-quantum-signed audit record we call the OAR. It is built and it is live.

Why ownership is a requirement, not a preference

Look at what the rulebooks actually demand and a pattern appears. The PRA outsourcing and operational resilience expectations under SS2/21 push firms to retain control and a clean exit over critical functions. UK GDPR treats special-category data as a class that needs the strongest safeguards and a clear, demonstrable basis for every processing event. The NHS Data Security and Protection Toolkit sets a hard bar for how patient data is handled. The EU AI Act puts high-risk systems under documentation, logging, and human-oversight obligations. ITAR and EAR restrict where controlled technical data may physically reside and who may access it. The NIS Regulations raise the resilience bar for essential services. And the US CLOUD Act means data held by a US-controlled provider can be compelled regardless of where it physically sits.

Read those together and the conclusion is not subtle. For the most sensitive categories of data, the firm must hold the keys, the location, and the audit trail itself. That is ownership. A rented endpoint, however well engineered, hands custody to a third party in another legal regime and asks you to trust the boundary. For controlled data, the boundary is the requirement, and the only way to guarantee it is to own the system.

This is why the addressable need is not a niche. Roughly 0.85 million UK businesses, about 15 percent, sit in scope of rules that make public-cloud AI a poor or impossible fit, alongside an estimated 5 million across the EU that are legally barred from it. The sovereign AI market reflects this gravity, sized at around USD 40 billion in 2025 and on a path toward USD 148 billion by 2032. The demand is structural. It follows from the law, not the hype cycle.

What air-gapping actually buys you

Air-gapping is often described as a constraint. In a regulated setting it is the opposite. It is the cleanest way to make a custody guarantee true rather than asserted. When the system runs on hardware the firm controls, with no path out to a third-party cloud, the questions a regulator asks become answerable with evidence instead of contracts. Where is the data. Here. Who processed it. These identities. Can the record be altered. No, because every action is signed into the OAR with post-quantum cryptography, so tampering is detectable.

That last point matters more each year. Audit records that rely on today's signatures risk becoming forgeable once cryptographically relevant quantum computing arrives. A controlled-data audit trail needs to survive that. Mickai signs the OAR with post-quantum schemes precisely because a compliance record has to outlive the threat model it was created under.

Built as an operating system, delivered as working studios

Mickai is not a wrapper around someone else's API. It is a full operating system for AI work, and the capabilities ship as Greek-named Studios that map onto real regulated functions. Nemesis handles fraud and AML. Plutus covers finance. Tyche does underwriting. Prometheus runs forecasting. Iris serves customer operations. Nomos and Astraea cover compliance and legal. Panacea works clinical data. Pythia drives business intelligence and Aletheia handles audit. Around them sit Trust Agent, the AMT agentic layer, Vinis voice, OAR-as-a-Service, and HELIOS hardware. Each Studio runs inside the same owned, air-gapped, auditable substrate, so adopting a function never reopens the custody question.

Underneath sits the moat. Mickai LTD has 104 filed UK patent applications carrying roughly 2,340 claims, with myself as inventor. Filed, not granted, which is the honest framing, and what filing secures is priority and a prior-art position across the architecture. The same estate has been mapped against 196 companies and 311 patent-company pairs as potential licensees, names that include Microsoft, AWS, NVIDIA, Google, Adobe, and IBM. That is potential-licensee sizing, not signed revenue, but it indicates the surface area of the work is broad and that the largest platforms operate in territory this estate touches.

A category, not a product

I am deliberate about positioning. Mickai is an ally to the model labs, not an OpenAI killer. The frontier labs build extraordinary models. What regulated firms lack is a way to run capable AI under their own custody with provable controls. Mickai is the operating system that closes that gap, which is why the thesis is dual-buyer: it serves the regulated enterprise that must own its AI, and it is the kind of sovereign-control layer a hyperscaler would rather own than compete with.

The momentum is showing externally as well as architecturally. In June 2026 I was ranked number four on Crunchbase, with the Mickai company profile placing in the top one to two percent globally, a third-party signal that the category is being noticed. We are a UK company with Birmingham manufacturing secured, building to scale and heading for the top. The economics follow the structure. A Year 5 revenue path toward billions at high gross margin, underwritten by the IP estate and the dual-buyer thesis, is what a category that the law itself creates looks like when it is built properly. It is the kind of substrate a hyperscaler would want to own.

The window

Mickai is built and live, and the work now is scaling it with the right partners. The advantage belongs to those who understand the structural point early: that owning the substrate beats renting the boundary, and that a category created by regulation does not wait for the hype cycle to validate it. That is the position Mickai occupies, and it is built to lead it.

To talk, write to me directly at micky@mickai.co.uk.

Micky Irons, founder and CEO of Mickai.

FAQ


Written by Micky Irons. Originally published at https://mickai.co.uk/articles/why-regulated-firms-must-own-not-rent-their-ai. More from Mickai at mickai.co.uk.

Top comments (0)