
I worked in internal control for years, and I can confidently say how valuable the “Three Lines of Defence” model is within any governance and risk management framework. Most organisations already understand the concept of the Three Lines of Defence in general governance. But when it comes to AI, many organisations unintentionally collapse all three lines into one. We see the same people build the AI, then approve the AI, then monitor the AI, and sometimes even assess their own compliance!!!
Surely that is not AI governance!
As AI adoption accelerates, organisations need clearer separation of responsibilities across the AI lifecycle. A practical AI governance model with three lines of defence could look something like this:
1st Line of Defence
The AI team that develops the AI solution (including AI engineers, data scientists and the AI officer), as well as the AI business owner and the operational teams who use the AI, are part of this line. These two parties own the risks and operate the controls day-to-day (hence the importance of embedded controls).
2nd Line of Defence
This line comprises the “Catalysts” and “Facilitators”: the AI governance, risk, compliance, legal, privacy, and internal control teams. They define policies, challenge decisions, oversee risk, and provide independent governance oversight.
3rd Line of Defence
This line comprises internal and external audit. They independently assess whether AI governance and controls are actually working as intended.
Three layers, Three safety nets!
Without this three-line separation, accountability becomes blurred, risk decisions become inconsistent, independent challenge disappears, and governance can quickly become a “rubber stamp” exercise. The objective of AI governance is not to create more bureaucracy. It is to ensure AI can scale in a controlled, trusted, and accountable way.
The organisations getting this right are usually not the ones with the most AI policies. They are the ones with the clearest operating model.