The CISO Guide to Air-Gapped AI: Shrinking the Attack Surface and Killing Data Exfiltration
For the CISO who has to sign off on AI: a sovereign, air-gapped deployment removes the model-API exfiltration path entirely and binds every action to hardware-anchored identity.
The exfiltration path you cannot patch
Every time a prompt leaves your network for a public model API, your most sensitive data crosses a boundary you no longer control. Special-category records, deal terms, source code, customer PII, sanctions-screening context: all of it becomes a payload in transit to infrastructure you do not own, cannot inspect, and cannot subpoena. For a CISO, that is not a configuration risk. It is a structural one. You can rotate keys, scope tokens, and write the sternest acceptable-use policy in the industry, and the exfiltration path is still there by design, because the design assumes the model lives somewhere else.
Mickai starts from the opposite assumption. Mickai is a sovereign AI operating system (SIOS): AI that regulated businesses own and run inside their own walls, on-premises and air-gapped. There is no outbound call to a foundation-model vendor because the models run on your hardware, behind your perimeter. It is built and live, and building to scale. When the network path does not exist, there is nothing to intercept, nothing to log at a third party, and nothing to leak. You are not trusting a data-processing agreement. You are removing the processor.
What air-gapped actually removes from your threat model
Air-gapping is often treated as a slogan. Under Mickai it is an architectural property with specific consequences for your risk register.
The model-API egress path is gone. No prompt, embedding, or completion leaves the boundary, so classical DLP no longer has to reason about a channel it was never built to see: natural-language exfiltration hidden inside an API body. The vendor-side breach radius collapses, because a foundation-model provider cannot lose data it never received, and a compromise on the provider's side cannot reach records that never left your building. Shadow-AI risk shrinks too, since the sanctioned tool is the private one, and staff no longer route confidential work through consumer chatbots to get their jobs done. Retrieval stays inside the wall as well: Mickai runs air-gapped RAG, so the corpus your model reasons over is indexed, embedded, and queried entirely on your infrastructure, with no third-party embedding call carrying your documents out. What air-gapping does not remove is the insider and removable-media path out of the enclave; that channel stays on the register and is covered by the conventional physical and endpoint controls around it.
Hardware-bound identity, not a bearer token
The second structural weakness in cloud AI is identity. An API key is a bearer credential: whoever holds it is trusted, wherever they are. Exfiltrate the key and you have exfiltrated the identity.
Mickai binds identity to hardware. Actions are authorised against a hardware-anchored identity that cannot be copied off the machine and replayed from an attacker's laptop. For higher-consequence operations, Mickai supports voice-biometric quorum, so a sensitive action requires a live, verified human voice, not just a secret that could sit in a leaked environment file. For the CISO this changes the failure mode entirely. A stolen credential stops being game over, because the credential alone is not the identity. The identity is welded to a device you physically control. The boundary of that protection is worth stating plainly: a key that cannot leave the device can still be used in place by an attacker who gains code execution on that device, so hardware-bound identity closes credential theft and replay, while host compromise remains a separate line on the register with its own controls.
Every action written to an audit record you can prove
Detection is only half the job. Attestation is the other half, and it is the half auditors and regulators actually ask about. Mickai writes every action to a tamper-evident audit record, the OAR, signed with ML-DSA-65, the post-quantum signature scheme standardised in FIPS 204. That last detail matters more than it looks. Harvest-now, decrypt-later is a confidentiality problem; the problem for a signed log is forge-later. A record signed only with RSA or ECDSA today is a record an adversary with a cryptographically relevant quantum computer could forge tomorrow, by recovering the signing key from the public key and re-signing altered entries, and a multi-year retention period gives that adversary the time to do it. Post-quantum signing means the integrity of the log is designed to outlive the cryptographic era it was created in.
The practical effect is a chain of evidence rather than a chain of assertions. When your Head of Internal Audit or a supervisor asks what the AI did, who authorised it, and whether the log has been altered, the answer is a signed, ordered, verifiable record, not a screenshot and a trust exercise. That is the difference between a control you can demonstrate and a control you merely describe.
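The ordered, signed chain of evidence described above, as an added example that is not Mickai's code and does not reflect the real OAR format. It uses Ed25519 from the Go standard library as a stand-in for ML-DSA-65 (which is not in the standard library); the record fields, the `Log`, `Append`, `Head` and `Verify` names and the sample actions are all constructed for illustration. The point it shows is that a signature alone proves who wrote an entry, and only the hash chain plus contiguous sequence numbers make modification, deletion and reordering detectable by someone holding nothing but the public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry is one hypothetical audit record: a sequence number, the digest of the
// previous record (the chain), who did what, and a signature over all of it.
type Entry struct {
	Seq    uint64 `json:"seq"`
	Prev   string `json:"prev"` // hex SHA-256 of the previous entry's canonical bytes, "" for the first
	Actor  string `json:"actor"`
	Action string `json:"action"`
	Sig    []byte `json:"sig,omitempty"`
}

// canonical returns the bytes that are hashed and signed: every field except Sig,
// in a fixed field order (encoding/json preserves struct field order).
func canonical(e Entry) []byte {
	e.Sig = nil
	b, _ := json.Marshal(e)
	return b
}

// digest is the chain link that the next entry commits to.
func digest(e Entry) string {
	sum := sha256.Sum256(canonical(e))
	return hex.EncodeToString(sum[:])
}

// Log holds the signing key (which would sit in the hardware anchor in a real
// deployment; here it is an in-memory Ed25519 key) and the ordered entries.
type Log struct {
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
	Entries []Entry
}

func NewLog() (*Log, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Log{priv: priv, Pub: pub}, nil
}

// Append chains the new record to the previous one and signs it.
func (l *Log) Append(actor, action string) Entry {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = digest(l.Entries[n-1])
	}
	e := Entry{Seq: uint64(len(l.Entries)) + 1, Prev: prev, Actor: actor, Action: action}
	e.Sig = ed25519.Sign(l.priv, canonical(e))
	l.Entries = append(l.Entries, e)
	return e
}

// Head returns the digest of the latest entry. Anchoring this value somewhere the
// log writer cannot change is what stops an attacker from silently truncating the
// tail of the log, which chaining alone cannot detect.
func (l *Log) Head() string {
	if len(l.Entries) == 0 {
		return ""
	}
	return digest(l.Entries[len(l.Entries)-1])
}

// Verify needs only the public key. It checks that sequence numbers are contiguous,
// that each Prev equals the digest of the entry before it, and that every signature
// validates. It returns the index of the first bad entry, or -1 when the chain is intact.
func Verify(pub ed25519.PublicKey, entries []Entry) (int, error) {
	prev := ""
	for i, e := range entries {
		if e.Seq != uint64(i)+1 {
			return i, fmt.Errorf("entry %d: sequence gap or reorder (seq=%d)", i, e.Seq)
		}
		if e.Prev != prev {
			return i, fmt.Errorf("entry %d: chain break, prev hash mismatch", i)
		}
		if !ed25519.Verify(pub, canonical(e), e.Sig) {
			return i, fmt.Errorf("entry %d: bad signature", i)
		}
		prev = digest(e)
	}
	return -1, nil
}

func main() {
	l, err := NewLog()
	if err != nil {
		panic(err)
	}
	// Constructed sample actions, not real records.
	l.Append("svc-rag", "read:doc/contract-0042")
	l.Append("arbiter", "route:brain/legal")
	l.Append("ops-user", "approve:payment/0009")
	i, err := Verify(l.Pub, l.Entries)
	fmt.Println("intact chain:", i, err, "head:", l.Head()[:16])

	tampered := append([]Entry(nil), l.Entries...)
	tampered[1].Action = "route:brain/finance" // alter one field after signing
	i, err = Verify(l.Pub, tampered)
	fmt.Println("after tampering:", i, err)
}
```

The usage note a practitioner would attach: the verifier must get the public key through a channel the log writer does not control, and the current `Head()` value should be published periodically to an independent system, because a chain that is valid from entry one to entry N says nothing about entries N+1 onward that were simply deleted.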
A deterministic arbiter, not a black box that improvises
CISOs are rightly wary of systems that behave differently on identical inputs. Mickai runs 50 specialised brains under a single deterministic arbiter. Requests are routed and resolved through that arbiter rather than left to a single opaque model to improvise, which makes the control path reviewable and repeatable. One distinction matters here: deterministic routing makes the decision about which brain handles a request reproducible; whether a brain's own output is identical run to run additionally depends on pinned decoding (a fixed seed, no sampling), which is a property to settle at deployment. When something goes wrong, Mickai supports compensating rollback: rather than hoping an action can be undone, the system can execute a defined compensating step to return state to a known-good position. For a security function that has to answer for blast radius and recoverability, deterministic routing plus compensating rollback is the difference between an incident you can bound and one you cannot.
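Compensating rollback as a mechanism, as an added example that is not Mickai's code and makes no claim about how the arbiter implements it. Every name here (`State`, `Step`, `Run`, `TransferSteps`) and the in-memory ledger it operates on are constructed for illustration. Each step carries its own compensating action; when a later step fails, the steps that already succeeded are undone newest-first, and a compensation that itself fails is reported rather than hidden, because that is precisely the state a CISO cannot call known-good.

```go
package main

import (
	"errors"
	"fmt"
)

// State is a constructed, in-memory stand-in for the systems an action touches.
type State struct {
	Balances map[string]int
	Holds    []string
}

// Step pairs an action with the compensating action that returns state to where it
// was before Do ran. Both fields are hypothetical names for this example.
type Step struct {
	Name       string
	Do         func(st *State) error
	Compensate func(st *State) error
}

// Run executes steps in order. On the first failure it runs the compensation of every
// step that already succeeded, newest first, and reports which steps were undone.
// A compensation that itself fails is surfaced, not swallowed: state is then no
// longer known-good and a human has to look.
func Run(st *State, steps []Step) (undone []string, err error) {
	var done []Step
	for _, s := range steps {
		if e := s.Do(st); e != nil {
			err = fmt.Errorf("step %q failed: %w", s.Name, e)
			break
		}
		done = append(done, s)
	}
	if err == nil {
		return nil, nil
	}
	for i := len(done) - 1; i >= 0; i-- {
		if ce := done[i].Compensate(st); ce != nil {
			return undone, errors.Join(err, fmt.Errorf("compensation for %q failed: %w", done[i].Name, ce))
		}
		undone = append(undone, done[i].Name)
	}
	return undone, err
}

// TransferSteps is a constructed three-step action: debit the source, record a hold,
// credit the destination. The credit step fails if the destination does not exist,
// which exercises the rollback of the two steps before it.
func TransferSteps(from, to string, amount int) []Step {
	hold := fmt.Sprintf("hold:%s:%d", from, amount)
	return []Step{
		{
			Name: "debit",
			Do: func(st *State) error {
				if st.Balances[from] < amount {
					return errors.New("insufficient funds")
				}
				st.Balances[from] -= amount
				return nil
			},
			Compensate: func(st *State) error { st.Balances[from] += amount; return nil },
		},
		{
			Name: "hold",
			Do:   func(st *State) error { st.Holds = append(st.Holds, hold); return nil },
			Compensate: func(st *State) error {
				st.Holds = st.Holds[:len(st.Holds)-1]
				return nil
			},
		},
		{
			Name: "credit",
			Do: func(st *State) error {
				if _, ok := st.Balances[to]; !ok {
					return fmt.Errorf("unknown account %q", to)
				}
				st.Balances[to] += amount
				return nil
			},
			Compensate: func(st *State) error { st.Balances[to] -= amount; return nil },
		},
	}
}

func main() {
	st := &State{Balances: map[string]int{"A": 100, "B": 0}}
	undone, err := Run(st, TransferSteps("A", "C", 30)) // "C" does not exist, so credit fails
	fmt.Println("error:", err)
	fmt.Println("undone:", undone, "balances:", st.Balances, "holds:", st.Holds)
}
```

The design point is that the compensating action is declared alongside the action at the moment it is defined, not improvised at incident time; a step whose effect has no compensation (an outbound email, a wire already settled) has to be placed last or guarded by an approval gate, because nothing after it can be rolled back by this mechanism.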
Where this maps onto your obligations
The architecture is not abstract for a regulated CISO. Air-gapped deployment speaks directly to PRA and FCA operational resilience expectations and to DORA's demands around ICT third-party risk, because you have materially reduced the third-party dependency: the software supplier is still a third party you contract with and assess, but it no longer holds or processes your data. Keeping special-category data inside the wall supports UK GDPR and a defensible DPIA, since the highest-risk processing no longer traverses an external model. NIS2 and sector security rules are easier to satisfy when the sensitive workload has no external dependency to attest. And for firms inside ITAR, EAR, or CLOUD Act exposure, the calculus is stark: the CLOUD Act reaches data in a US provider's possession, custody, or control wherever it is stored, so data that is never in a foreign provider's custody is data that cannot be compelled from that provider.
Momentum and the moat
This is a deliberate architecture, filed and defended. Mickai LTD holds 104 filed UK patent applications spanning roughly 2,340 claims, inventor Micky Irons, covering the air-gapped design, the signing scheme, the arbiter, and the audit substrate. Filed, not granted, which is the point at this stage: it establishes priority and a prior-art moat around the way sovereign AI is built. As one third-party momentum signal, Crunchbase ranked me fourth globally among founders in June 2026, with the company placing in the top one to two percent. Mickai is positioned as an ally to the broader AI ecosystem, not a challenger to any lab. The frontier makes models; Mickai makes the sovereign operating system that lets regulated institutions run intelligence they can actually own.
The window
Mickai is built and live, and we are building to scale with a small number of selected partners rather than a broad rollout. If you are the person who has to sign the risk acceptance for AI, and the model-API exfiltration path is the line you cannot get comfortable with, this is the architecture designed to remove it rather than monitor it. To discuss a sovereign, air-gapped deployment, reach me directly at micky@mickai.co.uk.
Micky Irons, founder and CEO of Mickai.
Frequently asked questions
Does air-gapped deployment mean no data ever leaves our network?
Yes. Under Mickai the models run on your own hardware behind your perimeter, so there is no outbound call to a foundation-model vendor. No prompt, embedding, or completion crosses the boundary, which removes the model-API exfiltration path rather than trying to monitor it.
How is identity handled without cloud API keys?
Identity is bound to hardware. Actions are authorised against a hardware-anchored identity that cannot be copied off the machine and replayed elsewhere, and higher-consequence operations can require voice-biometric quorum. A stolen credential alone is not enough to act.
What makes the audit record defensible to auditors and regulators?
Every action is written to a tamper-evident audit record, the OAR, signed with ML-DSA-65, a post-quantum signature scheme. The result is a signed, ordered, verifiable chain of evidence you can demonstrate to a supervisor or your Head of Internal Audit, not a screenshot and a trust exercise.
Which regulatory obligations does this architecture support?
It maps onto PRA and FCA operational resilience expectations, DORA ICT third-party risk, UK GDPR and DPIA duties, NIS2, and ITAR, EAR, and CLOUD Act exposure, because materially reducing the external processor reduces the surface each regime is concerned with.
Is Mickai a competitor to the major AI labs?
No. Mickai is positioned as an ally to the broader AI ecosystem. The frontier labs make models; Mickai is the sovereign operating system that lets regulated institutions run intelligence they own, inside their own walls.