Last month, President Trump issued an Executive Order entitled Promoting Advanced Artificial Intelligence Innovation and Security. The Order seeks to advance American leadership in artificial intelligence (“AI”) while addressing the cybersecurity, infrastructure, and national security risks posed by increasingly sophisticated AI systems. To that end, the Order directs federal agencies to undertake several initiatives, including the following:
- Directs federal agencies to accelerate adoption of advanced AI technologies and reduce barriers to AI innovation;
- Establishes a voluntary program through which developers of the most advanced AI models may submit those models for government-led cybersecurity testing and evaluation before public deployment;
- Directs federal agencies to strengthen cybersecurity capabilities through the use of AI-enabled tools and technologies;
- Prioritizes the protection of critical infrastructure sectors from AI-enabled cyber threats;
- Encourages the development of security standards, testing methodologies, and best practices for advanced AI systems;
- Promotes information sharing regarding AI-related vulnerabilities and threats; and
- Directs federal agencies to evaluate risks associated with increasingly capable AI models and their potential misuse.
Although these initiatives primarily target federal agencies and frontier AI developers, the Executive Order signals the Administration’s broader priorities to accelerate AI deployment while strengthening security and risk management practices across the broader ecosystem.
For healthcare organizations, the Executive Order’s significance lies less in its direct legal effect than in what it signals about the trajectory of AI governance and cybersecurity expectations. Healthcare is among the nation’s most targeted critical infrastructure sectors, and AI technologies are becoming deeply embedded across clinical, operational, and administrative functions.
AI and Cybersecurity Are Converging
Healthcare AI discussions have long centered on privacy, bias, transparency, explainability, and patient safety. While those concerns remain important, the Executive Order highlights a different and increasingly urgent issue, which is the intersection of AI and cybersecurity.
AI systems can serve both defensive and offensive purposes. AI technologies can help organizations automate threat detection, identify vulnerabilities, and strengthen incident response. Conversely, malicious actors can leverage AI to accelerate cyberattacks, enhance phishing campaigns, discover vulnerabilities, generate malicious code, and automate exploitation activities. For healthcare organizations, the implications are significant. AI must be evaluated not only as a technology or innovation initiative but as part of the organization’s overall cybersecurity and enterprise risk management programs. Organizations deploying AI across clinical, operational, or administrative functions may want to assess whether their governance frameworks adequately address AI specific security risks, including model manipulation, unauthorized access, data poisoning, prompt injection attacks, and misuse of AI enabled workflows.
AI Adoption Is Expanding the Healthcare Attack Surface
The Executive Order arrives as healthcare organizations are rapidly integrating AI into core business and clinical functions, from clinical documentation and coding to claims processing, cybersecurity operations, and patient communications. While these technologies offer substantial efficiency gains, they also introduce new risks. Many AI systems interact with sensitive data repositories, electronic health records, and enterprise applications, and may be granted broad access to organizational data in order to perform their intended functions. As healthcare organizations expand their use of AI, it is important to carefully evaluate whether existing security controls adequately account for these new technologies. Traditional cybersecurity assessments may not fully address risks associated with model behavior, third-party foundation models, autonomous decision-making, or AI-enabled access to enterprise systems. The Executive Order reinforces cybersecurity review integration into the AI deployment lifecycle from the outset, rather than treated as a downstream consideration.
Enhanced Focus on AI Vendor Risk Management
The Executive Order also underscores the importance of understanding the security posture of AI systems before deployment. The underlying principle of the Order suggests that organizations deploying AI should understand the capabilities, limitations, and security characteristics of the technologies they use. Many healthcare organizations evaluate AI vendors through procurement processes designed for traditional software. AI systems, however, raise additional considerations relating to model training, data usage, third-party dependencies, model security, and ongoing monitoring. Organizations evaluating whether existing vendor review processes are sufficient, may consider addressing questions such as:
- How was the model developed and tested?
- What security controls protect the model and underlying infrastructure?
- How does the vendor use customer data?
- Is customer data incorporated into future model training?
- What subcontractors or third-party models are involved?
- How are vulnerabilities identified and remediated?
- What monitoring and incident response capabilities are in place?
As AI adoption accelerates, healthcare organizations should increasingly seek contractual protections addressing AI-specific risks, including data usage restrictions, audit rights, security commitments, and incident notification requirements.
Agentic AI Creates New Governance Considerations
The Executive Order’s focus on advanced AI systems is particularly relevant as healthcare organizations begin exploring agentic AI, which refers to systems capable of acting with significant autonomy. Unlike traditional software, agentic AI systems may independently execute tasks, interact with multiple applications, access enterprise systems, and make decisions with limited human intervention. In healthcare, these systems could eventually assist with administrative processes, such as scheduling, revenue cycle functions, patient communications, clinical workflows, and supply chain operations.
While these capabilities offer significant benefits, they also create novel governance and security challenges. An AI agent that interacts with enterprise systems effectively functions as a new category of user within the organization. Existing governance structures may not adequately address issues such as access management, activity monitoring, escalation procedures, auditability, human oversight, and operational controls for these systems. As deployment of increasingly autonomous systems advances, these considerations will likely become critical to AI governance programs.
What Healthcare Organizations Should Consider Now
The Executive Order serves as an important signal regarding the future direction of AI governance and cybersecurity policy. In light of these developments, healthcare organizations several near-term priorities are worth consideration:
- evaluating whether existing AI governance programs adequately address cybersecurity risks;
- assessing whether AI vendor diligence processes are sufficiently robust;
- developing governance frameworks for advanced, emerging AI technologies such as agentic AI deployments; and
- ensuring that AI-related risks are addressed through enterprise-wide governance structures.
As AI becomes increasingly embedded within healthcare operations, organizations that proactively address governance, cybersecurity, and operational resilience will be best positioned to realize the benefits of AI while effectively managing the risks that accompany its adoption.