SS1/23 Model Risk Management: Governing Your AI Models Inside the Firm With Full Lineage
The PRA expects firms to identify, validate and monitor every material model. Here is how a sovereign AI operating system keeps models, data and validation under one tamper-evident record inside your own walls.
The supervisory statement that redrew the model perimeter
SS1/23 came into force in May 2024, and it did something the industry had been quietly avoiding. It gave the Prudential Regulation Authority a clear, principles-based framework for model risk management across the firms it supervises, and it deliberately widened the definition of a model to include the quantitative methods, artificial intelligence and machine learning that now sit inside pricing, capital, credit, fraud and capital-planning decisions.
For a Head of Model Risk, the shift is uncomfortable. The old world had a manageable inventory of regulatory-capital and stress-testing models, each with a documented owner and a validation cycle. The new world has hundreds of statistical and AI components spread across business lines, many of them procured, embedded in vendor platforms, or spun up by data science teams faster than governance can catalogue them. SS1/23 asks a firm to know every one of them, to grade materiality, to validate independently, and to prove ongoing monitoring. That is a lineage problem before it is a modelling problem.
Why AI models break the classic operating model
The five SS1/23 principles are model identification and tiering, governance, development and implementation, validation, and the use of external models and vendors. Each of them rests on one deceptively hard question you must be able to answer at any moment: for this specific decision, which model version ran, on which data, validated by whom, approved under whose authority, and what has changed since.
Public-cloud AI deployment makes that question almost impossible to answer honestly. A model served from a third-party API is a moving target. Weights are updated by the provider, prompts and retrieval context are assembled at runtime and then discarded, and the firm holds no durable record of the exact computation that produced a given output. When your data and your inference both leave the building, your model inventory is a spreadsheet of hopeful assumptions rather than a record of fact. That gap is exactly what an independent validation function, and ultimately a supervisor, is trained to find.
One record for the model, the data and the validation
Mickai is a sovereign AI operating system: AI that regulated businesses own and run inside their own walls, on-premise and air-gapped, with every action written to a tamper-evident, post-quantum-signed audit record we call the OAR. It is built and it is live, and it is architected so that model risk management is a property of the platform rather than a manual overlay bolted on afterwards.
The design principle is simple. If the model, the data it reads, and the validation evidence all sit under one roof, then lineage stops being something you reconstruct after the fact and becomes something the system emits by default. Every inference is a signed OAR entry: model identifier and version, the retrieval context it drew on, the arbiter decision path, the human authority that approved the action, and a cryptographic hash chaining it to the entry before. Nothing about a decision can be altered later without breaking the chain, because the record is signed with ML-DSA-65, a post-quantum signature scheme chosen so the evidence survives the arrival of quantum computers that will eventually break today's cryptography.
How the architecture maps to the five principles
Model identification and tiering becomes an inventory that maintains itself. Because inference runs inside the platform, no model can serve a decision without registering, so the inventory is the live system rather than a periodically refreshed document. Materiality tiers attach to each registered model and drive how much validation and monitoring it receives.
Governance and accountability map onto hardware-bound identity and a deterministic arbiter. Mickai runs fifty specialised brains under one arbiter that makes the final, reproducible call, so outcomes are deterministic and explainable rather than the black-box drift a validator most fears. Approvals are bound to a hardware-anchored identity, and sensitive actions can require a voice-biometric quorum, giving a clean line back to the accountable individual that SM&CR and SS1/23 governance expectations both demand.
Development, implementation and validation gain a reproducible substrate. Because the retrieval corpus is air-gapped and versioned, an independent validator can re-run a decision against the exact data state that produced it. That turns validation from an argument about probabilities into a repeatable test. On the fifth principle, external models and vendors, the point is structural. When the model runs inside your walls rather than behind a third party's API, the vendor concentration and third-party dependency that SS1/23 flags, and that DORA and operational-resilience rules echo, shrink to something you actually control. Compensating rollback lets you reverse a flawed model action across dependent systems rather than merely logging that it happened.
What the Head of Model Risk gets to say to the Board
The value of this is not abstract. It is the difference between a Head of Model Risk telling the Board risk committee that controls are believed to be adequate, and telling them that every material model is inventoried, tiered, independently reproducible and cryptographically evidenced end to end. It is the difference between a validation function that samples and infers, and one that can replay any decision on demand. For a non-executive director carrying personal accountability, that evidentiary floor changes the character of the oversight conversation.
It also travels. The same OAR spine that satisfies SS1/23 lineage carries directly into FCA Consumer Duty outcome-testing, operational-resilience impact tolerances, EU AI Act high-risk record-keeping, and GDPR accountability. You build the record once and it answers to many regimes, which is the only economically sane way to meet a supervisory landscape that keeps adding rather than subtracting obligations.
Momentum and the window
This is a category the market is racing to define. Sovereign AI is projected to grow from around USD 40 billion in 2025 to roughly USD 148 billion by 2032, and roughly 0.85 million UK businesses sit under rules that make public-cloud AI legally difficult, with several million more across the EU. The moat underneath Mickai is 104 filed UK patent applications, some 2,340 claims, held by Mickai LTD, establishing priority across the sovereign-AI substrate. As a dated third-party signal, in June 2026 Crunchbase ranked founder Micky Irons number four globally, with the company inside the top one to two percent.
Mickai is built and live, and we are building to scale from a secured UK manufacturing base in Birmingham. Governed, sovereign AI is where regulated industries are heading, not a niche they can wait out. If model risk is on your desk, the conversation starts at micky@mickai.co.uk.
FAQ
Does SS1/23 apply to AI and machine-learning models? Yes. The PRA deliberately drew the model definition wide enough to capture quantitative methods including artificial intelligence and machine learning, so any material AI component inside a covered firm's decisioning falls within scope of its five principles.
How does an air-gapped platform prove model lineage to a validator? Because inference, data and validation evidence all sit inside the firm, every decision is written to a signed, chained audit record capturing model version, data state and approval authority. An independent validator can replay the exact computation against the versioned data that produced it.
What is the OAR? The OAR is Mickai's tamper-evident audit record. Each entry is signed with the ML-DSA-65 post-quantum scheme and cryptographically chained to the previous one, so decisions cannot be altered retrospectively without breaking the chain, giving supervisors durable evidence.
Does running models on-premise reduce third-party model risk? Yes. SS1/23, DORA and operational-resilience rules all flag vendor and third-party concentration. Running models inside your own walls removes the moving-target dependency of a provider's API and returns version control, data control and rollback to the firm.
By Micky Irons, founder and CEO of Mickai.
Frequently asked questions
Does SS1/23 apply to AI and machine-learning models?
Yes. The PRA deliberately drew the model definition wide enough to capture quantitative methods including artificial intelligence and machine learning, so any material AI component inside a covered firm's decisioning falls within scope of its five principles.
How does an air-gapped platform prove model lineage to a validator?
Because inference, data and validation evidence all sit inside the firm, every decision is written to a signed, chained audit record capturing model version, data state and approval authority. An independent validator can replay the exact computation against the versioned data that produced it.
What is the OAR?
The OAR is Mickai's tamper-evident audit record. Each entry is signed with the ML-DSA-65 post-quantum scheme and cryptographically chained to the previous one, so decisions cannot be altered retrospectively without breaking the chain, giving supervisors durable evidence.
Does running models on-premise reduce third-party model risk?
Yes. SS1/23, DORA and operational-resilience rules all flag vendor and third-party concentration. Running models inside your own walls removes the moving-target dependency of a provider's API and returns version control, data control and rollback to the firm.






