What should a sovereign wealth fund require before using AI on its holdings and strategy data?
Run any AI offline on hardware the fund owns, behind a zero egress perimeter, with every decision written to a verifiable post-quantum signed ledger.
A sovereign wealth fund should require any AI that touches its holdings or strategy data to run offline on hardware the fund itself owns, behind a zero-egress inbound perimeter that lets prompts in but sends nothing out, with every AI-assisted decision written to a post-quantum signed audit ledger the fund can verify without trusting a vendor. That is the bar because a fund's positions and rebalancing intent are market-moving, material non-public information and often national-interest sensitive, so a single silent exfiltration, or a decision that cannot be proved, is a sovereign-scale loss, not a support ticket.
This matters now because the useful AI and the safe AI have split apart. The models a fund wants for research and scenario work are, by default, hosted services like ChatGPT, Claude and Gemini, and every prompt sent to them leaves the building. A state asset owner cannot put its book, its counterparties or its geopolitical positioning into a system it neither controls nor audits.
Why can a sovereign wealth fund not simply use a public AI service?
Because the data is the problem, not the prompt. A fund's holdings, hedges and rebalancing schedule are price-sensitive and, in most jurisdictions, material non-public information. Sending that to a third-party model processes it on infrastructure the fund does not own, under contracts it cannot fully see, under foreign legal reach: the US CLOUD Act, for example, can compel a US-headquartered provider to disclose data it holds regardless of where the servers sit. Enterprise tiers and retention promises narrow the surface, they do not remove it: the data still crosses a boundary the fund cannot police.
What does sovereign AI actually mean for a state asset owner?
It means the intelligence comes to the data, and the data never leaves. A fund should require four properties: the system runs offline on hardware the operator owns; a zero-egress inbound perimeter lets research in while no prompt, embedding or output flows out; every human and agent carries a hardware-attested identity the ledger records; and the models are sovereign, held and run by the fund, so there is no external call to fail or leak. Mickai is a Sovereign Intelligence Operating System, a SIOS, built to this shape, with every action cryptographically sealed.
What can an auditor or regulator actually check?
The sealed ledger, independently, without trusting the vendor. Every AI-assisted action, the prompt, the model used, the retrieved context, the human who approved it and the output, is written to an append-only chain and signed. The signatures use the NIST post-quantum standards: FIPS 204 (ML-DSA) as the primary scheme, with FIPS 205 (SLH-DSA) as a hash-based alternative. Because these are signature standards, an auditor can confirm years later that a record is authentic and unaltered, even against a quantum-capable adversary. Key encapsulation (FIPS 203, ML-KEM) protects data in transit but never signs, so provability rests on the signatures. The test is blunt: given only the ledger and the public keys, can an independent auditor confirm every AI-assisted decision offline, with the network unplugged? If yes, the record is sovereign; if it needs a vendor's live dashboard, it is not.
“For a state asset owner, an AI decision that cannot be proved after the fact is indistinguishable from one that never happened.”
Which rules make this necessary?
Several, and they are converging. DORA, in force across the EU financial sector since January 2025, holds financial entities and their critical technology providers to operational-resilience and oversight duties a black-box external model struggles to meet. NIS2 raises security and incident-reporting obligations for essential and important entities, a category many large asset owners fall into. GDPR still governs any personal data, and ISO/IEC 42001 gives a certifiable management-system standard for AI itself. On the EU AI Act, note the position carefully: the high-risk Annex III obligations once due on 2 August 2026 have been deferred by the Digital Omnibus to 2 December 2027, with embedded high-risk systems under Annex I moving to 2 August 2028 and the Article 50 transparency duties largely unchanged. We treat that not as a reprieve but as a build window: the architecture should be in place before the deadlines, not scrambled for afterwards.
How does a sovereign fund keep AI honest as well as contained?
Containment stops leakage; it does not stop error. A single model can be confidently wrong, and a fund cannot rebalance on a hallucination. The requirement is cross-model consensus: material outputs are generated by more than one sovereign model and reconciled, so agreement raises confidence and disagreement is surfaced for a human. Because every step is sealed, the reasoning behind a view is reconstructable months later, which is what an investment committee, an auditor or a regulator will ask to see.
What should the procurement checklist require?
Set these as pass or fail conditions before any AI touches the book:
- Runs fully offline on hardware the fund owns, with the air-gap test passed: unplug the network and it still works.
- A zero-egress inbound perimeter, verified by inspection, with no telemetry, no model call-home and no cloud dependency.
- Hardware-attested identity for every human and agent, bound into the audit chain.
- A post-quantum signed audit ledger, FIPS 204 as primary and optionally FIPS 205, that an independent auditor can verify offline.
- Cross-model consensus on material outputs, with disagreement escalated to a named human.
- Sovereign models held by the fund, no third-party model in the decision path.
The mechanisms described here are covered by 104 filed UK patent applications, approximately 2,340 claims, owned by Mickai LTD; never granted or patented.
Frequently asked questions
Can a sovereign wealth fund use ChatGPT or Claude on its portfolio data?
Not for holdings, hedges or strategy. Public services like ChatGPT, Claude and Gemini process prompts on infrastructure the fund does not own, sending material non-public information across a boundary it cannot audit or, under laws such as the US CLOUD Act, fully protect. They suit public work; the book, counterparties and rebalancing intent should stay inside a system the fund controls.
Is a fund's data safe with an enterprise AI contract and a no-training clause?
It reduces the risk, it does not remove it. A no-training clause and a retention limit narrow how the data is used, but the data still leaves the fund's perimeter and sits under a third party's operational and legal control. For price-sensitive, national-interest information the safer standard is that the data never crosses the boundary at all: run the model offline, on hardware the fund owns, with nothing egressing.
Is the EU AI Act high-risk deadline still 2 August 2026?
No. The high-risk Annex III obligations once due on 2 August 2026 were deferred by the Digital Omnibus to 2 December 2027, with embedded high-risk systems under Annex I moving to 2 August 2028 and the Article 50 transparency duties largely unchanged. We treat the extra time as a window to build compliant architecture, not as a reason to delay it.
What is a zero-egress AI system?
A system where information flows in but nothing flows out. Prompts, documents and data enter; no output, embedding, telemetry or model call-home leaves the fund's security domain. It is the opposite of a cloud service, and the only way to guarantee market-moving data cannot be exfiltrated is to remove the exit entirely.
How do we prove to an auditor that an AI-assisted decision was not tampered with?
By verifying the sealed ledger. Every AI-assisted action is written to an append-only chain and signed with a post-quantum signature standard, FIPS 204 as primary and FIPS 205 as an alternative. An independent auditor, given only the ledger and the public keys, can confirm offline that each record is authentic and unaltered, with no need to trust the vendor. If it depends on a supplier's live dashboard, it is not real provability.




