Own, Do Not Rent: Why Regulated Firms Need AI Inside Their Own Walls
For special-category and controlled data, ownership and air-gapping are compliance requirements, not preferences, and Mickai delivers that as a live sovereign AI operating system.
The question regulated firms are actually being asked
When a bank, a hospital, a defence supplier, or an insurer sends data to a public-cloud AI service, it is not buying a feature. It is making a custody decision. The real question is not whether the model is good. It is who can touch this data, under which jurisdiction, with what legal compulsion, and whether every action can be proven after the fact. For ordinary commercial data, renting is fine. For special-category and controlled data, renting fails the test before the model ever runs.
This is a first-principles point, not a marketing one. If you cannot guarantee where data sits, who processed it, and that the record of processing cannot be altered, you do not have a compliance position. You have a hope. Regulators do not accept hope.
I founded Mickai to remove the hope and replace it with proof. Mickai is a sovereign AI operating system, an SIOS, that regulated businesses own and run inside their own walls, on-prem and air-gapped, with every action written to a tamper-evident, post-quantum-signed audit record we call the OAR. It is built and it is live.
Why ownership is a requirement, not a preference
Look at what the rulebooks actually demand and a pattern appears. The PRA outsourcing and operational resilience expectations under SS2/21 push firms to retain control and a clean exit over critical functions. UK GDPR treats special-category data as a class that needs the strongest safeguards and a clear, demonstrable basis for every processing event. The NHS Data Security and Protection Toolkit sets a hard bar for how patient data is handled. The EU AI Act puts high-risk systems under documentation, logging, and human-oversight obligations. ITAR and EAR restrict where controlled technical data may physically reside and who may access it. The NIS Regulations raise the resilience bar for essential services. And the US CLOUD Act means data held by a US-controlled provider can be compelled regardless of where it physically sits.
Read those together and the conclusion is not subtle. For the most sensitive categories of data, the firm must hold the keys, the location, and the audit trail itself. That is ownership. A rented endpoint, however well engineered, hands custody to a third party in another legal regime and asks you to trust the boundary. For controlled data, the boundary is the requirement, and the only way to guarantee it is to own the system.
This is why the addressable need is not a niche. Roughly 0.85 million UK businesses, about 15 percent, sit in scope of rules that make public-cloud AI a poor or impossible fit, alongside an estimated 5 million across the EU that are legally barred from it. The sovereign AI market reflects this gravity, sized at around USD 40 billion in 2025 and on a path toward USD 148 billion by 2032. The demand is structural. It follows from the law, not the hype cycle.
What air-gapping actually buys you
Air-gapping is often described as a constraint. In a regulated setting it is the opposite. It is the cleanest way to make a custody guarantee true rather than asserted. When the system runs on hardware the firm controls, with no path out to a third-party cloud, the questions a regulator asks become answerable with evidence instead of contracts. Where is the data. Here. Who processed it. These identities. Can the record be altered. No, because every action is signed into the OAR with post-quantum cryptography, so tampering is detectable.
That last point matters more each year. Audit records that rely on today's signatures risk becoming forgeable once cryptographically relevant quantum computing arrives. A controlled-data audit trail needs to survive that. Mickai signs the OAR with post-quantum schemes precisely because a compliance record has to outlive the threat model it was created under.
Built as an operating system, delivered as working studios
Mickai is not a wrapper around someone else's API. It is a full operating system for AI work, and the capabilities ship as Greek-named Studios that map onto real regulated functions. Nemesis handles fraud and AML. Plutus covers finance. Tyche does underwriting. Prometheus runs forecasting. Iris serves customer operations. Nomos and Astraea cover compliance and legal. Panacea works clinical data. Pythia drives business intelligence and Aletheia handles audit. Around them sit Trust Agent, the AMT agentic layer, Vinis voice, OAR-as-a-Service, and HELIOS hardware. Each Studio runs inside the same owned, air-gapped, auditable substrate, so adopting a function never reopens the custody question.
Underneath sits the moat. Mickai LTD has 104 filed UK patent applications carrying roughly 2,340 claims, with myself as inventor. Filed, not granted, which is the honest framing, and what filing secures is priority and a prior-art position across the architecture. The same estate has been mapped against 196 companies and 311 patent-company pairs as potential licensees, names that include Microsoft, AWS, NVIDIA, Google, Adobe, and IBM. That is potential-licensee sizing, not signed revenue, but it indicates the surface area of the work is broad and that the largest platforms operate in territory this estate touches.
A category, not a product
I am deliberate about positioning. Mickai is an ally to the model labs, not an OpenAI killer. The frontier labs build extraordinary models. What regulated firms lack is a way to run capable AI under their own custody with provable controls. Mickai is the operating system that closes that gap, which is why the thesis is dual-buyer: it serves the regulated enterprise that must own its AI, and it is the kind of sovereign-control layer a hyperscaler would rather own than compete with.
The momentum is showing externally as well as architecturally. In June 2026 I was ranked number four on Crunchbase, with the Mickai company profile placing in the top one to two percent globally, a third-party signal that the category is being noticed. We are a UK company with Birmingham manufacturing secured, building to scale and heading for the top. The economics follow the structure. A Year 5 revenue path toward billions at high gross margin, underwritten by the IP estate and the dual-buyer thesis, is what a category that the law itself creates looks like when it is built properly. It is the kind of substrate a hyperscaler would want to own.
The window
Mickai is built and live, and the work now is scaling it with the right partners. The advantage belongs to those who understand the structural point early: that owning the substrate beats renting the boundary, and that a category created by regulation does not wait for the hype cycle to validate it. That is the position Mickai occupies, and it is built to lead it.
To talk, write to me directly at micky@mickai.co.uk.
Micky Irons, founder and CEO of Mickai.
FAQ
Frequently asked questions
Why can't regulated firms just use public-cloud AI with strong contracts?
Because for special-category and controlled data the boundary itself is the requirement. Rules like UK GDPR, the PRA SS2/21 expectations, ITAR and EAR, and the US CLOUD Act mean a firm must be able to prove where data sits, who processed it, and that the record cannot be altered. A contract asserts the boundary. Owning and air-gapping the system proves it, with the evidence held by the firm rather than a third party in another jurisdiction.
What is the OAR and why does it use post-quantum cryptography?
The OAR is Mickai's tamper-evident audit record. Every action the system takes is signed into it, so any alteration is detectable. It is signed with post-quantum schemes because a compliance record must remain trustworthy for years, including after cryptographically relevant quantum computing arrives and weakens today's signatures.
What does Mickai actually deliver as a product?
A full sovereign AI operating system that runs on-prem and air-gapped on hardware the firm controls. Its capabilities ship as Greek-named Studios mapped to regulated functions, including Nemesis for fraud and AML, Plutus for finance, Tyche for underwriting, Nomos and Astraea for compliance and legal, and Panacea for clinical data, all on the same owned, auditable substrate. It is built and live.
Is Mickai trying to compete with the major AI labs?
No. Mickai is an ally to the model labs, not an OpenAI killer. The frontier labs build the models. Mickai is the operating system that lets regulated firms run capable AI under their own custody with provable controls, which is a different layer of the stack and the kind of sovereign-control layer a hyperscaler would rather own than compete with.
What is the state of Mickai's intellectual property?
Mickai LTD holds 104 filed UK patent applications carrying roughly 2,340 claims, with Micky Irons as inventor. They are filed, not granted, which secures priority and a prior-art position across the architecture. The estate has been mapped against 196 companies and 311 patent-company pairs as potential licensees, which is potential-licensee sizing rather than signed revenue.






