MICKAI
Article · 1 July 2026

Nomos and the EU AI Act: Continuous High-Risk Conformity Mapping Without Data Egress

The Nomos compliance Studio maps controls to EU AI Act high-risk obligations continuously and entirely on-prem, turning a moving regulatory target into a living, auditable system of record.

Author: Micky Irons
Published: 1 July 2026
Tags: Sovereign AI, Mickai, Artificial Intelligence, Open Audit Record, Patents

The conformity problem nobody solved for regulated buyers


The EU AI Act is not a one-time certificate. For high-risk systems it is a standing obligation: a risk-management system that runs across the lifecycle (Article 9), data governance you can evidence (Article 10), technical documentation kept current (Article 11), record-keeping that survives audit (Article 12), human oversight that is real rather than nominal (Article 14), and accuracy, robustness, and cybersecurity you can demonstrate on demand (Article 15). The obligations move. Guidance shifts, harmonised standards land, your own models retrain, your data pipelines change. A static binder of policies signed last quarter does not describe the system running today.

Most compliance tooling answers this by shipping your evidence to someone else's cloud. Logs, model cards, training-data lineage, incident records, the very artefacts that prove conformity, leave your walls to be assessed by a third-party SaaS. For a bank under PRA SS2/21, a hospital inside the NHS DSP Toolkit, or any operator holding UK GDPR special-category data, that egress is the problem, not the solution. You cannot demonstrate sovereignty over a high-risk AI system by exporting the audit trail to a jurisdiction the CLOUD Act can reach.

Nomos, the compliance Studio inside Mickai, was built to close that gap. It maps your controls to EU AI Act high-risk obligations continuously, and it does the whole of it inside your own walls.

What Nomos actually does


Nomos is one of the Greek-named Studios that run on Mickai, the sovereign AI operating system. Mickai is AI that regulated businesses own and run on-prem or air-gapped, with every action written to a tamper-evident, post-quantum-signed audit record we call the Open Audit Record (OAR). Nomos uses that substrate to turn compliance from a periodic project into a live system of record.

It works on three moves.

First, it holds a structured model of the obligations themselves. The high-risk requirements under the Act, together with the connected duties under UK GDPR and the NIS Regulations and sector rules such as PRA SS2/21 and the NHS DSP Toolkit, are represented as a control framework rather than a PDF. When guidance updates or a harmonised standard is published, the framework updates, and every mapping downstream inherits the change.

Second, it maps your real controls to those obligations and keeps the mapping current. Nomos reads the operational signals already flowing through Mickai: which model version is in production, what data governance gates fired, who exercised human oversight on which decision, what the logging and monitoring picked up. Each obligation is bound to live evidence, not to a description of evidence. A control that has drifted out of conformity shows as drifted the moment it drifts, not at the next annual review.

Third, it produces the documentation. Technical documentation, conformity records, the lifecycle risk-management file, and the logs an auditor or notified body will ask for are generated from the live state and signed into the OAR. Because the record is tamper-evident and post-quantum-signed, you are not asking anyone to trust a screenshot. You are handing them a cryptographically verifiable history.

Continuous, not quarterly


The phrase that matters is continuous conformity. A high-risk system is conformant only while it stays conformant. Retrain a model and your accuracy and robustness evidence is stale until refreshed. Change a data source and your data-governance attestation needs to follow. Most organisations discover these gaps during an audit, which is the worst possible time.

Nomos collapses the distance between the system as it runs and the system as it is documented. The audit record is generated from operations rather than reconstructed after them. That changes the economics of compliance: instead of a large periodic spend to assemble a snapshot, you hold a standing system of record that is always current and always exportable for inspection. When a regulator or a notified body asks how a decision was reached on a given date, the answer already exists, signed and timestamped.
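The two mechanisms described above, evidence bound to the operational signals it was produced against (the "second move") and a signed, tamper-evident record generated from operations (the "third move" and this section), can be sketched in a few dozen lines. The following Python is an added illustration, not Nomos or Mickai code and not a description of the OAR's actual format: the obligation identifiers, evidence schema, signal names and sample values are all constructed, and SHA-256 chaining with an HMAC tag stands in for the page's post-quantum signatures.

```python
"""Continuous conformity as data: obligations bound to live signals, plus a
tamper-evident, hash-chained record of every check.

Added illustration only; this is not Mickai or Nomos code. Obligation ids,
evidence schema, signal names and the sample values are all constructed.
SHA-256 chaining with an HMAC tag stands in for the page's post-quantum-signed
OAR; it is not that scheme.
"""
import hashlib
import hmac
import json

# Constructed control framework: each obligation names the operational
# signals its evidence is only valid against. A change in any of them means
# the bound evidence no longer describes the running system.
OBLIGATIONS = {
    "AIA-Art15-accuracy-robustness": ["model_version", "eval_dataset_digest"],
    "AIA-Art10-data-governance": ["training_data_digest"],
    "AIA-Art14-human-oversight": ["model_version"],
}


def conformity_status(evidence, live):
    """Compare the signals each evidence artefact was produced against with the
    signals in production now. Returns {obligation: (status, changed_signals)}."""
    report = {}
    for obligation, signals in OBLIGATIONS.items():
        bound = evidence.get(obligation)
        if bound is None:
            report[obligation] = ("missing", signals)
            continue
        changed = [s for s in signals if bound["bound_to"].get(s) != live.get(s)]
        report[obligation] = ("conformant", []) if not changed else ("drifted", changed)
    return report


class ChainedRecord:
    """Append-only log where each entry commits to its predecessor's digest.
    Editing, deleting or reordering any entry breaks verification from that point."""

    GENESIS = "0" * 64

    def __init__(self, key):
        self.key = key  # constructed demo key; a real OAR would use asymmetric signatures
        self.entries = []

    @staticmethod
    def _digest(prev, payload):
        body = json.dumps({"prev": prev, "payload": payload}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()

    def append(self, payload):
        prev = self.entries[-1]["digest"] if self.entries else self.GENESIS
        digest = self._digest(prev, payload)
        tag = hmac.new(self.key, digest.encode(), "sha256").hexdigest()
        self.entries.append({"prev": prev, "payload": payload, "digest": digest, "tag": tag})
        return digest

    def verify(self):
        """Return (True, n) for an intact chain of n entries, else (False, i) with
        i the index of the first entry that fails."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            expected_tag = hmac.new(self.key, e["digest"].encode(), "sha256").hexdigest()
            if (e["prev"] != prev
                    or self._digest(e["prev"], e["payload"]) != e["digest"]
                    or not hmac.compare_digest(expected_tag, e["tag"])):
                return False, i
            prev = e["digest"]
        return True, len(self.entries)


def run_demo():
    """Walk the retrain scenario: evidence conformant, model retrained, drift
    surfaces at once, then an attempt to edit the record is caught."""
    live = {  # constructed production signals
        "model_version": "credit-scoring-v3",
        "eval_dataset_digest": "sha256:aa11",
        "training_data_digest": "sha256:bb22",
    }
    # Each artefact records the signals it was produced against.
    evidence = {
        "AIA-Art15-accuracy-robustness": {"artefact": "eval-report-2026-q2", "bound_to": dict(live)},
        "AIA-Art10-data-governance": {"artefact": "lineage-manifest-2026-q2", "bound_to": dict(live)},
        "AIA-Art14-human-oversight": {"artefact": "override-log-2026-q2", "bound_to": dict(live)},
    }
    record = ChainedRecord(b"constructed-demo-key")

    before = conformity_status(evidence, live)
    record.append({"event": "conformity_check", "live": live, "status": before})

    live = dict(live, model_version="credit-scoring-v4")  # a retrain lands in production
    after = conformity_status(evidence, live)             # accuracy and oversight evidence now stale
    record.append({"event": "conformity_check", "live": live, "status": after})

    intact, _ = record.verify()
    # Someone tries to make the drifted check read as conformant after the fact.
    record.entries[1]["payload"]["status"] = {o: ["conformant", []] for o in OBLIGATIONS}
    still_intact, first_bad = record.verify()
    return before, after, intact, still_intact, first_bad


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of the sketch is the shape, not the primitives: evidence carries the identity of what it was measured against, so a retrain marks the accuracy and oversight evidence stale without anyone re-reading a binder, while the data-governance evidence, which the retrain did not touch, stays conformant. The record then makes the second check unfalsifiable after the fact, because rewriting it invalidates its digest and every later entry. Swapping the HMAC for a real signature scheme changes who can verify, not this structure.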

Why on-prem is the whole point


The wedge here is structural. Roughly 0.85 million UK businesses, around fifteen percent, and close to five million across the EU, operate under rules that keep regulated workloads off public-cloud AI. The constraints are not preferences. They are PRA SS2/21, UK GDPR special-category handling, the NHS DSP Toolkit, EU AI Act high-risk duties, ITAR and EAR, the NIS Regulations, and the cross-border reach of the CLOUD Act. For these operators, a compliance tool that requires data egress is disqualified before the evaluation starts.

Nomos runs where the data already lives, inside the operator's own infrastructure, air-gapped where required. The evidence never leaves. The conformity mapping, the documentation generation, and the signed record all happen locally. That is what makes the system of record genuinely auditable: there is no third party in the chain who could have altered it, and no foreign jurisdiction that could compel its disclosure.

This is also why we describe Mickai as an ally rather than a competitor to the large model providers. The hyperscalers serve the unregulated majority well. Nomos and the Studios serve the regulated cohort that those platforms structurally cannot reach. The sovereign AI market sat at roughly USD 40 billion in 2025 and is tracked toward USD 148 billion by 2032. The buyers in that market are defined by exactly the constraints Nomos is built around.

A defensible position, not a feature


Continuous on-prem conformity sits on a deep technical estate. Mickai holds 104 filed UK patent applications spanning roughly 2,340 claims, filed in the name of Mickai LTD with Micky Irons as inventor. Filed is the operative word: this is a priority and prior-art moat, the early ground in sovereign AI infrastructure. The OAR substrate, the air-gapped runtime, and the control-mapping architecture that Nomos depends on are part of that estate.

That estate has a second buyer. We have identified 196 companies and 311 patent-company pairs as potential licensees, including names you would expect at the centre of this market, among them Microsoft, AWS, NVIDIA, Google, Adobe, and IBM. That is potential-licensee sizing, a measure of where the architecture intersects with the industry's direction, and it speaks to why this is a category a large platform would rather own than build against.

The momentum is showing externally. As of June 2026, Micky Irons is ranked number four on Crunchbase, with Mickai placing in the top one to two percent of companies globally. That is a third-party signal, not our own claim, that the market is taking the sovereign thesis seriously. Mickai is a UK company with Birmingham manufacturing secured, built and live, and building to scale.

Where Nomos fits in the platform


Nomos is one Studio in a working platform that also runs Nemesis for fraud and AML, Plutus for finance, Tyche for underwriting, Prometheus for forecasting, Panacea for clinical work, Astraea for legal, and Aletheia for audit, all on the same sovereign substrate with the same signed record underneath. The compliance layer is not bolted on. It is native to how the system runs.

For regulated operators the proposition is direct: continuous EU AI Act conformity, mapped to your real controls, with no data leaving your walls. For those weighing the wider picture, the IP estate and the dual-buyer thesis underwrite the enterprise value, and the category is one a hyperscaler would have reason to own. If your obligations are high-risk and your data cannot leave your walls, Nomos was built for you.

Reach me directly at micky@mickai.co.uk.

Micky Irons, founder and CEO of Mickai.

Frequently asked questions

What is Nomos?

Nomos is the compliance Studio inside Mickai, the sovereign AI operating system. It maps an operator's real controls to EU AI Act high-risk obligations continuously and entirely on-prem, generating technical documentation and conformity records that are signed into a tamper-evident, post-quantum-signed audit record (the OAR).

Does Nomos send any data to the cloud?

No. Nomos runs inside the operator's own infrastructure, air-gapped where required. The conformity mapping, the documentation generation, and the signed audit record all happen locally. The evidence never leaves your walls, which is what makes the system of record genuinely auditable and free from foreign-jurisdiction disclosure.

What does continuous conformity mean in practice?

A high-risk system is conformant only while it stays conformant. Nomos binds each obligation to live operational evidence, so a control that drifts out of conformity shows as drifted the moment it drifts, not at the next annual review. The audit record is generated from operations rather than reconstructed after them.

Which regulations does Nomos map to?

EU AI Act high-risk requirements alongside connected duties under UK GDPR, NIS Regulations, and sector rules such as PRA SS2/21 and the NHS DSP Toolkit. Obligations are held as a control framework, so when guidance or a harmonised standard updates, every downstream mapping inherits the change.

Who is Nomos built for?

Regulated operators whose rules keep workloads off public-cloud AI, including banks, healthcare providers, and any organisation handling special-category or export-controlled data. For these operators, a compliance tool that requires data egress is disqualified before the evaluation starts.


Originally published at https://mickai.co.uk/articles/nomos-eu-ai-act-high-risk-conformity-on-prem. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.