Facebook Linkedin Twitter Whatsapp Threads

From Agenda to Implementation: A Policy Framework

Circular infographic showing four policymaking stages: agenda setting, formulation, implementation, evaluation

A secret enrichment plant carved into a mountain near Qom. Eleven million cars programmed to deceive emissions inspectors. Tens of millions of social media profiles quietly siphoned into a political consultancy. These episodes appear unrelated. They are not. Each one set in motion the same machinery—a process by which a hidden problem becomes a public priority, a priority becomes a negotiated rule, and a rule becomes an enforced reality. That machinery is policymaking, and it operates with remarkable consistency whether the actor is a sovereign state or a multinational corporation.

This article advances a single thesis: policymaking is not a sequence of disconnected events but a structured, cyclical system whose four stages—agenda setting, consultation, negotiation, and implementation—follow the same underlying logic across statecraft and corporate governance. Grasping that logic is a strategic asset. It tells decision-makers where leverage accumulates, when windows of influence open and close, and why some hard-won agreements endure while others quietly decompose. For policymakers, strategists, researchers, and senior executives, the framework is not academic decoration. It is a practical map of where power moves.

Abstract

This article presents an analytical framework for understanding policymaking as a unified system comprising four interdependent stages: agenda setting, consultation, negotiation, and implementation. Drawing on the prolonged international effort to constrain Iran’s nuclear program and a parallel set of corporate regulatory cases—including Facebook–Cambridge Analytica, Enron, and Microsoft—it demonstrates that diplomatic and corporate governance share a common architecture. The analysis applies established theoretical concepts, including Kingdon’s multiple-streams model of agenda formation and principal–agent dynamics in consultation, to show that the stages function not as a linear pipeline but as a recursive loop. It identifies the structural conditions under which agreements endure and those under which they erode, emphasizing the centrality of verification, legitimacy, and the alignment of underlying interests. Part 1 establishes the framework and examines the first two stages. Part 2 addresses negotiation and implementation and concludes with targeted guidance for chief executives, corporate boards, and regulators.

Executive Summary

How Policymaking Works: Agenda Setting, Consultation, Negotiation, and Implementation

Policy rarely arrives fully formed. It emerges through a structured sequence of stages, each shaped by competing interests, institutional rules, and the pressure of real events. This article advances a single thesis: policymaking is a structured, recursive four-stage system, and its underlying logic remains consistent whether the actor is a sovereign state or a multinational corporation. To demonstrate consistency, the analysis draws on two arenas that appear unrelated yet trace the same path—the decades-long international effort to manage Iran’s nuclear program, governed through the IAEA, the UN Security Council, and the JCPOA, and a parallel set of corporate regulatory cases, including Enron and Sarbanes-Oxley, Facebook–Cambridge Analytica, Microsoft, Boeing, Google, Volkswagen, and the GDPR.
The framework comprises four interdependent stages. Agenda setting determines which problems command scarce attention; latent conditions become urgent priorities only when a triggering event—a disclosure, a crisis, or new intelligence—reframes them, and only when an institutional channel exists to carry them upward. Consultation is the phase in which decision-makers gather expertise, sound out stakeholders, and assemble legitimacy. Because every counterpart operates inside its own architecture of advisers, agencies, and approval chains, identifying who must be consulted and who holds final authority often matters as much as the substance under discussion. Negotiation is where divided coalitions converge or fracture; parties bargain simultaneously at an external table and an internal one, and breakthroughs typically hinge on a single decisive concession rather than incremental trading. Implementation tests the durability of everything negotiated, resting on verification, enforcement, and the continued alignment of interests. Agreements that lack robust monitoring, or that ignore shifting incentives, erode regardless of how carefully they were drafted.
The article’s central analytical correction is to replace the linear pipeline with a recursive loop. The four stages overlap, double back, and feed one another: an implementation breakdown—Iran’s post-2019 noncompliance, Volkswagen’s exposed deception—routinely becomes the triggering event of the next cycle, often with higher stakes and a wider audience.
For chief executives, boards, and regulators, the practical lessons are consistent across both arenas. Leaders should prepare responses before triggering events arrive, map the escalation ladders and consultation architectures of every party, negotiate deliberately on internal and external fronts, design verification into agreements rather than around them, calibrate enforcement to both cost and legitimacy, stress-test commitments against shifting interests, and treat every breakdown as the agenda of the next cycle.
The overarching conclusion is that durable outcomes depend less on the elegance of an agreement than on the structures built to sustain it. To see the machinery clearly is to gain the strategist’s most valuable asset: the ability to anticipate rather than react, to position before positions harden, and to design agreements that survive the pressures certain to test them.
This executive summary distills a two-part analytical article and does not introduce evidence beyond what those parts establish; readers seeking full citations should consult the source documents. The discussion of Iran’s nuclear program rests on Congressional Research Service reporting by Paul K. Kerr and the International Atomic Energy Agency materials it cites—Director-General reports, Board of Governors resolutions, and the governing legal instruments under the JCPOA and the UN Charter. The corporate cases—Enron, Facebook–Cambridge Analytica, Microsoft, Boeing, Google, Volkswagen, and the GDPR—are drawn from the widely documented public record and are deployed here as illustrative, real-world comparisons rather than as primary research findings. They are selected to demonstrate the consistency of the four-stage framework across diplomatic and corporate settings, and the analytical parallels drawn between the two arenas are the author’s own.

Key Takeaways

  • Policymaking is a cyclical system, not a linear pipeline. The four stages overlap and loop back; implementation failures frequently become the agenda-setting triggers of the next cycle.
  • Triggering events convert latent problems into urgent priorities. The underlying issue often exists for years; a disclosure or crisis reframes it as demanding immediate action.
  • Institutional channels determine the speed and ceiling of escalation. An issue’s prominence depends as much on the available escalation ladder as on its substance.
  • Every counterpart sits inside its own consultation architecture. Identifying the final decision authority—a supreme council or a board committee—is a prerequisite for effective influence.
  • Institutional mandates define the achievable. A consultation process can deliver only what its constituent bodies are legally empowered to deliver.
  • Expert input bounds uncertainty rather than eliminating it. Technical analysis defines the range of plausible interpretations within which decisions get made; it is a guide to judgment, not a substitute for it.

Introduction: The Architecture Beneath the Headlines

Public attention treats policy as a series of dramatic moments: a signing ceremony, a landmark fine, a sudden withdrawal. These moments are real, but they are the visible surface of a deeper structure. Beneath them runs a process that political scientists have studied for decades and that practitioners navigate by instinct—often without naming its stages.

The framework presented here treats policymaking as four analytically distinct but operationally interwoven phases. Agenda setting decides what gets attention. Consultation assembles the knowledge and legitimacy to act. Negotiation reconciles competing interests into a workable bargain. Implementation determines whether that bargain produces results. The value of separating these stages lies not in tidiness but in precision: each stage has its own logic, its own characteristic failure modes, and its own points of leverage.

To demonstrate the framework’s reach, this analysis draws on two arenas that appear to share little. The first is the decades-long international effort to manage Iran’s nuclear program—among the most thoroughly documented cases of multilateral diplomacy in the modern era. The second is corporate regulation, where scandals, settlements, and enforcement actions trace the same four-stage path. Placing these arenas side by side is not a rhetorical flourish. It is the central analytical claim: the actors and stakes differ enormously, yet the mechanics are strikingly consistent. What governs the rise of a proliferation concern to the UN Security Council also governs the rise of a data-privacy scandal to a congressional hearing room.

Part 1 establishes the framework and examines the first two stages, where problems are defined and the conditions for action are assembled.

Stage One: Agenda Setting — How Issues Rise to Prominence

Every government and every governing body faces an effectively unlimited supply of problems and a strictly limited supply of attention, capital, and political will. Agenda setting is the competition that resolves this imbalance. It is the stage at which a latent condition becomes an active priority.

The scholarship here is instructive. John Kingdon’s multiple-streams model holds that issues reach the agenda when three independent currents converge: a recognized problem, an available policy solution, and the political conditions to act. When they align, a “policy window” opens—often briefly—and entrepreneurs who have prepared in advance push their issue through. The cases below illustrate that convergence with unusual clarity.

Triggering Events

Most issues climb the agenda because something forces them upward. The underlying condition may have existed for years; what changes is the catalyst that reframes it as urgent.

The Iran case offers a textbook example. The public controversy began in August 2002, when the National Council of Resistance on Iran, an exile group, revealed at a press conference that Tehran had built undeclared nuclear-related facilities at Natanz and Arak—some of the claims later proving accurate. Concern had existed quietly within intelligence circles for decades; U.S. assessments had flagged proliferation risks as early as the mid-1970s. The revelation did not create the problem. It made the problem impossible to ignore. Within months, the International Atomic Energy Agency (IAEA) began investigating, and inspectors visited the named sites in February 2003.

A second triggering moment came in September 2009, when Iran disclosed that it had been constructing a previously secret enrichment facility near Qom, later known as Fordow. President Obama’s observation that “the size and configuration of this facility is inconsistent with a peaceful program” captured how a single revelation sharpens collective perception. The disclosure did more than add a data point. As a November 2009 IAEA Board resolution noted, it “reduces the level of confidence in the absence of other nuclear facilities”—converting a specific concern into a generalized suspicion that more remained hidden.

Corporate scandals follow the same dynamic. In March 2018, reporting by The Observer and The New York Times revealed that the consultancy Cambridge Analytica had harvested the personal data of tens of millions of Facebook users without consent. The practice was not new; what changed was its exposure. Within weeks, data privacy and platform accountability vaulted to the top of regulatory agendas on both sides of the Atlantic, and by April 2018 the company’s chief executive faced two days of questioning before a joint session of U.S. Senate committees.

Enron’s 2001 collapse offers an even sharper illustration. The energy firm’s bankruptcy—then the largest in U.S. history—exposed accounting practices that had concealed billions in liabilities. The failure did not merely end one company; it reframed corporate accounting as a systemic risk. Within a year, Congress enacted the Sarbanes-Oxley Act of 2002, rewriting audit oversight and financial disclosure rules for every public company in the country.

The analytical common denominator is decisive. Whether the catalyst was an exile group’s press conference, a leaked dataset, or a bankruptcy filing, none of these events simply introduced new facts. Each reframed an existing condition as a matter demanding immediate action—precisely the moment a policy window opens. For the strategist, the operational implication follows directly: the time to prepare a response is before the triggering event arrives, because the window rarely stays open long enough to build one from scratch.

Escalation Mechanisms

Reaching the agenda is necessary but insufficient. An issue must also possess a pathway to escalate from technical concern to high-level priority. Institutions supply that pathway, and the structure of the escalation ladder determines both how fast an issue rises and how high it can climb.

In the Iran case, technical findings ascended a clearly defined ladder of authority. The IAEA Board of Governors expressed “concern” in June 2003 and adopted its first resolution that September. On September 24, 2005, the Board found Iran in noncompliance with its safeguards agreement for the first time. By February 4, 2006, it referred the matter to the UN Security Council—the body holding, under Article 24 of the UN Charter, “primary responsibility for the maintenance of international peace and security.” The Council subsequently adopted six resolutions between 2006 and 2010. Each rung widened the circle of decision-makers and raised the political stakes.

Corporate issues climb a structurally parallel ladder. The Cambridge Analytica revelations traveled from investigative journalism to a U.S. Federal Trade Commission (FTC) investigation, then to congressional hearings, and finally to a 2019 FTC penalty of $5 billion—at the time the largest ever imposed for a privacy violation. The Enron disclosures moved from financial analysts and short-sellers to Securities and Exchange Commission scrutiny, to congressional investigation, and ultimately to federal legislation. In each case, a technical finding gathered force as it passed through successive institutions, none of which could have acted alone.

The lesson for strategists is concrete. An issue’s prominence depends not only on its substance but on the institutional channels available to carry it upward. Those who understand the relevant ladder—whether it runs through an IAEA board or an FTC docket—can forecast where a problem will go and how quickly it will arrive. This is the essence of agenda intelligence: anticipating escalation before it becomes inevitable, and positioning to shape the issue while it remains malleable.

Stage Two: Consultation — Engaging Stakeholders, Institutions, and Experts

Narrow stairway with illuminated steps leading upward in a dim, concrete industrial basement
A glowing stairway in an abandoned industrial basement creates an eerie atmosphere.

Once an issue commands attention, decision-makers require three things they rarely possess in full: information, legitimacy, and buy-in. Consultation is the phase in which they gather expertise, sound out stakeholders, and assemble the institutional foundations for action. It is the least visible stage and frequently the most consequential, because it sets the boundaries within which negotiation can later occur.

Institutional Roles and Their Limits

Consultation depends on bodies with defined mandates—and those mandates have edges. In the Iran case, the IAEA served as the central monitoring and verification authority, tracking declared facilities, verifying the non-diversion of nuclear material, and reporting to its Board of Governors and the Security Council. Its mandate was nonetheless bounded. Director-General Mohamed ElBaradei stated plainly that the agency lacked “an all-encompassing mandate to look for every computer study on weaponization”; its role was “to make sure that all nuclear materials in a country are declared to us.” A 2006 report acknowledged that “absent some nexus to nuclear material the agency’s legal authority to pursue the verification of possible nuclear weapons related activity is limited.”

The same boundary logic governs corporate consultation. When the U.S. Department of Justice pursued its landmark antitrust case against Microsoft in the late 1990s, the consultation phase drew in a defined set of players: the DOJ’s Antitrust Division, attorneys general from twenty states, and the federal judiciary. Each operated within a specific mandate. The DOJ could allege that Microsoft had unlawfully maintained a monopoly by bundling its Internet Explorer browser with Windows; it could not, by itself, impose the remedy. That authority rested with the court. Knowing precisely where one institution’s authority ended and another’s began shaped every move the parties made.

The analytical point is that institutional mandates are not bureaucratic trivia. They define the achievable. A consultation process can deliver only what its constituent institutions are legally empowered to deliver—a constraint that disciplined strategists internalize early, because misjudging it leads to effort spent pursuing outcomes no institution in the room can grant.

Domestic and Internal Decision Structures

Consultation runs inward as well as outward, and here principal–agent theory becomes useful. Within any organization, those who negotiate (agents) act on behalf of those who hold ultimate authority (principals), and the gap between them shapes outcomes. The agent at the table is rarely the principal who decides.

Within Iran, decision-making flowed through a structured hierarchy. After June 2003, the Supreme National Security Council created a Supreme Nuclear Committee, drawing together the Atomic Energy Organization of Iran and the defense, foreign affairs, and intelligence ministries. President Rouhani later described the sequence directly: “we first had to discuss the matter in the Supreme Nuclear Committee, then we took that result to the Meeting of Leaders, and finally we acted in accordance with the decision of the leaders.” Ultimate authority rested with the Supreme Leader, described by U.S. negotiator Wendy Sherman as “the only one who really holds the nuclear file.” A counterpart who understood that hierarchy could distinguish a genuine concession from a position that had not yet cleared its own internal approval chain.

Corporations inhabit analogous architectures. During the U.S. debate over drug pricing reform—culminating in the Inflation Reduction Act of 2022, which for the first time permitted Medicare to negotiate the prices of certain prescription drugs—pharmaceutical firms engaged through a layered structure. Individual companies lobbied directly while also acting collectively through the Pharmaceutical Research and Manufacturers of America (PhRMA), which aggregated competing positions and presented a unified front to legislators and regulators. Anyone seeking to influence the outcome had to understand not only where a given company stood, but how the industry’s collective position flowed from member firms through the association to Capitol Hill.

For strategists, the implication is consistent across both arenas: knowing who must be consulted, and who holds the final word, is often as decisive as the substance under discussion. Mapping the consultation architecture in advance—identifying the principals behind the agents—is a prerequisite for influence rather than an afterthought.

Expert and Intelligence Input

Consultation also draws on technical and analytical expertise, which functions to bound uncertainty rather than eliminate it. The U.S. intelligence community produced National Intelligence Estimates reflecting interagency assessments. The 2007 estimate concluded that Iran “halted its nuclear weapons program” in 2003 but kept “the option” open, describing any future decision as “inherently reversible.” Foreign services—French, German, Israeli—offered concurring assessments, illustrating how cross-national information sharing feeds the consultative process while also introducing competing interpretations.

Corporate consultation leans on expertise just as heavily, though the experts wear different titles: economists, technical specialists, and industry consultants. The Microsoft proceedings turned substantially on economists debating the definition of the relevant market and the competitive effects of bundling. The drug pricing debate featured actuaries and health economists offering rival models of how negotiated prices would affect innovation and patient access.

In both contexts, expert input rarely settles a debate outright. It defines the range of plausible interpretations within which decisions get made. The disciplined policymaker treats such input as a structured guide to uncertainty—not a substitute for judgment, and not a shield against accountability. Expertise narrows the field of reasonable choices; it does not make the choice.

Part 1 has established the framework and examined the first two stages: agenda setting, where triggering events and institutional ladders elevate latent problems into urgent priorities, and consultation, where mandates, decision hierarchies, and expert input define the boundaries of feasible action. Part 2 turns to negotiation and implementation—where divided coalitions converge or fracture, where agreements are tested against the durability of underlying interests, and where the cycle either holds or begins again. It closes with targeted lessons for CEOs, boards, and regulators.

Stage Three: Negotiation — Reaching Agreement Amid Division

Negotiation is the stage where competing interests meet and either converge or fracture. It is the most visible phase of policymaking and frequently the most fraught. Robert Putnam’s concept of the two-level game offers the sharpest analytical lens. Negotiators bargain simultaneously at an external table with their counterparts and at an internal table with the constituencies they must ultimately satisfy. An agreement that cannot survive the internal table will not hold, however elegant it appears externally. The “win-set”—the range of outcomes a negotiator’s domestic constituency will accept—determines what is achievable, and a negotiator who misreads the other side’s win-set will misjudge the entire bargaining space.

Internal Divisions

Negotiating parties are rarely monolithic. They are coalitions containing factions with divergent priorities, and those internal fault lines shape every external position. Former Iranian negotiator Seyed Hossein Mousavian observed that in 2003 “there were two schools of thought in Iran. One group advocated engagement with the West, while others were proponents of resistance.” President Rouhani himself referred to confronting “both disharmony and sabotage” between the Foreign Ministry and the Atomic Energy Organization of Iran.

The dynamic operated identically on the other side. The United States and its European partners did not always align. A chief obstacle early in the process was “E3 opposition to a 2005 Iranian proposal that would have included a limited Iranian enrichment program.” Washington ultimately persuaded France, Germany, and the United Kingdom to reject any arrangement permitting enrichment. Each delegation arrived at the external table carrying the unresolved arguments of its internal one.

Corporate negotiations carry the same internal fault lines. When Boeing negotiated with the Federal Aviation Administration (FAA) following two 737 MAX crashes—Lion Air Flight 610 in October 2018 and Ethiopian Airlines Flight 302 in March 2019—neither party spoke with a single voice. Within the FAA, safety engineers pressed for a cautious recertification process while the agency faced political pressure to restore confidence in a flagship American manufacturer. Within Boeing, commercial divisions eager to return the grounded fleet to service had to be reconciled with engineering and legal teams managing safety and liability. The regulator that had once delegated significant certification authority to Boeing now had to renegotiate that very relationship. Negotiation, in short, proceeds on two fronts at once, and progress at the external table depends on a negotiator’s ability to manage the internal one.

Stalemates

Talks stall when positions harden or when timing works against settlement. A 2009 proposal to swap Iran’s low-enriched uranium for reactor fuel collapsed when Iran resisted transferring all 1,200 kilograms before receiving fuel in return. The May 2010 Tehran Declaration, brokered by Brazil and Turkey, was not accepted—partly out of concern that it would disrupt efforts to secure a UN Security Council resolution imposing additional sanctions. The timing of one negotiation track foreclosed another.

The European Union’s antitrust confrontation with Google illustrates the same pattern in a corporate setting. Beginning around 2010, the European Commission and Google explored a negotiated settlement rather than formal sanction. Google offered successive commitments to address concerns that it favored its own services in search results. Twice—in 2013 and 2014—the Commission appeared close to accepting voluntary remedies, only for competitor complaints and internal disagreement to harden positions and collapse the talks. Settlement gave way to formal proceedings, and in 2017 the Commission imposed a €2.42 billion fine for abuse of dominance in comparison shopping, the first in a series of penalties that would eventually exceed €8 billion across three cases.

Stalemates, properly read, are not always failures. They frequently reveal the true priorities of each party and reset the terms for a future settlement. The analytical task is to distinguish a genuinely closed door from a deliberate pause before recalibration—a distinction that often determines whether a negotiator holds firm or returns to the table with a revised offer.

Turning Points

Breakthroughs typically hinge not on incremental trading but on a single decisive shift in position. Former officials identified the U.S. decision, “first articulated to Iran during early 2013, to drop its previous insistence that Iran end its enrichment program,” as decisive for reaching a final agreement. Equally consequential were secret bilateral talks between the United States and Iran, brokered by Oman beginning in July 2012. These back-channels created the trust and flexibility that formal multilateral rounds could not, expanding both sides’ win-sets beyond what public negotiation allowed.

The subsequent chronology demonstrates how a turning point accelerates progress once a core obstacle is removed. The Joint Plan of Action was concluded in November 2013, a framework agreement reached in April 2015, and the Joint Comprehensive Plan of Action (JCPOA) finalized on July 14, 2015. Years of stalemate yielded to settlement within roughly two years.

Corporate negotiations turn on comparable pivots. In the Boeing case, the decisive shift came when the company accepted, rather than contested, a redesign of the flight control software at the center of both crashes and submitted to a comprehensive FAA-led recertification. That concession—surrendering the deference Boeing had previously enjoyed—was the move that ultimately allowed the 737 MAX to return to service in late 2020. As in diplomacy, the breakthrough arrived not when the parties traded marginal offers, but when one party abandoned a position it had long defended.

Stage Four: Implementation — Enforcement, Monitoring, and Breakdown

An agreement is a beginning, not a conclusion. Implementation determines whether commitments translate into outcomes, and it is where the largest share of policy failures actually occurs. Compliance theory distinguishes between two explanations for noncompliance. The managerial view attributes failures to ambiguity, capacity gaps, and unintended drift; the enforcement view attributes them to deliberate calculation by parties weighing the costs and benefits of defection. Effective implementation regimes address both—reducing ambiguity through verification and deterring calculation through enforcement. A regime designed for only one will fail against the other.

Monitoring and Verification

Effective implementation rests on the capacity to verify compliance. Under the JCPOA, the IAEA deployed inspections, environmental sampling, surveillance cameras, online enrichment monitors, and the Additional Protocol. Acting Director General Cornel Feruță described the result in September 2019 as “probably the most robust verification mechanism that we have developed anywhere in the world.” Verification performs a precise function: it converts abstract promises into observable, measurable behavior—the only durable foundation for trust between parties that do not fully trust each other.

Implementation Day arrived on January 16, 2016, when prior Security Council requirements terminated and the agreement’s limits took full effect. Iran had already shipped most of its low-enriched uranium to Russia in December 2015 and rendered the Arak reactor’s original core inoperable. The system functioned: until July 2019, reporting indicated Iran complied with its commitments.

Corporate regulation depends on its own verification machinery. The European Union’s General Data Protection Regulation (GDPR), effective May 2018, did not merely set rules for handling personal data; it constructed an enforcement architecture of national data protection authorities empowered to investigate, audit, and sanction. Like the IAEA, these authorities translate broad commitments into observable behavior—requiring firms to document data flows, demonstrate lawful bases for processing, and report breaches within seventy-two hours. The verification burden shifts much of the work onto the regulated party, just as the Additional Protocol obliged Iran to declare equipment and locations. Monitoring is precisely what converts a written rule into an enforceable standard. It is also the managerial view’s primary instrument: by reducing ambiguity, robust monitoring removes the excuse of inadvertent noncompliance.

Enforcement Tools

When parties stray, enforcement mechanisms come into play, and they characteristically escalate in graduated steps. The international framework relied heavily on sanctions. Six Security Council resolutions between 2006 and 2010—1696, 1737, 1747, 1803, 1835, and 1929—imposed escalating restrictions under Chapter VII of the UN Charter, with Resolution 1696 invoking Article 40 and the subsequent sanctions resolutions invoking Article 41’s authority for “measures not involving the use of armed force.” The JCPOA later added a “snapback” mechanism in Resolution 2231, permitting any permanent Council member to reimpose prior sanctions if Iran failed to resolve noncompliance claims.

Corporate enforcement escalates in much the same graduated fashion, with financial penalties standing in for sanctions. GDPR authorizes fines of up to €20 million or four percent of a firm’s global annual turnover, whichever is higher—a deliberately scaled deterrent calibrated to make defection irrational for even the largest firms. Regulators have used it. In 2021, Luxembourg’s data protection authority fined Amazon €746 million, and Ireland’s regulator has levied penalties exceeding €1 billion against Meta across multiple proceedings. The scale of these penalties speaks directly to the enforcement view: deterrence works only when the cost of noncompliance plausibly exceeds its benefit.

Enforcement, however, is only as strong as the legitimacy behind it. When the United States attempted to trigger snapback in August 2020, the Security Council President responded that the letter had “no legal effect” because the United States had withdrawn from the agreement. The most powerful member of the Council could not operate a mechanism for which it no longer had standing. Corporate enforcement faces an analogous test: cross-border cases routinely generate jurisdictional disputes, and penalties are frequently contested and reduced on appeal. The analytical principle is identical across both arenas—enforcement tools depend on standing and consensus as much as on legal text.

Breakdown and Remediation

Implementation can unravel, and the manner of its unraveling is itself analytically revealing. The U.S. withdrawal from the JCPOA on May 8, 2018, and the reimposition of sanctions removed a central pillar of the bargain. Iran initially pledged continued compliance contingent on economic benefits; as those failed to materialize, it began reducing its commitments, citing the agreement’s own provisions as grounds.

The breakdown was measurable. Beginning in July 2019, the IAEA verified that Iran had exceeded limits on its low-enriched uranium stockpile, surpassing the 300-kilogram ceiling, and raised enrichment above the 3.67 percent threshold to roughly 4.5 percent. Iran subsequently installed advanced centrifuges and resumed enrichment at the Fordow facility, both prohibited under the accord. In February 2021, Iran ceased implementing the Additional Protocol and the modified Code 3.1—steps that, in the words of Director General Rafael Grossi, produced “a significant reduction in the [IAEA’s] ability to verify whether Iran’s nuclear programme is entirely peaceful.” This is an enforcement-view breakdown in its purest form: deliberate, staged defection in response to a shifted balance of incentives, with each step calibrated as both leverage and signal.

The corporate equivalent is the scandal that forces a remediation regime. In September 2015, the U.S. Environmental Protection Agency disclosed that Volkswagen had installed “defeat devices”—software designed to detect emissions testing and reduce pollutant output only during those tests—in roughly eleven million diesel vehicles worldwide. Here the breakdown was not the failure of an existing agreement but the discovery that compliance had been fabricated from the outset. The remediation that followed was extensive and closely monitored: Volkswagen agreed to settlements exceeding $20 billion in the United States alone, funded vehicle buybacks and repairs, financed environmental mitigation programs, and operated under the oversight of an independent compliance monitor. The episode illustrates a hybrid breakdown—deliberate concealment (the enforcement view) that the existing verification regime, reliant on standardized laboratory tests, was structurally incapable of detecting (the managerial view).

The lesson is sobering and analytically precise. An agreement, or a compliance commitment, reflects the balance of interests at the moment it is made. When that balance shifts—through a change of government, an economic disappointment, a strategic recalculation, or simply the discovery that the commitment was never honored—implementation erodes even when the underlying drafting was sound.

Bringing the Stages Together: The Recursive Loop

Round table with two place settings on contrasting light and dark wood halves
A round wooden table split into light and dark sections set for two.

The four stages are not a tidy assembly line. They overlap, double back, and occasionally collapse into one another. A breakdown in implementation can push an issue back onto the agenda. A stalemate in negotiation can return parties to consultation. The most important analytical correction this framework offers is the replacement of the linear pipeline with a recursive loop.

Both arenas confirm the point. In the Iran case, by June 2025 the IAEA Board had again adopted a resolution—GOV/2025/38—finding Iran in noncompliance, restarting a process the international community had run before. The agenda-setting trigger of one cycle was the implementation breakdown of the last. In the corporate sphere, the loop is equally visible. The Volkswagen scandal—an implementation failure in one regime—became a triggering event that pushed diesel emissions and testing integrity back onto regulatory agendas across Europe and the United States, prompting tighter real-world emissions standards. Enron’s collapse produced accounting rules whose later enforcement gaps fed subsequent reform debates.

This recursive quality carries a strategic implication that purely linear models obscure. Because today’s implementation failure is tomorrow’s agenda trigger, the most effective practitioners design agreements with the next cycle already in view. They ask not only whether a deal can be reached, but whether it can withstand the predictable shifts in interest that will test it—and what the cost of its failure will be when the loop turns again.

Lessons for CEOs, Boards, and Regulators

The framework yields concrete, transferable guidance. The stages that govern a nuclear accord govern a corporate compliance regime, and the leaders who internalize that structure can act with foresight rather than reaction. The following lessons are organized by the leadership function to which they most directly apply, though each carries relevance across roles.

1. Build the response before the trigger arrives. Triggering events open policy windows that rarely stay open long. Enron, Cambridge Analytica, and Volkswagen each converted a latent condition into an urgent priority within weeks. Leaders should treat known vulnerabilities—a contested data practice, an unverified safety assumption, a concealed liability—as triggers in waiting. The organization that has war-gamed its disclosure scenarios in advance shapes the narrative; the one that improvises surrenders it. Boards should require management to maintain a standing inventory of latent exposures and pre-drafted response protocols.

2. Map the escalation ladder, internal and external. An issue’s trajectory depends on the institutional channels available to carry it upward—from internal audit to board committee to regulator to legislature. Regulators design these ladders; executives must read them. Understanding which body holds jurisdiction, what it is empowered to do, and how quickly a finding can ascend allows leaders to anticipate escalation rather than discover it. The Microsoft case demonstrates the cost of misjudging where authority resides: the remedy lay with the court, not the agency that brought the complaint.

3. Identify the principal behind every agent. Principal–agent dynamics shape every negotiation. The counterpart at the table is rarely the final authority, whether that authority is a supreme council, a board, or a regulatory commission. Before committing to a position, leaders should map the consultation architecture of every party—their own included—and identify whose approval a given concession actually requires. A concession granted by an agent who cannot deliver the principal is worthless.

4. Negotiate on both fronts deliberately. Putnam’s two-level game is not a metaphor; it is an operational reality. Boeing’s path back to service required reconciling commercial urgency with engineering caution internally before any external agreement could hold. Executives should treat internal alignment as a precondition for external credibility, not an afterthought. A position that cannot survive the internal table should never be advanced at the external one.

5. Design verification into the agreement, not around it. Compliance theory’s managerial view teaches that ambiguity breeds noncompliance. The most durable regimes—the JCPOA’s layered monitoring, GDPR’s documentation and breach-reporting requirements—shift the verification burden onto the regulated party and make compliance observable. Regulators should design for measurability from the outset; executives should assume that what cannot be verified will eventually be doubted. Volkswagen’s deception persisted precisely because the prevailing test regime could not detect it.

6. Calibrate enforcement to both cost and legitimacy. The enforcement view holds that deterrence works only when defection’s cost plausibly exceeds its benefit—hence GDPR’s turnover-scaled fines. But the failed 2020 snapback attempt shows that enforcement without standing collapses regardless of the underlying power. Regulators should secure jurisdictional clarity and consensus before acting; executives should recognize that a contested penalty invites appeal, while a legitimate one commands compliance.

7. Stress-test agreements against shifting interests. Every commitment reflects the balance of interests at the moment of signing. Iran’s staged withdrawal followed a change in that balance; the durable question is not whether a deal can be reached but whether it can survive a change of government, an economic shock, or a strategic recalculation. Boards should require scenario analysis that asks explicitly: what conditions would make our counterpart—or ourselves—prefer defection, and what structures would hold the agreement together when they arrive?

8. Treat every breakdown as the next cycle’s agenda. Because the process is recursive, an implementation failure is never merely an ending. It is the triggering event of the next round, often with higher stakes and a wider audience. Leaders who manage a breakdown with an eye toward the cycle it will launch—remediating transparently, preserving credibility, and addressing root causes rather than symptoms—shape the terms on which they will be judged when the loop turns.

Conclusion: The Discipline of the Cycle

Return to the three episodes that opened this analysis: the enrichment plant beneath the mountain, the cars engineered to deceive, the harvested profiles. They belong to different worlds—nonproliferation, automotive regulation, data privacy—yet each traveled the same road. A concealed condition surfaced through a triggering event. Institutions consulted, escalated, and assembled the authority to act. Divided coalitions negotiated their way to a bargain. And that bargain was tested, in time, against the durability of the interests beneath it. Some held. Others broke, and in breaking, set the next cycle in motion.

This is the central claim, now fully drawn: policymaking is a structured, recursive system, and its logic does not change when the actor changes. The proliferation analyst tracking centrifuge counts and the general counsel managing a regulatory settlement are operating the same machinery, even if neither would recognize the other’s vocabulary. To see that machinery clearly is to gain the strategist’s most valuable asset—the ability to anticipate rather than react, to position before positions harden, and to design agreements that can survive the pressures certain to test them.

The frameworks of agenda setting, consultation, negotiation, and implementation are not abstractions to be admired. They are instruments to be used. The leaders who use them well share a single discipline: they pair structural understanding with a clear-eyed reading of the people and incentives behind every decision. They know that an agreement is only as strong as the verification that sustains it and the interests that underwrite it. And they understand that in a recursive system, there is no final settlement—only the management of one cycle in a way that improves the position for the next. That combination of rigor and realism is what separates the practice of policymaking from the theory of it, and it is what turns a structured process into a strategic advantage.

Endnotes

  1. Agenda setting — Iran’s undeclared facilities (August 2002). The public controversy began when the National Council of Resistance on Iran, an exile group, revealed at a press conference that Tehran had built undeclared nuclear-related facilities at Natanz and Arak—some of the claims later proving accurate. U.S. intelligence concern predated the disclosure by decades, dating to assessments in the mid-1970s. The IAEA began investigating in fall 2002, and inspectors visited the named sites in February 2003 (CRS RL34544; CRS R40094, p. 15).
  2. Agenda setting — the Fordow disclosure (September 2009). Iran notified the IAEA in September 2009 that it was constructing a previously secret enrichment facility near Qom. President Obama observed on September 25, 2009, that “the size and configuration of this facility is inconsistent with a peaceful program.” A November 2009 IAEA Board resolution found that the late declaration “reduces the level of confidence in the absence of other nuclear facilities” (CRS RL34544, p. 23-24, citing GOV/2009/74).
  3. Escalation ladder — IAEA Board to UN Security Council. Technical findings ascended a defined institutional ladder: the Board expressed “concern” in June 2003 and adopted its first resolution that September; on September 24, 2005, resolution GOV/2005/77 found Iran in noncompliance with its safeguards agreement for the first time; and on February 4, 2006, GOV/2006/14 referred the matter to the Security Council—the body holding, under Article 24 of the UN Charter, “primary responsibility for the maintenance of international peace and security” (CRS R40094, pp. 16, 24).
  4. Corporate agenda setting — Enron and Sarbanes-Oxley. Enron’s 2001 bankruptcy, then the largest in U.S. history, exposed accounting practices that had concealed billions in liabilities and reframed corporate accounting as a systemic risk. Within a year, Congress enacted the Sarbanes-Oxley Act of 2002, rewriting audit oversight and financial disclosure rules for every U.S. public company (public record; deployed as illustrative comparison).
  5. Corporate agenda setting — Facebook–Cambridge Analytica. Reporting by The Observer and The New York Times in March 2018 revealed that the consultancy Cambridge Analytica had harvested the personal data of tens of millions of Facebook users without consent. Within weeks the issue climbed the regulatory ladder, and by April 2018 the company’s chief executive faced two days of questioning before a joint session of U.S. Senate committees; the matter culminated in a 2019 Federal Trade Commission penalty of $5 billion, at the time the largest ever imposed for a privacy violation (public record).
  6. Consultation — institutional mandates and their limits. Director-General Mohamed ElBaradei stated that the IAEA lacked “an all-encompassing mandate to look for every computer study on weaponization”; its role was “to make sure that all nuclear materials in a country are declared to us.” A 2006 report acknowledged that “absent some nexus to nuclear material the agency’s legal authority to pursue the verification of possible nuclear weapons related activity is limited” (CRS R40094, pp. 14-15). The parallel corporate point is illustrated by United States v. Microsoft, where the Department of Justice could allege unlawful monopoly maintenance but could not itself impose the remedy—that authority rested with the court (public record).
  7. Consultation — decision hierarchies and principal–agent dynamics. Within Iran, decision-making flowed through a structured hierarchy. After June 2003 the Supreme National Security Council created a Supreme Nuclear Committee drawing together the Atomic Energy Organization of Iran and the defense, foreign affairs, and intelligence ministries. President Rouhani described the sequence: “we first had to discuss the matter in the Supreme Nuclear Committee, then we took that result to the Meeting of Leaders, and finally we acted in accordance with the decision of the leaders.” U.S. negotiator Wendy Sherman testified that the Supreme Leader “is the only one who really holds the nuclear file” (CRS RL34544, pp. 12-15).
  8. Consultation — expert input bounds uncertainty. The November 2007 National Intelligence Estimate concluded that Iran “halted its nuclear weapons program” in 2003 but was “keeping open the option,” describing any future decision as “inherently reversible.” French, German, and Israeli services offered concurring assessments, illustrating how cross-national information sharing feeds—and complicates—the consultative process (CRS RL34544, p. 2).
  9. Negotiation — internal divisions (two-level game). Former Iranian negotiator Seyed Hossein Mousavian observed that in 2003 “there were two schools of thought in Iran. One group advocated engagement with the West, while others were proponents of resistance.” On the Western side, a chief early obstacle was “E3 opposition to a 2005 Iranian proposal that would have included a limited Iranian enrichment program,” which Washington persuaded France, Germany, and the United Kingdom to reject (CRS RL34544, pp. 13-14). The Boeing 737 MAX recertification illustrates the same internal-front dynamic, with safety engineers and commercial divisions pulling against one another inside both the FAA and Boeing (public record).
  10. Negotiation — stalemates. A 2009 proposal to swap Iran’s low-enriched uranium for reactor fuel collapsed when Iran resisted transferring all 1,200 kilograms before receiving fuel in return, and the May 2010 Tehran Declaration brokered by Brazil and Turkey was not accepted (CRS RL34544, pp. 65-67). The European Commission’s antitrust talks with Google stalled comparably: twice, in 2013 and 2014, the Commission neared acceptance of voluntary remedies before positions hardened, leading to a €2.42 billion fine in 2017 (public record).
  11. Negotiation — turning points. Former officials identified the U.S. decision, “first articulated to Iran during early 2013, to drop its previous insistence that Iran end its enrichment program,” as decisive for reaching a final agreement; secret bilateral talks brokered by Oman from July 2012 expanded both sides’ room to maneuver. The chronology followed quickly: Joint Plan of Action (November 24, 2013), framework (April 2, 2015), and JCPOA (July 14, 2015) (CRS R40094; CRS RL34544, p. 15).
  12. Implementation — verification. Under the JCPOA the IAEA deployed inspections, environmental sampling, surveillance cameras, online enrichment monitors, and the Additional Protocol. Acting Director General Cornel Feruță described the result in September 2019 as “probably the most robust verification mechanism that we have developed anywhere in the world.” Implementation Day arrived on January 16, 2016, terminating prior Security Council requirements under Resolution 2231 (CRS RL34544, p. 43; CRS R40094, p. 4). GDPR’s documentation, lawful-basis, and seventy-two-hour breach-reporting requirements perform the analogous function in the corporate sphere (public record).
  13. Implementation — enforcement and legitimacy. Six Security Council resolutions between 2006 and 2010 imposed escalating restrictions under Chapter VII, with Resolution 1696 invoking Article 40 and the sanctions resolutions invoking Article 41’s authority for “measures not involving the use of armed force.” When the United States attempted to trigger snapback in August 2020, Council President Djani replied that the United States “cannot invoke the snapback mechanism … because it has withdrawn from” the JCPOA and that the letter had “no legal effect” (CRS R40094, pp. 24-26). GDPR’s turnover-scaled fines—up to €20 million or four percent of global annual turnover—and penalties such as Luxembourg’s €746 million fine against Amazon (2021) illustrate the corporate analogue of scaled deterrence (public record).
  14. Implementation — breakdown. Following the U.S. withdrawal on May 8, 2018, Iran began staged reductions of its commitments. Beginning in July 2019 the IAEA verified that Iran had exceeded the 300-kilogram stockpile ceiling (~304 kg on July 1, 2019; ~372 kg by August) and raised enrichment above the 3.67 percent limit to roughly 4.5 percent, later installing advanced centrifuges and resuming enrichment at Fordow. In February 2021 Iran ceased implementing the Additional Protocol and modified Code 3.1; Director General Grossi stated that this “has led to a significant reduction in the [IAEA’s] ability to verify whether Iran’s nuclear programme is entirely peaceful” (CRS RL34544, pp. 24-27; CRS R40094, pp. 5, 16). The Volkswagen “defeat device” scandal disclosed by the U.S. EPA in September 2015—affecting roughly eleven million diesel vehicles and producing settlements exceeding $20 billion in the United States alone—illustrates the corporate counterpart: concealed noncompliance that the prevailing verification regime was structurally unable to detect (public record).
  15. The recursive loop. On June 12, 2025, the IAEA Board adopted resolution GOV/2025/38 again finding Iran in noncompliance, restarting a process the international community had run before—an implementation breakdown becoming the agenda-setting trigger of the next cycle (CRS R40094, pp. 23-24). The Volkswagen scandal performed the same function in the corporate sphere, pushing real-world emissions testing back onto regulatory agendas across Europe and the United States (public record).
  16. The sources underpinning this analysis fall into three groups: Congressional Research Service reporting, primary diplomatic and legal instruments, and the public record of corporate regulatory episodes, supplemented by the theoretical literature on the policy process.
  17. Congressional Research Service Reports
    Kerr, Paul K. Iran’s Nuclear Program: Status. CRS Report RL34544, Version 56. Washington, DC: Congressional Research Service, updated December 20, 2019. https://crsreports.congress.gov.
    Kerr, Paul K. Iran’s Nuclear Program: Tehran’s Compliance with International Obligations. CRS Report R40094, Version 151. Washington, DC: Congressional Research Service, updated August 7, 2025. https://crsreports.congress.gov.
    Katzman, Kenneth, and Paul K. Kerr. Iran Nuclear Agreement. CRS Report R43333. Washington, DC: Congressional Research Service, updated July 20, 2017. https://crsreports.congress.gov.
  18. International Atomic Energy Agency Materials
    International Atomic Energy Agency, Board of Governors. Implementation of the NPT Safeguards Agreement in the Islamic Republic of Iran: Report by the Director General. GOV/2003/75. Vienna: IAEA, November 10, 2003.
    International Atomic Energy Agency, Board of Governors. Implementation of the NPT Safeguards Agreement in the Islamic Republic of Iran: Resolution Adopted by the Board on 24 September 2005. GOV/2005/77. Vienna: IAEA, September 24, 2005.
    International Atomic Energy Agency, Board of Governors. Implementation of the NPT Safeguards Agreement in the Islamic Republic of Iran: Resolution Adopted by the Board on 4 February 2006. GOV/2006/14. Vienna: IAEA, February 4, 2006.
    International Atomic Energy Agency, Director-General Yukiya Amano. Implementation of the NPT Safeguards Agreement and Relevant Provisions of Security Council Resolutions in the Islamic Republic of Iran: Report by the Director General. GOV/2011/65. Vienna: IAEA, November 8, 2011.
    International Atomic Energy Agency, Director-General Mohamed ElBaradei. Implementation of the NPT Safeguards Agreement and Relevant Provisions of Security Council Resolutions in the Islamic Republic of Iran: Report by the Director General (Fordow Fuel Enrichment Plant). GOV/2009/74. Vienna: IAEA, November 16, 2009.
    International Atomic Energy Agency, Director-General Yukiya Amano. Final Assessment on Past and Present Outstanding Issues Regarding Iran’s Nuclear Programme: Report by the Director General. GOV/2015/68. Vienna: IAEA, December 2, 2015.
    International Atomic Energy Agency, Director-General Rafael Mariano Grossi. Verification and Monitoring in the Islamic Republic of Iran in Light of United Nations Security Council Resolution 2231 (2015): Report by the Director General. GOV/2025/25. Vienna: IAEA, May 31, 2025.
    International Atomic Energy Agency, Board of Governors. Resolution Adopted by the Board of Governors Finding Iran in Non-Compliance with Its Safeguards Obligations. GOV/2025/38. Vienna: IAEA, June 12, 2025.
  19. Legal Instruments
    Agreement between Iran and the International Atomic Energy Agency for the Application of Safeguards in Connection with the Treaty on the Non-Proliferation of Nuclear Weapons. INFCIRC/214. Vienna: IAEA, December 13, 1974.
    Statute of the International Atomic Energy Agency. As amended; Article XII.C. Vienna: IAEA, entered into force July 29, 1957. https://www.iaea.org/about/statute.
    Joint Comprehensive Plan of Action. Vienna, July 14, 2015; Implementation Day, January 16, 2016. United Nations Treaty registration via UN Security Council Resolution 2231 (2015).
    United Nations Security Council. Resolution 1696, S/RES/1696 (July 31, 2006); Resolution 1737, S/RES/1737 (December 23, 2006); Resolution 1747, S/RES/1747 (March 24, 2007); Resolution 1803, S/RES/1803 (March 3, 2008); Resolution 1835, S/RES/1835 (September 27, 2008); Resolution 1929, S/RES/1929 (June 9, 2010); and Resolution 2231, S/RES/2231 (July 20, 2015). New York: United Nations.
    Charter of the United Nations. San Francisco, June 26, 1945; entered into force October 24, 1945. Chapter VII, Articles 24, 25, 40, 41, and 103. http://www.un.org/en/sections/un-charter/un-charter-full-text/.
    Treaty on the Non-Proliferation of Nuclear Weapons, Articles II and III. Opened for signature July 1, 1968; entered into force March 5, 1970. INFCIRC/140.
  20. Corporate Regulatory Episodes (Public Record)
    Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (July 30, 2002), enacted following the Enron Corporation bankruptcy of December 2001.
    United States v. Microsoft Corporation, 253 F.3d 34 (D.C. Cir. 2001). U.S. Department of Justice, Antitrust Division, with the attorneys general of twenty states.
    U.S. Federal Trade Commission. United States v. Facebook, Inc., Case No. 19-cv-2184 (D.D.C. 2019). Settlement and $5 billion penalty, July 24, 2019, following the March 2018 Cambridge Analytica disclosures reported by The Observer and The New York Times.
    U.S. Federal Aviation Administration. Rescission of Emergency Order of Prohibition; Boeing 737 MAX Return to Service. November 18, 2020, following the crashes of Lion Air Flight 610 (October 29, 2018) and Ethiopian Airlines Flight 302 (March 10, 2019). Washington, DC: FAA.
    European Commission. Google Search (Shopping), Case AT.39740. Decision of June 27, 2017, imposing a €2.42 billion fine for abuse of dominance. Brussels: European Commission.
    U.S. Environmental Protection Agency. Notice of Violation of the Clean Air Act to Volkswagen AG, Audi AG, and Volkswagen Group of America, Inc. September 18, 2015, concerning “defeat device” software in diesel vehicles; resulting U.S. settlements exceeding $20 billion. Washington, DC: EPA.
    Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Official Journal of the European Union L 119 (May 4, 2016): 1-88. Effective May 25, 2018.
  21. Theoretical Frameworks
    Kingdon, John W. Agendas, Alternatives, and Public Policies. Boston: Little, Brown, 1984 (multiple-streams model of agenda formation).
    Putnam, Robert D. “Diplomacy and Domestic Politics: The Logic of Two-Level Games.” International Organization 42, no. 3 (Summer 1988): 427-460.
    Chayes, Abram, and Antonia Handler Chayes. The New Sovereignty: Compliance with International Regulatory Agreements. Cambridge, MA: Harvard University Press, 1995 (managerial and enforcement schools of compliance theory).

Discover more from Responsible Public Affairs

Subscribe to get the latest posts sent to your email.

Share On:

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Get A Quote
Get A Quote

Discover more from Responsible Public Affairs

Subscribe now to keep reading and get access to the full archive.

Continue reading