☠️ Farewell, Old Friend: Three Lines of Defence Retires (Sort Of)
Once the rockstar of risk management, the Three Lines of Defence – that iconic diagram we all pretended to understand in 2013 – is slowly being nudged aside. Cause of death? Algorithmic obsolescence.
Born in the late ‘90s, during the corporate drama of Enron and WorldCom, the model was officially knighted by the Institute of Internal Auditors in 2013. By 2015, it had made its way into every boardroom slideshow from Sydney to São Paulo, promising a simple, structured view of an increasingly chaotic risk landscape.
You know the drill:
- First Line owns the risk.
- Second Line oversees it.
- Third Line assures it.
And it worked — mainly because it was clear, comprehensible, and helped restore trust when trust was in short supply.
💻 Enter AI: A New Line of Assurance
Fast forward to 2025, and a quiet revolution is underway. Explainable AI (XAI) and model governance frameworks are now doing in milliseconds what used to take weeks of meetings and memos.
AI doesn’t wait for quarterly audits. It spots exceptions, flags anomalies, and — here’s the kicker — documents everything with timestamped precision. The old lines, once comfortably distant from each other, are now compressed into a single feedback loop. The reassuring triangle has flattened into a circle.
We’re witnessing the birth of something new:
“Continuous Autonomous Assurance.”
Sounds fancy. Might even work.
🧍What About the Humans?
No one feels the shift more than Internal Audit, proud stewards of the now-defunct Third Line. Independence, once defined by distance, must now be reimagined when ownership, oversight, and assurance live inside the same chatbot.
The question is no longer, “Who’s watching the watchers?” but rather,
“Who’s training the model that’s watching everything?”
To stay relevant, Internal Auditors may need to become curators of model integrity – gatekeepers of algorithmic fairness, transparency, and ethical governance.
🚨 Standards, Please!
With AI steamrolling into the governance arena, the urgency for clear regulatory standards has never been greater. The risks aren’t just technical; they impact how governance structure’s function — and whether Internal Audit can still justify its mission.
We’re not saying the Three Lines are completely obsolete. Not yet. But let’s be clear:
Don’t drop the model until you’ve got a replacement lined up.
AI isn’t here to replace human oversight — but to augment it. The best outcomes will come from organisations that find the sweet spot between automation and accountability. Yes, the bots are fast, but we still need someone asking the tough questions.
🧠 Three Lines of Defence
- The Three Lines of Defence approach is fading, replaced by explainable AI and real-time model governance.
- Internal Audit must evolve or risk becoming a relic.
- Don’t abandon the old model without a plan B.
- AI is a tool, not a get-out-of-governance-free card.
- Keep the Human in the Loop. Always.
So, as we raise a glass (of responsibly sourced Copenhagen coffee) to our old risk framework, remember: the future of assurance isn’t less oversight — it’s smarter, faster, and still very human.
PS, we keep the new Three Lines of AI defence diagram framed at a central place in the office, perhaps right next to the emergency AI kill switch.