The Risk That Survives Every Control
By Micky Irons, founder of Mickai.
Most security spending is aimed outward. Firewalls, intrusion detection, zero-trust gateways and endpoint agents all assume the danger arrives from the perimeter, a stranger trying to get in. That model has matured to the point where the outsider is often the least of a regulated firm's worries. The harder problem is the trusted insider, the person who is already inside the wall because their job requires it. When a multibillion-pound company runs its intelligence on a third-party cloud, the insiders who matter most are not its own staff. They are the vendor's.
Consider the architecture honestly. When you submit a prompt, a contract, a customer record or a pricing model to a frontier cloud, that payload travels to infrastructure you do not own, is processed on silicon you cannot inspect, and is logged in storage governed by people you will never meet. The provider operates excellent controls. But controls operated by someone else are, by definition, controls you cannot verify from the outside. You are trusting a promise. For open, non-regulated work that promise is perfectly reasonable, and the frontier clouds remain the right tool there. Inside the regulated perimeter a promise is not the same as proof, and proof is the entire point.
This is the wedge that moves even the companies already committed to cloud artificial intelligence. They are not leaving because the models are weak. They are leaving because of who else is on the same stack, and who can reach the data once it lands.
The Competitor Sharing Your Vendor
Here is the part that gets overlooked in procurement. Your direct competitor of comparable scale, the one chasing the same contracts, the same clients and the same talent, very probably uses the same handful of frontier providers you do. There are not many to choose from. So two rivals end up as tenants on the same vendor stack, their most sensitive material flowing through the same operational plane, reachable by the same small population of privileged administrators.
"If you are a multibillion-dollar company running on Anthropic or OpenAI, and your direct competitor of comparable scale sits on the same vendor stack, what stops them paying a vendor insider to leak your data, your tactics, your leads, your sales strategy? Inside a third-party cloud, there is no safeguard you can verify from the outside. The only answer is a sovereign system where you hold the keys, with no third-party cloud data path." , Micky Irons, founder and CEO, Mickai LTD
The point is not that any particular provider is untrustworthy. It is that trust, once it depends on a third party's internal personnel, becomes a variable you do not control and cannot audit. A rogue administrator is a residual risk. You can shrink it with contracts, attestations and access logs the vendor chooses to show you, but you cannot remove it, because removing it would require holding the keys yourself. As long as the data path runs through someone else's cloud, the insider your competitor could in principle reach is an insider you can neither see nor dismiss.
History has already drawn this line. A major electronics manufacturer banned public AI chatbots internally in 2023 after engineers pasted confidential source code into the tool and it left the building. Major global banks and a number of National Health Service Trusts restricted the same services in the same period. A European data-protection regulator fined a major AI provider 15 million euros. A national privacy regulator in Asia issued its own penalty. None of those organisations acted because a model gave a bad answer. They acted because they could not prove where the data went or who could touch it once it was gone.
Two Buyers, One Architecture
This residual-insider problem explains a pattern in the market that looks contradictory until you name it. There are two distinct buyers for sovereign artificial intelligence, and the same architecture serves both.
The first segment is being forced off the cloud. These are organisations that adopted frontier tools, hit a regulator, an information-security review or a board risk committee, and were told to stop. This is rescue revenue already in motion. It is the major electronics manufacturer after the source-code leak, it is the major global banks and Trusts that restricted access, it is every firm now reading that European regulator's 15-million-euro decision and asking whether it is next. They wanted the capability and had to give it up, and they are looking for a way to keep it without the data path that got them into trouble.
The second segment never started. Magic Circle litigation teams, National Health Service clinical units, Ministry of Defence cleared programmes, Financial Conduct Authority regulated wealth managers, Federal Risk and Authorization Management Program and Impact Level 5-plus federal workloads, International Traffic in Arms Regulations and Export Administration Regulations aerospace work. For these buyers the cloud was never an option, so their artificial-intelligence budget is net-new and entirely unclaimed. They are not switching from a cloud provider. They are spending for the first time, on the only architecture their rules permit.
What unites both segments is that the answer cannot be a better cloud. It has to be no third-party cloud data path at all. The Mickai Sovereign Intelligence Operating System is built precisely there. Fifty specialised artificial-intelligence brains run fully offline on hardware the customer owns, where the data never leaves the building and the operator holds its own keys. There is no vendor administrator to bribe because there is no vendor in the data path.
What Holding Your Own Keys Actually Means
The phrase is easy to say and hard to deliver, so it is worth being concrete. In the Mickai Sovereign Intelligence Operating System the model weights, the customer's documents, the embeddings, the memory and the logs all live on infrastructure the operator owns and physically controls. Processing happens locally. Nothing transits a shared multi-tenant plane. The keys that protect the system belong to the operator, not to a supplier, which means no external party can decrypt, replay or exfiltrate what the system holds, because no external party has the means.
That is what closes the insider gap. A risk you cannot remove from the outside is removed when there is no outside to begin with. The competitor cannot pay a vendor administrator to reach your data when there is no vendor administrator with a route to it. The threat does not get smaller. It disappears as a category.
This is also the architecture that solves a quieter problem the insider question tends to overshadow.
"When companies use the Mickai Sovereign Intelligence Operating System, the context-compression problem that plagues cloud LLMs is removed at the architectural level. Cloud systems hallucinate and drift off topic because shared multi-tenant storage forces aggressive context compression, summary-pass swaps, and lossy recall. Inside Mickai, the operator owns the memory. They expand it inside their own data centre or workstation, scale it on Poseidon rack-scale or local NVMe, and never compete with another tenant for context budget. The result is a measurable reduction in drift and hallucination." , Micky Irons, founder and CEO, Mickai LTD
Owning the keys and owning the memory are two faces of the same design choice. Once the data never leaves, the same control that shuts out the rogue administrator also gives the operator a private memory budget no other tenant can squeeze. Sovereignty and accuracy turn out to be the same property seen from two angles.
The Receipt You Can Verify Without Asking Anyone
Removing the insider path is necessary, but a regulator wants more than your word that the path is closed. This is where the Open Audit Record matters. Every action the Mickai Sovereign Intelligence Operating System takes is sealed under a post-quantum signature, the Open Audit Record, or OAR, that anyone can verify offline.
The distinction is the whole argument. A cloud audit log is a record the provider keeps and shows you. The OAR is a record you hold and can prove, independently, without trusting the party that produced it. When Nomos, the compliance and regulator-reporting studio, generates a filing, the OAR attests to exactly what model, what inputs and what policy produced it. When Astraea, the legal and contract-review studio, marks a clause as non-standard, the reasoning is sealed and reproducible. When Nemesis flags a transaction for anti-money-laundering review, or Aletheia runs continuous controls assurance, the output carries its own verifiable provenance.
This answers the insider question in the language a board understands. It is not enough to say no administrator can reach the data. You also have to show that every output is authentic and untampered, and the OAR does that with mathematics rather than with a supplier's assurance. The Financial Conduct Authority's Consumer Duty, in force since 2023, requires that every consequential customer decision be auditable and explainable. Plutus for finance and financial planning, Tyche for underwriting and rating, Pythia for business intelligence and Iris as a customer-service agent all produce sealed, replayable records by default rather than as an afterthought.
Mapping the Threat to the Rules
The insider-threat wedge stops being abstract the moment it is read against the regulations that already bind these firms. Under the Financial Conduct Authority's Senior Management Arrangements, Systems and Controls framework and the Prudential Regulation Authority's expectations, a regulated firm remains accountable for outsourced processing, which means a vendor administrator's access to client data is the firm's liability, not the vendor's. The Solicitors Regulation Authority holds a firm responsible for client confidentiality regardless of which tool touched the file. The National Health Service Data Security and Protection Toolkit, and Ministry of Defence standards Joint Service Publication 440 and 604, treat uncontrolled data egress as a primary finding, not a footnote.
Across the Channel, the European Union Artificial Intelligence Act brings high-risk obligations into force from 2 December 2027, with fines up to 35 million euros or 7 percent of global turnover, and it sits alongside the General Data Protection Regulation, the Digital Operational Resilience Act and the second Network and Information Security Directive. In the United States the relevant frame includes the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, Securities and Exchange Commission and New York Department of Financial Services rules, the Federal Reserve's SR 11-7 model-risk guidance, the Federal Risk and Authorization Management Program, Impact Levels 5 to 6, the International Traffic in Arms Regulations, the Export Administration Regulations, the Cybersecurity Maturity Model Certification, the Sarbanes-Oxley Act and the Payment Card Industry Data Security Standard. Globally the list runs through Canada's Personal Information Protection and Electronic Documents Act, the Australian Prudential Regulation Authority, the Monetary Authority of Singapore, Switzerland's Financial Market Supervisory Authority, Japan's Act on the Protection of Personal Information, Korea's Personal Information Protection Act, Brazil's Lei Geral de Protecao de Dados, India's Digital Personal Data Protection Act and China's Cyberspace Administration and Personal Information Protection Law regimes. Every one of these regimes assumes you can prove who could reach the data. Only an architecture with no third-party data path lets you answer without qualification.
The market is sized accordingly. The enterprise artificial-intelligence software total addressable market is heading toward roughly 122.6 billion pounds by 2030 at a 37.6 percent compound annual growth rate. The slice eligible for regulated, private deployment is around 40 billion pounds, and the governed, auditable served market sits near 4.6 billion pounds and is growing about 45 percent a year. A Cisco study found that 27 percent of organisations banned generative artificial intelligence outright, 63 percent restrict what data may be entered, and 61 percent restrict which tools are allowed. Those restrictions are the insider question, expressed as policy. In the United Kingdom alone the addressable base includes roughly 50,000 regulated firms and around 8,250 large enterprises as a beachhead.
The Only Honest Answer
Strip the question to its core. A multibillion-pound firm on a frontier cloud shares that cloud with rivals, and the residual risk is not the hacker at the gate but the administrator at the keyboard inside the vendor, a person the firm can neither see, audit nor dismiss. No contract removes that person. No attestation lets you verify them from the outside. The only thing that removes the risk is removing the path, holding your own keys, keeping the data in the building, and sealing every action under a record you can prove without asking anyone for permission.
Mickai is delivered as a capital purchase rather than a subscription, access for a fee and then deployed free, run on hardware the operator owns. Above roughly 50 million tokens a month on owned hardware it runs 70 to 90 percent cheaper than cloud application programming interfaces, with break-even commonly inside 18 months and, at high volume, as fast as 4 to 8 weeks. The economics are persuasive. The architecture is the reason. The frontier clouds remain the right partners for open work. For the regulated perimeter they cannot cross, the answer is a sovereign system where the insider your competitor might buy simply does not exist. The defence of last resort against a person you cannot see is an architecture in which that person was never there.
Written by Micky Irons. Originally published at https://mickai.co.uk/articles/the-insider-your-competitor-can-buy. More from Micky Irons and Mickai at mickai.co.uk.
Top comments (0)