MICKAI
Compliance · Controlled technical data that never crosses a border

ITAR and Export Control

The US ITAR and EAR regimes, alongside UK and EU export-control law, restrict who may access controlled technical data and where it may travel, and they treat exposure of that data to a foreign person or a foreign server as an export in itself. Mickai keeps controlled technical data on hardware the organisation owns, fully offline and air-gapped, so it is never transmitted to a cloud AI service, never stored on a foreign server and never exposed to an unauthorised person. Because the data physically cannot leave the building, the core export-control obligations, no unauthorised export, access limited to authorised persons and a complete record of who accessed what, are enforced by architecture and sealed to a post-quantum Open Audit Record.

Why the cloud cannot satisfy this

Export-control law turns on a simple fact: allowing a foreign person or a foreign server to access controlled technical data is itself a controlled export, whether or not any physical item moves. Sending controlled data to a cloud AI service can constitute an export the moment the data lands on infrastructure outside the authorised jurisdiction or is handled by non-authorised persons, and multi-tenant cloud environments make it hard to prove that neither has occurred. ITAR restricts defence-related technical data tightly, the EAR governs dual-use technology, and UK and EU regimes impose parallel controls, all requiring that access be limited to authorised persons, that data not be exported without a licence, and that the organisation can evidence exactly who accessed controlled data and where it resided. Mickai removes the exposure entirely by keeping controlled technical data on hardware the organisation owns, fully offline and air-gapped, so it is never transmitted to a foreign server and never exposed to a shared environment. Access is gated to authorised persons through hardware-attested identity, the data never crosses a border in the inference path, and every access is sealed to an immutable Open Audit Record that proves who accessed controlled data, when and where it resided.

How Mickai meets it

The 6 obligations this framework imposes, each met by construction on hardware you own and mapped to the subsystem that enforces it.

Enforced by Air-gapped architectureRemoves Cloud regions and cross-border data flows that constitute exports

No Cross-Border Transfer or Deemed Export

Because controlled technical data is processed on air-gapped hardware you own and never transmitted to a cloud AI service, there is no transfer to a foreign server and no deemed export through access by a non-authorised person in a shared environment. The data never crosses a border in the inference path, which removes the single largest export-control exposure that cloud AI introduces. There is no jurisdiction question to resolve, because the data stays where you place it. The obligation is met by architecture rather than by a transfer-control policy.

Enforced by TPM attestationRemoves Cloud identity layers with uncertain foreign-person access

Access Limited to Authorised Persons

Mickai gates every access to controlled technical data behind hardware-attested identity and clearance, so only authorised persons can reach it, satisfying the requirement to prevent access by non-authorised or foreign persons. Access descends to the record level and can be scoped per clearance and per tenant. Nothing is exposed to a shared cloud identity layer that the organisation cannot control. Every access decision is enforced inside your air-gapped perimeter.

Enforced by Open Audit RecordRemoves Cloud access logs outside the organisation's control

Access Record for Controlled Data

Export-control regimes require the organisation to evidence exactly who accessed controlled technical data and where it resided, and Mickai meets this by sealing every access to a post-quantum Open Audit Record with the actor, the data touched, the time and the location. The trail is tamper-evident and reproducible for an auditor or an enforcement authority. There is no reliance on a vendor's logging tenancy. The access record is generated as a by-product of the work itself.

Enforced by SentinelRemoves Shared cloud tenancies with weak programme segregation

Tenant Isolation for Controlled Programmes

Mickai isolates controlled programmes and jurisdictions with cryptographic tenant separation on owned hardware, so technical data from one controlled programme cannot leak into another or to an uncleared context. Tenant switching is attested and every boundary crossing is recorded. This supports the requirement to segregate controlled data by authorisation and jurisdiction. Isolation is enforced by the architecture rather than by administrative process alone.

Enforced by Air-gapped architectureRemoves Internet-connected cloud AI workflows over controlled data

Air-Gap Survivability for Controlled Work

Because Mickai operates fully air-gapped, controlled technical data can be worked on with no network connection at all, so there is no path by which data could egress to an external service or a foreign server. The absence of connectivity is the strongest possible export control, because there is nothing to transmit and nowhere for the data to go. The full AI capability functions in this state. Controlled work proceeds with the export surface reduced to zero.

Enforced by Open Audit RecordRemoves Unattributable cloud-generated outputs from controlled data

Signed Provenance of Controlled Outputs

Mickai seals the provenance of every output derived from controlled technical data to the Open Audit Record, so the organisation can evidence what controlled inputs informed a given deliverable and which authorised person produced it. This supports export-control record-keeping and helps demonstrate that controlled data was handled only by cleared persons. The provenance chain is tamper-evident and reproducible. Every controlled output carries an attributable, sealed history.

The sovereign advantages

The advantages hold across every framework, and they are architectural, not promotional. The third-party cloud-exposure vector is removed; your own physical, insider and compliance controls remain yours.

Zero-trust data privacy

The data never leaves your hardware, so no third party and no cloud-provider employee ever sees it. What happens in the server room stays in the server room.

No vendor lock-in or outage exposure

You own the compute and the capability, so the system runs independent of the internet and of any cloud vendor's pricing, terms, or availability.

Data residency by default

The data never crosses a geographical or digital border because it never leaves the building, which removes the cross-border-transfer and third-party-processing friction of UK GDPR, Schrems II, and the sector rules. You keep your own obligations.

Proprietary advantage stays private

Fine-tune and run retrieval on your deepest archives to build a hyper-customised co-pilot, with no risk of your proprietary edge training a public model or leaking.

Predictable total cost of ownership

After the hardware and licence, queries cost essentially electricity. A capital asset you own and depreciate, instead of volatile per-token cloud bills.

The zero-espionage trust vault

There is no third-party cloud path, so no competitor and no vendor insider can scrape, intercept, or subpoena your prompts or your fine-tuned weights from the internet. The trust vault is closed by architecture.

Immunity to regulatory drift

You own the software snapshot on your own hardware, so a change to a cloud vendor's terms, a model deprecation, or an outage cannot reach you. The system stays predictable and auditable on-premise as the rules evolve.

Questions
How does air-gapped AI satisfy ITAR and export-control law?

Mickai keeps controlled technical data on hardware the organisation owns, fully offline and air-gapped, so it is never transmitted to a cloud AI service, never stored on a foreign server and never exposed to an unauthorised person. Because the data physically cannot leave the building, the core obligations, no unauthorised export, access limited to authorised persons and a complete access record, are enforced by architecture and sealed to a post-quantum Open Audit Record.

Does using a cloud AI service risk a deemed export?

It can. Sending controlled data to a cloud AI service may constitute an export the moment the data lands on infrastructure outside the authorised jurisdiction or is handled by non-authorised persons, and multi-tenant environments make it hard to prove neither has occurred. Mickai removes the risk entirely by processing controlled data on air-gapped hardware you own, so there is no transfer to a foreign server and no deemed export through shared access.

How does Mickai limit access to authorised persons?

Mickai gates every access to controlled technical data behind hardware-attested identity and clearance, so only authorised persons can reach it, and access descends to the record level and can be scoped per clearance and per tenant. Nothing is exposed to a shared cloud identity layer, and every access decision is enforced inside your air-gapped perimeter. Every access is sealed to a tamper-evident record.

Can the organisation prove who accessed controlled data?

Yes. Mickai seals every access to a post-quantum Open Audit Record with the actor, the data touched, the time and the location, which meets the export-control requirement to evidence exactly who accessed controlled data and where it resided. The trail is tamper-evident and reproducible for an auditor or an enforcement authority, generated as a by-product of the work with no reliance on a vendor's logging.

Can controlled work run with no network at all?

Yes. Mickai operates fully air-gapped, so controlled technical data can be worked on with no network connection whatsoever, and there is no path by which data could egress to an external service or a foreign server. The absence of connectivity is the strongest possible export control, and the full AI capability functions in this state with the export surface reduced to zero.

Is Mickai a cloud service that would raise export concerns?

No. Mickai is a Sovereign Intelligence Operating System acquired as an owned asset that runs on air-gapped hardware you own, not a cloud service that receives controlled data. Because the data never reaches an external provider, there is no cross-border transfer or foreign-server exposure. The public cloud remains useful for non-controlled work; Mickai is the answer for the controlled-data boundary.

Lawful B2B engagement

Bring ITAR and Export Control in-house.

Briefings are for organisations weighing a sovereign, on-premise deployment. Tell us about your estate and we will walk the obligations, the regulatory crosswalk and the deployment that fits.

Other frameworks
Regulated markets this bites hardest in