MICKAI
Article · 1 July 2026

The EU AI Act by Risk Tier: Mapping High-Risk Obligations to an On-Premise AI System

A tier-by-tier read of the EU AI Act, and how a sovereign, logged, human-oversight architecture answers each high-risk obligation inside your own walls.

Author: Micky Irons
Tags: Sovereign AI, Mickai, Artificial Intelligence, Open Audit Record, Patents

The Act is a risk pyramid, not a rulebook

[Illustration 1]

The EU AI Act does not regulate AI as one thing. It sorts systems into tiers and attaches obligations to each. Read it that way and the compliance question stops being philosophical and becomes an architecture question: can your system produce, on demand, the evidence each tier requires?

Four tiers matter. Prohibited practices are off the table entirely, including untargeted scraping for facial recognition databases and certain social scoring. Limited-risk systems carry transparency duties, mostly disclosure that a user is dealing with a machine. Minimal-risk systems are largely unburdened. The weight sits in the high-risk tier, and for regulated firms that is where most valuable use cases land: credit scoring, insurance pricing and eligibility, employment decisions, access to essential services, and safety components.

If your deployment touches any of those, the Act is not a policy to write. It is a set of technical and record-keeping capabilities you either have or you do not.

What high-risk actually demands

[Illustration 2]

Strip the recitals away and the high-risk obligations reduce to a short list a CISO or Head of Model Risk can hold in one hand.

  • A risk management system that runs across the lifecycle, not a one-off sign-off.
  • Data governance: known provenance, quality controls, bias examination.
  • Technical documentation and automatic logging that let you reconstruct what the system did.
  • Human oversight designed in, so a person can understand, intervene, and stop.
  • Accuracy, robustness, and cybersecurity appropriate to the risk.
  • Records that survive scrutiny, retained and available to authorities.

Notice the shape. Almost every obligation is an evidence obligation. You are not asked to promise the model behaves. You are asked to prove what it did, show a human was in the loop, and demonstrate the record was not altered after the fact. A public-cloud endpoint you cannot inspect, running on infrastructure you do not control, in a jurisdiction that may compel disclosure under the CLOUD Act, struggles to meet that standard at the level a supervisor will accept.

Where sovereignty stops being a slogan

[Illustration 3]

Mickai is a sovereign AI operating system: AI that regulated businesses own and run inside their own walls, on-prem and air-gapped. That single design choice resolves a cluster of high-risk obligations before you write a policy.

Data governance and provenance become tractable because the model never leaves your environment and the retrieval corpus is an air-gapped RAG you assemble and control. There is no third party ingesting your special-category data, no cross-border transfer to reason about, no CLOUD Act exposure sitting under your DPIA. Cybersecurity appropriate to the risk starts from a defensible baseline: the attack surface is your building, not the open internet.

For the DPO and the GDPR DPIA specifically, this changes the analysis from mitigation to elimination. You are not documenting how you reduce the risk of an external processor. There is no external processor.

The obligation the cloud cannot answer: the record

[Illustration 4]

Logging is where most AI deployments quietly fail the high-risk test. The Act wants automatic recording of events over the system's lifetime, in a form that supports traceability and post-market monitoring. In practice a supervisor wants to know that the record is complete and that it has not been edited to flatter the operator.

Every action in Mickai is written to the OAR, a tamper-evident audit record signed with ML-DSA-65, a post-quantum signature scheme. Signing matters because a log you can silently rewrite is not evidence. A post-quantum signed, hardware-bound record is. When a supervisor, the Head of Internal Audit, or opposing counsel asks what the system did on a given decision, the answer is a cryptographically verifiable chain, not a database export you are asking them to trust.

This is the difference between claiming compliance and being able to demonstrate it under adversarial conditions. The OAR is designed for the second case.

Human oversight, built in rather than bolted on

[Illustration 5]

The Act's oversight requirement is often reduced to a review button. That is not what a serious architecture looks like. Under Mickai's arbiter, 50 specialised brains operate below a deterministic control layer, so outputs are governed by rules an auditor can inspect rather than by a single opaque model's mood. High-consequence actions can require voice-biometric quorum, tying an intervention to an identified human. When something must be undone, compensating rollback reverses the action and writes the reversal to the same signed record.

For the General Counsel and the Board, this is the material point. Oversight is not a promise that a person was watching. It is a mechanism that makes the human step a recorded, enforceable part of the decision, and it maps directly onto the Act's demand that oversight be designed into the system rather than left to operational goodwill.
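As an added illustration of the two mechanisms above (the signed, tamper-evident record, and a rollback that is appended to the same record rather than erasing anything), here is a minimal append-only hash chain with per-entry signatures. It is example code written for this article, not Mickai's OAR implementation. It assumes an in-memory Ed25519 key in place of hardware-bound ML-DSA-65 (ML-DSA is not in the Go standard library; the chaining and verification logic does not depend on the scheme), and the names AuditLog, Entry, Append, Rollback and Verify are mine.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one record of an append-only hash chain; Prev binds it to the entry before it.
type Entry struct {
	Action   string
	Prev     string // digest of the previous entry, "" for the first
	Reverses int    // index of the entry a compensating rollback undoes, -1 if none
	Sig      []byte // signature over digest(entry)
}
// In-memory Ed25519 key stands in for the article's hardware-bound ML-DSA-65 (assumption: not in Go's stdlib).
var pub, priv, _ = ed25519.GenerateKey(nil) // nil selects crypto/rand
type AuditLog struct{ Entries []Entry }
// digest is hex SHA-256 over every field except the signature itself.
func digest(e Entry) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%d", e.Action, e.Prev, e.Reverses)))
	return hex.EncodeToString(sum[:])
}
// Append signs a new entry and links it to the current head of the chain.
func (l *AuditLog) Append(action string, reverses int) Entry {
	e := Entry{Action: action, Reverses: reverses}
	if n := len(l.Entries); n > 0 {
		e.Prev = digest(l.Entries[n-1])
	}
	e.Sig = ed25519.Sign(priv, []byte(digest(e)))
	l.Entries = append(l.Entries, e)
	return e
}
// Rollback never deletes: the compensating entry points at the action it reverses.
func (l *AuditLog) Rollback(idx int) Entry {
	return l.Append("ROLLBACK:"+l.Entries[idx].Action, idx)
}
// Verify returns the first index whose link or signature fails, or (len, true).
func (l *AuditLog) Verify() (int, bool) {
	prev := ""
	for i, e := range l.Entries {
		if e.Prev != prev || !ed25519.Verify(pub, []byte(digest(e)), e.Sig) {
			return i, false
		}
		prev = digest(e)
	}
	return len(l.Entries), true
}
```

Editing an earlier entry breaks its own signature and every link after it, but Verify alone cannot detect truncation of the tail; that is what anchoring the latest digest outside the log (the hardware binding the article describes) is for.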

The regime does not arrive alone

[Illustration 6]

No regulated firm gets to treat the AI Act in isolation. The same high-risk system usually sits inside SS1/23 model risk management, GDPR, DORA operational resilience, and sector rules from the FCA or a prudential supervisor. The value of a single sovereign substrate is that one evidence layer serves all of them. The OAR that satisfies the Act's logging duty is the same record that supports a DORA incident reconstruction, an SS1/23 model inventory, and a GDPR data-subject inquiry. You are not building a separate compliance stack per regulation. You are building one and answering many.

That is the wedge. Roughly 0.85 million UK businesses and around 5 million across the EU are effectively barred from putting regulated workloads on public-cloud AI. Independent analyses size the sovereign AI market at around USD 40 billion in 2025, on a path toward roughly USD 148 billion by 2032. The Act is one of several forces pushing that curve.

Filed, built, and moving

Mickai is built and LIVE, and building to scale. The architecture is backed by 104 filed UK patent applications, roughly 2,340 claims, held by Mickai LTD, inventor Micky Irons. Filed, not granted, is deliberate: it establishes priority and a prior-art position around sovereign, signed, human-oversight AI. As a dated third-party signal, in June 2026 Micky Irons was ranked #4 on Crunchbase, with the company placing in the top 1 to 2 percent globally.

We frame Mickai as an ally to the wider AI ecosystem, not a rival to it. Frontier labs build capability. Mickai builds the compliant substrate that lets regulated firms actually deploy that capability inside their own walls, with the record to prove it.

The window

The high-risk tier is not a cost to manage. For a firm that builds the evidence layer early, it is a moat to own before the enforcement calendar hardens. If your institution carries AI Act exposure and wants that layer in place ahead of the curve, you can reach me directly at micky@mickai.co.uk.

Micky Irons, founder and CEO of Mickai.

Frequently asked questions

Which EU AI Act tier do most regulated business use cases fall into?

High-risk. Credit scoring, insurance pricing and eligibility, employment decisions, access to essential services, and safety components sit in the high-risk tier, which carries the heaviest obligations: lifecycle risk management, data governance, automatic logging, human oversight, and records available to authorities.

Why does on-premise deployment help with EU AI Act compliance?

Most high-risk obligations are evidence obligations. Running the model inside your own walls, air-gapped, keeps special-category data out of third-party hands, removes cross-border transfer and CLOUD Act exposure from your DPIA, and lets you produce a complete, inspectable record of what the system did.

What is the OAR and why does it matter for logging duties?

The OAR is Mickai's tamper-evident audit record. Every action is written to it and signed with ML-DSA-65, a post-quantum signature scheme, and bound to hardware. A log you can silently rewrite is not evidence. A cryptographically verifiable chain answers the Act's traceability and post-market monitoring requirements under adversarial scrutiny.

How does Mickai satisfy the human oversight requirement?

Fifty specialised brains run below a deterministic arbiter, so outputs follow inspectable rules rather than one opaque model. High-consequence actions can require voice-biometric quorum tied to an identified person, and compensating rollback reverses an action and records the reversal, making oversight an enforceable, logged step.

Does one sovereign system help beyond the AI Act?

Yes. The same OAR that satisfies the Act's logging duty supports a DORA incident reconstruction, an SS1/23 model inventory, and a GDPR data-subject inquiry. One evidence layer serves multiple regimes instead of a separate compliance stack per regulation.

Originally published at https://mickai.co.uk/articles/eu-ai-act-by-risk-tier-mapping-high-risk-obligations-to-an-on-prem-system.