Putting compliance into the architecture

Compliance isn't a checklist bolted on at the end; it shapes the boxes on the architecture diagram:

- On-device retrieval — keeps PHI local
- Outbound guard + audit log — provable minimum-necessary
- Encryption at rest via Keychain/Keystore
- BAA + zero-retention with any LLM provider that sees snippets
- Explicit consent + delete
- A "not a medical diagnosis; consult your clinician" boundary on every answer

Being able to narrate why each architectural choice exists in compliance terms is exactly what an "AI Innovator" hire for a genomics product is being tested on.
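The "outbound guard + audit log" box is the one a reviewer will ask you to prove, so here is an added example of what it can look like in code. This is not code from the original page or from any product it describes; it assumes a hypothetical app where locally retrieved snippets pass through one gate (`OutboundGuard`) before any remote LLM call. The identifier patterns, the snippet budget and the entry field names are illustrative assumptions, not a complete PHI list. Two properties are enforced: only redacted, size-capped text leaves the device (minimum-necessary), and every decision, sent or blocked, lands in a hash-chained log that stores digests of the payload rather than the PHI itself, so the log can be reviewed without becoming a second PHI store.

```python
"""Outbound guard + hash-chained audit log (added example; hypothetical app).

Sits between on-device retrieval and the LLM client. Nothing reaches the
provider unless consent is on file, the provider is under BAA/zero-retention,
direct identifiers have been redacted, and the snippet fits a size budget.
"""
import hashlib
import json
import re
import time

# Illustrative direct-identifier patterns (assumption: NOT an exhaustive
# list of the HIPAA identifiers; a real deployment needs a vetted set).
PHI_PATTERNS = {
    "MRN": re.compile(r"\bMRN[:\s#]*\d{6,}\b", re.IGNORECASE),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "DOB": re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "PHONE": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
}

MAX_SNIPPET_CHARS = 600  # assumed per-call budget for "minimum necessary"


class OutboundBlocked(Exception):
    """Raised when a payload is not allowed to leave the device."""


def redact(text: str) -> tuple[str, dict[str, int]]:
    """Replace direct identifiers with typed placeholders; return counts."""
    counts: dict[str, int] = {}
    for label, pattern in PHI_PATTERNS.items():
        text, n = pattern.subn(f"[{label}]", text)
        if n:
            counts[label] = n
    return text, counts


def _digest(obj) -> str:
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class OutboundGuard:
    """Single choke point for snippets sent to a remote LLM provider."""

    def __init__(self, provider_has_baa: bool, consent_given: bool):
        self.provider_has_baa = provider_has_baa
        self.consent_given = consent_given
        self.audit_log: list[dict] = []
        self._prev_hash = "0" * 64  # genesis link of the hash chain

    def _append_audit(self, **fields) -> None:
        # Each entry commits to the previous one, so deleting or editing an
        # entry later breaks verify_chain(). No raw snippet text is stored.
        entry = {"ts": time.time(), "prev": self._prev_hash, **fields}
        entry["hash"] = _digest(entry)
        self._prev_hash = entry["hash"]
        self.audit_log.append(entry)

    def _deny(self, purpose: str, reason: str) -> None:
        self._append_audit(purpose=purpose, decision="blocked", reason=reason)
        raise OutboundBlocked(reason)

    def prepare(self, snippet: str, purpose: str) -> str:
        """Return the payload permitted to leave, or raise OutboundBlocked."""
        if not self.consent_given:
            self._deny(purpose, "no_consent")
        if not self.provider_has_baa:
            self._deny(purpose, "no_baa_zero_retention")
        redacted, counts = redact(snippet)
        if len(redacted) > MAX_SNIPPET_CHARS:
            self._deny(purpose, "exceeds_budget")
        self._append_audit(
            purpose=purpose,
            decision="sent",
            redactions=counts,
            chars=len(redacted),
            payload_sha256=hashlib.sha256(redacted.encode()).hexdigest(),
        )
        return redacted


def verify_chain(log: list[dict]) -> bool:
    """Recompute every link; False if any entry was altered or removed."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev") != prev or _digest(body) != entry.get("hash"):
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    # Constructed sample snippet, not real patient data.
    guard = OutboundGuard(provider_has_baa=True, consent_given=True)
    sample = ("Patient MRN: 00123456, DOB 04/12/1980. BRCA1 c.68_69delAG "
              "reported as pathogenic. Contact jane@example.com")
    print(guard.prepare(sample, purpose="variant_explanation"))
    print(json.dumps(guard.audit_log, indent=2))
    print("chain ok:", verify_chain(guard.audit_log))
```

The redaction step is what lets you say "minimum-necessary" with a straight face: the clinical content (the variant) survives, the identifiers do not, and the log records how many of each type were stripped without recording what they were. Blocked calls are logged too, which is what an auditor wants to see when a provider contract lapses or consent is withdrawn.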