MICKAI®
Article · 11 July 2026

What should a nuclear operator require from AI on safety-critical and security data?

Nuclear operators should require AI that runs offline on owned hardware, air gapped and sealed, so safety-critical and security data never leaves site.

What should a nuclear operator require from AI on safety-critical and security data?
Author
Micky Irons
Published
11 July 2026
Follow Micky Irons
LinkedInX
sovereign ainuclear operatorsonr complianceair-gapped aisafety-critical data

A nuclear operator should require artificial intelligence that runs entirely on operator-owned hardware inside the licensed site boundary, with a verified air gap so no safety-critical or nuclear security data can leave. Updates should arrive one way, every model and human action should carry hardware-attested identity, and every safety or security decision should be written to a tamper-evident, cryptographically sealed record that an ONR inspector can verify offline. The reason is direct: sensitive nuclear information and public cloud AI cannot be safely reconciled: sending it off site creates both a physical exposure and an unacceptable legal risk, so the intelligence must come to the data, not the reverse.

This matters more in 2026 because operators are under pressure to use AI for outage planning, ageing plant analysis, security monitoring and document control, while the rules on where regulated data may sit have tightened. The Office for Nuclear Regulation holds operators to standards that assume information stays under national control. A prompt sent to a data centre in another jurisdiction is not a small compliance gap; it can amount to a reportable loss of control.

Why can a nuclear operator not use public cloud AI?

Public cloud AI services such as ChatGPT, Claude and Gemini process prompts on infrastructure the operator does not own and cannot inspect. For ordinary business that is acceptable; for safety-critical and nuclear security data it is not, for three reasons. First, sending the data off site is itself the exposure a regulator would treat as a serious loss of control. Second, foreign-owned infrastructure can be reached by legislation such as the United States CLOUD Act, which can compel disclosure of data held anywhere. Third, the operator cannot prove to a regulator what happened to information once it left the perimeter. Sovereign AI removes the question: the data never leaves.

What should a nuclear operator require from AI on safety-critical and security data?, illustration 1

How does a verified air gap actually work?

An air gap is only meaningful if it is verifiable. Our SIOS runs on hardware inside the site with a zero-egress inbound perimeter: the network path lets information in under control and lets nothing out. Model updates, threat signatures and reference data arrive one way, through a data diode or equivalent transfer that cannot carry a return channel. Nothing an operator types, and nothing the models infer, has a route to the public internet. The air gap is not a policy staff must remember; it is an enforced property of the architecture.

What should a nuclear operator require from AI on safety-critical and security data?, illustration 2

What can an ONR inspector or auditor check?

Every action inside the system, from each query to each model output and human approval, is written to an append-only audit ledger. The ledger is sealed with post-quantum digital signatures under FIPS 204 (ML-DSA) as the primary standard, with FIPS 205 (SLH-DSA) available as a stateless hash-based alternative. These are signature standards, so any later edit, deletion or reordering breaks the chain and is immediately visible. An inspector can verify the record on site, with no network connection and no trust in the vendor, because verification is a mathematical check against the signatures.

For a nuclear operator, the only defensible position is that the intelligence runs where the data already lives, sealed and inspectable, and never leaves the site.

What should a nuclear operator require from AI on safety-critical and security data?, illustration 3

Which rules make this necessary?

Several regimes point the same way. The operator holds its site licence under the Nuclear Installations Act, and the ONR Security Assessment Principles and the Nuclear Industries Security Regulations govern how sensitive nuclear information is handled. DORA, in force since January 2025, requires control over digital operational resilience, and NIS2 extends security and reporting duties to essential and important entities, a category that includes energy. GDPR governs any personal data, and ISO/IEC 42001 sets a management standard for AI systems. On the EU AI Act, the high-risk obligations under Annex III once due on 2 August 2026 have been deferred by the Digital Omnibus to 2 December 2027, with embedded high-risk systems under Annex I moving to 2 August 2028 and the Article 50 transparency duties largely unchanged. We read that as a build window, not a reprieve.

What should a nuclear operator require from AI on safety-critical and security data?, illustration 4

How do you trust the AI's answer on a safety-critical decision?

A single model can be confidently wrong, which is unacceptable when the output informs a safety case. Our design runs cross-model consensus: several sovereign models answer the same question independently, and disagreement is surfaced, so an engineer sees where they diverge before relying on the result. Each answer is bound to hardware-attested identity, so the specific machine, model and authorised person are cryptographically recorded against the decision in the ledger. Accountability is anchored in that same sealed chain, not a log file that could be edited.

What should be on the procurement checklist?

An operator can reduce this to pass or fail tests:

  • Does the AI run entirely on operator-owned hardware inside the licensed boundary, with no dependency on an external service?
  • Is the air gap verifiable, with a zero-egress perimeter and one-way updates that can be demonstrated?
  • Is every safety and security decision written to a post-quantum signed, append-only ledger that verifies offline?
  • Is each action bound to hardware-attested identity for the machine, model and person?
  • Can an ONR inspector reproduce and check the full record without trusting the vendor or connecting to a network?

Mickai is a Sovereign Intelligence Operating System (SIOS) built to meet these tests, backed by 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD; never granted or patented. The point is not the count, but that a nuclear operator keeps the intelligence, the data and the proof under its own control.

Frequently asked questions

Can a nuclear operator legally use ChatGPT or other public cloud AI for safety-critical work?

No, not for safety-critical or nuclear security data. Sending it to a public cloud service moves it outside the operator's control and national jurisdiction, which conflicts with ONR security expectations and exposes it to foreign legislation such as the US CLOUD Act. Public cloud AI can be used for ordinary administrative tasks, but not for information that touches the safety case or site security.

What is a verified air gap and how is it different from a firewall?

A firewall filters traffic that could still flow both ways. A verified air gap enforces that data can enter under control and cannot leave, often through a data diode that is physically one-way, and the operator can demonstrate that zero-egress property rather than trust a configuration. For nuclear data the distinction matters: a misconfigured firewall can leak, whereas a one-way path cannot carry a return channel.

How does an ONR inspector verify an AI audit trail offline?

Every action is written to an append-only ledger sealed with post-quantum digital signatures under FIPS 204, with FIPS 205 as an alternative. Verification is a mathematical check of those signatures, so an inspector can confirm on site, with no network and no trust in the vendor, that no record has been altered, deleted or reordered, because any tampering breaks the signature chain and is immediately visible.

Does the EU AI Act deferral to 2027 mean nuclear operators can wait?

We do not read it that way. The high-risk Annex III obligations once due on 2 August 2026 were deferred by the Digital Omnibus to 2 December 2027, with embedded Annex I high-risk systems moving to 2 August 2028. That is extra time to build the controls properly, not permission to defer them. The controls take real engineering, so the window is best used now.

What is sensitive nuclear information and why does it change AI requirements?

Sensitive nuclear information covers data whose disclosure could aid an attack on a nuclear site or material, governed under the Nuclear Industries Security Regulations and overseen by the ONR. Because its exposure is a security risk in itself, it cannot be processed on infrastructure the operator does not control. That is why AI for this data must run offline, on owned hardware, with a sealed and inspectable record of every use.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/sovereign-ai-for-nuclear-operators-and-the-onr-safety-critical-data-offline. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles