Keeping Patient Data on the Ward: NHS Data Sovereignty When the AI Is Local
When clinical AI runs on operator-owned hardware inside the hospital, patient records never have to cross the network boundary to be useful.
In 2026 the British Medical Association issued a plain warning: NHS data must remain under NHS stewardship. The concern is not abstract. As clinical decision support, ambient documentation and triage assistance move from pilot to routine use, where a patient's record physically travels becomes a governance question with legal weight. A record that leaves the hospital network to be processed by a distant service has, in effect, left the control of the people accountable for it.
This matters now because two forces meet in the same year. The EU AI Act reaches full application on 2 August 2026, placing high-risk clinical systems under strict duties of transparency, logging and human oversight. The UK Sovereign AI programme, alongside long-standing NHS information governance, pushes the same way: keep sensitive workloads on infrastructure the public sector can see and control. The way to satisfy both is deceptively simple. Do not send the data anywhere. Run the AI where the data already lives.
What sovereignty actually means at the bedside
Data sovereignty is often reduced to a map: which country the servers sit in. That framing is too weak for a ward. A record can rest on UK soil and still be outside NHS control if a third party holds the keys, sets the retention policy or can be compelled to disclose it. Sovereignty is about custody and accountability, not geography.
The stricter reading is the useful one. Patient data is sovereign when the hospital, and only the hospital, can decide what happens to it, prove what happened to it, and guarantee that no copy left the building. That standard is hard to meet when the intelligence doing the work sits in someone else's cloud. It becomes achievable when it sits on the ward.
Why the cloud model strains against clinical trust
The mainstream pattern for AI assistance is to send a prompt, often with the context around it, to a remote service and receive an answer back. For a general query that is unremarkable. For a patient's history, medication list or free-text notes it is a boundary crossing. Every crossing widens the surface that must be secured, audited and legally justified, and adds a dependency on an outside party's uptime and jurisdiction.
There is also the quieter risk. Remote services can retain, log or reuse what passes through them, and the operator rarely has cryptographic proof of what was kept. Consent frameworks and contracts help, but they are promises rather than mechanisms. A clinician acting under a duty of confidentiality is entitled to something firmer than a promise.
“If a patient's record never crosses the hospital network boundary, sovereignty stops being a policy commitment and becomes a physical fact.”
The AI runs on the ward, not in a cloud
Mickai is a Sovereign Intelligence Operating System, a SIOS. It runs entirely offline on operator-owned hardware inside the trust's own environment. The clinical reasoning, the retrieval over local records and the generation of a note all happen on a machine the hospital controls. Nothing about the workload requires an outbound connection, so there is no default path along which patient data could leave.
We treat the perimeter as inbound only. A zero-egress design means the system is architected so that data has no route out: no telemetry home, no model calls to a remote endpoint, no silent synchronisation. Updates and models are brought in deliberately and verified, rather than the system reaching out on its own. The boundary the BMA asks the NHS to hold is, in this model, held by construction rather than by configuration a mistake could undo.
Proving it, not just asserting it
Keeping data local removes one class of risk. It does not, on its own, answer the regulator's next question: how do you know what the AI did? A ward needs to reconstruct which record was read, which model produced which recommendation, and whether anything was altered. Under the EU AI Act's logging duties and the assurance expectations of ISO/IEC 42001, that record must be trustworthy, not merely present.
We build every action into a signed audit chain. Each step the system takes is written as a sealed entry, cryptographically linked to the one before it, so the sequence cannot be reordered or edited without detection. We sign these entries with post-quantum cryptography, so the audit trail remains verifiable long after today's signature schemes weaken. The identity doing the signing is hardware-attested: the machine proves it is the specific authorised device it claims to be, not an impostor holding a copied key.
The point of all this is offline verifiability. An auditor, an information governance lead or a regulator can check the chain locally, without contacting us and without any live service. The proof travels with the trust, not with the vendor.
Guarding against the model being wrong
Clinicians are right to distrust a single confident answer. A local system removes the data-egress problem but must still confront reliability. Our approach is cross-model consensus: more than one sovereign model reasons over the same question, and the system surfaces where they agree and, more importantly, where they diverge. Disagreement is treated as a signal to escalate to a human, not as noise to be smoothed over.
This keeps the human oversight the AI Act requires meaningful rather than ceremonial. The clinician is not asked to rubber-stamp an opaque output. They see a recommendation, the local evidence it drew on, and whether the models were unanimous. Agentic-audit governance, where the system's own decisions are logged and reviewable, means an oversight body can inspect not just the answer but the reasoning path that produced it.
What this asks of a trust, honestly
Running intelligence on the ward is not free of trade-offs, and we will not pretend otherwise. It requires capable hardware on site, a plan for validating models before they are brought in, and clinical governance over the arrangement. Local operation shifts responsibility toward the trust: the custody it gains is custody it must actively hold. That is a serious commitment, entered into knowingly.
We think it is the right trade for the most sensitive workloads. The alternative, streaming patient data to services the trust cannot fully see or verify, trades a durable form of control for convenience. For a general enquiry that may be reasonable. For a named patient's record it rarely is. The mechanisms we build, from the zero-egress perimeter to the post-quantum signed chain, exist to make the local option practical, not merely principled. Much of the underlying architecture is reflected in our estate of 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD; never granted or patented.
Where this is heading
The direction of travel in 2026 is clear enough. Regulation is tightening around logging, oversight and provenance. Public-sector buyers are being told, correctly, to keep sovereign workloads under their own control. And the means to run genuinely capable AI on local hardware, without a cloud dependency, have matured to the point where the cloud is a choice rather than a necessity.
We expect the ward, the clinic and the records department to become places where the intelligence comes to the data, and the data stays put. When that is the norm, the BMA's warning is met not by a policy anyone has to remember to follow, but by an architecture in which the patient's record never had a way to leave. That is the standard we are building toward, and the standard serious buyers should hold every supplier of clinical AI to.




