MICKAI
Article · 1 July 2026

Sovereign AI for Payments Institutions and E-Money Firms: Intelligence Inside the PCI Boundary

Payments and e-money firms can run AI across onboarding, monitoring and disputes without moving cardholder or transaction data outside the PCI boundary.

Author: Micky Irons
Published: 1 July 2026

The data that runs payments cannot leave the building

A payments institution or e-money firm holds some of the most sensitive operational data in financial services: primary account numbers, transaction histories, device fingerprints, beneficiary details and the behavioural signals that separate a genuine customer from a mule account. The PCI DSS boundary exists precisely to keep that data contained, segmented and accountable. Most modern AI tooling asks you to do the opposite. It asks you to ship cardholder data, transaction streams and customer records out to a public-cloud model endpoint, accept a contractual assurance, and hope your scope assessment survives the next audit.

That trade is not acceptable for a regulated payments firm, and it should never have been the only option. Mickai removes the trade entirely.

Mickai is a sovereign AI operating system, an SIOS. It is AI that a regulated business owns and runs inside its own walls, on-premise and air-gapped, with every action written to a tamper-evident, post-quantum-signed audit record we call the OAR. For a payments institution that means the intelligence comes to the data. The data does not go to the intelligence. Onboarding, monitoring, fraud, AML and disputes all run inside the PCI boundary, on your own infrastructure, under your own keys. Nothing crosses the segmentation line. This is built and live today.

Intelligence inside the PCI boundary, end to end

The payments lifecycle is where AI earns its place, and where data residency matters most. Mickai is organised into Greek-named Studios, each a focused capability that runs inside your environment rather than a vendor's.

Onboarding and KYC sit with Nomos, our compliance Studio, working alongside Trust Agent for identity and document checks. Names, identity documents and verification decisions are processed where they live, and every decision is logged to the OAR with the evidence that supported it.

Transaction monitoring, fraud and AML run on Nemesis. This is the Studio built for adversarial signal: velocity anomalies, structuring patterns, account-takeover behaviour and mule-network topology. It scores transactions against your own typologies and your own historical data, in your own environment, in real time. The model improves on your data without your data ever becoming someone else's training set.

Disputes and chargebacks draw on Iris for customer interaction and Aletheia for the audit trail. When a cardholder raises a dispute, the firm needs a defensible reconstruction of what happened, who decided what, and on what evidence. Because every action is signed to the OAR, the dispute file assembles itself from a record you can prove was not altered.

Finance, forecasting and reporting are handled by Plutus and Prometheus, so treasury, settlement exposure and liquidity projections are produced without exporting ledgers. Underwriting and merchant risk sit with Tyche. Business intelligence runs on Pythia. Legal questions route to Astraea and Themis. Each Studio is a specialist, and they operate as one system under a single audit spine.

Why the regulatory boundary is the whole point

Payments firms do not live under PCI DSS alone. UK GDPR special-category and financial-data obligations, PRA expectations on operational resilience and outsourcing, the FCA's view on critical third parties, the EU AI Act's high-risk classification for systems that influence access to financial services, the NIS Regulations, and the extraterritorial reach of the CLOUD Act all bear on where data sits and who can compel access to it. Public-cloud AI puts a payments firm on the wrong side of most of those questions at once.

The sovereign-by-design answer is not a feature we bolted on. It is the architecture. Because Mickai runs on infrastructure you control, your data never enters a foreign jurisdiction, never sits under a provider subject to a foreign disclosure order, and never leaves the scope you have already assessed and certified. The OAR turns every model action into evidence: who asked, what the system saw, what it decided, and a post-quantum signature that proves the record has not been tampered with. For an examiner, that is the difference between asserting control and demonstrating it.

This is why the addressable wedge is so large. Around 0.85 million UK businesses, roughly 15 percent of the economy, and close to 5 million across the EU are effectively barred from putting regulated data through public-cloud AI. Payments and e-money firms sit squarely in that group. The sovereign AI market is estimated at around 40 billion US dollars in 2025 and is projected to reach roughly 148 billion by 2032. The firms in this category do not need convincing that the constraint is real. They live inside it every day.

A moat built on filings, not slideware

The capability is protected. Mickai LTD holds 104 filed UK patent applications spanning approximately 2,340 claims, with Micky Irons as inventor. These are filed, not granted, which establishes a priority date and a prior-art moat covering the sovereign-substrate, audit-record and orchestration techniques the platform is built on. Independent analysis maps 196 companies and 311 patent-company pairs as potential licensees of that estate, including names such as Microsoft, AWS, NVIDIA, Google, Adobe and IBM. That is potential-licensee sizing, not booked revenue, but it shows where this work sits in the landscape. The same hyperscalers a payments firm cannot safely send its data to are the firms whose architectures intersect with the moat.

That is the dual-buyer thesis, and it is deliberately not adversarial. Mickai is an ally to the broader AI ecosystem, not an OpenAI-killer. We make it possible for regulated firms to adopt AI that the public-cloud model cannot serve, and the same primitives that make that possible are licensable to the infrastructure providers themselves.

As a third-party momentum signal, Micky Irons ranked number four on Crunchbase as of June 2026, with the Mickai company profile in the top one to two percent globally. Mickai is a UK company with Birmingham manufacturing secured, building to scale.

The strategic picture

The economics follow the structure. A Year-5 revenue path to billions at high gross margin is underwritten by two things at once: the IP estate and dual-buyer demand. The Studios, Trust Agent, AMT, Vinis voice, OAR-as-a-Service and HELIOS hardware give a payments firm a complete sovereign stack rather than a point tool. This is the kind of category a hyperscaler would want to own, because owning it is the only way to serve the regulated firms it currently cannot reach.

For payments and e-money firms the question is simpler. You already know your data cannot leave the boundary. The only question is whether your AI respects that or fights it. Mickai respects it by design.

A narrow window, by selection

We are opening this capability to a selected group of payments and e-money partners ahead of broader availability. This is deliberate selection, not a queue. We work with a small number of firms that want sovereign AI inside their own walls, want it auditable to the standard their regulator expects, and want it now while the field is still being defined.

If that is your firm, write to me directly at micky@mickai.co.uk.

Micky Irons, founder and CEO of Mickai.

Frequently asked questions

Does Mickai move cardholder or transaction data outside the PCI boundary?

No. Mickai runs on your own infrastructure, on-premise and air-gapped. Onboarding, monitoring, fraud, AML and disputes all execute inside your environment under your own keys. No cardholder or transaction data crosses the segmentation line, which keeps your existing PCI scope intact.

How does Mickai help with audits and disputes?

Every model action is written to the OAR, a tamper-evident, post-quantum-signed audit record. That gives you a provable account of who asked, what the system saw and what it decided. Dispute files and examiner evidence assemble from a record you can demonstrate was not altered.

Which parts of the payments lifecycle does Mickai cover?

Onboarding and KYC through Nomos and Trust Agent, transaction monitoring and AML through Nemesis, disputes through Iris and Aletheia, finance and forecasting through Plutus and Prometheus, merchant and underwriting risk through Tyche, and business intelligence through Pythia. They operate as one system under a single audit spine.

Is Mickai available now or is this a roadmap?

It is built and live today. The sovereign substrate, the Studios and the OAR audit record are running, not planned. Mickai is building to scale, and is opening to a selected group of payments and e-money partners ahead of broader availability.

How is the technology protected?

Mickai LTD holds 104 filed UK patent applications spanning approximately 2,340 claims, with Micky Irons as inventor, covering the sovereign-substrate, audit-record and orchestration techniques. They are filed, not granted, which establishes a priority date and a prior-art moat.

Originally published at https://mickai.co.uk/articles/sovereign-ai-for-payments-institutions-and-emoney-firms. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.