By Andres Garcia, J.D., CAMS

Senior compliance management professional · 10+ years BSA/AML and fintech regulatory experience · Drafter, Technology Accountability and Social Harm Prevention Act (TASHPA) framework.

On June 2, 2026, the President signed an executive order on artificial intelligence. The headline provision is a thirty-day review: the government asks the most capable AI companies to submit their most powerful models for testing before they release them. The order also stands up an information-sharing clearinghouse for software vulnerabilities and directs federal agencies to harden their own defenses.

Read it the way a compliance person reads a new rule, and one word organizes the whole thing. The review is voluntary. Not just unenforced in practice. Voluntary by design. The order goes out of its way to say that nothing in it should be read to create “a mandatory governmental licensing, preclearance, or permitting requirement” for building or releasing AI models. A voluntary review, a voluntary clearinghouse, and a written promise not to require anything.

I spent more than a decade building and running compliance programs under the Bank Secrecy Act. Head of AML at a brokerage. Compliance management at a payments company and a digital bank. This order is reaching, carefully, for the model I lived inside. And the one feature it leaves out is the feature that makes the model work.

What voluntary does to a reporting system

A voluntary review is the one a company can decline in the quarter it has something it would rather not show you. That is not cynicism about technology companies. It is how incentives run inside any organization, including the ones I worked for. The duty has to be the part that does not move.

The Bank Secrecy Act works because the duty does not move. A bank does not file a suspicious activity report because it feels public-spirited. It files because the law requires it, on a clock, with liability attached to getting it wrong. And once an institution has to file the same pattern month after month into a central agency, a second thing happens that the statute never quite says out loud. Someone, eventually, asks why the bank keeps reporting a problem it has not fixed. The obligation to report drags the obligation to fix in behind it. Reporting is the forcing function for the whole compliance program, not the paperwork at the end of it.

Take the requirement away and you do not get a lighter version of the same system. You get a different system. You keep the good intentions and lose the machinery. What a voluntary regime produces is a trust-and-safety page and a quarterly blog post, written by the company and graded by no one.

They already know voluntary isn’t enough

Here is what makes the timing of this order strange. In the same window, the chief executives of the largest AI companies in the world, OpenAI, Anthropic, Google DeepMind, and Microsoft AI, signed an open letter asking Congress to make screening and recordkeeping mandatory on synthetic DNA. By law. Not the voluntary screening that parts of that industry already do. A statutory requirement, because, in their words, AI is starting to erode the barriers that have kept biological weapons out of reach.

Screen the customer. Keep the record. File it centrally. That is the Bank Secrecy Act in a different vocabulary, asked for by the people with the most to lose from regulation.

They reached for the mandatory version in the one corner where the harm is a mushroom cloud. They know, because their own engineers told them, that voluntary is not enough there.

Then this executive order answered the rest of what those same models can do with a review nobody has to show up for.

An order is not a law

There is a second problem with doing this by executive order, and it has nothing to do with whether thirty days is the right number.

An executive order lasts exactly as long as the administration that signs it. The next President can undo this one with a pen, the way this one undid others. The clearinghouse, the review window, the careful drafting, all of it survives at the pleasure of whoever holds the office. That is no way to build a system meant to outlast a news cycle, let alone a technology that will be reshaping the economy for decades.

We should not be leaving it to one administration, or to the executive branch alone, to decide what the public is allowed to know about the most powerful technology being built.

A decision with that weight belongs to Congress, in a law, with an independent function standing behind it that does not change hands every four years.

What the reporting is actually for

The objection I take seriously is that mandatory reporting is a brake on a technology the country has every reason to want to win at. I ran these programs. I sat in the room on the days the examiner was there and the data could not answer the question being asked. I am not romantic about paperwork.

The Bank Secrecy Act was never mainly about catching the crime in the moment. It usually does not. It did not stop the September 11th financing or the Epstein network in real time. What it did was build a contemporaneous record, filed when the activity happened, that investigators could read later to map the network, trace the money, and do the attribution that would otherwise have been impossible. The value of a reporting regime shows up on a longer clock than the quarter the report was filed in. Records compound.

That is the thing a voluntary review cannot create: a real body of evidence about what these systems are doing, held somewhere other than the company that built them. Without it, every decision we make about how to govern this technology is made in the dark, on the industry’s own telling. With it, we can at least argue about the controls we need from a shared set of facts. You can keep people safe and still let the economy and the technology move forward. Reporting is how you do both, because it informs the controls we will need instead of banning the ones we have.

The framework

Closing this gap on paper is what I have spent the past several months doing. I have drafted a legislative framework, the Technology Accountability and Social Harm Prevention Act, that does for artificial intelligence and social media what the Bank Secrecy Act did for finance. The same architecture, translated. A mandatory incident report modeled on the suspicious activity report. A central intelligence unit modeled on FinCEN, to receive those reports and connect patterns no single company can see. Risk-tiered obligations, so a startup carries a lighter load than a system reaching hundreds of millions of people. And a safe harbor, because without protection for the people who report in good faith, the rational move is silence, and the system collapses. A full white paper and the legislative text are forthcoming.

The order is a start, and the people who wrote it know it is a start. There are already calls to have Congress codify it. They are right, and Congress should go further than the order did. The most credible people in artificial intelligence have already said, in writing, that the banking model works when the stakes are high enough. The stakes are already high enough across the rest of what their technology touches.

Voluntary is the version that does not work. I know, because I spent a decade inside the version that does, and the first thing it required was that you could not opt out.