Abstract
Between Q4 2023 and Q2 2026, eight jurisdictions produced at least twenty-three governance-relevant regulatory events (declarations, statutes, enforcement milestones, and institutional restructurings) requiring organisational AI governance frameworks to adapt. Analysis of this dataset reveals a structural gap: the median organisational governance review cycle (annual) is mismatched to the observed regulatory velocity (~4.2 significant events per year). This mismatch produces what this paper terms the gatekeeper problem: governance frameworks authored under one set of conditions, maintained (or not) by a different set of people under different incentive structures, and consulted under conditions neither anticipated. Three failure modes (Snapshot, Calendar, and Committee Governance) are identified from observable practice. The TRACE framework (Trigger, Review, Accountability, Changelog, Escalation) is proposed as a governance maintenance protocol operationalising dynamic capabilities theory in the governance context. Implications are assessed for organisations navigating the EU AI Act’s high-risk obligations (deadlines the May 2026 Digital Omnibus postponed to December 2027 and August 2028) and the deeper structural challenge of adapting the New Legislative Framework, a product-safety architecture built for deterministic goods, to software that continuously infers and self-evolves. That challenge is most visible where the AI Act meets the Machinery Regulation (EU) 2023/1230, applicable January 2027. Finally, the analysis contrasts the EU’s folded governance architecture with Singapore’s unbundled governance stack: the architectural counterpart to TRACE, in which only the fast control layer has to move at all.
1. Introduction: The Gatekeeper Problem
Consider a governance page on an organisation’s public website. It carries a “last reviewed” date of March 2024. In the intervening period: the EU AI Act entered into force (August 2024), prohibited AI practices became enforceable (February 2025), the Paris AI Action Summit exposed a geopolitical fracture in multilateral governance (February 2025), and Malta enacted Legal Notices 226 and 227 designating its domestic enforcement authorities (10 October 2025). The framework the organisation published as current in March 2024 does not reference any of these events.
This is not unusual. It is the norm.
The gatekeeper problem has two components. First, governance frameworks are typically authored during a compliance sprint: a bounded period of intensive effort triggered by a regulatory signal, often the threat of enforcement. The framework reflects the regulatory environment at the moment of authoring. Second, after publication, responsibility for maintaining the framework is diffuse: a committee, a compliance function, or simply whoever created it. No mechanism exists to detect when the framework has drifted from regulatory reality, and no named individual has the authority to trigger a review outside the annual cycle.
The result is a governance infrastructure that was accurate once, at the moment of publication, and has been degrading since. The EU AI Act’s enforcement timeline makes this degradation consequential, and then demonstrated it. When the first version of this paper was published in April 2026, the high-risk compliance deadline was 2 August 2026. Weeks later, the EU’s May 2026 Digital Omnibus postponed it to December 2027 and August 2028. A paper about governance frameworks decaying as regulation moves had itself aged within a month of publication. The fines remain substantial: up to €15 million or 3% of global annual turnover for violations.
The global declaration series offers an uncomfortable parallel. Between November 2023 and February 2026, five AI governance declarations were produced by progressively larger coalitions. The signatories grew from 29 (Bletchley, 2023) to 92 (New Delhi, 2026). The commitments, systematically, grew weaker. Each summit gained broader participation by asking less of its members. Declarations are consensus documents; consensus is the enemy of specificity; and specificity is what governance requires.
This paper analyses the gap between the regulatory environment and typical governance maintenance practice, identifies structural failure modes, and proposes the TRACE framework as a protocol for closing it.
2. Theoretical Grounding
Three bodies of theory inform the analysis.
Institutional isomorphism (DiMaggio & Powell, 1983) predicts that organisations adopt structures not because they are effective but because peers have them. This explains why AI governance frameworks proliferate without being maintained: adoption provides legitimacy; maintenance provides compliance. The incentive is to have a governance page, not to keep it current. Where isomorphic pressure is the primary driver of adoption, governance quality will be uniformly low: every organisation has the form without the function.
Principal-agent theory provides a structural account of the gatekeeper problem. Principals (boards, regulators, customers) require governance; agents (product teams, engineering leads, commercial functions) execute under different incentive structures. The agent optimises for velocity: shipping products, closing deals, meeting sprint commitments. Governance review is a cost with diffuse benefits. Without explicit accountability structures and monitoring mechanisms, the rational agent defers maintenance. The governance framework ages while the deployment accelerates.
Dynamic capabilities (Teece, Pisano & Shuen, 1997) frames the solution. Sustainable advantage requires not static resources but the capacity to sense, seize, and reconfigure. Applied to governance: an organisation with governance sensing (a mechanism for detecting regulatory change), governance seizing (the authority and process to update frameworks rapidly), and governance reconfiguring (the ability to retire outdated elements) is more resilient than one with a better initial framework but no maintenance process. The TRACE framework proposed in Section 6 is a practical operationalisation of dynamic capabilities in the governance domain.
3. Methodology
This analysis is applied desk research, not a peer-reviewed empirical study. The regulatory velocity dataset (Section 4) was constructed from primary sources: official EU Commission registers, Council of Europe treaty records, national legislative gazettes (Malta Government Gazette LN 226/227, 2025), and summit declarations verified against official government publication channels.
Events were included if they met one of two criteria: (a) creation of new legally binding obligations on AI-deploying organisations in at least one EU jurisdiction, or (b) material change to the international governance architecture affecting how organisations interpret or communicate their AI risk posture. US and UK events were included where they created precedent effects or policy divergence relevant to EU-operating organisations. Events of purely national significance to non-EU, non-UK jurisdictions were excluded, with the exception of China as a significant trade partner with a divergent regulatory approach. Two further non-EU events are included on a separate basis. Singapore’s IMDA agentic-AI framework (its 22 January 2026 launch and 20 May 2026 v1.5) is non-binding and sits outside the EU obligation set, but is included as architecturally significant: the world’s first agent-native governance framework, and the clearest worked example of the unbundling discussed in Section 6. It is treated as corroborating global regulatory velocity, not counted in the EU-obligation event total or the ~4.2-events-per-year figure.
The TRACE framework is inductive: derived from pattern-matching across observable governance failure modes, grounded in the three theoretical frameworks above, and proposed as a practitioner protocol. It has not been validated against longitudinal governance performance data; that limitation is noted in Section 8.
The declaration timeline
The number of nations signing global AI governance declarations tripled in three years, from 29 at Bletchley Park (2023) to 92 at New Delhi (2026). Each summit gained broader participation by asking less of its signatories.
- Bletchley Park (November 2023): 29 signatories. First global AI safety agreement. US and China in the same room for the first time on tech governance. Established the summit series and the vocabulary of "frontier AI."
- Seoul (May 2024): 16 companies signed Frontier AI Safety Commitments. Launched the AI Safety Institutes Network across 10 countries. The conversation expanded from governments to industry.
- Paris (February 2025): ~60 signatories. Name shifted from "Safety" to "Action." First geopolitical fracture: the US and UK both refused to sign.
- Council of Europe Framework Convention on AI (September 2024): First legally binding international AI treaty. Covers human rights, democracy, and rule of law. Not yet in force; requires 5 ratifications.
- Malta Declaration (April 2025): Commonwealth Lawyers Association, 56 nations. Professional ethics framework with seven principles. First Asimov-inspired AI principle adopted by the legal profession.
- New Delhi (February 2026): 92 signatories. Broadest consensus yet, achieved by explicitly rejecting the concept of "global governance of AI." Over $200 billion in announced AI investment.
- Geneva (2027): Forthcoming. Expected to refocus on international law and fundamental rights at the centre of multilateral cooperation.
What happened at each summit
Bletchley Park was procedural. The declaration committed to no enforcement mechanisms, no timelines, no penalties. Its value was in getting 29 countries to agree that frontier AI poses risks requiring cooperation, and commissioning a State of the Science report led by Yoshua Bengio.
Seoul moved beyond governments. Sixteen companies (including Amazon, Anthropic, Google, Meta, Microsoft, and OpenAI) agreed to publish safety frameworks and halt deployment if risks couldn’t be mitigated. Seoul also explicitly recognised the need for accessible AI resources for SMEs, startups, and academia.
Paris exposed the first major crack. The US position, stated by VP JD Vance: AI "must remain free from ideological bias." The UK found the language "too restrictive." The conversation shifted from speculative long-term risks toward jobs, sustainability, and the digital divide.
Each summit gets broader participation but weaker commitments. The trade-off between inclusivity and substance is the defining tension of AI governance.
New Delhi was the largest summit yet: six days, 92 countries. India achieved US and China participation by explicitly rejecting global governance. Broader participation came at the cost of binding language. Reporters Without Borders identified a "gaping hole" around the right to reliable information. Chatham House observed that "people want clear rules, real enforcement and independent monitoring", none of which the declaration provides.
Primary sources
- Bletchley Declaration (November 2023, 29 signatories): First global AI safety agreement. Commissioned the Bengio State of the Science report.
- Seoul Frontier AI Safety Commitments (May 2024, 16 companies): First company-level safety commitments. Launched AI Safety Institutes across 10 countries.
- Paris AI Action Summit Statement (February 2025, ~60 signatories): Shifted from safety to inclusion and sustainability. US and UK refused.
- New Delhi AI Impact Summit (February 2026, 92 signatories): Broadest consensus. US rejoined on condition of no global governance.
- Geneva AI Summit (2027, forthcoming): Expected refocus on international law and fundamental rights.
- Council of Europe Framework Convention on AI (September 2024, binding treaty): First legally binding international AI treaty. Not yet in force.
- Malta Declaration on the Use of AI (April 2025, 56 Commonwealth nations): Professional ethics framework with seven principles.
The document that already exists: Malta Declaration 2025
While governments were producing these summits, a different kind of declaration was adopted in Malta.
The Malta Declaration 2025 on the Use of AI was issued by the Commonwealth Lawyers Association at the 24th Commonwealth Law Conference in April 2025. It’s a professional ethics framework, not a government treaty, but it carries the CLA’s institutional weight across 56 Commonwealth nations.
Seven principles:
- Human protection: AI must never harm, and must always remain under human control
- Ethical principles and human rights: equity, transparency, accessible redress
- Privacy and data governance: informed consent, robust data protection
- Security and safety standards: risk assessment at every stage, emergency deactivation protocols
- Innovation and sustainability: aligned with sustainable development goals
- International collaboration: global standards respecting cultural diversity
- Environmental responsibility: minimise negative environmental impact from AI
The declaration’s first principle deliberately echoes Asimov’s Laws of Robotics: "A human being must never be harmed nor should a human being ever, by inactivity, be allowed to come to harm."
The Malta Declaration matters because it signals where the legal profession is heading. When lawyers across 56 Commonwealth nations adopt a shared framework for AI accountability, businesses should expect AI-related scrutiny from their lawyers, auditors, and regulators to increase, not as a possibility, but as a professional obligation.
This is voluntary. It doesn’t create legal obligations. But it establishes the ethical baseline that legal professionals across the Commonwealth will increasingly hold their clients to.
From declarations to law: the EU AI Act and the Council of Europe Convention
Two instruments have moved beyond declarations into binding legal territory.
The Council of Europe Framework Convention on Artificial Intelligence, opened for signature in September 2024, is the first legally binding international treaty on AI. Its signatories include the US, UK, EU, Canada, Japan, and Israel. It covers human rights, democracy, and rule of law in relation to AI systems. It has not yet entered into force (five ratifications are required, including three from Council of Europe member states) but it establishes a legal framework that will eventually bind all ratifying nations, Malta included.
The instrument with the nearest deadline, however, is the EU AI Act. Declarations set direction. The AI Act sets deadlines.
The Act entered into force on 1 August 2024. Its obligations phase in over three years. Here’s what’s already live and what’s coming:
Already in force (since February 2025):
- Eight categories of AI practices are banned, including subliminal manipulation, social scoring, untargeted facial recognition scraping, and emotion recognition in workplaces and schools
- AI literacy obligations apply to every organisation deploying AI in the EU: staff must understand how their AI systems work, where they can fail, and who is accountable
Originally due August 2026, now rescheduled. On 7 May 2026, the EU’s Digital Omnibus on AI postponed the high-risk obligations and split them into two tiers:
- High-risk AI systems in the Annex III categories (hiring tools, credit scoring, education assessment, biometrics, critical infrastructure) must demonstrate full compliance (quality management, risk management, technical documentation, conformity assessment, EU-database registration) by 2 December 2027
- AI embedded in regulated products under Annex I (machinery, medical devices, and other CE-marked goods) follows by 2 August 2028
- Transparency obligations mostly hold their original date of 2 August 2026: AI chatbots must disclose they’re AI, deepfakes must be labelled, and emotion-recognition systems must notify the people exposed to them. The one piece that moved is the machine-readable marking of AI-generated content (Article 50(2)), where providers get a grace period to 2 December 2026 for systems already on the market before August
- High-risk registration and every member state’s AI regulatory sandbox must be operational by 2 August 2027
The omnibus also narrowed scope: a tighter definition of "safety component," relief extended from SMEs to small mid-caps, and a new power for the Commission to disapply AI Act requirements where sector-specific rules already cover the same ground. The direction of travel is the point: even a regulation this central is being maintained in real time. The obligations did not disappear. The clock was reset.
On 16 June 2026 the European Parliament approved the omnibus (423 votes to 57, with 174 abstentions), confirming these rescheduled dates. The same vote added a prohibition on AI "nudifier" applications, systems that generate non-consensual intimate imagery, with a 2 December 2026 deadline, and widened the SME relief to small mid-cap firms. Formal Council adoption is the remaining step. The point stands: even the dates in this paragraph reached their current form through a vote held after the previous version of this post was published.
The enforcement infrastructure gap across the EU is significant. Member states were required to designate their market surveillance authorities by August 2025. According to the European Commission’s published register, as of early 2026:
Fully designated: Italy (National Cybersecurity Agency), Latvia (Consumer Rights Protection Centre), Cyprus (Commissioner of Communications), Ireland (Minister for Enterprise)
Pending final adoption: Luxembourg (CNPD), Slovenia (AKOS), Spain (AESIA)
No designation yet: Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Lithuania, Netherlands, Poland, Portugal, Romania, Slovakia, Sweden
Domestic legislation passed, Commission notification pending: Malta (MDIA designated via LN 226 of 2025; IDPC designated via LN 227 of 2025)
The fines are not theoretical. Up to €35 million or 7% of global annual turnover for prohibited practices. Up to €15 million or 3% for other violations. The question is who will enforce them, and where.
The deeper mismatch: a product-safety framework meets adaptive software
There is a structural problem underneath the deadlines, and it is worth naming because it explains much of the friction.
The AI Act is not built from scratch. It is built on the New Legislative Framework, the system the EU formalised in 2008, building on the 1985 New Approach, to regulate physical products. CE marking, conformity assessment, harmonised standards, notified bodies, market surveillance: the machinery that puts a safe drill, a safe lift, a safe pressure vessel on the single market. That framework rests on one quiet assumption: a product is a fixed thing. You assess it once, certify it, mark it, and ship it. It behaves the same on day one thousand as it did on day one.
AI unsettles that assumption. A system that continuously infers, and, increasingly, adapts after deployment, is not fixed at the point of assessment. Asking a "test once, certify, ship" framework to govern software that keeps changing is a genuine adaptation challenge, not a paperwork detail. There has to be a starting point, and reusing the framework Europe already has is a reasonable one. But the jump is real, and it lands hardest on the smallest organisations, where the people who would do the compliance work are the same people running the business.
Nowhere is the strain clearer than where the two regimes physically meet: machinery. The Machinery Regulation (EU) 2023/1230, applicable from 20 January 2027, repeals the 2006 Machinery Directive and pulls AI directly into product-safety law. It adds two high-risk categories to Annex I: safety components with fully or partially self-evolving behaviour driven by machine learning, and machinery with embedded AI performing a safety function. Both lose the option to self-certify; both require a third-party notified body.
For a manufacturer putting intelligence into a robot or a cobot, two product-safety regimes now converge on the same machine, on overlapping timelines. The May 2026 omnibus tried to reduce the double-counting: AI embedded in machinery is handled under the Machinery Regulation rather than directly under the AI Act, with the Commission able to add AI-specific requirements by delegated act. The overlap is managed. The combined load is not removed.
Industry has said as much, in plain terms. CECE, the body for Europe's construction-equipment manufacturers, together with CECIMO, EGMF and FEM, formally asked the Commission to postpone the Machinery Regulation's AI and cybersecurity provisions. Their case: compliance costs north of €1 million per platform, reaching €5 million for some manufacturers, and harmonised standards that are unlikely to be published in time for a January 2027 start. They proposed aligning the timeline with the Cyber Resilience Act's December 2027 date.
This is the temporal mismatch from Section 1 and a structural mismatch compounding each other: a fast-moving body of law, built on a framework that was never designed for software that moves on its own. Governance maintenance burden does not come only from how often the rules change. It also comes from how far the rules have to stretch to cover what they now regulate.
Malta’s position: institutional depth
Malta’s approach to AI governance is distinctive for its institutional continuity. The MDIA has been regulating technology innovation (both AI and blockchain) since 2018, years before the EU AI Act was drafted.
Legal Notice 226 of 2025 designates MDIA as Malta’s principal market surveillance authority and Notifying Authority for the AI Act. Legal Notice 227 of 2025 assigns the IDPC (Information and Data Protection Commissioner) oversight of sensitive high-risk AI systems involving biometrics, law enforcement, and democratic processes. The domestic legislation is in place; formal notification to the European Commission’s register is pending, which places Malta ahead of the 19 member states that have taken no action at all.
The MDIA’s regulatory sandbox is operational, and SMEs get priority access free of charge. This is a material advantage, not just over non-EU jurisdictions, but over the majority of EU member states that have not yet established their enforcement infrastructure.
Malta’s trajectory (from the 2018 MDIA Act through the AI Strategy 2030, the voluntary AI ITA certification framework, and now the EU AI Act implementation via LN 226/227) represents eight years of continuous institutional development. That depth is difficult to replicate quickly, and it gives businesses operating from Malta a structured compliance pathway that most European competitors do not yet have.
It is worth holding that advantage honestly. Institutional depth at the regulator is not the same as readiness on the ground. Malta has been in the single market for two decades, and plenty of businesses are still working through the product-safety obligations (CE marking, the Machinery Directive) that have applied that whole time. The AI Act is a more demanding extension of exactly that framework. So the fair description of where Malta sits is not "far ahead". It is moving forward, with a genuine head start at the institutional level and the same adaptation curve as everyone else at the shop-floor level. The head start is real. It compounds only if businesses use it.
4. Regulatory Velocity Dataset
The following table records governance-relevant regulatory events from Q4 2023 through Q1 2026. Regulatory velocity across this period: approximately 4.2 events per year requiring substantive governance framework review.
| Date | Event | Jurisdiction | Type | Enforcement Effective | Organisational Impact |
|---|---|---|---|---|---|
| Nov 2023 | Bletchley Declaration | UK / Global (29 states) | Declaration | None | Voluntary safety vocabulary established |
| Mar 2024 | EU AI Act trilogues concluded | EU | Legislative | Aug 2024 | Compliance planning begins; scope confirmed |
| May 2024 | Seoul Summit + Frontier AI Safety Commitments | UK / Global | Declaration + voluntary | None | Industry safety framework reference standard |
| Aug 2024 | EU AI Act enters into force | EU | Regulation | Phased | Three-year compliance schedule activated |
| Sep 2024 | Council of Europe Framework Convention opens for signature | CoE (46 states) | Treaty | Pending (5 ratifications) | Future binding obligations for signatory states |
| Nov 2024 | Biden AI Executive Order: final implementation rules | USA | Executive action | Immediate | Federal contractor obligations; export controls |
| Jan 2025 | Trump rescinds Biden AI Executive Order | USA | Executive action | Immediate | US federal AI governance vacuum; policy divergence |
| Feb 2025 | EU AI Act: prohibited practices enforcement begins | EU | Regulation | Immediate | 8 categories banned; AI literacy obligation live |
| Feb 2025 | Paris AI Action Summit | Global (~60 states) | Declaration | None | Geopolitical fracture: US and UK refuse to sign |
| Apr 2025 | Malta Declaration: CLA, 56 Commonwealth nations | Malta / Commonwealth | Professional ethics | None (voluntary) | Legal profession AI accountability baseline |
| May 2025 | EU GPAI model rules effective | EU | Regulation | Immediate | General-purpose AI providers: transparency and safety obligations |
| Aug 2025 | EU AI Act: high-risk designation rules clarified | EU | Guidance | Aug 2026 | Compliance scope confirmed; ~40% more products in scope |
| Sep 2025 | UK AI Opportunities Action Plan published | UK | Policy | No fixed deadline | 50 recommendations; signals regulatory direction |
| Oct 2025 | Malta L.N. 226 + L.N. 227 of 2025 in force (10 Oct) | Malta | Regulation | 10 Oct 2025 | MDIA + IDPC designated; domestic AI Act enforcement operational |
| Oct 2025 | China Interim AI Security Assessment Measures effective | China | Regulation | Immediate | Cross-border operators: new assessment requirements |
| Nov 2025 | EU market surveillance authority audit: 19/27 states undesignated | EU | Administrative | Aug 2026 | Enforcement gap confirmed across majority of member states |
| Jan 2026 | US AI Safety Institute renamed and restructured | USA | Institutional | Immediate | Reduced federal AI safety coordination capacity |
| Jan 2026 | IMDA Model AI Governance Framework for Agentic AI launched (WEF Davos) | Singapore | Framework (non-binding) | None | World's first agent-native governance framework; four dimensions; humans accountable (corroborating; not in the EU count) |
| Feb 2026 | New Delhi AI Impact Summit | Global (92 states) | Declaration | None | Broadest consensus, weakest commitments; global governance rejected |
| Q1 2026 | EU standardisation bodies publish first AI Act technical standards | EU | Technical standard | Dec 2027 | Conformity assessment pathways clarified for high-risk systems |
| May 2026 | EU Digital Omnibus: AI Act high-risk deadlines postponed | EU | Regulation (amending) | Phased | High-risk obligations moved to Dec 2027 / Aug 2028; scope narrowed; AI-in-machinery overlap routed to Machinery Regulation |
| May 2026 | Machinery Regulation (EU) 2023/1230: industry bodies request postponement | EU / Industry | Regulatory signal | Jan 2027 (application) | AI in machinery triggers mandatory third-party assessment; CECE, CECIMO, EGMF, FEM cite cost and standards-readiness |
| May 2026 | IMDA MGF for Agentic AI v1.5 | Singapore | Framework (non-binding) | None | Adds multi-agent systems, third-party agents, automation bias; sharpens structural-over-prompt-layer controls (corroborating; not in the EU count) |
| Jun 2026 | EU Parliament approves Digital Omnibus simplification + "nudifier" app ban | EU | Regulation (amending) | Phased; pending Council adoption | Confirms omnibus: Art. 50(2) marking → 2 Dec 2026; high-risk → Dec 2027 / Aug 2028; new prohibition on AI generating non-consensual intimate imagery (2 Dec 2026); SME relief extended to small mid-caps |
| Aug 2026 | EU AI Act high-risk deadline (original), superseded by May 2026 omnibus | EU | Regulation | Postponed | Original full-compliance date; moved to 2 Dec 2027 (Annex III) and 2 Aug 2028 (Annex I products) |
Observed regulatory velocity across Q4 2023–Q1 2026: approximately 4.2 governance-relevant events per year. The median organisational governance review cycle is annual. The mismatch is structural.
5. Three Governance Failure Modes
Three failure modes recur in observable governance practice. They are not mutually exclusive; many organisations exhibit all three simultaneously.
Snapshot Governance treats governance as a deliverable rather than a process. A framework is commissioned, authored, approved, and published. The publication event is the end state. Observable indicator: governance documents with “last reviewed” dates more than 12 months in the past, unchanged across multiple consecutive regulatory events. Real-world cost: in a 4.2-events-per-year environment, a framework with an 18-month review gap will have missed at minimum six governance-relevant regulatory developments. If any created new obligations (as the EU AI Act’s February 2025 and August 2025 milestones did), the organisation is non-compliant without knowing it.
Calendar Governance improves on Snapshot by scheduling reviews, but schedules them to time rather than to events. An annual review conducted in January does not know that a major regulatory development will occur in October. Calendar governance produces systematic lag: in a high-velocity regulatory environment, the calendar cycle is too slow for time-sensitive events. Observable indicator: governance frameworks updated in Q1 that do not reflect regulatory developments from Q3 or Q4 of the preceding year. Real-world cost: under EU AI Act Article 9, the obligation to update risk management systems is ongoing, not annual. Calendar governance creates structural non-compliance in any domain with continuous obligations.
Committee Governance diffuses responsibility across a group with no named individual accountable for a specific framework component. Changes require consensus, creating decision latency proportional to committee size and meeting frequency. When committee composition changes (through staff turnover, restructuring, or role change) accountability gaps emerge. Observable indicator: governance documents where no individual is identified as the responsible author or custodian. Real-world cost: when a regulatory trigger occurs and the committee must convene, gather information, draft an update, and seek approval, typical latency is four to eight weeks. For Tier 1 triggers, this is too slow.
6. The TRACE Framework
TRACE is a governance maintenance protocol. It does not replace a governance framework; it maintains one. The five components map directly to the failure modes above.
T: Trigger Taxonomy
Not all regulatory events require governance updates. A trigger taxonomy distinguishes by consequence:
| Tier | Trigger type | Response window |
|---|---|---|
| 1 | New enforceable legal obligation; significant court ruling | ≤30 days |
| 2 | Regulatory guidance update; enforcement authority designation | ≤60 days |
| 3 | Major voluntary framework published by industry body | ≤90 days |
| 4 | Policy signal without enforcement mechanism | Annual review cycle |
| 5 | Declaration or summit statement | Note only; no update required |
A worked example of a Tier 3 trigger: IMDA’s 20 May 2026 revision of its agentic-AI framework (v1.5), which sharpened the preference for structural controls over prompt-layer ones. It carries no enforcement, so it does not demand a 30-day response, but reading the delta tells a Custodian where supervisory attention is heading before it becomes binding (IMDA, v1.5).
Five trigger categories: Regulatory (new law or enforcement date), Technical (new model capability class creating a new risk profile), Incident (AI-related harm triggering scrutiny), Competitive (peer organisation publishes materially different framework), Reputational (public scrutiny event requiring framework response).
R: Review Protocol
A review is not a discussion. A review has: a defined scope (which sections are affected), a named reviewer (one individual, not a committee), a draft output (the specific language that will change), and an approval authority (who signs off). The review protocol specifies all four in advance. Anti-pattern: scheduling an emergency meeting to decide whether a review is needed. By the time the meeting occurs, the trigger is past its response window.
A: Accountability Assignment
Every section of a governance framework must have a named Governance Custodian: one individual, not a team or committee, responsible for monitoring the trigger registry for their domain, initiating reviews when triggers fire, drafting updates, and presenting to the approval authority. Accountability is not shared. When it is shared, no one owns it. Anti-pattern: “the compliance team is responsible for keeping the AI policy current.” The compliance team is not a person.
C: Changelog Discipline
Every governance document must carry a public changelog: version number, date, and a summary of what changed and why. The changelog demonstrates to regulators, auditors, and partners that the framework is actively maintained; creates an audit trail showing specific regulatory events were addressed; and gives the Custodian a reference point for the next review cycle. Anti-pattern: updating a governance document without recording what changed. Undocumented updates are indistinguishable from no updates.
E: Escalation Thresholds
The annual review cycle cannot be the only pathway. Tier 1 triggers must bypass standard process and activate accelerated review. Escalation thresholds define: what constitutes a Tier 1 trigger in the organisation’s specific context, who has authority to declare an escalation, what the accelerated timeline is (typically ≤30 days), and what minimum viable output is required (a dated acknowledgement statement is sufficient if a full revision takes longer). Anti-pattern: requiring full committee approval for escalated reviews. Escalation exists precisely because full committee process is too slow.
The architectural answer: what Singapore unbundles
The decay this paper describes has two kinds of answer. TRACE is the process answer: it keeps a framework current as the rules move. There is also an architectural answer: design the framework in layers, so that only the fast layer ever has to move.
Singapore is the clearest working example. It does not issue one general AI regime. It unbundles governance into single-purpose instruments. FEAT is the values floor. MAS AIRG is the supervisory spine, and it is deliberately anchored to outcomes and ownership: what is the risk, and who owns it, rather than what is the tool. The IMDA Model AI Governance Framework for Agentic AI is the control layer: agent-native, and explicitly a living document. It launched at the World Economic Forum in Davos on 22 January 2026, billed as the first framework of its kind for AI agents that plan, reason, and act, and was revised to v1.5 on 20 May 2026 (MDDI; IMDA).
Because the floor and the spine are anchored to outcomes and ownership rather than to technique, they do not need rewriting when the engineering changes. Only the control layer flexes at engineering speed, by design.
The proof is empirical, not aspirational. The control layer moved from single-agent coverage (January 2026) to multi-agent and third-party-agent coverage, with explicit treatment of automation bias (v1.5, May 2026), in under five months: shipped and revised, while the values floor and the supervisory spine held still (framework PDF, v1.5). The v1.5 revision also sharpened a distinction worth carrying into any control layer: structural controls, which cannot be prompted away, are preferred over rule-based and prompt-layer ones. That is a signal of where regulatory attention is moving.
This attacks the maintenance burden from a different direction than TRACE. TRACE raises the maturity of the maintenance process. Unbundling shrinks the change-surface: the share of the framework that has to turn over for any given regulatory event. If only the control layer is technique-bound, only the control layer churns. A lower change-surface means a lower burden, structurally, before any process is applied. The two are complements, not alternatives. Unbundling reduces how much must change; TRACE keeps that smaller surface current.
The honest limit: the EU’s binding regime does not unbundle this way. The AI Act folds agentic scope into the New Legislative Framework, a single general product-safety architecture, and NIST and ISO fold too. That folding is part of why EU maintenance is harder, the structural mismatch described earlier in this piece, and it is why the Singapore instruments layer cleanly where a folded framework cannot. Unbundling is therefore a design lesson, not a regime an EU-operating business can simply adopt. What such a business can take from it is the principle: anchor the durable layers to outcomes and ownership, and isolate the technique-bound parts so they can change without disturbing the rest.
From national stack to company constitution
The unbundled pattern reproduces below national scale. Epic Growth’s Corporate AI Constitution (v1.0, February 2026) runs the same three layers at company scale.
The values floor is Article I, the Foundational Principles, which "cannot be overridden by any instruction ... or operational pressure." The supervisory spine is the single-director governance model, the autonomy tiers, and the Article XIV accountability chain, anchored, like MAS AIRG, to ownership rather than to technique. The control layer is the agent-specific provisions: the Redline Canvas, and the Article VIII inter-agent governance rules (cascading authority, circuit breakers, communication logging).
The sharpest parallel is in timing. IMDA added its multi-agent layer in v1.5, in May 2026. The Constitution shipped inter-agent governance in v1.0, in February 2026. The control layer was built for the fleet from the start, not retrofitted to it.
This is not a superiority claim. The point is narrower and more useful: the unbundled architecture scales down. An SME can run layered governance that flexes only where it must, without a compliance department.
And the architecture alone is not the whole answer, which is this paper’s own thesis. The Constitution pairs the unbundled structure with a maintenance process: its Article XIII quarterly review and version control. That is the argument in operation. You need both: the architecture that limits how much must change, and the process that keeps the changing part current.
7. Practical Recommendations
Five recommendations, each actionable within a single quarter:
1. Assign a named Governance Custodian for each framework component. Not a committee: one named individual with explicit authority to initiate unscheduled reviews. The Custodian role should appear in the framework document by role title (not personal name, so accountability survives personnel changes).
2. Implement a monitored Trigger Registry. A curated feed of Tier 1 and Tier 2 sources, reviewed at minimum fortnightly. Minimum viable registry: EU AI Act compliance tracker (European Commission register), EUR-Lex alerts for AI-related legislation, one national authority feed (MDIA, ICO, CNIL, or equivalent). Assign monitoring to the relevant Governance Custodian, not a generic compliance inbox.
3. Adopt public versioning. Governance documents should carry a visible version number, a “last reviewed” date, and a changelog. Three to five bullet points per version is sufficient. The primary audience is external: regulators, auditors, and partners assessing whether the framework reflects current obligations.
4. Map enforcement-date anchors. EU AI Act enforcement dates should appear in every relevant team’s planning calendar. Current anchors after the May 2026 omnibus: February 2025 (prohibited practices and AI literacy, already live), August 2026 (transparency obligations), August 2027 (high-risk registration and national sandboxes), December 2027 (Annex III high-risk compliance), August 2028 (AI embedded in regulated products). Each anchor should trigger a Tier 2 review 90 days in advance. These dates have already moved once, so treat them as pencil, not ink.
5. Test your escalation threshold. Run a tabletop exercise: a significant regulatory development occurs today. Trace the actual process: who detects it, who decides a review is required, who drafts, who approves, when the update is published. Measure elapsed time. Target: published update within 30 days of a Tier 1 trigger, dated acknowledgement within 10. If the actual time exceeds 30 days, the escalation pathway has a structural bottleneck to fix before the next real trigger.
What this means for your business
The declarations don’t create obligations for you. The EU AI Act does. Here’s the practical checklist:
Do now (these are already required):
- Ensure your team has documented AI literacy training; this obligation has been live since February 2025
- Verify none of your AI tools fall into the eight prohibited categories
Do ahead of the high-risk deadlines, now December 2027 (Annex III) and August 2028 (AI in products). The omnibus moved the date, not the work, so start now:
- Inventory every AI tool your business uses, including SaaS products with embedded AI features
- Classify each against the Act’s risk levels (Annex III defines high-risk categories)
- Document your oversight processes, decision-making frameworks, and vendor agreements
- For any high-risk systems: establish quality management and risk management frameworks
- Consider engaging MDIA’s sandbox; it’s free for SMEs and provides a structured compliance pathway
The pattern worth paying attention to
Step back from the checklist for a moment. There’s a story in this timeline that matters more than any single deadline.
Five summits. Three years. The name changed each time: Safety, then Action, then Impact. The signatories grew from 29 to 92. The commitments got softer. The US walked out in Paris, walked back in at New Delhi, on the condition that "global governance of AI" be explicitly rejected.
The pattern is clear: the more countries you include, the less you can ask of them. Declarations are consensus documents, and consensus is the enemy of specificity.
Meanwhile, the EU went ahead and legislated. The AI Act doesn’t wait for global consensus. It creates obligations, sets deadlines, and assigns fines. That’s the difference between a declaration and a regulation: one signals intent, the other creates consequences.
For Malta’s businesses, this is actually an advantage. While the majority of EU member states have not yet designated their enforcement authorities, Malta’s MDIA has been regulating AI and blockchain under one roof since 2018. The sandbox is open. The certification framework exists. The institutional knowledge is eight years deep.
The businesses that will come out of this well aren’t the ones scrambling to comply at the last minute. They’re the ones that recognised governance as a competitive advantage early, because clients, partners, and investors increasingly choose to work with companies that can demonstrate how they use AI responsibly. Not because a declaration told them to. Because trust compounds.
Blockchain as a Governance Infrastructure Solution
There’s a gap in every declaration on this timeline. They all call for transparency, auditability, and data provenance. None of them say how.
The EU AI Act gets closer: it mandates technical documentation, risk management systems, and conformity assessments. But the enforcement challenge is structural. When a handful of companies control the compute, data, and model layers, governance depends on those companies cooperating. The declarations assume they will. The track record suggests otherwise.
This is where blockchain enters the conversation, not as a buzzword, but as a potential answer to a specific problem. Immutable audit trails for AI decision-making. Verifiable data provenance for training datasets. Machine-readable compliance records that regulators can inspect without relying on self-reporting. These aren’t speculative capabilities. They’re working applications of distributed ledger technology that map directly to what the EU AI Act requires.
The harder question is whether decentralised infrastructure can go further: whether distributed compute and storage networks can offer a meaningful alternative to the concentration that makes AI governance difficult in the first place. That’s genuinely unproven at scale. The projects exist, the cost savings are real, but the reliability and maturity aren’t enterprise-grade yet. It’s an experiment worth watching, not a proven solution.
What’s not experimental is Malta’s position at this intersection. The Innovative Technology Arrangements and Services (ITAS) Act already provides a legal framework for smart contracts and decentralised technology arrangements. The MDIA regulates both AI and blockchain under one authority. That dual mandate, unique in the EU, means Malta has the institutional framework to test whether blockchain-based governance tools can make AI compliance more transparent, more verifiable, and more accessible to businesses that don’t have enterprise compliance departments.
The organisations shaping the governance landscape, not just reacting to it, are the ones building governance into their operations now. Not as a checkbox. As a capability.
The governance conversation has moved past declarations. The question is no longer whether AI needs governing. It’s how, and whether the infrastructure that enforces it will be centralised, decentralised, or something in between. That question will define the next phase of AI regulation, and Malta is one of the few places equipped to explore all three answers.
The institutional framework is here. The regulatory sandbox is open. The deadline is August. The opportunity is longer than that.
8. Limitations and Future Research
This analysis has three material limitations. First, it is applied desk research: the dataset is constructed from primary sources but no systematic sampling methodology was applied, and the eight-jurisdiction scope may not be representative globally. Second, the three failure mode categories are inductive, derived from observation rather than from a systematic survey of governance practices across a defined population. Third, the TRACE framework has not been validated against longitudinal governance performance data; it is proposed as a practitioner protocol, not an empirically tested model.
Research directions that would advance the field: (1) a cross-sector governance lag study measuring time between regulatory trigger and framework update across a sample of published corporate AI governance frameworks; (2) a controlled study of TRACE-implementing versus non-implementing organisations measuring compliance cost, audit finding rates, and time-to-update; (3) development of validated instruments for measuring governance infrastructure maturity; (4) analysis of whether automated regulatory monitoring tools materially reduce governance lag in practice.
9. Version History
| Version | Date | Summary |
|---|---|---|
| 1.0 | 2026-04-11 | Original post: five-declaration timeline, EU AI Act milestones, Malta enforcement position |
| 2.0 | 2026-04-15 | Added: gatekeeper problem framing, theoretical grounding (DiMaggio & Powell 1983; Teece et al. 1997), regulatory velocity dataset (20 events, Q4 2023–Q1 2026), three governance failure mode taxonomy, TRACE framework, five practical recommendations, limitations. All v1.0 content preserved. |
| 3.0 | 2026-06-05 | Corrected for the 7 May 2026 EU Digital Omnibus, which postponed the high-risk deadlines (2 August 2026 to 2 December 2027 for Annex III; 2 August 2028 for AI embedded in products) and narrowed scope. Added a section on the structural mismatch between the New Legislative Framework and adaptive software, anchored in the Machinery Regulation (EU) 2023/1230 and the CECE-led postponement request; grounded the Malta position with on-the-ground adoption reality; added two dataset events (now 22). All v2.0 analysis preserved. |
| 3.1 | 2026-06-19 | Updated for the 16 June 2026 European Parliament approval of the Digital Omnibus (423-57-174): confirmed the rescheduled high-risk deadlines, corrected the transparency timeline (most Article 50 duties hold at 2 August 2026; only the 50(2) machine-readable-marking grace period runs to 2 December 2026), and noted the new "nudifier" (non-consensual intimate imagery) prohibition and the SME→small-mid-cap relief extension. Formal Council adoption pending. Added one dataset event (now 23). All v3.0 analysis preserved. |
| 4.0 | 2026-06-27 | Added the Singapore architectural thread: unbundling as the structural counterpart to TRACE (FEAT values floor, MAS AIRG supervisory spine, IMDA MGF for Agentic AI control layer), grounded in the 22 January 2026 WEF Davos launch and the 20 May 2026 v1.5; connected unbundling to the change-surface argument and to the New Legislative Framework folding contrast; added the practitioner instance "From national stack to company constitution" (Epic Growth Corporate AI Constitution); added two corroborating Singapore dataset events with a methodology note on inclusion (the EU-obligation count and the ~4.2-per-year figure are unchanged); added a Tier 3 trigger worked example. Removed the Governance Maintenance Burden formula and its limitation for readability; the change-surface argument it expressed is retained in prose. All v3.1 analysis preserved. |

