The National AI Governance Playbook · Part I · Chapter 2
The implementation gap
Between a published governance program and a working governance system sit two intermediate states: a designed policy and a binding instrument. This chapter examines the stage where both are produced, and what tends to happen when it is compressed.
By Myriam Ayada · MindXO · July 2026
In brief
Governance programs pass through four states: strategic intent, designed policy, binding instrument and operating system. The difficult questions concentrate in the second state, where scope, institutional roles and funding are resolved. Jurisdictions that run policy design as a distinct stage, with an owner and a mandate, tend to reach implementation with fewer overlaps and clearer accountability.
Four states between intent and operation
A governance program begins as strategic intent: an objective, a description and a delivery lead, published in the national AI strategy. It ends, when it succeeds, as an operating system: entities staffed, instruments in force and measurement running. Between the two sit intermediate states that receive far less attention than either end. The designed policy resolves what the program governs, which entities carry which functions, and how capabilities with upfront cost are funded. The binding instrument then carries that design into force, through whichever vehicle the jurisdiction has available.
Sheet 02 of 13, four states and the shortcut that skips two of them: strategic intent (published program, cabinet or ministry), designed policy (scope, roles, funding, policymaker), binding instrument (adopted instrument, legislature or executive), operating system (entities and measures, regulators and agencies). A dashed arc from the first state to the fourth marks delivery assigned directly: the gap.
The implementation gap opens when delivery is assigned directly from the first state to the fourth. The intermediate work does not disappear; it migrates into the delivery entities, where it is performed piecemeal, under operational pressure, and without a mandate to resolve questions that cross program boundaries.
How a compressed design stage presents
The pattern is observable in published programs before any implementation begins. Five symptoms recur.
- Overlapping mandates. The same concepts, a risk regime, standards, testing, trustworthiness, recur across several programs with the boundary between them undrawn. Each delivery lead reads the shared vocabulary as its own scope.
- Scattered capability. A safety, evaluation or standards function appears in more than one program, with no single institutional home, no funding line and no sequencing between the appearances.
- Unassigned risk. AI risk in critical sectors, energy, telecommunications, health and financial infrastructure among them, belongs to no program explicitly, and the interface with existing cybersecurity mandates is left open.
- Vertical compression. One entity is expected to set the rules, evaluate against them, assure compliance and enforce outcomes, a span that few institutions carry well and that concentrates design risk in a single mandate.
- Undated commitments. International alignment and future instruments are cited without a named domestic carrier, an owner or a date, so the commitments remain declaratory.
A design stage in practice
Jurisdictions with working governance systems inserted a visible design stage between intent and delivery, each through its own institutional route.
European Union
A white paper and impact assessment (2020) preceded the legislative proposal (2021), which moved through co-legislation to adoption as Regulation (EU) 2024/1689. Obligations reached regulators and firms after four years of visible design, and application is itself staged through 2027.
United Kingdom
A white paper (2023) set out a principles-based, regulator-led model, and a consultation response (2024) confirmed the approach before any statutory step. Evaluation capability was built in parallel through the AI Security Institute, so assurance capacity preceded binding obligations.
Singapore
Sectoral principles (FEAT, 2018) were followed by industry testing through the Veritas consortium, a public evaluation toolkit (AI Verify, 2022), and a consultation on supervisory guidelines for financial institutions (2025). Each step produced evidence for the next.
What the design stage produces
Run properly, the stage yields five artefacts, and each maps to a later part of this playbook.
- Drawn boundaries. Each program's scope stated against its neighbours, in a shared vocabulary of functions (Chapters 3 and 4).
- An institutional model. Functions allocated to named entities, with the span of each mandate deliberately set (Chapters 6 and 9).
- A funding decision. Capabilities with upfront cost, evaluation and testing above all, financed explicitly (Chapter 10).
- A legal vehicle. The instrument, or set of instruments, that will carry the design into force in the jurisdiction (Chapter 8).
- A measurement baseline. Leading indicators and milestones defined before delivery begins, so progress is observable from the first year (Chapter 12).
Common failure mode. Delivery entities drawing their own mandates. When implementation is assigned before policy is designed, each delivery entity interprets its boundaries from inside its own mandate. Overlaps surface later, as duplicated functions and contested ownership, at the point in the program cycle where adjustment is most expensive.
Drawing those boundaries requires a shared vocabulary for what AI governance contains. Chapter 3 sets out the four functions that recur in every national program, standard-setting, evaluation and testing, assurance and use-regulation, and the properties that keep them distinct.
Three questions for every government
- For each governance program, does a designed policy exist between the published intent and the assigned delivery lead, covering scope, institutions and funding?
- Which entity owns the design stage, and does it stand apart from the entities that will deliver the programs?
- Where two programs reference the same function, which document draws the boundary between them, and when was it last reviewed?
Selected public sources
- White Paper on Artificial Intelligence: a European approach to excellence and trust, European Commission, 2020
- Regulation (EU) 2024/1689 (AI Act), European Union, 2024
- A pro-innovation approach to AI regulation, white paper and government response, United Kingdom, 2023 and 2024
- FEAT Principles, Monetary Authority of Singapore, 2018
- AI Verify, IMDA and AI Verify Foundation, Singapore, 2022
- Consultation Paper on Guidelines on Artificial Intelligence Risk Management, Monetary Authority of Singapore, 2025