Regulatory network effects are not subtle. The first jurisdiction to ship a working framework sets the baseline. Everyone else either conforms or gets locked out of cross-border traffic. FATF's Travel Rule played out exactly this way: the US announced, the rest of the world complied, and debates about whether it was the right design became irrelevant around year three.
The same dynamic is running on AI agents right now. It is not running out of Brussels or Washington.
What APAC already shipped
In January 2026, Singapore's IMDA published the Agentic AI Framework, the first national-level governance document specifically scoped to autonomous agents rather than foundation models. In April, MetaComp launched KYA (Know Your Agent) for regulated financial services, building on that framework. It is, per their announcements, the first compliance-grade agent identity layer for regulated finance anywhere in the world.
Around the same window, Ant Digital published a full-stack 4R reference architecture for what they call the agent economy: identity, permissions, behavioral monitoring, and settlement. Moonshot AI open-sourced K2.6 with swarm-native coordination built into the model itself, skipping the external-framework layer entirely.
Those four artifacts are not coordinated policy. They are four working implementations that all assume the same thing: agents are an infrastructure category, and the governance layer is not optional.
What the West is doing
The EU is debating whether to delay AI Act enforcement to 2027 or 2028. The US has no federal agent-specific framework and no timeline for one. Both are still treating agents as a subset of the broader AI regulation problem, which means whatever ships will be a general-purpose compromise negotiated over years.
Meanwhile, MetaComp is onboarding regulated financial institutions today.
Why first working standard wins
Regulatory frameworks are not adopted because they are well-designed. They are adopted because someone with jurisdiction needs to say yes or no to a deal, and the first framework that gives them a defensible answer becomes the reference.
Three mechanics push APAC standards outward:
Cross-border finance will not wait for symmetry. A Singapore bank onboarding a US fintech's agent needs an answer on identity and permissions in 2026, not 2028. If the Singapore framework is the only one that gives that answer, the US fintech conforms to the Singapore framework. The US regulator inherits it by default.
Vendor defaults propagate. If the identity layer a builder plugs in was designed against KYA, the same implementation ships globally. The framework gets exported through the SDK, not through treaty.
Governance gaps become competitive moats. A jurisdiction that can answer "who called this tool, with what authority, and what happened" wins regulated enterprise deployments. A jurisdiction that cannot answer loses them, regardless of model quality.
The three mechanics compound. None of them requires any Western regulator to do anything.
The practitioner read
Western builders waiting for US or EU clarity are not being cautious. They are optimizing for a framework that, when it ships, will either codify what APAC already built or be structurally incompatible with the deployments their enterprise customers already bought. Either way, the integration work that matters was done two years earlier on the other side.
The pragmatic move is to build against the existing APAC primitives now: identity, permission, and behavioral monitoring, structured the way a regulator will recognize. Not as compliance theater for a future rule. As the actual interface for cross-border agent traffic that is already happening.
First working standard wins. That is the rule. The only remaining question is how long it takes Western builders to notice which standard is working.