By Micky Irons, founder of Mickai.
Why zero data egress is now a legal requirement, not a preference
For a growing set of regulated firms, the question is no longer whether to adopt AI. It is whether AI can be adopted at all without breaking the law. Public cloud AI assumes data can leave the building, cross a jurisdiction, and be processed on infrastructure the customer neither owns nor controls. For a bank supervised under PRA model risk expectations (SS1/23), a hospital bound by the NHS Data Security and Protection Toolkit, or a defence supplier under ITAR and EAR, that assumption is fatal. The data cannot leave. So the AI has to come to the data.
We built for that constraint from the first line. We run entirely on the customer's own hardware, on premises and air gapped, with zero data egress and no public cloud round trip. Nothing is sent out to be scored, embedded, logged, or improved. The workload runs inside the customer's walls, and it stays there.
What we are
Mickai is a sovereign intelligence operating system that regulated businesses own and run inside their own walls. We are not a concept, a roadmap, or a hosted service with a compliance badge bolted on. We are built and live today, installed on the customer's estate, governed by the customer, and severable from us. If we vanished tomorrow, the system would keep running and the customer could still verify every decision it had ever made.
We run about fifty specialist models, twenty-five domain and twenty-five operational, with cross-model routing under a deterministic arbiter. That last point matters more than the headline count. Because routing is deterministic and arbitration is fixed, the same inputs produce the same outputs. Reproducibility is not a nice property for a regulated buyer. It is the difference between a decision you can defend to a supervisor and one you cannot.
Egress is the risk. So we removed it
Most AI incidents that frighten a Chief Risk Officer are egress incidents in disguise. Data leaves the perimeter and lands somewhere it should not. It is retained, subpoenaed under the US CLOUD Act, exposed in a breach at a third party, or quietly used to train a model the customer will never see. The NIS Regulations, UK GDPR special category rules, and the EU AI Act high-risk classification all circle the same failure mode: sensitive data in motion, outside the controller's control.
We close that surface entirely. There is no outbound call to a model API, no telemetry channel, no update path that phones home with customer content. When a regulator asks where the data went, the honest and provable answer is that it went nowhere. It was processed on hardware the customer owns and it never crossed the boundary. That is a far stronger position than a data processing agreement and a promise.
The Open Audit Record: proof without trust
Removing egress solves confidentiality. It does not, on its own, solve accountability. A regulator does not just want to know that the data stayed put. They want to know what the system did, when, and on what basis, and they want to check it themselves years later without taking anyone's word for it.
That is what our Open Audit Record delivers. Every consequential action is signed under post-quantum cryptography (FIPS 204 ML-DSA-65, with ML-KEM-768) and hash-chained into a tamper-evident, append-only ledger. Anyone can verify that ledger offline, for decades, without trusting the vendor. The record does not depend on us being alive, cooperative, or solvent. An auditor takes the chain, checks the signatures and the hashes, and confirms that nothing was altered or backdated. Trust moves from the vendor's assurances to mathematics the auditor can run on their own machine.
We also offer the audit layer on its own, as OAR-as-a-Service, for organisations that want verifiable, post-quantum records over systems they already operate. The principle is the same in both forms: verification belongs to the customer and the regulator, not to us.
Studios: the work regulated firms actually need
On top of the substrate we run a set of studios, each one aimed at a regulated function. The names are drawn from Greek myth; the function in every case is serious and specific. Nemesis handles fraud and anti-money laundering. Plutus covers finance and FP&A. Tyche runs underwriting. Prometheus does forecasting. Iris handles customer service. Nomos covers compliance, Astraea covers legal, and Panacea covers clinical work. Pythia is business intelligence, Aletheia is audit, and Vinis is voice. The Agentic Marketing Team runs regulated marketing operations, and Trust Agent holds the perimeter.
Each studio inherits the same guarantees as the platform beneath it. Nothing egresses. Every consequential action lands in the Open Audit Record. Outputs are reproducible under the deterministic arbiter. A compliance function does not have to reason about whether one studio is safe and another is not. The safety is a property of the substrate, and the studios sit on top of it.
Pantheon: attestation across many sites, no central server
Sovereignty for a single site is one problem. Trust across many fielded units, with no shared cloud to lean on, is a harder one. Pantheon, our post-quantum Layer 1, is on testnet and gives multi-node attestation across fielded units with no central server. Deployments can attest to one another's state and audit records without routing anything through a vendor hub. For an organisation running sovereign AI across sites, regions, or partners, that means a shared source of cryptographic truth without a shared point of failure or a shared point of leakage.
The intellectual property behind the boundary
None of this is a wrapper over someone else's endpoint. The architecture is protected. We hold 104 filed UK patent applications, roughly 2,340 claims, across 13 invention families, owned by Mickai LTD, with named inventor Mickarle Sean Junior Wagstaff-Irons. These are filed, not granted. Filing establishes priority and builds a prior-art moat around the way sovereign, verifiable, post-quantum AI is done on the customer's own hardware.
For a regulated buyer, the patent position is a durability signal. The capability they are buying is defensible and is unlikely to be replicated wholesale by a fast follower. Mickai LTD is a UK company, Companies House number 17166618, with Birmingham manufacturing secured, led by founder and CEO Micky Irons.
The market the public cloud cannot lawfully reach
The sovereign AI market is roughly USD 40 billion in 2025, rising to about USD 148 billion by 2032. The reason is structural rather than cyclical. Around 0.85 million UK businesses, about 15 percent of the total, and roughly 5 million across the EU, legally cannot send data to public cloud AI. The drivers are named and enforceable: PRA model risk expectations (SS1/23), UK GDPR special category data, the NHS Data Security and Protection Toolkit, the EU AI Act high-risk classification, ITAR and EAR, the NIS Regulations, and the US CLOUD Act.
These firms are not waiting for permission to like AI. They are waiting for a way to use it lawfully. A system that runs on their own hardware, egresses nothing, and proves every action under post-quantum signatures is not a preference for them. It is the only compliant path.
An ally to the platforms, not a rival
Our commercial thesis has two sides. First, we sell sovereign AI directly to regulated firms the public cloud cannot lawfully reach. Second, we license the patented stack to the platforms that want to reach those same customers and currently cannot. Our internal analysis maps 196 companies and 311 patent-company pairs as potential licensees, including names such as Microsoft, AWS, NVIDIA, Google, Adobe, and IBM. To be precise about what that is: it is potential-licensee sizing, not a signed book and not an infringement claim.
We are an ally to the AI majors, not an adversary. A large platform that adds a sovereign, verifiable, on premises layer instantly reaches the regulated market it is legally barred from serving today. The public cloud model and the sovereign model are not in competition. They serve different data under different laws, and one of them has been unaddressable at scale until now.
Where this leaves a regulated buyer
The buyer's position is straightforward once the constraint is taken seriously. If the data cannot leave, the AI has to run where the data lives, prove what it did in a way the vendor cannot tamper with, and keep working even if the vendor does not. We built exactly that, it is live, and it is in the hands of customers today. Zero data egress is not a setting we offer. It is the shape of the whole system.
Our pre-seed round is opening soon, and we welcome inquiries from interested partners by email at micky@mickai.co.uk or on LinkedIn.
Frequently asked questions
Does zero data egress mean the system cannot be updated?
No. Updates are delivered without customer data ever leaving the estate. There is no channel that sends prompts, documents, or telemetry containing customer content out of the perimeter. The boundary holds for operational data at all times, and the customer controls what, if anything, is applied.
How can an auditor trust the record if they do not trust the vendor?
They do not have to trust us. Every consequential action is signed under post-quantum cryptography (FIPS 204 ML-DSA-65, with ML-KEM-768) and hash-chained into an append-only ledger. An auditor verifies the signatures and the hash chain offline, on their own hardware, for decades. Verification depends on mathematics, not on our cooperation or our continued existence.
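The hash-chain half of the offline check described in this answer and in the Open Audit Record section, as an added example that is not Mickai's code. The record layout, field names, use of SHA-256 and the sample entries are assumptions constructed for illustration, and the ML-DSA-65 signature check is left out because the Python standard library does not implement it.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record

def entry_hash(seq, ts, action, prev_hash):
    """SHA-256 over a canonical JSON encoding of the entry's fields."""
    body = json.dumps({"seq": seq, "ts": ts, "action": action, "prev": prev_hash},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append(ledger, ts, action):
    """Append an entry that commits to the hash of its predecessor."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    seq = len(ledger)
    ledger.append({"seq": seq, "ts": ts, "action": action, "prev": prev,
                   "hash": entry_hash(seq, ts, action, prev)})

def verify(ledger, expected_head=None):
    """Return a list of (seq, problem) findings; empty means the chain holds."""
    findings = []
    prev_hash, prev_ts = GENESIS, None
    for i, e in enumerate(ledger):
        if e["seq"] != i:
            findings.append((i, "sequence gap or reorder"))
        if e["prev"] != prev_hash:
            findings.append((i, "broken link to previous entry"))
        if entry_hash(e["seq"], e["ts"], e["action"], e["prev"]) != e["hash"]:
            findings.append((i, "content does not match stored hash"))
        if prev_ts is not None and e["ts"] < prev_ts:
            findings.append((i, "timestamp earlier than predecessor"))
        prev_hash, prev_ts = e["hash"], e["ts"]
    if expected_head is not None and prev_hash != expected_head:
        findings.append((len(ledger), "head differs from independently held value"))
    return findings

def demo():
    # Constructed sample ledger, then three altered copies of it.
    ledger = []
    for ts, action in [(1700000000, "studio=tyche decision=refer"),
                       (1700000060, "studio=nemesis decision=flag"),
                       (1700000120, "studio=nomos decision=approve")]:
        append(ledger, ts, action)
    head = ledger[-1]["hash"]                      # value the auditor holds separately
    edited = [dict(e) for e in ledger]
    edited[1]["action"] = "studio=nemesis decision=clear"  # in-place edit
    truncated = [dict(e) for e in ledger[:2]]      # last entry dropped
    rewritten = []                                 # whole chain rebuilt after the edit
    for e in edited:
        append(rewritten, e["ts"], e["action"])
    return [verify(c, head) for c in (ledger, edited, truncated, rewritten)]
```

A chain that is truncated or rebuilt end to end still links correctly, so those two cases are caught only by comparing the head against a value held outside the ledger, which is why a hash chain is paired with signatures or an externally anchored head.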
Is this a research prototype or a production system?
It is a production system, built and live today. We run about fifty specialist models under a deterministic arbiter, with reproducible outputs, on the customer's own hardware. The architecture is protected by 104 filed UK patent applications across 13 invention families, and Mickai LTD has Birmingham manufacturing secured.
Written by Micky Irons, founder of Mickai. Originally published at https://mickai.co.uk/articles/zero-data-egress. More from Mickai at mickai.co.uk.



