By Micky Irons, founder and CEO of Mickai.
Once due on 2 August 2026, the obligations that the European Union AI Act attaches to Annex III, the register of high-risk uses, now apply from 2 December 2027, deferred by the Digital Omnibus. The proof requirements survive the move unchanged, so the sensible response is to build now. Among those uses sit systems that determine access to essential public services and benefits. A model that scores a tax return for fraud, that flags an entitlement for review, or that ranks a household's claim for support is no longer an administrative convenience. It is a regulated instrument, and the body that deploys it carries a duty of care that regulators, courts and auditors will test.
The stakes here are not abstract. Tax and revenue authorities hold the most intimate ledger a state possesses: income, property, family structure, medical exemptions, business relationships, the movement of money across a lifetime. A misfiring benefits algorithm does not produce a bad advert. It withholds rent money from a family, or brands an honest citizen a suspect. The question for every revenue leader in 2026 is therefore precise. Where does the model run, who can see the data, and can every decision be reconstructed and defended years later.
Annex III turns a data question into a design question
The high-risk classification does not merely demand good intentions. It demands demonstrable ones. Providers and deployers of Annex III systems face requirements for risk management, data governance, logging, human oversight, accuracy and robustness, and technical documentation that a supervisory authority can inspect. These are not features a revenue body can bolt on after procurement. They are properties of the architecture itself.
An authority that sends citizen tax records to a general-purpose model hosted elsewhere inherits a governance problem it cannot fully see. The logging it needs may be partial. The oversight it promises may be advisory rather than binding. The data lineage it must prove may run through infrastructure it does not control. Compliance framed as paperwork over an opaque service is fragile. Compliance built into where and how the system runs is durable.
The sovereignty problem beneath the compliance problem
There is a legal reality that sits underneath the AI Act and rarely appears in a vendor brochure. Under the United States CLOUD Act, a provider subject to US jurisdiction can be compelled to produce data it holds, wherever in the world that data physically sits. For a European or United Kingdom tax authority, this means that residency guarantees and encryption promises do not, by themselves, resolve the question of who ultimately has reach over the nation's fiscal records.
This is a matter of architecture and design, not an accusation against any company. A perimeter that depends on a distant operator's goodwill is a different thing from a perimeter the authority owns outright. Sovereignty, properly understood, is not a marketing word. It is the plain condition of a system where the data never leaves hardware the operator controls, and where no external party holds a key to the door.
What on-premise actually has to mean
On-premise is often used loosely to describe a service that merely sits closer to the customer. For public revenue the definition has to be stricter. We build Mickai as a Sovereign Intelligence Operating System, a SIOS that runs offline on operator-owned hardware with no dependency on an outside network to function. The intelligence, the audit trail and the keys stay inside the authority's own walls.
Concretely, that rests on a zero-egress inbound perimeter. Work comes into the system through a controlled inbound channel, and nothing leaves. There is no telemetry call home, no model weight fetched from a remote host at runtime, no citizen record posted to a scoring endpoint. When the network cable is unplugged, the system still reasons. That single test separates genuine sovereignty from a cloud service wearing a private label.
An audit trail a regulator can actually verify
The AI Act asks for logging. A duty of care asks for something stronger: proof that the log has not been altered. In a revenue dispute that surfaces four years after a decision, the authority must be able to show not only what the system did, but that the record of what it did is intact and original.
A revenue body cannot discharge its duty of care over a system whose decisions it cannot fully see, verify and reconstruct after the fact.
We seal every action in a post-quantum signed audit chain, each entry cryptographically linked to the last so that a single altered record breaks the chain and becomes visible. Identity is hardware-attested, meaning an action is bound to the specific attested device that performed it rather than to a reusable password. The result is an evidentiary record designed to hold up under adversarial scrutiny, the standard a court, an auditor or a public inquiry will apply. The methods behind this sit among the 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD.
Why one model deciding alone is a governance risk
A single model producing a single confident answer is a poor foundation for a decision that affects a citizen's income. Models hallucinate, absorb the biases of their training data, and fail in ways that are hard to predict from the output alone. The OWASP work on risks in large language model applications catalogues these failure modes plainly, from prompt injection to insecure output handling, and none of them are hypothetical in a benefits context.
We address this with cross-model consensus. Rather than trusting one model, a decision of consequence is put to several sovereign models running side by side, and agreement is required before the system acts on its own. Where they diverge, the case is escalated to a human reviewer with the disagreement made explicit. This turns human oversight from a formality into a triggered event, and it gives the caseworker the one thing an opaque score never provides: a reason to look closer.
The wider regulatory perimeter is already here
The AI Act does not arrive into an empty field. DORA has been in force across the EU financial sector since January 2025, setting expectations for operational resilience and third-party risk that revenue-adjacent bodies increasingly mirror. NIS2 raises the security baseline for essential and important entities. ISO/IEC 42001 gives organisations a certifiable management standard for artificial intelligence itself. Read together, these frameworks point one way: control of the system, its data and its dependencies must sit with the accountable body.
An architecture that keeps the model, the data and the audit chain inside the authority's own estate satisfies these overlapping obligations by construction rather than by exception. Third-party risk is easier to contain when there is no third party in the processing path, and resilience is easier to prove when the system does not depend on a network it does not own.
The direction of travel for public revenue
The reasonable objection is that all of this sounds heavier than a service a department can simply switch on. It is heavier at the outset, and that weight is the point. A revenue authority is a custodian of the public's most sensitive records and a body whose decisions must survive challenge for years. The convenient path, sending sensitive data to a capable model elsewhere, quietly transfers a risk the authority cannot lawfully transfer: the duty of care remains with the state whatever the contract says.
We believe the coming years will reward the bodies that treat their AI as infrastructure they own rather than a service they rent. Offline operation, a zero-egress perimeter, hardware-attested identity, post-quantum signed audit chains and cross-model consensus are not luxuries added to a system. They are the properties that let a public authority say, to a citizen and to a court, exactly what its system did and why, and prove it. That is the standard a duty of care demands, and it is the standard revenue administration should now hold itself to.
Written by Micky Irons. Originally published at https://mickai.co.uk/articles/tax-authorities-and-the-duty-of-care-sovereign-ai-for-public-revenue. More from Micky Irons and Mickai at mickai.co.uk.





Top comments (0)