MICKAI
Article · 4 July 2026

NHS Ambient Voice Just Got Rules. The Transcript Is the Most Sensitive Object in the Building

Why we think the consultation transcript should stay on-prem, held under a signed deletion and access record, even though the rules permit the cloud

NHS Ambient Voice Just Got Rules. The Transcript Is the Most Sensitive Object in the Building
Author
Micky Irons
Published
4 July 2026
Follow Micky Irons
LinkedInX
NHSambient voiceclinical AIdata residencyMHRA

!A cinematic figure of Asclepius, god of healing, rendered in gold against a void-black background, holding a sealed scroll close to his chest

The moment a clinician says "let's begin" and an ambient scribe starts listening, the most sensitive object in the building comes into existence. Not the diagnosis. Not the prescription. The raw transcript. It contains the patient's exact words, the clinician's working hypotheses, the differential that was considered and dropped, the sentence about the abusive partner that never made it into the coded record. NHS England's 2026 guidance on ambient voice technology finally puts rules around these products. We want to talk about the object those rules are really protecting, and why we think it should never leave the trust.

What the 2026 guidance actually says

The headline requirements are concrete, and for once a buyer can actually hold a product to them. Ambient voice and AI scribe products deployed in NHS settings are expected to hold at least MHRA Class 1 medical device registration, and Class 2a where the product influences diagnosis or a management plan rather than just transcribing. They must satisfy the Data Security and Protection Toolkit. They must carry Cyber Essentials, and Cyber Essentials Plus for anything touching patient data at scale. And session data, the audio and the transcript, must be auto-deleted under UK GDPR once it has served its purpose, with retention justified rather than assumed.

That is a real bar. It pushes a lot of demo-grade scribe tooling out of the room. But it also quietly concedes something buyers need to notice: DSP Toolkit compliance permits cloud processing, provided the controls are in place. There is no legal wall that says a transcript cannot be sent to a vendor's cloud. We are not going to pretend otherwise. The honest position is that cloud is permitted with controls, and on-prem is the safer default for this specific workload. Those are different claims, and the difference is the whole argument.

The transcript is not the note

Health-tech procurement tends to reason about the finished clinical note, because that is what gets filed, coded, and billed. The note is governed, structured, and access-controlled. The transcript is none of those things by default. It is a richer, messier, more revealing artefact than the note it produces, and it exists for a window of seconds to minutes before, ideally, it is destroyed.

Everything dangerous about ambient scribing lives in that window. If the transcript is generated on the clinician's device and processed inside the trust, the blast radius of a failure is the trust. If it is streamed to a vendor's cloud for inference, the blast radius becomes the vendor, the vendor's sub-processors, the vendor's incident history, and every jurisdiction the packets crossed. The finished note might be identical either way. The transcript's exposure is not.

!A gold figure of Hades enthroned before a sealed vault door, symbolising permanence and finality, on a black void

Classical marble scene, Asclepius, gold rim light on void black

Why on-prem is the safer default for this workload

We build Mickai as a Sovereign Intelligence Operating System, a SIOS that regulated organisations own and run inside their own walls, air-gapped where they choose, with a cryptographically-signed audit record on every action. For ambient scribing, that architecture maps almost one-to-one onto the 2026 requirements, and it does so at the layer that matters, the transcript layer.

Run inference on-prem and the transcript never becomes a network event. Registration and the DSP Toolkit still apply, but you are attesting to a system whose data boundary is the building, not a shared-responsibility diagram that ends at someone else's tenancy. Auto-deletion stops being a policy you trust a vendor to honour and becomes a signed deletion record you hold. When the retention window closes, the system does not merely promise the transcript is gone, it produces a tamper-evident entry recording that it was destroyed, by which process, at which time, under which policy. That is the difference between an assurance and evidence.

The access side works the same way. Every read of a live transcript, every export, every model invocation carries an entry in the Open Audit Record, our substrate primitive. When an information governance lead or the ICO asks who touched a given consultation transcript, the answer is a query, not an investigation. We treat that signed deletion-and-access record as the compliant default for the transcript workload, and we think trusts should demand it regardless of vendor.

Where cloud genuinely is fine, and where it is not

We are not making a blanket anti-cloud argument, because that argument is false and diligence catches it. Almost every regime that touches this space, UK GDPR, the DSP Toolkit, the wider financial and data rules, permits cloud with controls. The genuine no-cloud bar is workload-level and narrow. Most NHS scribing does not sit behind a hard legal prohibition. It sits behind a sovereignty preference: control over where the most sensitive object lives, control over deletion, and the removal of a data-exfiltration path that a shared cloud inevitably widens.

So the honest framing is this. A trust can run a compliant cloud scribe. A trust that runs the transcript workload on-prem removes a whole category of risk for the artefact that carries the most patient harm if it leaks, and it does so without giving up any of the auditability that regulators are moving toward requiring. Given the choice and given that the on-prem architecture is built and live, we think the transcript should stay in the building.

Classical marble scene, Asclepius, gold rim light on void black

The buyer's checklist

When you evaluate an ambient voice product against the 2026 guidance, we would push past the certification logos and ask four things. Where is the transcript generated, on the device or in a cloud. Where is inference performed, and can it be performed entirely on-prem. When session data is deleted, do you get a signed, verifiable deletion record or only a policy statement. And can every access to a transcript be produced as an audit entry on demand. A product that answers those cleanly is compliant in substance, not just on paper.

This connects to two things we have written about before. Our work on the cryptographically-signed clinical audit record covers why signed provenance beats logged provenance for regulated care. And our piece on why regulated AI belongs inside your own walls sets out the broader sovereignty-preference case that this NHS example is a sharp instance of. Ambient voice is where the abstract argument about data residency finally has a face, and that face is the transcript.

!A gold figure of Chronos holding an unbroken chain, representing the continuous audit trail, against black void with drifting embers

The takeaway

The 2026 guidance is good news. It sets a real bar and it forces buyers to think about session data, not just finished notes. Our argument is one step further in. The transcript is the most sensitive object your ambient scribe will ever create, it exists for seconds, and everything that can go wrong with it is governed by where it lives during those seconds. Compliance permits cloud. Safety, for this workload, prefers the building. Keep the transcript on-prem, hold a signed deletion and access record, and the hardest questions a regulator can ask become a query you can answer in seconds.

Frequently asked questions

Does NHS guidance ban cloud-based ambient scribing?

No. The DSP Toolkit and UK GDPR permit cloud processing when the required controls are in place. We argue on-prem is the safer default specifically for the transcript workload, because it removes an exfiltration path for the most sensitive artefact, not because cloud is prohibited.

What MHRA class does an ambient scribe need?

At least Class 1 for products that transcribe, and Class 2a where the product influences diagnosis or a management plan. The distinction turns on whether the tool merely records or actively shapes a clinical decision, so map your product's real function to the class rather than assuming the lower tier.

What makes the transcript more sensitive than the finished note?

The note is structured, coded, and access-controlled. The transcript is the raw, unfiltered record of everything said, including discarded hypotheses and disclosures that never reach the coded record. It is richer and more revealing, and by default it is far less governed, which is exactly why it deserves the strongest residency and deletion controls.

How does Mickai prove a transcript was deleted?

Mickai runs inference on-prem and writes every action, including deletion, to the Open Audit Record, a cryptographically-signed audit chain. When the retention window closes the system produces a tamper-evident entry recording that the transcript was destroyed, by which process and under which policy, so deletion is evidenced rather than merely asserted.

Micky Irons

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/nhs-ambient-voice-mhra-class-and-why-transcripts-should-never-leave-the-trust. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles
4 Jul 2026
Alex Karp Is Right: You Are Paying For Tokens You Cannot Audit
Alex Karp said hosted-AI vendors capture your data and bill you for unproductive tokens that create no value. He is right. We built Mickai so regulated organisations own the substrate instead of renting it, with a signed audit record on every action.
4 Jul 2026
The EU Just Pushed High-Risk AI to December 2027. Here Is What We Are Building Instead of Waiting
The Digital Omnibus provisional agreement moves the EU AI Act high-risk deadlines from August 2026 to December 2027. Most coverage frames the delay as relief. We frame it as the window to own your compliance stack outright, so you are compliant on day one in 2027 instead of retrofitting logging, oversight and traceability under a live deadline.
4 Jul 2026
Article 50 Lands in August: Machine-Detectable AI Provenance, and Why We Sign It At Source
Article 50 makes synthetic content machine-detectable from 2 August 2026, and the draft Code of Practice names C2PA as the route. We bind Content Credentials to the cryptographically-signed audit record Mickai writes on every action, so provenance is produced at source inside your own walls, not bolted onto a cloud API afterward.
4 Jul 2026
Under Oath, They Said They Could Not Say No. That Sentence Is the Whole Market
Microsoft France told the French Senate under oath that it cannot guarantee European data will never reach US authorities under the CLOUD Act, even inside a French sovereign region. We think that single sentence defines the market. Sovereign cloud is a real engineering improvement, but while the parent is US-domiciled the legal gap stays open. The only structure where the answer to a foreign subpoena is genuinely no is one you own and run inside your own walls.