What Is Three Lines of Defence?
Three Lines of Defence is an organisational risk governance model in which the first line (business/operations) owns and manages risk, the second line (risk and compliance functions) provides oversight and frameworks, and the third line (internal audit) provides independent assurance.
The three lines model is the dominant framework for organising AI governance accountability in regulated industries. The first line includes AI product teams, data scientists, and business units using AI. The second line includes AI risk, model risk, and compliance functions. The third line — internal audit — independently tests whether the first and second lines are functioning as claimed. APRA CPS 230, the FCA, and EBA all expect AI governance to be embedded within the three lines structure.
Source: IIA Three Lines Model (2020); APRA CPS 230