MICKAI
Article · 30 June 2026

Nomos: Continuous Compliance Mapping Against PRA, GDPR and the EU AI Act

Nomos turns evolving regulation into machine-checkable controls inside the firm, with the Operational Audit Record as evidence regulators can verify rather than take on trust.

Author: Micky Irons
Published: 30 June 2026
Tags: Sovereign AI, Mickai, Artificial Intelligence, Open Audit Record, Patents

The compliance problem most tooling does not solve

Most compliance tooling tells you what the rules said last quarter. It produces a spreadsheet, a policy document, a status that someone updates by hand. Then the PRA issues new supervisory guidance, the EU AI Act moves another obligation from advisory to mandatory, and the gap between what the firm believes it is doing and what it can prove reopens. The work is real and the people are diligent, but the evidence is still a story told after the fact.

Nomos is built to close that gap. It is the compliance Studio module inside Mickai, the sovereign AI operating system that regulated businesses own and run inside their own walls, on-prem and air-gapped. Nomos does not summarise regulation for a human to interpret later. It maps evolving obligations into controls the firm can check by machine, continuously, and writes every check to the Operational Audit Record (OAR): a tamper-evident, post-quantum-signed audit trail that a regulator can verify directly.

This matters because the firms that most need AI are often the ones least able to use the public-cloud version of it. They cannot send special-category data to an external model. So the compliance burden and the AI opportunity sit on the same desk, and they have long been treated as opposites.

From regulation to machine-checkable control

The core idea is simple to state and hard to engineer. A regulation is a set of obligations. An obligation, decomposed properly, becomes a control: a condition that can be evaluated as true or false against the firm's actual state, with the evidence that was evaluated attached to the result. Nomos performs that decomposition and keeps it current.

Take three regimes a UK regulated firm lives inside at once.

PRA supervisory expectations, including SS2/21 on outsourcing and third-party risk, require that a firm knows where its data and material services run, who can reach them, and what happens if a provider fails. With Mickai running on-prem, the answer to "where does this run" is the firm's own infrastructure, and Nomos maps each PRA expectation to a control the operating system can attest to: data residency, exit plans, dependency mapping.

UK GDPR special-category processing requires an Article 6 lawful basis together with an Article 9 condition, data minimisation, and a demonstrable record of what was processed and why. Because every action in Mickai is written to the OAR, Nomos does not reconstruct that record from logs after an incident. The record exists at the moment of processing, signed.

The EU AI Act classifies certain systems as high-risk and attaches obligations on data governance, human oversight, logging, and transparency. Nomos maps those obligations to controls, and the underlying system already produces the logging and traceability the Act demands. The compliance evidence is a property of the operating system, not a bolt-on.

When the regulation changes, the mapping changes. Nomos updates the control set, flags which controls are newly unmet, and routes the delta to the people who own it. For that to be auditable the mapping itself has to be versioned and each revision recorded like any other action, so an auditor can tell which interpretation was in force when a given check ran. The firm is never relying on last quarter's interpretation.

The OAR is the difference

Plenty of vendors promise continuous compliance. The honest question a regulator or auditor asks next is whether the evidence can be trusted. With most systems the answer is that you trust the vendor's word, because the logs are mutable and the data left the building.

The Operational Audit Record is engineered so that trust is not required. Every action Mickai takes, and every control Nomos checks, is written to a tamper-evident record that is post-quantum-signed. A regulator can verify the signature and the chain independently. Independent verification presupposes that the signing public key and the chain's anchor are published outside the system being audited; a verifier who obtains both from the same operator has only confirmed that the story is self-consistent. Evidence stops being a narrative and becomes something checkable. That is the line between compliance theatre and compliance you can stand behind in a supervisory meeting.
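The decomposition of an obligation into a checkable control with evidence attached (described under "From regulation to machine-checkable control" above) and the independently verifiable signed chain described here are sketched together in the following added example. It is not Mickai's code and does not describe the OAR's actual format or signature scheme. It uses a Lamport one-time signature, a hash-based scheme from one of the post-quantum families, as a stand-in for whatever post-quantum signature the OAR uses; each record commits to the hash of the next one-time public key, so the whole chain verifies from a single published root hash. The control names `residency-uk` and `exit-plan-documented`, the record fields, and the sample inventory are all constructed for the illustration.

```python
"""Illustrative hash-chained audit record with hash-based one-time signatures.
Added example: not Mickai's OAR. Control names, record layout and the sample
inventory are constructed for the demonstration."""
import copy
import hashlib
import json
import os

N = 256  # SHA-256 digest bits; Lamport needs one secret pair per bit

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def canon(obj) -> bytes:
    """Canonical JSON so signer and verifier hash byte-identical input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def keygen():
    """Lamport one-time keypair: 256 pairs of random secrets; the public key is their hashes."""
    sk = [[os.urandom(32), os.urandom(32)] for _ in range(N)]
    pk = [[h(s0).hex(), h(s1).hex()] for s0, s1 in sk]
    return sk, pk

def msg_bits(msg: bytes):
    d = int.from_bytes(h(msg), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]

def sign(sk, msg: bytes):
    """Reveal, for each message-hash bit, the secret of that pair. A key must never be reused."""
    return [sk[i][b].hex() for i, b in enumerate(msg_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != N:
        return False
    return all(h(bytes.fromhex(sig[i])).hex() == pk[i][b]
               for i, b in enumerate(msg_bits(msg)))

# Hypothetical control predicates over a constructed inventory; the names echo the
# article's residency and exit-plan examples but are not Mickai control identifiers.
CONTROLS = {
    "residency-uk": lambda inv: all(host["region"] == "UK" for host in inv["hosts"]),
    "exit-plan-documented": lambda inv: all("exit_plan" in s for s in inv["material_services"]),
}

class AuditChain:
    """Appender: each record is signed with a fresh one-time key whose hash the previous
    record committed to, so the chain is anchored by one published root hash."""

    def __init__(self):
        self.records = []
        self.prev_hash = "0" * 64
        self.sk, self.pk = keygen()
        self.root_anchor = h(canon(self.pk)).hex()  # to be published out of band

    def append(self, control: str, inventory: dict) -> dict:
        passed = CONTROLS[control](inventory)
        next_sk, next_pk = keygen()
        body = {
            "seq": len(self.records),
            "prev": self.prev_hash,
            "control": control,
            "status": "pass" if passed else "fail",
            "evidence": h(canon(inventory)).hex(),  # commitment to the state that was checked
            "next_pk_hash": h(canon(next_pk)).hex(),
        }
        rec = {"body": body, "pk": self.pk, "sig": sign(self.sk, canon(body))}
        self.records.append(rec)
        self.prev_hash = h(canon(body)).hex()
        self.sk, self.pk = next_sk, next_pk  # retire the used key
        return rec

def verify_chain(records, root_anchor: str):
    """What a regulator runs: needs only the records and the published anchor.
    Returns (True, None) or (False, index of the first record that fails)."""
    expected_pk_hash, prev_hash = root_anchor, "0" * 64
    for i, rec in enumerate(records):
        body = rec["body"]
        if (h(canon(rec["pk"])).hex() != expected_pk_hash
                or body["seq"] != i or body["prev"] != prev_hash
                or not verify(rec["pk"], canon(body), rec["sig"])):
            return False, i
        prev_hash = h(canon(body)).hex()
        expected_pk_hash = body["next_pk_hash"]
    return True, None

def demo():
    inventory = {  # constructed sample state: residency holds, exit plan is missing
        "hosts": [{"name": "db-01", "region": "UK"}, {"name": "gpu-01", "region": "UK"}],
        "material_services": [{"name": "payments"}],
    }
    chain = AuditChain()
    chain.append("residency-uk", inventory)
    chain.append("exit-plan-documented", inventory)
    clean = verify_chain(chain.records, chain.root_anchor)
    forged = copy.deepcopy(chain.records)  # flip the failed check to "pass" after the fact
    forged[1]["body"]["status"] = "pass"
    cut = copy.deepcopy(chain.records)  # drop a record from the middle of the chain
    del cut[0]
    return (chain.records[1]["body"]["status"], clean,
            verify_chain(forged, chain.root_anchor), verify_chain(cut, chain.root_anchor))

if __name__ == "__main__":
    print(demo())
```

The verifier takes only the records and `root_anchor`, which is the whole point: the anchor has to be published somewhere the operator cannot rewrite, or the check reduces to trusting the operator. Note what this check does not catch: deleting records from the tail leaves a shorter chain that still verifies, so a deployment must also publish the latest record hash (or a count) out of band. A production system would use a stateful hash-based scheme such as XMSS, or a lattice signature such as ML-DSA, rather than one Lamport key per record.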

This is also why sovereignty and compliance are the same product, not two. Because Mickai runs inside the firm, on-prem and air-gapped, the data never crosses a jurisdictional boundary that would bring it within reach of the US CLOUD Act or count as an export of controlled technical data under ITAR or EAR. NIS obligations on an operator of essential services apply wherever the data sits, but the controls that satisfy them are checked in-house and the evidence stays in-house. Nomos can attest to that residency because the operating system enforces it.

Why this is a market, not a feature

The wedge is concrete. Roughly 0.85 million UK businesses, about 15 percent, legally cannot send their data to public-cloud AI. Across the EU the figure is near 5 million. The drivers are not preferences, they are obligations: PRA SS2/21, UK GDPR special-category processing, the NHS DSP Toolkit, EU AI Act high-risk classification, ITAR and EAR, NIS Regulations, and the long reach of the US CLOUD Act. The sovereign AI market is sized from around 40 billion US dollars in 2025 to roughly 148 billion by 2032.

Mickai is built and live, not a concept. The platform sits behind 104 filed UK patent applications, around 2,340 claims, owned by Mickai LTD with myself as inventor. These are filed, not granted: the point is to establish priority and a defensible prior-art position as the field forms.

As a dated, third-party momentum signal, in June 2026 I was ranked number 4 on Crunchbase by CB Rank for a person, verified live at that date, with the Mickai company profile in the top 1 to 2 percent globally. That is a point-in-time snapshot rather than a permanent claim, but it indicates that the market is paying attention to sovereign AI for regulated firms.

Where Nomos sits

Nomos is one of the Greek-named Studio modules inside Mickai, alongside Nemesis for fraud and AML, Plutus for finance, Tyche for underwriting, Prometheus for forecasting, Iris for customer service, Astraea for legal, Panacea for clinical, Pythia for business intelligence, and Aletheia for audit. They share the same substrate: the firm's own infrastructure and the OAR underneath every action. Compliance is not a separate silo bolted to the side; it reads the same signed record the rest of the firm runs on.

Mickai is positioned as an ally to the wider AI ecosystem, not a competitor set against it. The dual-buyer thesis is straightforward: the regulated enterprise buys sovereignty and provable compliance, and the broader market benefits as the controls and audit primitives mature. We are a UK company, with Birmingham manufacturing secured, building to scale.

Getting involved

A pre-seed window is open to a selected group of partners as Mickai scales. This is an opportunity to be early in a category that regulation is actively creating, not a search for rescue. If you operate in a regulated sector, advise firms that do, or invest where compliance and sovereignty intersect, the conversation is worth having now while the window is open.

You can reach me directly at micky@mickai.co.uk.

Micky Irons, founder and CEO of Mickai.

FAQ

What does Nomos actually do?

Nomos is the compliance module inside Mickai. It maps evolving regulation, including PRA expectations, UK GDPR, and the EU AI Act, into machine-checkable controls that the firm verifies continuously, and it writes every check to the Operational Audit Record so the evidence is independently verifiable.

How is the audit evidence trustworthy if it comes from the vendor?

Because the Operational Audit Record is tamper-evident and post-quantum-signed, a regulator or auditor verifies the signature and chain independently. Trust in Mickai's word is not required. The evidence is checkable on its own terms.

Why can't regulated firms just use public-cloud AI?

Many legally cannot send their data outside their own walls due to obligations like PRA SS2/21, UK GDPR special-category rules, the NHS DSP Toolkit, EU AI Act high-risk duties, ITAR and EAR, NIS Regulations, and the US CLOUD Act. Mickai runs on-prem and air-gapped so the data never crosses those boundaries.

Is Mickai available now or is this a roadmap?

Mickai is built and live, running inside the firm's own infrastructure, with Nomos and the other Studio modules operating on the shared OAR substrate. The company is building to scale, with a pre-seed window open to selected partners.

Originally published at https://mickai.co.uk/articles/nomos-continuous-compliance-mapping-on-prem. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.