top of page

Lines of defense : 2 combinations with AI

(and not confusing the 2)

Just as in football, most organisations have three lines of defense that form their risk management system. A football team's defense protects against a touchdown by the opposing team. Similarly, employees in organization protect the business against a risk event.

The 3 lines of defense model was developed by the FERMA (Federation of European Risk Management Associations) in 2008 and introduced by the Institute for Internal Auditors in 2013.

Since then it has grown significantly and has become a standard for many auditors and risk managers. Different types of risks (credit, market, interest, operational, AML, etc.) regulated in financial services are managed according to this model.

Why not apply it to AI?

1. Apply the 3 lines of defense model to AI governance

What does it mean ?

  • 1st line of business: create, own and manage AI risks

These are responsible for designing, specifying, building, deploying and operating ML models and AI automation. They are also responsible for the data used in the AI model.

  • 2nd line of business: overseeing AI risks

They assess and monitor risks, develop a risk management strategy and check whether the 1st line of defense has developed according to the expected requirements.

Model validation teams are independent teams responsible for assessing the robustness of the AI model and associated data, testing the results and recommending corrective actions.

  • 3rd line of defense: responsible for providing independent assurance to senior management and the board over the effectiveness of the First and Second Line on AI

They oversee the other two lines of defense to ensure compliance with the organization's laws, policies and strategies, as well as the ethical and responsible use of technology. They may be supplemented by specific boards made up of various internal/external managers reporting to the board.

To be effective, these three lines of defense work in synergy with a common goal: to control AI risks end-to-end in the organization and throughout the AI life cycle.


If not already done, enhance your 3 lines of defense model to incorporate AI risks at each stage of the lifecycle and empower risk management around the data and AI ML models ..

2- Strengthen the 3 lines of defense model with AI ML technologies

AI as a new technology has the potential to facilitate and automate certain tasks performed at each stage of the line of defense model.

Here are some examples

  • 1st line of defense: detecting new patterns in customer datasets to get better services tailored to your customer needs, perform sentiment analysis for stocks trends

  • 2nd line of defense: developing automated solutions to improve prediction of credit default risk , detect patterns around suspicious transactions, unsupervised solutions to monitor regulatory stress test scenarios.

As the scope of risk analysis expands into new areas (e.g. cyber risks, climate risks), the use of AI ML technologies is expected to grow.

  • 3rd line of defense: audit activities can be transformed through machine learning, leading to increased productivity and accuracy.

It helps automate manual tasks, analyze the full volume of structured and unstructured data, identify anomalies, make predictions about future risks and events.

With automation, some components of risk management move from the third line to the first and second lines of defense.


Overall automation with AI improves the effectiveness of risk management.

But while implementing other factors such as training, communication, risk culture assessment, company size, infrastructure capabilities (e.g. cloud) and data readiness are taken into account.

In summary

How to effectively implement the 3 lines of defence around AI (way 1) is already a challenge for most organisations.

Introducing AI tools into risk management practices (way2) lead to greater efficiency.

But what about combining the two ways ? It's another step.

Feel free to provide your comments and questions at


Subscribe to Our Newsletter

Thanks for submitting!

bottom of page