MICKAI
Article · 8 July 2026

Zero-Egress AI: An Inbound Perimeter That Classifies, Firewalls and Signs

Nothing should reach a model unclassified, and every routing decision an inbound perimeter makes should be signed and auditable.

Zero-Egress AI: An Inbound Perimeter That Classifies, Firewalls and Signs
Author
Micky Irons
Published
8 July 2026
Follow Micky Irons
LinkedInX
zero-egressdata-sovereigntyai-governanceinbound-perimeteraudit

On 2 August 2026 the substantive obligations of the EU AI Act reach full application, and the questions a regulator will ask stop being hypothetical. What data reached the model, who classified it, and on what basis was it routed to one system rather than another. Whether an organisation can answer with evidence rather than assurances has become the dividing line between a defensible deployment and an undocumented one. The UK Sovereign AI programme, sustained NHS concern over where patient data comes to rest, and the arrival of ISO/IEC 42001 have converged on one expectation: an operator must be able to show, not merely state, that sensitive information stayed inside its own boundary.

Most current architectures cannot meet that expectation, because they were built the wrong way round. They defend the output, filtering what a model says and redacting what it returns after the fact. The harder control point sits earlier, when data first meets a model. Nothing should reach a model unclassified, and an inbound perimeter that classifies by sensitivity, enforces an egress firewall and signs every routing decision turns that principle into an enforced property rather than a policy on a page.

The output is the wrong place to stand guard

Filtering a model's response assumes the sensitive data already went in, and by then the exposure has happened. If the input carried a patient identifier, a legal privilege or a trade secret, and it crossed into an external service, no amount of downstream redaction unwinds the transit. The record of what left already exists on someone else's infrastructure, under someone else's retention policy and jurisdiction.

A perimeter that stands at the input flips the burden. Every prompt, document, record and tool call is inspected and classified before any model sees it. Classification is not a label bolted on afterwards; it is the gate. A payload marked as containing personal or protected data is bound by that marking to a routing rule that decides which model may receive it and which may not. The default posture is refusal, not permission.

Zero-Egress AI: An Inbound Perimeter That Classifies, Firewalls and Signs, illustration 1

Zero egress as an enforced property

Zero egress means the sensitive class of data has no network path out of the operator's boundary. This is not a promise made in a privacy notice; it is enforced at the perimeter, where the egress firewall treats an external model endpoint as an untrusted host: something a classified payload is structurally forbidden from reaching.

Mickai is a Sovereign Intelligence Operating System, a SIOS, and it runs offline on operator-owned hardware. That matters because zero egress is only credible when the models capable of handling the most sensitive classes live inside the same boundary as the data. A payload classified as restricted is routed to a sovereign model running locally, and the firewall guarantees it never had the option of leaving. Where a payload is genuinely low sensitivity, an operator may permit an external route, but that is now an explicit, logged decision rather than an unexamined default.

An input that has not been classified has not earned the right to reach a model, and a routing decision that has not been signed cannot later be trusted.

Zero-Egress AI: An Inbound Perimeter That Classifies, Firewalls and Signs, illustration 2

Classification is the load-bearing decision

Everything downstream depends on getting the classification right, so the perimeter cannot treat it as a single fragile judgement. Sensitivity is assessed across several dimensions at once: the presence of regulated categories such as health or biometric data, the jurisdiction the data belongs to, the duties attached to it, and the risk profile of the task. A record can be low risk for one purpose and high risk for another, so the perimeter classifies against the purpose. Where the stakes justify it, classification is corroborated rather than taken on the word of one system: cross-model consensus lets several independent models assess the same input, and disagreement routes the payload to the more restrictive path and flags it for human review.

Zero-Egress AI: An Inbound Perimeter That Classifies, Firewalls and Signs, illustration 3

Hardware-attested identity underneath every decision

A routing rule is only as trustworthy as the machine enforcing it and the identity of whoever asked. The perimeter binds every request to a hardware-attested identity, so the operator knows not merely that a request arrived but that it came from an authenticated actor on an attested device inside the boundary. An unattested device does not get a discretionary route; it gets the default, which is refusal. This closes a gap that policy-only controls leave wide open, because rules written in a document can be misconfigured, bypassed or silently disabled. When enforcement is anchored to attested hardware and cryptographic identity, the perimeter's behaviour is a property of the system rather than a matter of trust in its operators, and the control survives a determined insider and an honest mistake alike.

Zero-Egress AI: An Inbound Perimeter That Classifies, Firewalls and Signs, illustration 4

Signing the decision, not just recording it

An audit log that an administrator can edit proves nothing to a regulator entitled to demand better. The perimeter therefore signs every routing decision and chains those signatures into a tamper-evident record: what was classified, at what sensitivity, on what basis, and where it was allowed to go, each sealed at the moment it happens. Because the signing must hold against future cryptographic attack, the audit chain uses post-quantum signatures, so a record sealed today remains verifiable when the algorithms of a decade hence are commonplace. Verification is offline: an auditor does not have to trust a live service or a vendor's dashboard, but can take the sealed chain and confirm, on their own hardware, that no decision was altered, removed or backdated. This is the difference between an assurance and a proof.

What this gives the buyer, the regulator and the clinician

For a CISO, the argument shifts from defending a boundary that leaks by design to operating one that is closed by default and opens only on a classified, signed, attested decision, so the quiet outbound flow of sensitive input to an external model has no path. For a public-sector buyer, the ISO/IEC 42001 posture stops resting on documented intent and starts resting on a verifiable record of what happened at every input. For a clinician or a data controller inside the NHS, patient data classified as restricted has no route out of the estate, and that absence of a route can be demonstrated after the event to anyone entitled to ask. The mechanisms behind this, offline verifiability, hardware-attested identity, post-quantum signed audit chains, cross-model consensus and a zero-egress inbound perimeter, are the subject of a filed patent estate that stands at 104 filed UK patent applications and approximately 2,340 claims, owned by Mickai LTD, all filed and patent pending.

Where the perimeter goes next

The direction of travel in 2026 is toward agentic systems that act, not merely answer, and the governance conversation is moving with it toward agentic audit. An inbound perimeter is well placed for that shift, because an agent's every tool call, retrieval and sub-task is itself an input that can be classified, firewalled and signed before it executes, so the discipline that keeps a sensitive document from crossing a boundary keeps an autonomous action from reaching a system it was never authorised to touch. The reasonable expectation is that classification at the input, enforced egress and signed decisions will become a baseline, as encryption in transit once did. Regulation is drawing the outline; the remaining work is engineering. An organisation that can prove, on its own hardware, that sensitive data never had anywhere to go is the one that will still be operating confidently when the questions get harder.

Subscribe
Get every new Mickai article by email.

Long-form essays on sovereign AI from Micky Irons. One email per article. No tracking, no marketing, no third parties. Every email includes a one-click unsubscribe link.

Prefer RSS? Subscribe at /articles/feed.xml.

Originally published at https://mickai.co.uk/articles/zero-egress-ai-an-inbound-perimeter-that-classifies-firewalls-and-signs. If you operate in a regulated sector or want sovereign AI on your own hardware, the audit form on mickai.co.uk is the entry point.
More articles