MICKAI
Article · 1 July 2026

Panacea Inside the Trust: Clinical Decision Support That Satisfies the NHS DSP Toolkit

Panacea runs clinical decision support entirely inside the trust, with patient data that never leaves the building, mapped to the NHS Data Security and Protection Toolkit and UK GDPR special-category duties.

Panacea Inside the Trust: Clinical Decision Support That Satisfies the NHS DSP Toolkit
Author
Micky Irons
Published
1 July 2026
Follow Micky Irons
LinkedInX
Sovereign AIMickaiArtificial IntelligenceOpen Audit RecordPatents

The problem the NHS keeps running into

Panacea Inside the Trust: Clinical Decision Support That Satisfies the NHS DSP Toolkit, illustration 1

Clinical decision support is one of the most useful things AI can do inside a hospital. Flagging sepsis early, surfacing a drug interaction, ranking a differential, prioritising a radiology worklist. The clinical case is settled. The blocker has never been the medicine. It is the data path.

Patient records are special-category data under UK GDPR. Trusts answer to the NHS Data Security and Protection Toolkit, to the Caldicott principles, and to a governance culture that asks one hard question of any new system: where does the data go. For most AI clinical tools the honest answer is that it leaves the trust, travels to a vendor cloud, gets processed on shared infrastructure, and returns. Once that sentence is on the table, the Data Protection Officer, the Caldicott Guardian, and the information governance lead all have a legitimate reason to say no. And they do.

Panacea, the clinical Studio inside Mickai, is built so that sentence is never on the table. The data does not leave the trust. That single design decision is what turns a stalled procurement into one that can clear governance.

What Panacea is

Panacea Inside the Trust: Clinical Decision Support That Satisfies the NHS DSP Toolkit, illustration 2

Panacea is the clinical decision support Studio within Mickai, the sovereign AI operating system. Mickai is AI that regulated organisations own and run inside their own walls, on-premises and air-gapped, with every action written to a tamper-evident, post-quantum-signed audit record we call the OAR. Built and live.

Panacea applies that architecture to the clinical setting. Models run on hardware physically inside the trust. Inference happens against patient data in place. Nothing is sent to an external endpoint, because there is no external endpoint to send it to. The output is the decision support a clinician sees at the point of care. The input never touches a third party. The trust owns the system, runs the system, and controls the system.

This is the opposite of the standard SaaS clinical-AI pattern. We are not asking a trust to trust us with its data. We are handing the trust a capability it operates itself.

Mapped to the DSP Toolkit, not bolted on afterward

Panacea Inside the Trust: Clinical Decision Support That Satisfies the NHS DSP Toolkit, illustration 3

Information governance teams do not want a pitch. They want evidence against a framework. The DSP Toolkit is that framework, and Panacea is designed to answer it directly.

Because processing happens on-premises, the data-flow questions resolve cleanly. There is no third-party processor to add to the record of processing activities for the inference path. There is no international transfer to assess, which removes the CLOUD Act exposure that follows any US-headquartered cloud vendor regardless of where the region is hosted. Access is controlled by the trust inside its own perimeter.

The audit requirements are where Panacea goes further than the framework asks. Every action Mickai takes is written to the OAR, the tamper-evident, post-quantum-signed audit record. For a clinical system that means every model invocation, every piece of context retrieved, and every recommendation surfaced is logged in a record that cannot be quietly altered after the fact. When an auditor, a coroner, or a regulator asks what the system did and why, the answer is a signed, immutable trail rather than a vendor assurance. That is the difference between claiming accountability and being able to prove it.

UK GDPR special-category processing gets the same treatment. The lawful basis, the purpose limitation, and the data minimisation duties are all easier to satisfy when the data never moves and every access is recorded. Governance teams stop fighting the architecture and start working with it.

Why on-premises is the honest answer

Panacea Inside the Trust: Clinical Decision Support That Satisfies the NHS DSP Toolkit, illustration 4

There is a recurring argument that a well-configured cloud region is good enough for health data. For a great many UK trusts it is not, and the reasons are structural rather than reputational.

The CLOUD Act gives US authorities a route to data held by US-headquartered providers wherever that data physically sits. NIS Regulations raise the bar for operators of essential services, and a hospital is exactly that. The combination of special-category data, a public-sector duty of confidentiality, and a hostile threat environment means a meaningful slice of the NHS estate cannot responsibly put live patient data on shared public-cloud AI infrastructure. This is not caution for its own sake. It is the law and the threat model talking.

This is the same wedge Mickai is built around across every regulated sector. Roughly 0.85 million UK businesses and around 5 million across the EU are effectively barred from public-cloud AI by rules like UK GDPR special-category, the NHS DSP Toolkit, PRA SS2/21, the EU AI Act high-risk regime, and NIS. The sovereign AI market sized at around USD 40 billion in 2025 is on a path to roughly USD 148 billion by 2032. Healthcare is one of the heaviest concentrations of that demand, because few sectors carry more special-category data per transaction than medicine.

Mickai is the ally, not the disruptor

Panacea Inside the Trust: Clinical Decision Support That Satisfies the NHS DSP Toolkit, illustration 5

Panacea is not here to replace the clinical teams, the EPR, or the frontier labs doing extraordinary model research. Mickai is the layer that lets a trust use advanced AI on data it is legally obliged to keep inside its own walls. We sit alongside the existing estate and handle the sovereignty problem the cloud cannot. That is a complementary role, and it is deliberately so.

It is also part of a wider estate. Panacea is one of a family of Greek-named Studios built on the same sovereign substrate: Nemesis for fraud and AML, Plutus for finance, Tyche for underwriting, Prometheus for forecasting, Nomos and Astraea for compliance and legal, Pythia for business intelligence, Aletheia for audit, and more. A trust that adopts Panacea is adopting an architecture, not a point tool, and the same governance posture extends to every other regulated workload it runs.

The moat and the momentum

Panacea Inside the Trust: Clinical Decision Support That Satisfies the NHS DSP Toolkit, illustration 6

The reason this is defensible rather than easily copied is the IP estate underneath it. Mickai LTD holds 104 filed UK patent applications carrying roughly 2,340 claims, with Micky Irons as inventor. Filed, not granted, which gives a priority date and a prior-art moat over the sovereign, on-premises, audited-AI architecture that Panacea depends on. The same estate maps to 196 companies and 311 patent-company pairs as potential licensees, a sizing exercise that includes the largest names in the industry. That is potential-licensee sizing, not signed revenue, and we are clear about the distinction.

As a third-party momentum signal, Micky Irons was ranked number four on Crunchbase as of June 2026, with the Mickai company profile in the global top one to two percent. We are a UK company with Birmingham manufacturing secured, building to scale and heading for the top.

Where this is heading

Panacea is built and live. The architecture clears the questions that stall ordinary clinical-AI procurement, because the honest answer to where does the data go is that it never leaves the trust. The economics follow the same logic as the rest of Mickai: a Year 5 revenue path to billions at high gross margin, underwritten by the IP estate and the dual-buyer thesis of regulated operators on one side and the hyperscalers who would want to own this category on the other. This is the kind of category a hyperscaler would want to own.

We are working with a small number of NHS partners and strategic collaborators while the window is genuinely early. If your trust, your integrator, or your thesis touches sovereign clinical AI, the line is open.

Micky Irons, founder and CEO of Mickai. Reach me directly at micky@mickai.co.uk.

Frequently asked questions

Does patient data leave the trust when using Panacea?

No. Panacea runs on hardware physically inside the trust and performs inference against patient data in place. There is no external endpoint, so nothing is sent to a vendor cloud or shared infrastructure.

How does Panacea map to the NHS DSP Toolkit?

Because processing is on-premises, the data-flow questions resolve cleanly: no third-party processor on the inference path, no international transfer to assess, and access controlled inside the trust's own perimeter. Every action is also written to the OAR, a tamper-evident, post-quantum-signed audit record.

Why does on-premises matter for NHS data specifically?

The CLOUD Act exposes data held by US-headquartered providers regardless of region, and NIS Regulations apply to hospitals as operators of essential services. Combined with special-category data and a public-sector duty of confidentiality, a meaningful slice of the NHS estate cannot responsibly place live patient data on shared public-cloud AI infrastructure.

Is Panacea a standalone product?

Panacea is one of a family of Greek-named Studios on the same sovereign Mickai substrate. Adopting it means adopting an architecture whose governance posture extends to other regulated workloads, alongside the existing EPR and clinical estate rather than replacing them.

What is the OAR?

The OAR is Mickai's tamper-evident, post-quantum-signed audit record. For a clinical system it logs every model invocation, every retrieved context, and every recommendation in a signed, immutable trail that cannot be quietly altered after the fact.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/panacea-clinical-decision-support-under-nhs-dsp-toolkit. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles