Trump's AI Executive Order Secures the Pipes. BioNFTs Secure Your DNA.


June 9, 2026

President Trump's new AI Executive Order, "Promoting Advanced Artificial Intelligence Innovation and Security," signed June 2, 2026, is a smart and welcome move. It keeps America building, and it hardens the cybersecurity around our most sensitive systems, including the rural hospitals that hold our diagnoses, our medical histories, and our genomes. The Order secures the pipes. At GenoBank.io we secure the relationship: a patient-owned BioNFT that imprints revocable HIPAA and GDPR consent into the data itself, so that a non-consented or revoked AI use is blocked in code. We call it AI privacy by code, and it is the natural complement to what this Order sets in motion.

What the Order gets right

This is a pro-innovation, security-first framework, and it deserves credit for choosing partnership over bureaucracy. A few things stand out.

  • It protects builders instead of throttling them. Section 3(c) of the Order expressly forbids "a mandatory governmental licensing, preclearance, or permitting requirement for the development, publication, release, or distribution of new AI models, including frontier models." That keeps the door open for startups, researchers, and open development.
  • It sends cybersecurity to the people who need it most. The Order directs DHS, through CISA, to facilitate access to cybersecurity tools and services for operators of critical infrastructure "such as rural hospitals, community banks, and local utilities." Rural and community hospitals are among the softest targets for ransomware, and a breach there is not just an IT incident. It exposes the most personal data a human being has.
  • It builds collaboration, not red tape. It stands up an AI cybersecurity clearinghouse run "in voluntary collaboration with the AI industry and operators of critical infrastructure" to find, validate, and patch vulnerabilities at scale.
  • It respects intellectual property. The voluntary frontier-model framework gives developers early-access options "subject to appropriate confidentiality, cybersecurity, insider-risk, and intellectual-property protection," so security and proprietary innovation can advance together.
  • It goes after the criminals, not the innovators. Section 4 directs the Attorney General to prioritize prosecuting bad actors who weaponize AI to break into systems and steal data, under existing computer-crime statutes.

The posture is exactly right for this moment: partner with American innovators, protect our ingenuity, and deploy the best and safest technology rapidly. You can read the Order itself at whitehouse.gov and the accompanying fact sheet.

The gap it deliberately leaves

By design, this Order is light-touch. It secures systems and networks, and it leaves the substance of data ownership, consent, and provenance to the market and to technology. That is a reasonable choice. But it means one question is left open, and for genomics it is the whole game:

Once an AI agent is inside an authorized system, what governs how a patient grants, revokes, or is paid for the use of their own genome and health record?

Hardening the hospital's perimeter does not answer that. A model with legitimate access to a system can still read, retain, and reuse the most sensitive data a person owns, with no built-in way for that person to say no later. The Order secures the building. Someone still has to govern what happens to your data once a trusted agent is inside it. That someone should be you.

The red flag already in your feed

While policy hardens the infrastructure, a new class of consumer and agentic services is racing the other way. The pattern is everywhere now: "Upload your DNA here and get this AI-generated report." Connect your medical records, your wearable, your lab results, and let an autonomous agent read it all and act on it. Independent privacy analysts documented five major health-data AI hubs launched in a single quarter of 2026, each wiring identifiable health data into a chatbot or agent, with "we won't train on your data" bolted on as a promise rather than built in as a guarantee.

This is 23andMe's lack of governance, on steroids

The same collect-it-all, own-nothing, delete-if-you-can-find-the-button model, now strapped to autonomous AI agents that read, retain, and reuse your immutable genome at machine speed, while you still hold only a login, not your data.

We have already seen where that road ends:

  • An account is not ownership. When 23andMe entered bankruptcy, the genetic data of roughly 15 million customers became a corporate asset to be sold, and the only recourse offered to consumers was to race to delete their accounts before a sale closed. The FTC had to formally warn that any buyer must honor the original privacy promises.
  • Genomic data is immutable. You cannot reset your genome like a password. 23andMe confirmed in December 2023 that attackers stole ancestry data tied to about 6.9 million users. A leak like that exposes you and your blood relatives permanently.
  • Retention is the default, deletion is a scramble. California's Attorney General had to issue an urgent consumer alert walking people through how to delete their genetic data and destroy stored samples, precisely because almost no one knew the option existed.
  • Consent given once does not bind the next owner, or the next model. Secondary use and training on health data is exactly where the value is, which is exactly why a policy promise is not enough.

An "upload your DNA, trust our AI" service without cryptographic, revocable governance is not a convenience. It is a permanent, irreversible liability that you do not control.

AI privacy by code: how GenoBank.io closes the gap

Our answer does not wait for the law to catch up, and it does not depend on a company's good intentions. It puts the rule inside the data. At GenoBank.io, genomic and health data lives AES-256-encrypted in Google Cloud Storage (never IPFS, so a deletion request is actually a deletion), and it is exposed only through NFT-gated BioFS, our consent-gated filesystem and biorouting layer. Nothing reaches the bytes without passing the gate.

The BioNFT: ownership and consent are the same object

A BioNFT is a patient-owned, revocable ERC-721 token (on Avalanche, Story Protocol, or Sequentia) that carries both ownership of and consent over a biosample and its data. The consent terms (allowed uses, denied purposes, expiry, license) are bound into an EIP-712-signed manifest, so a service provider cannot quietly widen its own access. Because ownership and consent are one cryptographic object, a patient can revoke at any time, and the data goes dark within seconds.

The x402 biorouter: money is junior to consent

x402 is the HTTP 402 "Payment Required" standard that lets an autonomous AI agent pay for what it accesses with no human checkout. Our biorouter fuses x402 with on-chain BioNFT consent, so every single agent call runs a fixed authorization cascade before any byte moves:

  1. Owner. Is the caller the data owner?
  2. Consent. Is there active, unrevoked BioNFT consent for this purpose? A revoked token returns HTTP 410, GDPR Article 17, do not retry.
  3. License. Does the caller hold a valid on-chain license (ERC-721 or Story PIL)?
  4. Payment. Only now, if the patient has opened the data commercially, does x402 settle the micropayment.

Consent is structurally senior to money. An agent cannot pay its way past a patient's revocation, because the cascade short-circuits long before it ever reaches payment. Every authorized access is written to an audit log with its declared purpose.
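The cascade above, sketched in Python as an added example (not GenoBank.io's code): the four checks run in the listed order, so a settled payment cannot get past a revoked consent. The class and field names, the owner short-circuit, and the 403 responses are assumptions for illustration; only the ordering, the 410 on revocation, the 402 payment step, and the audit log come from the text.

```python
from dataclasses import dataclass, field

@dataclass
class Consent:  # hypothetical stand-in for on-chain BioNFT consent state
    owner: str
    allowed_purposes: set
    licensees: set = field(default_factory=set)
    expires_at: float = float("inf")
    revoked: bool = False
    commercial: bool = False  # patient has opened the data commercially

@dataclass
class Call:  # one agent request, with its declared purpose
    caller: str
    purpose: str
    now: float = 0.0
    payment_settled: bool = False

AUDIT_LOG = []  # (caller, purpose, basis) for every authorized access

def grant(call, basis):
    AUDIT_LOG.append((call.caller, call.purpose, basis))
    return 200, basis

def authorize(call, consent):
    """Return (http_status, reason); checks run in the order listed above."""
    # 1. Owner (assumption: the owner is served without the later checks).
    if call.caller == consent.owner:
        return grant(call, "owner")
    # 2. Consent: revocation answers 410 before payment is ever examined.
    if consent.revoked:
        return 410, "consent revoked, do not retry"
    if call.purpose not in consent.allowed_purposes or call.now >= consent.expires_at:
        return 403, "no active consent for this purpose"  # 403 is an assumption
    # 3. License (membership test stands in for the on-chain lookup).
    if call.caller not in consent.licensees:
        return 403, "no valid license"
    # 4. Payment: reached only after consent and license both pass.
    if consent.commercial and not call.payment_settled:
        return 402, "payment required"
    return grant(call, "consent+license")

def demo():
    # Constructed sample data: a paying agent before and after revocation.
    c = Consent("patient", {"research"}, {"agent"}, commercial=True)
    paid = Call("agent", "research", payment_settled=True)
    before = authorize(paid, c)[0]
    c.revoked = True
    return before, authorize(paid, c)[0]  # paying does not bypass revocation
```

Because the payment check is the last branch, a denied call never reaches settlement and never writes an audit entry; only granted calls are logged.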

Metamorphic Consent, attribution, and dividends

Consent here is not a one-time checkbox. It is Metamorphic Consent: an ongoing, revocable economic relationship. Contribution is attributed, and value flows back to the patient as Biodata Dividends, with the patient keeping the overwhelming majority of any payment. Privacy-preserving Bloom filters do the fast per-call permission checks without exposing the underlying genome. And we reject federated learning as biodata laundering: every computation stays attributable, audited, and revocable, instead of quietly extracting value from genomes while erasing the person they came from.

What an AI service provider actually gets

Consent enforced in code. Per-call payment-and-consent gating. Instant, cryptographic revocation. Full attribution and dividends to the patient. And a hard guarantee that no model, agent, or partner can touch non-consented or revoked data. That is how you make an agentic genomics or healthcare AI product HIPAA-ready, GDPR-ready, and CCPA-ready by construction, not by paperwork.

This is the complement the Order calls for

The Executive Order and consent-in-code are two halves of the same promise. The Order hardens the infrastructure and prosecutes the attackers. A patient-owned BioNFT governs the relationship between a person and their own biology once a trusted agent is inside that infrastructure. Secure pipes plus enforceable, revocable consent is how we actually deploy "the best and safest technology" for the most sensitive data class there is.

Washington just made the smart move on AI security. The next move belongs to the data layer, and to the patients who own it. If you are building an agentic genomics or healthcare AI product, build it on rails where consent is code. If you are a patient, your DNA should answer to you, not to a login.

Author. Daniel Uribe, Founder and CEO, GenoBank.io. Sources. The White House (EO and fact sheet, June 2026); Ars Technica and the California Attorney General on the 23andMe breach and bankruptcy; IAPP on the 2026 health-AI agent rush.