§14 · Lane 2 — AI Audit and Accountability

Three Lines of Defence against Risks from AI

Schuett (2023) · AI & Society 40(2)


Bibliographic data

Title
Three lines of defense against risks from AI
Authors / Issuing body
Jonas Schuett (Centre for the Governance of AI; Goethe University Frankfurt)
Venue / Publisher
AI & Society 40(2) (volume year 2025; Crossref issued date 2023-11-27)
Year
2023
Designation
Academic
Licence
DOI — refer to publisher for full licence terms.

How to cite

Schuett, J. (2023). Three lines of defense against risks from AI. AI & Society, 40(2). https://doi.org/10.1007/s00146-023-01811-0

Applies the Institute of Internal Auditors' canonical Three-Lines-of-Defence model (operational management — Line 1; risk management and compliance — Line 2; internal audit — Line 3) to AI risk management. The conceptual bridge between §5 (Raji 2020 SMACTR) / §6 (Mökander 2024 three-layered audit) and APRA CPS 230's governance / control / assurance architecture.

Why it matters for NETEVO

Schuett's contribution maps the Institute of Internal Auditors' canonical Three Lines of Defence model — operational management at the front line, risk management and compliance in the middle, internal audit at the back — onto AI-specific risk. It is the citation that translates established prudential-governance vocabulary into AI terms, closing a gap the prior audit literature approached from a different direction.

Vocabulary fit with directors and prudential regulators. Three Lines of Defence is the language APRA, listed-company boards, and risk-and-compliance functions already speak. Schuett's paper lets an engineered AI governance posture be presented to a board in that vocabulary ("our AI governance has three lines of defence, operationalised against ISO/IEC 42001 Annex A controls") rather than asking the board to learn a parallel AI-specific frame.

Conceptual bridge for executable-edge controls. APRA's CPS 230 Operational Risk Management architecture is explicitly Three-Lines-of-Defence-shaped: operational risk management at the front line, risk management oversight in the middle, internal audit assurance at the back. Schuett's paper is the citation that connects that regulator-readable architecture to the executable-edge-controls implementation argument NETEVO advances under Law-to-Code Methodology, and it is load-bearing for both the forthcoming AI-Washing Audit whitepaper and the forthcoming CPS 230 executable-edge-controls insight.

Pairs naturally with ISO/IEC 38507. Where ISO/IEC 38507 names what the governing body must do, Schuett names how those obligations cascade down into the operational management layers below. Together they bridge the catalogue's apex — board accountability — to its base — operational evidence.
