Energy and Water as Critical Infrastructure: AI That Cannot Be Someone Else's Dependency
For operators of energy and water, resilient AI means intelligence that runs on their own hardware and answers to no external cloud.
Across 2026, the regulatory frame around energy and water has hardened into something closer to national defence than commercial IT. NIS2 now binds essential and important entities across the European Union to concrete duties on risk management, supply-chain assurance and incident reporting, with personal accountability reaching board level. DORA has been in force for the financial sector since January 2025, and its logic, that an operator remains responsible for a service even when a third party runs part of it, is spreading by example into every sector that regulators class as critical.
The EU AI Act's high-risk obligations, once due to apply on 2 August 2026, now take effect from 2 December 2027 after the Digital Omnibus deferral, and its Annex III places AI used in the management and operation of critical infrastructure, including electricity, gas and water supply, in the high-risk category. The proof requirements survive the move unchanged, so for the people who keep a grid balanced or a reservoir dosed, this is still the moment the question changes, and the sensible response is to build now. It is no longer whether AI can help them run the plant. It is whether the intelligence they depend on can itself become a point of failure that sits outside their control.
Why intelligence is now part of the critical asset
A control room that leans on a model for load forecasting, anomaly detection or maintenance triage has, quietly, made that model part of the operational chain. If the model lives in an external cloud, the plant has acquired a dependency it does not own and cannot inspect. The operator carries the regulatory liability. The provider carries the availability, the update cadence and the failure modes.
This is the mismatch that NIS2 and DORA are written to expose. Responsibility cannot be outsourced even when the compute is. When a regulator asks who is accountable for a decision the model influenced, the answer is the operator, every time. An architecture in which the reasoning happens somewhere the operator cannot reach, on hardware they do not hold, under terms they did not set, is a supply-chain risk wearing the costume of a convenience.
The dependency is jurisdictional, not only technical
The failure modes people picture first are outages and latency. Those matter, but the deeper exposure is legal. Data-access laws that reach providers by jurisdiction can compel disclosure of data those providers hold, wherever in the world that data physically sits. For an operator whose telemetry, network topology and control logic pass through a foreign-controlled cloud, the guarantee of exclusive national control over critical-infrastructure data is not something the operator can honestly give.
This is a matter of architecture, not accusation. A cloud model of security is a rational design for many workloads. It is simply the wrong design for a substrate that a regulator has classed as critical to national resilience, because it distributes control of the operator's most sensitive intelligence across parties and jurisdictions the operator does not command. Resilience for critical national infrastructure begins with the ability to say, truthfully, that no external party can compel, observe or interrupt the reasoning that runs the plant.
What operator-owned intelligence actually means
Mickai is a Sovereign Intelligence Operating System, a SIOS. It runs offline, on hardware the operator owns and controls, inside the perimeter rather than beyond it. The sovereign models it uses reason locally. No prompt, no telemetry and no derived insight leaves the site unless the operator deliberately exports it. For a water utility or a grid operator, that is the difference between AI as an asset they hold and AI as a service they rent from beyond their own fence line.
Running offline is not a limitation dressed up as a virtue. It is the precondition for honest assurance. An air-gapped system has a knowable boundary. Its behaviour can be tested, sealed and reasoned about because nothing crosses the wire to change it under the operator's feet. When the intelligence cannot phone home, it cannot be silently updated, throttled, subpoenaed or switched off by a party the operator has never met.
“For infrastructure a nation depends on, the intelligence that runs it must be something the operator holds, not something the operator borrows.”
The mechanisms that make it verifiable
Sovereignty that cannot be proven is only a claim. Several concrete mechanisms turn it into something an auditor can check. Hardware-attested identity binds the running system to specific, operator-held machines, so the intelligence executes only where it is meant to and can prove which silicon it ran on. A zero-egress inbound perimeter inverts the usual assumption: the system is built to accept nothing outbound by default, so data leaving the site is an explicit, logged decision rather than a background habit.
Every consequential action is written to a post-quantum signed audit chain. The signatures are chosen to resist adversaries with future quantum capability, and the chain is tamper-evident, so an investigator years from now can reconstruct not just what the system did but that the record was not altered after the fact. This is the evidentiary spine that ISO/IEC 42001, the management-system standard for AI, and the AI Act's traceability duties both call for, delivered by construction rather than by promise.
Cross-model consensus adds a further check. Rather than trusting a single model's output on a decision that affects supply, the SIOS can require agreement across independent models before an action is surfaced, which raises the cost of a single corrupted or hallucinating component driving a real-world outcome. Read against the OWASP catalogue of AI risks, from prompt injection to insecure output handling, these are not marketing features. They are the specific controls those risks demand.
Continuity when the connection is the thing that fails
Critical infrastructure is defined by the days everything else is failing. A regional network cut, a coordinated intrusion, a submarine cable fault, a provider incident: these are precisely the moments an operator most needs its intelligence, and precisely the moments a cloud dependency is most likely to be absent. An air-gapped SIOS has no such conditional. Its forecasting, its anomaly detection and its operator support keep working when the internet does not, because they never depended on it.
This is what resilience means when it is taken seriously rather than asserted. The system's worst day is bounded by what the operator can physically protect, not by the health of a distant data centre or the state of a contested link. For energy and water, where a lost hour can mean a blackout or a boil-water notice, that bound is the whole point.
Sovereignty as the compliance path, not the obstacle to it
It is tempting to read all of this as friction: another set of requirements between an operator and useful AI. The opposite is true. NIS2, DORA, the AI Act and ISO/IEC 42001 are converging on the same demand, which is demonstrable control over the systems an operator depends on. An architecture that keeps the intelligence inside the perimeter, attests its identity, refuses silent egress and seals its own audit trail is not fighting these frameworks. It is the shortest route through them.
Our patent position reflects how much of this is genuinely novel engineering rather than configuration. Mickai LTD holds 104 filed UK patent applications, covering approximately 2,340 claims, spanning the attestation, sealing and consensus mechanisms described here. These are filed and patent pending, not granted. We describe them because the mechanisms are the substance of the argument, and an operator evaluating a resilient architecture deserves to know the specifics rather than the slogans.
Where this leads for the sector
The direction of travel through the rest of 2026 and beyond is unambiguous. Regulators will keep tightening the accountability that operators of energy and water cannot delegate, and the AI those operators use will be judged by the same standard as the pumps, the turbines and the control systems it now sits beside. The question every board will face is simple to state and hard to answer with a borrowed system: can you prove you control the intelligence that runs your infrastructure.
We built a SIOS so the honest answer can be yes. An operator that holds its own intelligence, offline, attested and sealed, is not merely compliant. It has removed a whole class of dependency from the most critical thing it does. For energy and water, where the public interest and the national interest are the same interest, that is not a preference. It is the resilient design, and it is the one the regulatory frame is steadily making mandatory.




