MICKAI
Article · 11 July 2026

Sovereign AI for Pension Funds and Asset Managers: What to Require Before It Touches Fiduciary and Trading Data

Before AI touches fiduciary or trading data, require an offline model, zero-egress perimeter, and a sealed audit chain a regulator can replay years later.

Sovereign AI for Pension Funds and Asset Managers: What to Require Before It Touches Fiduciary and Trading Data
Author
Micky Irons
Published
11 July 2026
Follow Micky Irons
LinkedInX
sovereign aipension fundsasset managementfiduciary dutyfca compliance

A pension fund or asset manager should require, before any AI touches fiduciary or trading data, three things: that the model runs on infrastructure the firm controls, that no data leaves that perimeter, and that every AI-assisted decision is sealed into a tamper-evident record the firm can replay to a regulator years later. The reason is fiduciary duty. A trustee who cannot show how a decision was reached, and cannot prove the underlying data never left the building, cannot demonstrate that the decision was made in members' best interests.

This matters more in 2026 than it did two years ago. Public AI services such as ChatGPT, Claude and Gemini send prompts to servers the firm does not control, which turns pre-trade and member data into an egress problem the market abuse regime was never designed to forgive. At the same time DORA, in force since January 2025, now binds financial firms to prove operational resilience across their whole technology supply chain, and the shifted EU AI Act deadlines give firms a window to build these controls properly rather than bolt them on later.

What should a fund require before AI touches fiduciary data?

Set the bar as a procurement checklist, not a vague policy. Before a single prompt runs against fiduciary or trading data, we would require every item below to be demonstrable, not promised.

  • The model runs offline on operator-owned hardware, not a shared cloud tenancy.
  • A zero-egress inbound perimeter: data can enter for processing, nothing leaves.
  • Hardware-attested identity for every user and agent, bound to the audit record.
  • A post-quantum signed audit ledger that seals every prompt, retrieval and output.
  • Operator-owned, offline infrastructure with no US-based provider holding or controlling the data, so there is no third party the US CLOUD Act can compel to disclose it.
  • Named human accountability, under the Senior Managers and Certification Regime, for every automated action.

The pass mark is one plain test. If you cannot replay the exact inputs, model version and reasoning behind a decision to a regulator in five years, the system is not fit for fiduciary data.

Sovereign AI for Pension Funds and Asset Managers: What to Require Before It Touches Fiduciary and Trading Data, illustration 1

How does this stop material non-public information from leaking?

Material non-public information is the sharpest risk in the whole question. A research prompt that includes a draft position, a corporate access note or an unannounced allocation is MNPI the moment it is typed. Sent to a public service, it has left the firm's control and may be retained, logged or used to train a third party's model. A Sovereign Intelligence Operating System closes that path by design: the model sits inside the firm's perimeter, the data never egresses, and nothing the firm holds is ever exposed to an outside operator. There is no external endpoint to leak to.

Sovereign AI for Pension Funds and Asset Managers: What to Require Before It Touches Fiduciary and Trading Data, illustration 2

What can an auditor check years after a trade?

Everything that shaped the decision. A sealed audit chain records, for each AI-assisted output, the exact prompt, the documents retrieved, the model version and configuration, the generated answer, the human who signed off, and a trusted timestamp. Each entry is cryptographically signed and appended so it cannot be altered after the fact. An auditor, a compliance officer or the FCA can replay the decision as it happened, not a reconstruction. This is the difference between saying a model was used and proving what it did.

An AI-assisted investment decision that cannot be proven to a regulator years after the fact is not a decision a fiduciary should be making.

Sovereign AI for Pension Funds and Asset Managers: What to Require Before It Touches Fiduciary and Trading Data, illustration 3

Which rules make this necessary?

Several regimes point the same way. The FCA expects firms to act in clients' best interests and to evidence it. The PRA expects operational resilience and clear accountability. The Senior Managers and Certification Regime puts a named person on the hook for each function, which an unauditable model makes impossible to satisfy. The market abuse regime treats MNPI handling as a control obligation. DORA extends all of this to ICT and third-party risk. GDPR governs member data. ISO/IEC 42001 gives a management-system baseline for AI itself.

On the EU AI Act, read the current position carefully. The high-risk Annex III obligations, once due on 2 August 2026, were deferred by the Digital Omnibus to 2 December 2027, with embedded Annex I high-risk uses moving to 2 August 2028 and the Article 50 transparency duties largely unchanged. We read that as a build window, not a reprieve.

Sovereign AI for Pension Funds and Asset Managers: What to Require Before It Touches Fiduciary and Trading Data, illustration 4

How does the sealed audit chain actually work?

Four mechanisms carry the weight. Hardware-attested identity ties every action to a specific device and person, so provenance is not merely a username. A post-quantum signed ledger uses FIPS 204 (ML-DSA) signatures, so signatures written today still hold when quantum attacks make older schemes brittle. An append-only structure means an entry, once sealed, cannot be quietly edited. Cross-model consensus routes high-stakes outputs through more than one sovereign model and records where they agree and diverge, so a single model's error is visible rather than silent. The architecture behind this is the subject of 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD; never granted or patented.

What should you ask a vendor first?

Ask the questions that separate architecture from marketing. Where does our data physically sit during inference. Can you show a network capture proving zero egress. Is the audit ledger cryptographically signed, and with which algorithms. Can a decision from twelve months ago be replayed in full. Who is legally accountable if the model errs. If a vendor answers any of these with a shared-cloud arrangement or a logging feature rather than a sealed, offline, operator-owned design, the fiduciary risk sits with the firm, not the vendor.

Frequently asked questions

Can a pension fund use ChatGPT for investment research?

Not on fiduciary or pre-trade data. Public services such as ChatGPT, Claude and Gemini process prompts on infrastructure the firm does not control, so anything sensitive typed into them has left the firm's perimeter. For general, non-confidential background reading they can be useful, but any material non-public information or member data should stay inside a system the firm owns and can audit.

What is material non-public information in an AI context?

It is any price-sensitive information not yet public: a draft trade, an unannounced allocation, a corporate access note, a merger rumour under review. In an AI context the risk is that this information enters a prompt and is then transmitted, retained or used to train an outside model. Keeping the model offline and inside the firm's perimeter removes the transmission step entirely.

Does DORA apply to AI systems used by asset managers?

Yes. DORA has been in force since January 2025 and covers ICT risk and third-party dependencies across financial firms. An AI system that handles trading or fiduciary data is ICT within scope, so its resilience, its supply chain and its failure modes must be evidenced. A sovereign, offline design reduces third-party dependency, which is exactly what DORA pushes firms toward.

Is the EU AI Act high-risk deadline still 2 August 2026?

No. The high-risk Annex III obligations once due on 2 August 2026 were deferred by the Digital Omnibus to 2 December 2027. Embedded Annex I high-risk uses move to 2 August 2028, while the Article 50 transparency duties are largely unchanged. Firms should treat the extra time as a window to build proper controls rather than a reason to delay.

How do you prove an AI-assisted trade to the FCA years later?

With a sealed audit chain. Every prompt, retrieved document, model version, output and human sign-off is cryptographically signed, timestamped and stored append-only, so the decision can be replayed exactly as it happened. Because the signatures use post-quantum algorithms, the record stays verifiable for the full retention period rather than degrading as cryptography ages.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/sovereign-ai-for-pension-funds-and-asset-managers-fiduciary-data. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles