Three-Lines-of-Defence Mapping Governance

2. Summary

Three-Lines-of-Defence Mapping Governance requires that every material AI agent control is explicitly mapped to the three lines of defence: first line (business operations — the teams that build and run agent systems), second line (risk and compliance oversight — the functions that set standards, challenge the first line, and monitor adherence), and third line (internal audit — the independent assurance function that evaluates the effectiveness of both first- and second-line activities). The mapping must be documented, current, and testable. Without it, organisations cannot demonstrate to regulators that their agent governance has independent oversight, cannot identify gaps where controls lack second- or third-line coverage, and cannot ensure that the three lines are genuinely independent rather than nominally separate.

3. Example

Scenario A — Missing Second Line for a Customer-Facing Agent: A retail bank deploys an AI customer-service agent that handles complaint resolution and can offer compensation up to £500 per interaction. The engineering team builds, operates, and monitors the agent. The risk function reviews the agent's design document at deployment but has no ongoing second-line role — no periodic challenge, no independent monitoring of compensation patterns, no review of the agent's escalation decisions. Over 8 months, the agent develops a pattern of offering maximum compensation to customers who express frustration in specific language patterns, regardless of complaint merit. Total compensation paid: £1.4 million against a budget of £600,000. The pattern is discovered during the annual audit — 8 months after it began.

What went wrong: The second line of defence was absent after initial deployment. No risk or compliance function was mapped to the ongoing oversight of the agent's compensation decisions. The first line was both operating and self-monitoring. Consequence: £800,000 in excess compensation, FCA supervisory attention for inadequate systems and controls, mandatory remediation programme, reputational damage from media coverage of "AI giving away money."

Scenario B — Third Line Not Independent: An insurance company deploys an AI claims-processing agent. The internal audit function is asked to provide third-line assurance over the agent's controls. However, a member of the internal audit team previously helped design the agent's fraud-detection rules and was only reassigned to audit 2 months before the review. The auditor reviews their own prior work, finds it satisfactory, and provides a clean opinion. An external regulator subsequently identifies that the fraud-detection rules contain a systematic gap that the auditor's familiarity with their own design prevented them from seeing. The gap had allowed £3.2 million in fraudulent claims over 14 months.

What went wrong: The third-line function was not independent — the auditor had a prior involvement conflict. The three-lines mapping existed on paper, but the individuals assigned to the third line did not have the independence that the framework requires. Consequence: £3.2 million in fraudulent claim payouts, regulatory enforcement action for inadequate governance, mandatory external audit engagement, personal accountability investigation for the audit function head.

Scenario C — Complete Three-Lines Coverage Works: A payment processor deploys an AI transaction-monitoring agent. The first line (operations) runs the agent and monitors its real-time performance. The second line (risk and compliance) independently reviews a sample of the agent's decisions monthly, challenges the first line's performance metrics, and maintains independent thresholds for what constitutes acceptable false-positive and false-negative rates. The third line (internal audit) conducts a semi-annual review of both the first line's operations and the second line's oversight effectiveness. During the second-line monthly review, the compliance function identifies that the agent's false-negative rate for transactions above £50,000 has increased from 0.3% to 1.8% over 3 months — a trend the first line's metrics did not flag because they measured overall false-negative rate (which remained stable at 0.4%). The second line triggers remediation before the trend becomes a regulatory finding.

What went right: Each line was mapped, staffed, and operating independently. The second line applied different analytical perspectives than the first line, catching a segment-specific trend that aggregate metrics missed. The third line's prior review had verified that the second line's review methodology was sound.

4. Requirement Statement

Scope: This dimension applies to all AI agent deployments operating in regulated environments or processing material transactions (financial value exceeding £10,000 per day in aggregate, personal data of more than 1,000 data subjects, or safety-critical operations). The scope covers every governance control that constrains agent behaviour — mandate enforcement, monitoring rules, escalation thresholds, approval workflows, access controls, and audit programmes. For each such control, the organisation must identify which function operates as the first line, which function provides second-line challenge and oversight, and which function provides third-line independent assurance. The scope extends to automated controls: a control that runs without human intervention still requires second-line challenge of its design and configuration, and third-line assurance of its effectiveness. Organisations without a formal internal audit function must either establish one, engage an external provider, or document why third-line coverage is not applicable — with regulatory approval where required.

4.1. A conforming system MUST maintain a documented mapping of every material agent control to named functions or individuals for each of the three lines of defence.

4.2. A conforming system MUST ensure that the second-line function for each control is organisationally independent from the first-line function — the second line SHALL NOT report to the same management chain as the first line below the executive level.

4.3. A conforming system MUST ensure that the third-line function for each control is independent from both the first and second lines — the third line SHALL NOT have had operational or oversight involvement in the control within the preceding 24 months.

4.4. A conforming system MUST require the second-line function to perform documented challenge activities for each mapped control at least quarterly, producing written evidence of the challenge and its outcome.

4.5. A conforming system MUST require the third-line function to perform an independent assurance review of each mapped control at least annually, with findings reported to the board or a board-delegated governance committee.

4.6. A conforming system MUST identify and remediate any material control that lacks coverage in any of the three lines within 30 business days of identifying the gap.

4.7. A conforming system SHOULD maintain the three-lines mapping in a machine-readable format that can be queried to identify coverage gaps, stale reviews, and independence conflicts.

4.8. A conforming system SHOULD integrate the three-lines mapping with the role register from AG-259, ensuring that role assignments align with line-of-defence designations.

4.9. A conforming system MAY implement automated coverage analysis that flags controls approaching the quarterly challenge deadline or the annual assurance review deadline.

5. Rationale

The three lines of defence is the dominant governance model in financial services and increasingly in other regulated sectors. Its power comes from layered independence: the people who run a process are not the same people who challenge it, and neither group is the same as the people who provide independent assurance. When implemented properly, each line catches different types of failure: the first line catches operational errors through proximity; the second line catches systemic issues through independent challenge; the third line catches governance failures through independent assurance.

For AI agent governance, the three-lines model is essential because AI systems exhibit failure modes that each line is uniquely positioned to detect. The first line, with its operational proximity, detects performance degradation, latency issues, and obvious errors. The second line, with its independent perspective and different metrics, detects systematic biases, drift patterns, and threshold adequacy issues that the first line's familiarity with the system may cause it to normalise. The third line, with its governance-level perspective, detects structural gaps: controls that exist on paper but not in practice, independence that is nominal but not real, and oversight activities that are performed but not effective.

Without a formal three-lines mapping, organisations typically default to a two-lines model at best — operations and audit — with no structured second-line challenge function. This is the most common gap in AI agent governance. The second line's role — setting independent standards, performing ongoing challenge, and maintaining independent monitoring — is where most governance failures are caught before they become incidents. Removing or weakening the second line creates a gap where operational drift goes unchallenged until the annual audit, by which time consequences may have accumulated for months.

AG-260 makes the three-lines mapping explicit, testable, and enforceable. It transforms the three lines from a conceptual framework into a concrete governance control with evidence requirements and test specifications.

6. Implementation Guidance

The three-lines-of-defence model requires careful implementation to ensure that the lines are genuinely independent rather than nominally separate. The most common failure is "three lines on paper, one line in practice" — where the mapping exists in a governance document but the day-to-day reality is that a single team performs all three functions.

Recommended patterns:

• Control-level mapping matrix. Create a matrix with one row per material agent control and columns for first-line owner, first-line activities, second-line owner, second-line challenge activities, second-line challenge frequency, third-line owner, third-line review scope, and third-line review date. Store this in a structured format (database or structured file) rather than a prose document. Review the matrix quarterly for completeness and accuracy.
• Second-line challenge calendar. Establish a rolling calendar of second-line challenge activities, with each material control scheduled for quarterly review. The challenge should include: review of first-line performance metrics, independent testing of a sample of control decisions, comparison of first-line monitoring results against second-line independent monitoring, and documented conclusions with any required remediation actions. The challenge is not a passive review — it requires the second line to actively test, question, and verify.
• Third-line risk-based audit plan. The internal audit function should maintain a risk-based audit plan that covers all material agent controls over a rolling cycle (typically 12-36 months). Higher-risk controls should be audited more frequently. The audit scope should include both the effectiveness of the first-line control and the effectiveness of the second-line challenge activity. Audit findings should be tracked to closure with defined deadlines.
• Independence verification. At least annually, verify that the three lines are genuinely independent: check reporting lines, review personnel histories for prior-involvement conflicts, and confirm that no incentive structures create conflicts of interest (e.g., second-line compensation tied to first-line performance). Document the verification and retain it as evidence.

Anti-patterns to avoid:

• Second line as advisory only. If the second line provides advice but has no authority to require remediation, it is not functioning as a second line of defence. The second line must have authority to escalate findings and require corrective action, independent of first-line agreement.
• Third line outsourced without oversight. Outsourcing the internal audit function to an external firm is common and acceptable, but the organisation must retain governance over the audit scope, findings, and remediation tracking. An outsourced audit that the organisation cannot direct, understand, or act upon does not satisfy the third-line requirement.
• Mapping at the system level rather than the control level. Mapping "the AI agent platform" to three lines of defence is insufficient. Each material control must be individually mapped, because different controls may have different first-line, second-line, and third-line owners. A mandate-enforcement control and a monitoring control may be operated by different teams and require different second-line challenge expertise.
• Treating compliance reporting as second-line challenge. Regular compliance reports (e.g., monthly KRI dashboards) are a necessary component of second-line activity but are not sufficient. Second-line challenge requires active testing, questioning, and independent verification — not just passive receipt of first-line reports.
• Audit fatigue leading to superficial reviews. When the audit plan covers too many controls with insufficient resources, the quality of third-line reviews degrades. It is better to conduct thorough reviews of fewer controls per cycle than superficial reviews of all controls. Prioritise by risk.

Industry Considerations

Financial Services. The three-lines-of-defence model is mandated by the Basel Committee on Banking Supervision and expected by the FCA, PRA, and ECB. For AI agent controls, the three-lines mapping should integrate with the firm's existing three-lines framework rather than creating a parallel structure. The second-line function for AI agents typically sits within the model risk management or operational risk function. The third-line function is internal audit with AI/technology audit capability. The PRA's SS1/23 on model risk management explicitly references the three lines of defence for AI and machine learning models.

Healthcare. Clinical governance frameworks typically implement a two-lines model (clinical operations and clinical governance), with external regulatory inspection serving as a quasi-third line. For AI agent governance, organisations should establish formal three-lines coverage, with the clinical governance function providing second-line challenge and an internal or external audit function providing third-line assurance. CQC inspections do not substitute for third-line assurance because they are periodic and externally scheduled.

Critical Infrastructure. Safety-critical deployments should implement four lines of defence, adding an external independent safety assessor as a fourth line beyond internal audit. This aligns with IEC 61508 requirements for independent safety assessment. The three-lines mapping should explicitly identify which controls require fourth-line coverage.

Maturity Model

Basic Implementation — The organisation has documented three-lines-of-defence mappings for material agent controls. The first and second lines are identified and active. The third line has conducted at least one review. The mapping may be maintained in a spreadsheet or governance document rather than a structured database. Second-line challenge activities may not cover all controls quarterly. Independence has been asserted but not independently verified.

Intermediate Implementation — The three-lines mapping is maintained in a machine-readable format integrated with the AG-259 role register. Second-line challenge activities are performed quarterly for all material controls, with documented outcomes. Third-line reviews follow a risk-based audit plan and cover all material controls within a 24-month cycle. Independence is verified annually through reporting-line review and conflict-of-interest checks. Coverage gaps are identified and remediated within 30 business days.

Advanced Implementation — All intermediate capabilities plus: automated coverage analysis flags controls approaching review deadlines. The three-lines mapping is dynamically updated when personnel or organisational changes occur. Second-line challenge activities include independent testing (not just review of first-line outputs). Third-line reviews explicitly assess second-line effectiveness, not just first-line control operation. The organisation can demonstrate to regulators that every material agent control has continuous, independent, multi-layered oversight. External conformance assessment (AG-157) validates the three-lines framework itself.

7. Evidence Requirements

Required artefacts:

• Three-lines-of-defence mapping register. Structured register mapping each material agent control to first-line, second-line, and third-line functions with named individuals, activity descriptions, and review frequencies. Must be current within 30 days.
• Second-line challenge reports. Quarterly challenge reports for each material control, documenting the challenge activities performed, findings, conclusions, and any required remediation actions. Minimum 12 months of history.
• Third-line assurance reports. Annual (or more frequent) internal audit reports covering material agent controls, including scope, methodology, findings, risk ratings, and remediation tracking. Minimum 24 months of history.
• Independence verification evidence. Annual assessment of three-lines independence, including reporting-line analysis, conflict-of-interest declarations, and personnel history reviews.
• Coverage gap remediation records. Documentation of any identified gaps in three-lines coverage and the remediation actions taken, including timeline and outcome.

Retention requirements:

• Three-lines mapping and challenge/assurance reports: minimum 7 years for regulated financial services; minimum 5 years for other regulated sectors; minimum 3 years otherwise.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Evidence must exist as retained artefacts, not be reconstructable after the fact.

8. Test Specification

Testing AG-260 compliance requires verifying the completeness of the mapping, the independence of the lines, and the effectiveness of challenge and assurance activities.

Test 8.1: Mapping Completeness

• Stimulus: Retrieve the three-lines mapping register. Cross-reference against the organisation's inventory of material agent controls.
• Expected behaviour: Every material agent control has first-line, second-line, and third-line coverage identified with named functions and individuals.
• Pass criteria: 100% of material controls are mapped to all three lines with named coverage.
• Fail criteria: Any material control lacks coverage in any line.

Test 8.2: Second-Line Independence

• Stimulus: For each second-line function identified in the mapping, verify that it does not report to the same management chain as the corresponding first-line function below the executive level.
• Expected behaviour: Reporting-line analysis confirms organisational independence.
• Pass criteria: All second-line functions are organisationally independent from their corresponding first-line functions.
• Fail criteria: Any second-line function reports to the same management chain as its first-line function below executive level.

Test 8.3: Third-Line Independence

• Stimulus: For each third-line function identified in the mapping, verify that no member of the third-line team had operational or oversight involvement in the control within the preceding 24 months.
• Expected behaviour: Personnel history review confirms no prior-involvement conflicts.
• Pass criteria: All third-line personnel are free of prior-involvement conflicts for the controls they review.
• Fail criteria: Any third-line personnel reviewed a control they were involved in within the preceding 24 months.

Test 8.4: Second-Line Challenge Timeliness

• Stimulus: For a sample of 25% of material controls (minimum 5), verify that second-line challenge activities were performed within the most recent quarter.
• Expected behaviour: Challenge reports exist with dates within the current or most recent complete quarter.
• Pass criteria: All sampled controls have current quarterly challenge evidence.
• Fail criteria: Any sampled control lacks challenge evidence within the required timeframe.

Test 8.5: Third-Line Review Coverage

• Stimulus: Verify that the third-line audit plan covers all material agent controls within a rolling 24-month period, and that reviews scheduled within the past 12 months have been completed.
• Expected behaviour: The audit plan is comprehensive and on schedule.
• Pass criteria: All material controls are in the audit plan, and all scheduled reviews have been completed.
• Fail criteria: Any material control is missing from the audit plan, or scheduled reviews are overdue.

Test 8.6: Coverage Gap Remediation Timeliness

• Stimulus: Identify any controls that were flagged as lacking three-lines coverage in the past 12 months. Verify that remediation was completed within 30 business days.
• Expected behaviour: All coverage gaps were remediated within the required timeframe.
• Pass criteria: 100% of identified gaps were remediated within 30 business days.
• Fail criteria: Any gap remained unresolved beyond 30 business days.

Test 8.7: Mapping Currency

• Stimulus: Compare the three-lines mapping against current organisational charts and personnel records. Verify that all named individuals are still in their roles and that the mapping reflects any organisational changes within the past 30 days.
• Expected behaviour: The mapping is current and accurate.
• Pass criteria: All named individuals are in the roles shown in the mapping, and recent organisational changes are reflected.
• Fail criteria: The mapping contains stale personnel assignments or does not reflect recent changes.

Conformance Scoring

• Score 0: No three-lines-of-defence mapping exists — agent controls are governed by a single operational function without independent oversight.
• Score 1: Three-lines mapping is documented but incomplete or stale — some controls are mapped, but coverage gaps exist and second-line challenge activities are sporadic.
• Score 2: All material controls are mapped to all three lines, second-line challenge is quarterly, third-line assurance is annual, and independence is verified — the framework is operational and current.
• Score 3: Verified by independent assessment — an external party (AG-157) has validated the three-lines framework, confirmed independence, and tested the effectiveness of challenge and assurance activities. Automated coverage analysis is operational.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 17 (Quality Management System)	Direct requirement
Basel Committee	Principles for the Sound Management of Operational Risk (Principle 4)	Direct requirement
FCA SYSC	4.1.1R (General Organisational Requirements)	Direct requirement
PRA SS1/23	Model Risk Management — Governance	Direct requirement
NIST AI RMF	GOVERN 1.2, GOVERN 2.1	Supports compliance
ISO 42001	Clause 5.3 (Organizational Roles, Responsibilities and Authorities)	Supports compliance
DORA	Article 5 (Governance and Organisation)	Supports compliance
IIA Standards	Standard 2100 (Nature of Work)	Supports compliance

Basel Committee — Principle 4 (Three Lines of Defence)

The Basel Committee's Principles for the Sound Management of Operational Risk explicitly establishes the three-lines-of-defence model as the expected governance structure for operational risk management in banking. Where AI agents create operational risk, their governance controls fall within the scope of this principle. AG-260 implements the mapping framework that allows organisations to demonstrate compliance with Principle 4 for AI agent operations.

PRA SS1/23 — Model Risk Management

The PRA's Supervisory Statement on model risk management explicitly references the three lines of defence in the context of AI and machine learning models. SS1/23 requires that model risk management frameworks include independent validation (second line) and independent audit (third line). For AI agents that incorporate models, AG-260 ensures that the three-lines coverage extends from the model to the governance controls that constrain the agent's use of the model.

FCA SYSC — 4.1.1R (General Organisational Requirements)

SYSC 4.1.1R requires firms to have robust governance arrangements, including a clear organisational structure with well-defined, transparent, and consistent lines of responsibility. The three-lines mapping provides the structure through which firms can demonstrate that AI agent governance has defined lines of responsibility with appropriate independence.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Organisation-wide — compromises the independence and effectiveness of the entire governance framework

Consequence chain: Without three-lines mapping, governance controls for AI agents operate without independent challenge or assurance. The first line monitors itself, identifies its own issues, and assesses its own effectiveness. Systematic biases, gradual drift, and structural gaps go undetected because no independent perspective exists to identify them. The regulatory consequence is severe: every major financial regulator expects the three-lines-of-defence model, and its absence for AI agent governance is treated as a systemic governance failure. The practical consequence is that governance failures accumulate undetected until they manifest as incidents — by which time the consequences have compounded over the detection gap period. The detection gap is typically 6-18 months when only the first line is active, compared to 1-3 months when an active second line is performing quarterly challenge.

Cross-references: This dimension builds upon AG-259 (Role-Segregated Control Ownership Governance) which establishes the role segregation that makes the three lines meaningful; AG-159 (Agent Accountability and Named Ownership) which ensures each agent has a named owner sitting in the first line; AG-108 (Operator Role Segregation) which enforces the operational separation that underpins first-line and second-line independence; AG-157 (External Conformance Assessment) which provides an additional layer of assurance beyond the three internal lines; and AG-170 (Approval Quality and Substantive Review) which ensures that second-line challenge and third-line assurance activities are substantive rather than perfunctory.