AI Governance
Re-engineering the Three Lines of Defense for the AI Era

Jeremiah Ssekabira
May 22, 2025 · 9 min read
Executive Summary
Most directors are familiar with the three-lines-of-defense model for risk: business ownership, independent oversight functions, internal audit. Applied to AI, the model still works — but each line has new responsibilities. This article reframes the three lines for the AI era and identifies the most common gaps.
Context
AI risk crosses functional boundaries. A single AI use case can touch product, technology, legal, data protection, model risk, cyber, procurement and ethics. Without a clear model for who owns what across those domains, AI risk lands by default with whoever is most senior in the room — usually the wrong outcome.
Key Issues
First line — business ownership
The business owns the use case. That means owning the impact assessment, the human-oversight design, the user communications and the day-to-day monitoring. The first line cannot delegate AI risk to a central function.
Second line — independent oversight
Risk, compliance, data protection and (where it exists) the AI ethics function provide independent challenge, frameworks and monitoring. The second line should have authority to halt deployments, not merely to comment on them.
Third line — internal audit
Internal audit provides assurance that the first and second lines are doing what they say. That requires audit teams with AI literacy, an AI-aware audit plan and access to model documentation.
Strategic Implications
The three-lines model breaks down when first-line teams adopt AI through SaaS features without engaging the second line, or when the second line lacks the authority or capability to challenge. Boards should expect explicit reporting on how each line is operating in practice for AI.
Governance Considerations
- Confirm the second line has the right to require an impact assessment before high-risk deployment.
- Confirm internal audit has at least one engagement on AI use cases planned in the current year.
- Ensure the AI risk taxonomy is shared across all three lines — divergent taxonomies produce blind spots.
Practical Recommendations
- Publish a one-page RACI for AI risk across the three lines.
- Brief the audit committee on first-line AI adoption pipelines, not only second-line frameworks.
- Build an internal community of practice that crosses the three lines without collapsing their independence.
Conclusion
The three-lines model is not obsolete in the AI era — it is more important than ever. The boards that operationalize it for AI will know who owns what, who can stop what, and who confirms that the system is working as designed.
Share this article
Bring AI Governance to Your Boardroom
Book an executive masterclass or advisory session with Jeremiah Ssekabira.
Previous
ISO/IEC 42001: The AI Management System Standard Every Board Should Know
Next
Foundation-Model Concentration Risk: A New Item for the Board Risk Register
The AI Governance Brief
Weekly insights on AI governance, board leadership, responsible AI and emerging technologies — delivered to executives across Africa and beyond.