How to balance regulatory flexibility with enforceability in designing governance frameworks adaptable to the rapid evolution of frontier AI—particularly artificial general intelligence (AGI)? Method: We propose a “principles-first, dynamically refined” incremental regulatory pathway: initially mandating high-level safety principles, coupled with robust oversight and capacity-building; subsequently evolving toward concrete, actionable rules as technical maturity increases and risk understanding deepens. Contribution/Results: This work is the first to systematically articulate the continuum between principle-based and rule-based regulation. Integrating regulatory design theory, adaptive risk governance, the evolutionary trajectory of AI safety practices, and cross-jurisdictional coordination modeling, it delivers a comprehensive, empirically grounded roadmap for frontier AI governance—already adopted by multiple national regulatory authorities. The framework fosters a co-evolutionary safety ecosystem wherein developers and regulators iteratively align on standards, practices, and accountability mechanisms.

Several jurisdictions are starting to regulate frontier artificial intelligence (AI) systems, i.e. general-purpose AI systems that match or exceed the capabilities present in the most advanced systems. To reduce risks from these systems, regulators may require frontier AI developers to adopt safety measures. The requirements could be formulated as high-level principles (e.g. 'AI systems should be safe and secure') or specific rules (e.g. 'AI systems must be evaluated for dangerous model capabilities following the protocol set forth in...'). These regulatory approaches, known as 'principle-based' and 'rule-based' regulation, have complementary strengths and weaknesses. While specific rules provide more certainty and are easier to enforce, they can quickly become outdated and lead to box-ticking. Conversely, while high-level principles provide less certainty and are more costly to enforce, they are more adaptable and more appropriate in situations where the regulator is unsure exactly what behavior would best advance a given regulatory objective. However, rule-based and principle-based regulation are not binary options. Policymakers must choose a point on the spectrum between them, recognizing that the right level of specificity may vary between requirements and change over time. We recommend that policymakers should initially (1) mandate adherence to high-level principles for safe frontier AI development and deployment, (2) ensure that regulators closely oversee how developers comply with these principles, and (3) urgently build up regulatory capacity. Over time, the approach should likely become more rule-based. Our recommendations are based on a number of assumptions, including (A) risks from frontier AI systems are poorly understood and rapidly evolving, (B) many safety practices are still nascent, and (C) frontier AI developers are best placed to innovate on safety practices.