MICKAI®ArticlesThe End of Public AI in Regulated…
Article · 16 July 2026

The End of Public AI in Regulated Industries

Why finance, healthcare, defence and legal are bifurcating their AI estate, and why the line runs through consequence rather than the org chart

The End of Public AI in Regulated Industries
Author
Micky Irons
Published
16 July 2026
Follow Micky Irons
LinkedInX
sovereign airegulated industriesai governanceevidential burdenjurisdiction

Regulated industries are not walking away from public AI because they distrust the cloud. They are walking away because three obligations cannot be delegated to a supplier: governance, the evidential burden, and jurisdiction. Once a board accepts that it cannot sign over accountability for an automated decision, the architecture question answers itself, and the migration to privately controlled AI stops looking like a preference and starts looking like an inevitability. Public AI does not disappear. It gets confined to the workloads where nobody has to prove anything.

What exactly do we mean by "public AI"?

Public AI is shared-tenant inference where the provider controls the weights, the update cadence, the moderation layer, the logging boundary and the physical estate. The defining feature is not the address of the data centre. It is the control surface. A dedicated region, a private link and a contractual residency clause can all be present and the workload is still public AI, because the decisions that matter are still taken by someone else.

Privately controlled AI is the inverse. The organisation holds the weights, the runtime, the keys, the logs and, critically, the decision about when the model changes. The test is not technical: when a regulator, an auditor or a court asks what happened, can you answer without asking a vendor for permission, for a log export, or for a retention exception?

Cerberus planted across a single threshold, three heads turned outward and jaws set, his collar fused into his own stone throat so no other hand can be given the watch, in a void of pure black, satin gold light...
Cerberus planted across a single threshold, three heads turned outward and jaws set, his collar fused into his own stone throat so no other hand can be given the watch, in a void of pure black, satin gold light...

Why can't a regulated firm delegate governance to its provider?

Because liability does not travel with the workload. Under DORA Article 5, the management body of a financial entity retains ultimate responsibility for managing its ICT risk, and outsourcing a critical function does not outsource that responsibility. Under GDPR Article 22, a person subject to a solely automated decision has the right to human intervention, to express a view and to contest the outcome; the separate duty to give meaningful information about the logic involved sits in Articles 13, 14 and 15. Both duties fall on the controller, not on the sub-processor four contracts down. Under the EU AI Act, a deployer of a high-risk system carries obligations for human oversight and record-keeping in its own name; application of that regime has been deferred, but the deferral moves the date, not the allocation of duty.

A supplier contract can indemnify money. It cannot indemnify a duty. This is the structural point most procurement processes miss: the firm negotiates hard on service credits and liability caps, then discovers that the thing the regulator wants is not compensation, it is an explanation. And the explanation lives inside the supplier.

There is a quieter version of the same problem. The model changes underneath you. A checkpoint is deprecated, a safety layer is retuned, a routing policy shifts. None of it is malicious and all of it is normal engineering practice. But a decision made about a customer eighteen months ago becomes unreproducible, and "the model that made that decision no longer exists" is not a position a firm should expect to survive scrutiny.

Charon standing at the stern of one stone barge that is his and never his passengers, one fist closed on the pole, the other palm open and waiting for a toll, in a void of pure black, satin gold light sliding down...
Charon standing at the stern of one stone barge that is his and never his passengers, one fist closed on the pole, the other palm open and waiting for a toll, in a void of pure black, satin gold light sliding down...

What is the evidential burden, and why does shared tenancy break it?

The legal test is not whether the system performed well. It is whether you can prove what happened to a third party who assumes, correctly, that you are a motivated narrator of your own conduct. That demands three properties of a record.

  • Contemporaneity: the record was made before or at the moment of the act, not reconstructed afterwards from telemetry.
  • Integrity: any alteration is detectable, including alteration by the organisation that holds the record.
  • Independence: the record can be verified by someone who does not trust, and does not need, the party that produced it.

Provider-held logs are strong on the first, adequate on the second, and structurally weak on the third. They are produced by an interested party, exported on that party's terms, retained for that party's window, and shaped by a schema you did not design and cannot compel. In a dispute, the evidence you most need is held by the counterparty most exposed by it. That is not an accusation of bad faith. It is a description of a conflict a contract cannot engineer away.

A deeper distinction ends the argument. A system that logs after the fact records what it did. A system that seals the authorisation before the action executes records what it was permitted to do, and therefore makes the gap between permission and behaviour visible. Only the second is evidence in the sense a court means.

Argus turning slowly, a hundred carved eyes across his body, only the few caught in the gold open and the rest sealed blind in shadow, both hands lifted empty as if called to testify to what he cannot see, in a void...
Argus turning slowly, a hundred carved eyes across his body, only the few caught in the gold open and the rest sealed blind in shadow, both hands lifted empty as if called to testify to what he cannot see, in a void...

Isn't this just data residency, which regional cloud already solves?

No, and conflating the two is why so many sovereignty programmes stall after eighteen months of spend. Residency answers one question: where are the bytes at rest. It does not answer who holds the key, who can be compelled to disclose, whose control plane orchestrates the workload, who decides that the model changes on Tuesday, and which court hears the dispute. Jurisdiction is a property of control, not of geography. A regional data centre with a control plane and a corporate parent elsewhere has moved the storage and left the authority where it was. For most workloads that is an acceptable trade. Where a foreign legal process or a unilateral service change would itself constitute a regulatory incident, it is not a trade at all. It is an unpriced option written against your licence to operate.

Hades seated at the exact edge of his own realm, one hand opened upward to release a shaft of light freely into the air, the other clamped shut over the dark beneath him, drawing the boundary himself, in a void of...
Hades seated at the exact edge of his own realm, one hand opened upward to release a shaft of light freely into the air, the other clamped shut over the dark beneath him, drawing the boundary himself, in a void of...

Where does public AI remain the right answer?

For most of what most organisations do. Drafting marketing copy, assisting on non-sensitive code, summarising public filings, translation, prototyping, internal search over material that is already public: these carry no evidential burden, create no legal duty, and are reversible when wrong. The worst case is an embarrassing sentence. Standing up owned infrastructure for that class of work is a bad allocation of capital.

Public AI also moves faster. Frontier capability lands in shared tenancy first, and a firm that refuses it on principle will be outrun on the majority of its work, where speed is the only thing that matters. The honest position is not that public AI is wrong. It is that it is right for one class of workload and structurally unsuited to another, and that regulated firms have been running both classes on one architecture because it was easier to buy.

What does the migration actually look like?

It is not a migration in the lift-and-shift sense. It is a bifurcation of the estate, and the useful move is to classify by consequence rather than by department. Legal has plenty of low-stakes drafting; marketing occasionally touches personal data with real teeth. The line runs through the workload, not the org chart.

  • Classify every AI-touched process by consequence: does it create a legal duty, an audit obligation, or an irreversible effect on a person?
  • Draw the control boundary at the action, not the model. What matters is what the system is permitted to do, not which weights suggested it.
  • Make the record the deliverable. If the output cannot be proven, it has not been produced.
  • Keep the exit real. An exit plan you have never executed is a document, not a control.
  • Buy capability where it is cheap and own it where it is dear.

Firms that do this find the controlled estate is smaller than they feared and more load-bearing than they expected. The end of public AI in regulated industries is not the end of public AI. It is the end of pretending that one architecture can carry both an ad campaign and a credit refusal.

Frequently asked questions

Does a private cloud region count as privately controlled AI?

Usually not. A private region typically relocates storage and compute while leaving the control plane, the key custody, the update decision and the corporate parent with the provider. If a supplier can change the model, alter the logging schema, or be compelled to disclose without your involvement, the workload is provider-controlled regardless of where the racks sit. The test is authority, not address.

Are provider audit logs sufficient for a regulator?

Often yes for operational assurance, and often not for contested evidence. They are produced by an interested party, retained on that party's schedule, and exported in a form you did not specify. In an ordinary supervisory conversation that is fine. Where the counterparty's interest diverges from yours, a record that cannot be verified independently and offline carries far less weight than firms assume.

Doesn't running AI privately mean falling behind on capability?

On the frontier, sometimes, and that is a real cost to state plainly. The mitigation is architectural rather than heroic: run fast-moving, low-consequence work on whatever is best available, and hold the consequential class in the controlled estate, where a slightly older model with a provable record beats a newer one with an unprovable one. Regulated decisions are rarely lost on capability. They are lost on evidence.

How many workloads actually belong in the controlled estate?

Fewer than most boards fear, and they are almost always the ones that carry the licence. The classification exercise surfaces a minority of processes that create a duty, an audit trail or an irreversible effect on a person. Those are worth owning outright. The rest should go wherever the economics are best, and the discipline is refusing to let the two categories share an architecture by default.

Mickai is a British Sovereign Intelligence Operating System, built and live today, running offline on hardware the organisation owns, in its own jurisdiction. Its Open Audit Record seals every consequential action before it executes, signs it with post-quantum FIPS 204 ML-DSA-65, and hash-chains it so a regulator or a court can verify it offline without our involvement. Its agents operate inside a gated sandbox under per-action clearance, which makes the permission boundary a fact rather than a policy. The architecture is protected by 104 filed UK patent applications carrying 2,340 claims, held by Mickai LTD. Read /sovereign-ai for how the controlled estate is drawn, /oar for the evidential mechanism, and /ai-readiness to classify your own estate by consequence before committing capital.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/the-end-of-public-ai-in-regulated-industries. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles