NHS Ambient Voice Just Got Rules. The Transcript Is the Most Sensitive Object in the Building
Why we think the consultation transcript should stay on-prem, held under a signed deletion and access record, even though the rules permit the cloud
The moment a clinician says "let's begin" and an ambient scribe starts listening, the most sensitive object in the building comes into existence. Not the diagnosis. Not the prescription. The raw transcript. It contains the patient's exact words, the clinician's working hypotheses, the differential that was considered and dropped, the sentence about the abusive partner that never made it into the coded record. NHS England's 2026 guidance on ambient voice technology finally puts rules around these products. We want to talk about the object those rules are really protecting, and why we think it should never leave the trust.
What the 2026 guidance actually says
The headline requirements are concrete, and for once a buyer can actually hold a product to them. Ambient voice and AI scribe products deployed in NHS settings are expected to hold at least MHRA Class 1 medical device registration, and Class 2a where the product influences diagnosis or a management plan rather than just transcribing. They must satisfy the Data Security and Protection Toolkit. They must carry Cyber Essentials, and Cyber Essentials Plus for anything touching patient data at scale. And session data, the audio and the transcript, must be auto-deleted under UK GDPR once it has served its purpose, with retention justified rather than assumed.
That is a real bar. It pushes a lot of demo-grade scribe tooling out of the room. But it also quietly concedes something buyers need to notice: DSP Toolkit compliance permits cloud processing, provided the controls are in place. There is no legal wall that says a transcript cannot be sent to a vendor's cloud. We are not going to pretend otherwise. The honest position is that cloud is permitted with controls, and on-prem is the safer default for this specific workload. Those are different claims, and the difference is the whole argument.
The transcript is not the note
Health-tech procurement tends to reason about the finished clinical note, because that is what gets filed, coded, and billed. The note is governed, structured, and access-controlled. The transcript is none of those things by default. It is a richer, messier, more revealing artefact than the note it produces, and it exists for a window of seconds to minutes before, ideally, it is destroyed.
Everything dangerous about ambient scribing lives in that window. If the transcript is generated on the clinician's device and processed inside the trust, the blast radius of a failure is the trust. If it is streamed to a vendor's cloud for inference, the blast radius becomes the vendor, the vendor's sub-processors, the vendor's incident history, and every jurisdiction the packets crossed. The finished note might be identical either way. The transcript's exposure is not.
Why on-prem is the safer default for this workload
We build Mickai as a Sovereign Intelligence Operating System, a SIOS that regulated organisations own and run inside their own walls, air-gapped where they choose, with a cryptographically-signed audit record on every action. For ambient scribing, that architecture maps almost one-to-one onto the 2026 requirements, and it does so at the layer that matters, the transcript layer.
Run inference on-prem and the transcript never becomes a network event. Registration and the DSP Toolkit still apply, but you are attesting to a system whose data boundary is the building, not a shared-responsibility diagram that ends at someone else's tenancy. Auto-deletion stops being a policy you trust a vendor to honour and becomes a signed deletion record you hold. When the retention window closes, the system does not merely promise the transcript is gone, it produces a tamper-evident entry recording that it was destroyed, by which process, at which time, under which policy. That is the difference between an assurance and evidence.
The access side works the same way. Every read of a live transcript, every export, every model invocation carries an entry in the Open Audit Record, our substrate primitive. When an information governance lead or the ICO asks who touched a given consultation transcript, the answer is a query, not an investigation. We treat that signed deletion-and-access record as the compliant default for the transcript workload, and we think trusts should demand it regardless of vendor.
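To make the signed deletion-and-access record described in the two paragraphs above concrete, here is an added Python sketch of a hash-chained, signed log. It is not Mickai's Open Audit Record code or format. The field names, the sample events and the use of HMAC as a stand-in for a real signature are assumptions.

```python
import hashlib, hmac, json

# Assumption: HMAC-SHA256 with a constructed key stands in for the signature;
# a production record would use an asymmetric key so verifiers cannot forge.
DEMO_KEY = b"constructed-demo-key"
GENESIS = "0" * 64

def _digest(body):
    # Canonical JSON so an entry always hashes to the same value.
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def _sign(entry_hash):
    return hmac.new(DEMO_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()

def append(chain, event, transcript_id, actor, policy, ts):
    """Append a signed entry that commits to the previous entry's hash."""
    body = {"seq": len(chain), "prev": chain[-1]["hash"] if chain else GENESIS,
            "event": event, "transcript_id": transcript_id,
            "actor": actor, "policy": policy, "ts": ts}
    h = _digest(body)
    chain.append({**body, "hash": h, "sig": _sign(h)})

def verify(chain):
    """Return the index of the first invalid entry, or -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(chain):
        body = {k: v for k, v in e.items() if k not in ("hash", "sig")}
        ok = (e["seq"] == i and e["prev"] == prev and _digest(body) == e["hash"]
              and hmac.compare_digest(_sign(e["hash"]), e["sig"]))
        if not ok:
            return i
        prev = e["hash"]
    return -1

def who_touched(chain, transcript_id):
    """Answer 'who touched this transcript' from a chain that verifies."""
    if verify(chain) != -1:
        raise ValueError("audit chain failed verification")
    return [(e["ts"], e["actor"], e["event"])
            for e in chain if e["transcript_id"] == transcript_id]

def demo_chain():
    # Constructed events; IDs, actors and policy name are hypothetical.
    chain = []
    append(chain, "create", "T-001", "scribe-service", "P-RET-01", "2026-03-01T09:00:00Z")
    append(chain, "read", "T-001", "dr.example", "P-RET-01", "2026-03-01T09:04:10Z")
    append(chain, "read", "T-002", "dr.example", "P-RET-01", "2026-03-01T09:10:00Z")
    append(chain, "delete", "T-001", "retention-job", "P-RET-01", "2026-03-01T09:15:00Z")
    return chain
```

A chain like this detects edited entries and entries removed from the middle, but not truncation of the tail. The latest entry hash has to be held somewhere the log writer cannot rewrite.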
Where cloud genuinely is fine, and where it is not
We are not making a blanket anti-cloud argument, because that argument is false and diligence catches it. Almost every regime that touches this space, UK GDPR, the DSP Toolkit, the wider financial and data rules, permits cloud with controls. The genuine no-cloud bar is workload-level and narrow. Most NHS scribing does not sit behind a hard legal prohibition. It sits behind a sovereignty preference: control over where the most sensitive object lives, control over deletion, and the removal of a data-exfiltration path that a shared cloud inevitably widens.
So the honest framing is this. A trust can run a compliant cloud scribe. A trust that runs the transcript workload on-prem removes a whole category of risk for the artefact that carries the most patient harm if it leaks, and it does so without giving up any of the auditability that regulators are moving toward requiring. Given the choice and given that the on-prem architecture is built and live, we think the transcript should stay in the building.
The buyer's checklist
When you evaluate an ambient voice product against the 2026 guidance, we would push past the certification logos and ask four things. Where is the transcript generated, on the device or in a cloud? Where is inference performed, and can it be performed entirely on-prem? When session data is deleted, do you get a signed, verifiable deletion record or only a policy statement? And can every access to a transcript be produced as an audit entry on demand? A product that answers those cleanly is compliant in substance, not just on paper.
This connects to two things we have written about before. Our work on the cryptographically-signed clinical audit record covers why signed provenance beats logged provenance for regulated care. And our piece on why regulated AI belongs inside your own walls sets out the broader sovereignty-preference case that this NHS example is a sharp instance of. Ambient voice is where the abstract argument about data residency finally has a face, and that face is the transcript.
The takeaway
The 2026 guidance is good news. It sets a real bar and it forces buyers to think about session data, not just finished notes. Our argument is one step further in. The transcript is the most sensitive object your ambient scribe will ever create, it exists for seconds, and everything that can go wrong with it is governed by where it lives during those seconds. Compliance permits cloud. Safety, for this workload, prefers the building. Keep the transcript on-prem, hold a signed deletion and access record, and the hardest questions a regulator can ask become a query you can answer in seconds.
Frequently asked questions
Does NHS guidance ban cloud-based ambient scribing?
No. The DSP Toolkit and UK GDPR permit cloud processing when the required controls are in place. We argue on-prem is the safer default specifically for the transcript workload, because it removes an exfiltration path for the most sensitive artefact, not because cloud is prohibited.
What MHRA class does an ambient scribe need?
At least Class 1 for products that transcribe, and Class 2a where the product influences diagnosis or a management plan. The distinction turns on whether the tool merely records or actively shapes a clinical decision, so map your product's real function to the class rather than assuming the lower tier.
What makes the transcript more sensitive than the finished note?
The note is structured, coded, and access-controlled. The transcript is the raw, unfiltered record of everything said, including discarded hypotheses and disclosures that never reach the coded record. It is richer and more revealing, and by default it is far less governed, which is exactly why it deserves the strongest residency and deletion controls.
How does Mickai prove a transcript was deleted?
Mickai runs inference on-prem and writes every action, including deletion, to the Open Audit Record, a cryptographically-signed audit chain. When the retention window closes the system produces a tamper-evident entry recording that the transcript was destroyed, by which process and under which policy, so deletion is evidenced rather than merely asserted.
Micky Irons


