MICKAI
Article · 1 July 2026

SM&CR and AI: Personal Accountability When a Model Touches a Regulated Decision

Under SM&CR a named Senior Manager owns the outcome even when a model made the call. The defensible position is an AI the firm owns, one that signs, attributes and can prove every regulated action it took.

Author: Micky Irons
Published: 1 July 2026
Tags: Sovereign AI, Mickai, Artificial Intelligence, Open Audit Record, Patents

By Micky Irons, founder and CEO of Mickai

The regime that does not care that a model decided

The Senior Managers and Certification Regime does something most technology procurement never anticipated. It attaches a human name to an outcome. When a customer is treated unfairly, when a suitability call goes wrong, when a financial promotion misfires, the FCA and PRA do not open an investigation into a software vendor. They open a file on the Senior Manager whose Statement of Responsibilities covered that decision. The Duty of Responsibility means that individual must show they took reasonable steps to prevent the failing. There is no clause that pauses when the decision was made by a model.

This is the quiet collision at the centre of enterprise AI in regulated markets. Firms are deploying models into credit, underwriting, complaints handling, communications and monitoring. Every one of those touchpoints sits inside someone's prescribed responsibility. Yet the mainstream deployment pattern is a call to a public model behind an API, where the firm cannot see the weights, cannot reconstruct the exact decision path, and cannot produce a tamper-evident record of what the model did on a given day at a given time. A Senior Manager cannot attest to reasonable steps over a process they cannot inspect.

Why the usual AI stack fails an SM&CR test

Reasonable steps is an evidential standard. It asks what you knew, what controls you had, and whether you could show they operated. A public-cloud model gives you a prompt, a response and a bill. It does not give you an immutable log of which internal knowledge the model was allowed to read, who authorised the action, which version of the model ran, and whether the output was altered afterwards. When a regulator asks a Head of Model Risk to evidence governance under SS1/23, or asks the Chief Compliance Officer to reconstruct a Consumer Duty outcome, best-efforts screenshots are not a control environment.

The deeper problem is attribution. If you cannot bind a specific action to a specific model identity, a specific human approval and a specific point in time, you cannot allocate accountability. And if you cannot allocate accountability, SM&CR has no anchor. The regime assumes a chain that ends in a named person. AI that runs as an opaque external service breaks that chain precisely where the regulator expects it to hold.

The Mickai answer: every regulated action is signed and attributable

Mickai is a sovereign AI operating system. It runs inside the firm's own walls, on-prem and air-gapped, so the model, the data and the decision never leave the perimeter the Senior Manager is responsible for. That alone changes the accountability picture, because the firm owns and can inspect the whole system rather than renting a black box.

The part that speaks directly to SM&CR is the Operational Audit Record, or OAR. Every action the system takes is written to a tamper-evident record and signed with ML-DSA-65, a post-quantum digital signature standard. Signing matters because it converts a log into evidence. A signed record proves the action happened, proves which model identity produced it (the signing key being bound to that identity), and proves the record has not been altered since it was signed. Hardware-bound identity means the signing key is tied to the machine and cannot be spoofed or lifted. Post-quantum signing means that evidence remains verifiable over the long retention horizons that regulated recordkeeping demands, rather than resting on cryptography a future computer could forge.

Underneath, 50 specialised brains operate under a single deterministic arbiter. Determinism is not a detail. It is what lets a firm reproduce a decision and show a regulator that the same inputs yield the same governed output, rather than a probabilistic guess that cannot be re-run. Where an action needs to be undone, compensating rollback provides a controlled, recorded reversal instead of an untraceable edit. Air-gapped retrieval means the model reasons only over knowledge the firm has explicitly admitted, so a Data Protection Officer can state exactly what the system could and could not see.

What each accountable role actually gets

For the Senior Manager holding the prescribed responsibility, the OAR is the reasonable-steps file, generated continuously rather than assembled after an incident. For the Head of Model Risk, deterministic execution and versioned model identity supply the model-governance evidence SS1/23 expects. For the Chief Compliance Officer, Consumer Duty outcomes become reconstructable, because every customer-facing action carries a signed trail of what was decided and why. For the Chief Risk Officer and the Board, operational resilience improves because the system runs inside owned infrastructure with recorded, reversible actions rather than an external dependency the firm cannot govern. For the General Counsel, attribution turns a defensive posture into an evidential one.

This is the difference between claiming you supervised an AI and being able to prove it.

Built and live, and where the wider case sits

The architecture is not a roadmap. It is built and live, and we are building to scale, with UK manufacturing secured in Birmingham. It is delivered through named Studios that map to regulated functions: Nemesis for fraud and AML, Plutus for finance, Tyche for underwriting, Nomos for compliance, Astraea for legal and Aletheia for audit. The OAR itself is also available as a service where a firm wants signed attribution across systems it already runs.

The market context is straightforward. Roughly 0.85 million UK businesses and around 5 million across the EU are legally constrained from putting regulated workloads on public-cloud AI, sitting under regimes from PRA SS2/21 to the EU AI Act and DORA. The sovereign AI market is projected to grow from around USD 40 billion in 2025 toward USD 148 billion by 2032. As a dated third-party signal, in June 2026 Micky Irons was verified at number 4 on Crunchbase, with the company placed in the global top one to two percent. Mickai holds 104 filed UK patent applications with roughly 2,340 claims, establishing priority and a prior-art position around exactly this architecture. These are filed, not granted, and are framed here as a priority and prior-art moat.

Mickai is built to sit alongside the AI a firm already values, not to replace the industry. The point is not that models are dangerous. The point is that when a model touches a regulated decision, a named human owns the result, and that human deserves a system that can prove what happened.

FAQ orientation

If SM&CR accountability over AI is on your risk register, the questions below are the ones a Senior Manager, a Head of Model Risk and a General Counsel tend to raise first. The short answers set out how a signed, attributable, air-gapped architecture responds to each.

Frequently asked questions

Does SM&CR accountability change when an AI model makes the decision?

No. The Senior Managers and Certification Regime attaches responsibility to a named individual for the outcomes within their Statement of Responsibilities, and there is no exemption for decisions made by a model. The Duty of Responsibility still requires that person to show reasonable steps. This is why an AI that cannot produce an attributable, tamper-evident record of what it did leaves the Senior Manager exposed.

What does reasonable steps mean when a model is in the decision loop?

Reasonable steps is an evidential standard. The Senior Manager must be able to show which controls were in place and that they operated. In an AI context that means being able to evidence which model version ran, what knowledge it was allowed to read, who authorised the action, and that the record has not been altered. Mickai generates that evidence continuously through the Operational Audit Record rather than reconstructing it after an incident.

How does the OAR support SS1/23 model risk governance?

The OAR pairs deterministic execution with versioned model identity, so the same inputs yield the same governed output and every action is bound to the model that produced it. A Head of Model Risk can reproduce a decision and evidence its governance, which is closer to what SS1/23 expects than probabilistic outputs that cannot be re-run.

Why does post-quantum signing matter for regulated recordkeeping?

Regulated records are retained for long horizons. Signing with ML-DSA-65, a post-quantum standard, keeps a record verifiable across those horizons rather than resting on cryptography a future computer could forge. Combined with hardware-bound identity, it means the signing identity is tied to the machine and cannot be spoofed.

Does Mickai replace the AI a firm already uses?

No. Mickai is designed to sit alongside the AI a firm already values, inside its own perimeter, so that regulated actions are signed and attributable. It is an ally to the wider AI a firm runs, not a replacement for the industry.

Originally published at https://mickai.co.uk/articles/sm-and-cr-personal-accountability-when-ai-touches-a-regulated-decision. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.