Three Lines of Defense
The three lines of defense model is a widely adopted risk governance model that distributes risk management responsibilities across three organizational levels: the first line (operational management and AI teams) owns and manages risks directly in its daily work; the second line (risk management and compliance functions) provides oversight, policies, and guidance; and the third line (internal audit) provides independent assurance that the first and second lines are functioning effectively.
What this means in practice
For organizations governing AI, the three lines model prevents both the concentration of risk management in a single function and the diffusion of accountability where nobody owns risk. In COMPEL, the three lines of defense model is integrated into the governance architecture designed during Module 3.4, Article 8 on audit and assurance for enterprise AI, ensuring clear accountability for AI risk management across the organization.
Why it matters
The three lines of defense model distributes AI risk management across operational teams, risk oversight functions, and independent audit, preventing both dangerous concentration and fatal diffusion of accountability. Without this structure, organizations either overload a single function with all risk responsibility or let accountability slip through organizational gaps. The model creates layered assurance that AI risks are managed, overseen, and independently verified.
How COMPEL uses it
The three lines model is integrated into the governance architecture designed during Module 3.4, Article 8 on audit and assurance for enterprise AI. During the Model stage, roles are assigned across all three lines. The Produce stage operationalizes first-line risk management, the Governance pillar establishes second-line oversight, and the Evaluate stage coordinates third-line independent assurance and audit activities.