DEV Community

Cover image for The CISO Case for Sovereign AI
Micky Irons
Micky Irons

Posted on • Originally published at mickai.co.uk

The CISO Case for Sovereign AI

The CISO Case for Sovereign AI

By Micky Irons, founder and CEO of Mickai.

Every Chief Information Security Officer inherits the same buried assumption, and almost nobody says it aloud. It is this: that useful artificial intelligence means copying your most sensitive data onto a computer you do not own, in a building you cannot enter, governed by a contract you did not write. We have watched security leaders spend a decade hardening the perimeter, encrypting the databases and rehearsing the breach, only to be asked to sign that assumption away the moment a model becomes useful.

Mickai, our Sovereign Intelligence Operating System (SIOS), is built on the opposite premise. The intelligence runs on hardware the customer owns, air-gapped or on-premise, with zero data egress. That single architectural choice does something a policy document never can: it makes three of the largest problems on a CISO risk register collapse into each other and shrink. The attack surface, the insider threat and the data-leakage problem are not solved one at a time. They dissolve together, because the thing they all depend on, sensitive data in motion to a third party, never happens.

The attack surface a CISO cannot see

When an organisation routes its work through a hosted model, the real attack surface stops being the part you can audit. It becomes the provider's network, the provider's staff, the provider's supply chain and every integration between them. A CISO is now accountable for a breach they cannot detect, in an estate they cannot inspect, defended by controls they cannot test. The threat model quietly expands to swallow an entire second company, and the security team is told to trust rather than verify.

A sovereign deployment inverts this. Because the brains and the audit ledger sit inside the customer's own boundary, the attack surface returns to something the security team can actually reason about: their network, their hardware, their people. There is no outbound tunnel of prompts and documents to defend, because there is no outbound tunnel. Every action Mickai takes is signed by an Operation Attestation Record (OAR) before it executes, so the question is no longer whether a distant provider behaved, but whether a locally verifiable signature holds. That is a security posture, not a leap of faith.

A colossal marble giant covered in a hundred watchful eyes standing sentinel, lit by points of gold light against a black void.

Like Argus of the hundred eyes, a security posture you can actually see is one you can defend.

Insider threat, on both sides of the wall

Insider threat is usually framed as a danger inside your own walls: the disgruntled administrator, the compromised credential, the analyst who copies a client list on their last Friday. Hosted intelligence silently doubles that problem. Now every privileged engineer at the provider is also an insider to your data, and you have no visibility into their access, their offboarding or their coercion. Our founder and CEO, Micky Irons, put it plainly in a briefing: the most dangerous insider is the one who works for a company you have never audited.

Sovereign AI shrinks the insider surface back to the people you actually employ and can actually govern. It then goes further than a traditional system, because the SIOS was designed for the assumption that even trusted insiders make mistakes or turn. High-stakes actions require multi-brain plus voice-biometric approval, so no single person and no single subsystem can move alone. Brains are revocable: authority granted to a subsystem can be withdrawn instantly, and the withdrawal is itself a signed, timestamped event. The insider threat does not vanish, but it is contained to a population you can name, and every hand on the controls leaves a print.

Leakage is a copy problem, so stop copying

Data leakage, stripped to its mechanics, is a copy problem. A copy of your data has to exist somewhere it should not for a leak to occur at all. Every hosted inference call, every fine-tuning upload, every retained log and every cached prompt is a fresh copy leaving your control, and in that moment the leak has effectively already happened; you are simply waiting to find out. No amount of contractual assurance changes the physics of a copy that now lives on someone else's disk.

A colossal three-headed marble hound coiled at the entrance to an inner chamber, lit by gold light against black.

Cerberus lets nothing pass unseen, the shape of an insider surface contained to those you can name.

When the intelligence never leaves, the copy is never made. The document a legal team analyses, the patient record a clinician queries, the trade position a desk models, all of it stays on hardware inside the customer's boundary. This is what closes the exposure a CISO can never fully close with a hosted model: you cannot leak what you never sent. For organisations bound by the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) or the International Traffic in Arms Regulations (ITAR), that difference is not a nice-to-have. It is the gap between a control you can attest to and a hope you have to disclose.

The audit trail regulators actually want

Security leaders are increasingly judged not only on whether they prevented harm, but on whether they can prove what happened afterwards. The EU Artificial Intelligence Act (EU AI Act), the Digital Operational Resilience Act (DORA) and the Network and Information Security Directive (NIS2) all push in the same direction: demonstrable, tamper-evident records of automated decisions. A log that lives on the provider's infrastructure, mutable and out of reach, does not meet that bar, and every CISO who has sat through a supervisory review knows it.

A colossal robed marble figure cradling a single small flame kept close to her body, lit in gold against a black void.

Hestia never lets the fire leave the hearth, the same reason you cannot leak what you never sent.

Mickai writes every action into a tamper-evident, cryptographically-signed audit ledger, hash-linked with SHA-3-512 so that any alteration to the history breaks the chain and shows itself. Signatures use post-quantum cryptography, the FIPS 204 ML-DSA-65 scheme, so the evidence survives the arrival of quantum computers that will one day unpick today's schemes. Because verification is offline, an auditor, a regulator or your own board can confirm the record independently, without calling a vendor and without trusting one. That is the artefact a modern examination asks for, held by the party who has to answer for it.

Not a rival to the cloud, a different layer

None of this is a case against the public cloud. The large providers, OpenAI, Microsoft, Amazon Web Services, Google and Oracle, have built extraordinary infrastructure, and for a great deal of work they are the right answer. Mickai is not competing for that work. It occupies a different layer entirely: the regulated boundary the public cloud cannot cross on the customer's own terms, where data cannot legally, contractually or physically be allowed to leave.

A mature security strategy uses both. The general, non-sensitive workload goes to the elastic cloud, where scale and cost win. The sovereign workload, the data that would end a career or a licence if it leaked, stays inside the SIOS on hardware the organisation owns. The CISO's job stops being an all-or-nothing bet on trust and becomes what it should always have been: placing each class of data where its risk actually belongs, and being able to prove where it went.

A colossal marble figure holding an unbroken carved chain that recedes into darkness, each link edged in gold against black.

Mnemosyne holds an unbroken chain of memory, the tamper-evident ledger any auditor can verify alone.

The bottom line

The strongest case for sovereign AI is not ideological and it is not about fear of the cloud. It is that three of the hardest problems a CISO owns, the invisible attack surface, the insider you cannot audit and the leak that is really a copy, all share a single root cause: sensitive intelligence in motion to a party you do not control. Remove the motion and the three problems collapse together.

Mickai removes it by design, then adds the machinery a security leader needs to prove it: OAR signing every action before execution, revocable brains, multi-brain and voice-biometric approval for high-stakes moves, and a post-quantum, hash-linked ledger anyone can verify offline. Backed by 104 filed UK patent applications covering about 2,340 claims and owned by Mickai LTD, this is not a promise about the future of security. It is a substrate you can run inside your own walls today, where the intelligence is powerful precisely because it never leaves.


Written by Micky Irons. Originally published at https://mickai.co.uk/articles/the-ciso-case-for-sovereign-ai. More from Micky Irons and Mickai at mickai.co.uk.

Top comments (0)