The National AI Governance Playbook · Part III · Chapter 7
Sequencing the rollout
A governance regime arrives in an order, chosen or not. This chapter treats sequencing as a design decision: the three tracks every rollout runs, the criteria for choosing the first sectors, staging written into the instrument itself, and the record that keeps obligations from outrunning capability.
By Myriam Ayada · MindXO · July 2026
In brief
No jurisdiction has brought an AI governance regime into force in a single movement. Institutions, frames and rulebooks arrive over several years, and the order of arrival is either chosen or emergent. Public practice shows three patterns: one economy-wide act whose obligations switch on in waves, a sector-first order in which supervisory rules follow years of evidence, and a principles-first order in which evaluation capability is built ahead of any statute. All three arrange the same three tracks, the capability build, the horizontal frame and the sector waves, and the design decision is the set of offsets between them. The artefact that keeps the order chosen is a dated sequencing record in which no obligation takes effect before the capability it depends on.
Order is a decision
Every element of the architecture in Part II arrives on some date. The regimes of Chapter 4 are built by institutions that must be funded and staffed, the chain of Chapter 5 is written one instrument at a time, and the answers to the five questions of Chapter 6 take effect in whatever order their carrying instruments are adopted. A rollout therefore has an order whether or not anyone designs one. Treating the order as a design variable, with the same attention given to scope or institutional form, is what separates a sequenced program from a program with a history.
The order matters because it determines which failures are possible. Obligations that arrive before capability produce rules that cannot be met or verified: a duty to obtain accredited assurance is unenforceable while no assessor is accredited. Capability that arrives before any obligation produces evidence without a user: evaluations that inform no rule and oblige no one, a cost carried in advance of a mandate that may drift. Sector rulebooks that arrive before the horizontal frame produce divergence: each regulator defines its own terms, and the differences harden into the coherence gap of Chapter 6. Each of these is a sequencing failure before it is a legal or institutional one.
Public practice shows three ways of choosing the order. The European Union legislated once, economy-wide, and staged the obligations inside the act itself, with duties switching on in waves through 2027. Singapore let one sector lead: the Monetary Authority of Singapore published the FEAT principles in 2018, testing followed through AI Verify from 2022, and supervisory guidelines on artificial intelligence risk management reached public consultation in 2025, seven years after the principles they consolidate. The United Kingdom placed principles ahead of statute and capability ahead of both, asking existing regulators to apply cross-sector principles while the AI Security Institute built evaluation capacity in advance of any AI-specific law. The three patterns disagree on almost everything except the premise: the order was chosen, and the rest of each design follows from it.
Three tracks, one calendar
Beneath the differences, every rollout runs the same three tracks. The capability track builds the safety and security regime: the evaluation institute, the accreditation authority and the assessor market, the build specified in Chapter 10. The frame track produces the horizontal reference of Chapter 6: definitions, risk thresholds, the standards the rulebooks will cite, and the reporting formats that keep sectors comparable. The wave track writes the sector rulebooks of the usage-based regime, in a chosen order rather than all at once. The tracks share one calendar, and the design decision is the set of offsets between them: how far capability runs ahead of the frame, and how far the frame runs ahead of the first wave.
T1. Capability: what must exist before anything binds
Carries: the safety and security build of Chapter 10: the evaluation institute, the accreditation authority and the assessor market the mandates will draw on. Milestones: institute operating, first evaluations published, accreditation scheme live, assessors accredited in numbers the first wave can absorb. Paced by: hiring, tooling and accreditation lead times, which respond slowly to deadlines set elsewhere.
T2. Horizontal frame: what every sector will share
Carries: the coherence frame of Chapter 6: definitions, risk thresholds, the standards the rulebooks cite, and common reporting formats. Milestones: definitions adopted, thresholds set, standards designated, the frame published as a reference other instruments can cite. Paced by: drafting and consultation cycles; typically the fastest of the three tracks when the design phase is staffed.
T3. Sector waves: where obligations reach firms
Carries: the sector rulebooks of the usage-based regime, arriving in a chosen order with dates attached. Milestones: wave one named, wave-one rules in force, supervision and assurance running, wave two triggered by wave-one evidence. Paced by: supervisor readiness, and the assurance capacity the capability track has produced by each switch-on date.
Read as offsets, the three public patterns become settings of the same dials. The European Union set the offset between frame and waves close to zero, one act carrying both, and accepted that the capability track would have to keep pace with dates fixed in law. Singapore ran a single wave years ahead of the frame and let the frame consolidate what the wave had learned. The United Kingdom ran the capability track first and held the wave track deliberately late. None of the settings is neutral. Each buys speed on one track at the price of risk on another, which is why the offsets belong in the design record rather than in an implementation annex.
Sheet 07 of 13, three tracks on one calendar and the dependencies between them: three lanes, capability, horizontal frame and sector waves, run across one calendar from T0 to beyond three years. The capability lane stands up the evaluation institute and the accreditation scheme until assessors are accredited near the two-year mark. The frame lane drafts definitions and thresholds with the sectors and publishes the frame, with its standards cited, near the one-year mark. The wave lane opens with finance only after the frame is published, makes assurance mandatory only once assessors are accredited, and schedules wave two on wave-one evidence. A coral dashed block at the start of the wave lane marks the anti-pattern: obligations before capability.
Choosing the first sectors
The wave track opens with a choice: which sectors go first. Four criteria recur in public practice, and they tend to pull in the same direction.
- Supervisor maturity. Wave one lands best where an experienced regulator already runs licensing, inspection and sanction machinery, so the AI rulebook extends a working practice rather than founding one.
- Risk concentration. The first wave belongs where AI already makes consequential decisions about people and money at scale, so the new obligations govern live risk rather than anticipated use.
- Evidence availability. Early sectors need assurance that can actually be tested: documented models, measurable outcomes, and firms accustomed to producing evidence for a supervisor.
- Demonstration value. A visible wave-one success recruits wave two. The first sector's templates, guidance and trained assessors become the starting stock for every sector that follows.
Finance recurs as wave one across jurisdictions because it scores on all four criteria at once: mature supervision, concentrated algorithmic decision-making, an established model risk practice, and a demonstration effect the rest of the economy watches. Singapore's trajectory is the clean illustration: principles addressed to the financial sector in 2018, a testing toolkit generalised from that base, and a consultation on supervisory guidelines in 2025 once the evidence had accumulated. Wave-one criteria discipline wave two as well, because they state what must be true, in supervision, in evidence and in assessor capacity, before the next sectors switch on.
Staging inside the instrument
Sequencing can also be written into the law itself. Regulation (EU) 2024/1689 entered into force in August 2024 and applied almost none of its obligations on that date. Prohibited practices apply from February 2025, obligations on general-purpose models from August 2025, and the high-risk obligations in phases through 2026 and 2027. Staged application is sequencing made legal text. The waves carry dates inside the instrument, published in the official journal rather than in a program plan, which makes the order public, binding and expensive to revise.
Fixing the calendar in the instrument carries a presumption: every dated obligation assumes that the capability it draws on exists by the date named. A high-risk regime that switches on in 2026 presumes standards to cite, assessment bodies to test against them and supervisory capacity to act on the results. The instrument fixes the dates without building any of that, so the calendar in the law and the calendar of the capability track have to be managed as one program. Once the dates sit in legal text, the sequencing question becomes whether the capability track can keep them.
Common failure mode. Obligations that outrun capability. Rules take effect before any assessor is accredited or any evaluation capacity exists. Compliance becomes self-declaration, since no one is available to verify anything else; deadlines slip publicly, since the gap is visible to every firm regulated by it; and the regime's first formal contact with much of the market is an extension notice. The staged application of the EU act and the capability-first order of the United Kingdom read as designs against this failure, approached from opposite directions.
The sequencing record
A useful early artefact is a sequencing record: one page that states the chosen order and the conditions attached to it. The format is a grid, the three tracks as rows and quarters as columns, with every obligation, milestone and dependency placed on it. The record carries a single rule: no obligation appears on the wave row before its dependency appears on the capability row. Assurance becomes mandatory only after assessors are accredited, reporting duties begin only after the formats exist, and wave two opens only after the wave-one conditions are met.
The record needs an owner and a reader. It is owned by the design authority of Chapter 9, the body positioned to trade speed on one track against readiness on another, and it is read against the scorecard of Chapter 12, which reports whether the calendar is being kept and which dependencies are slipping. Artefacts of this kind tend to stay current only when one body owns them and another is required to read them, which is the pairing those two chapters supply. Kept current, the record turns sequencing from an implicit property of the program into a document that can be examined, funded and revised.
Sequencing presumes an instrument to stage. Obligations acquire dates only inside a legal carrier, and the choice of carrier, statute, decree, targeted amendment or existing plan, changes what staging can look like. Chapter 8 chooses the vehicle.
Three questions for every government
- In what order do the capability build, the horizontal frame and the sector waves arrive, and is that order written anywhere with dates?
- Which obligations depend on capability that does not yet exist, and what switches them on?
- Which sector leads wave one, against which criteria was it chosen, and what must be true before wave two begins?
Selected public sources
- Regulation (EU) 2024/1689 (AI Act), European Union, 2024
- A pro-innovation approach to AI regulation, white paper and government response, United Kingdom, 2023 and 2024
- AI Security Institute (formerly AI Safety Institute), United Kingdom, renamed 2025
- FEAT Principles, Monetary Authority of Singapore, 2018
- AI Verify, IMDA and AI Verify Foundation, Singapore, 2022
- Consultation Paper on Guidelines on Artificial Intelligence Risk Management, Monetary Authority of Singapore, 2025