§14 · Lane 2 — AI Audit and Accountability

Three Lines of Defence against Risks from AI: the prudential bridge to APRA CPS 230

Schuett (2023) · AI & Society 40(2)

Academic · Tier 1 · Lane 2 · DOI

Bibliographic data

Title
Three lines of defense against risks from AI
Authors / Issuing body
Jonas Schuett (Centre for the Governance of AI; Goethe University Frankfurt)
Venue / Publisher
AI & Society 40(2); volume year 2025, published online 2023-11-27 (Crossref issued date)
Year
2023
Designation
Academic
Licence
DOI — refer to publisher for full licence terms.

How to cite

Schuett, J. (2023). Three lines of defense against risks from AI. AI & Society, 40(2); volume year 2025, published online 27 November 2023. https://doi.org/10.1007/s00146-023-01811-0

Applies the Institute of Internal Auditors' canonical Three-Lines-of-Defence model (operational management — Line 1; risk management and compliance — Line 2; internal audit — Line 3) to AI risk management, and serves as the conceptual bridge between the Raji 2020 (SMACTR) and Mökander 2024 (three-layered audit) audit models and APRA CPS 230's governance / control / assurance architecture.

Why it matters for NETEVO

Schuett's contribution is to take the Institute of Internal Auditors' Three Lines model (reissued by the IIA in 2020 as the "Three Lines Model", the version the paper works from) and assign AI-specific risk-management tasks to each line: operational management and AI development teams at the front, risk management and compliance in the middle, internal audit at the back. That translates established prudential-governance vocabulary into AI terms. The prior audit literature, Raji 2020 (SMACTR) and Mökander 2024 (three-layered audit), approached the same accountability problem from the auditor's side rather than the governance side, so Schuett's paper is the conceptual bridge between those audit models and APRA CPS 230's governance, control and assurance architecture.

The established vocabulary of prudential governance. Three Lines of Defence is the language APRA, listed-company boards, and risk-and-compliance functions already speak. An AI governance posture expressed in Schuett's terms — three lines of defence operationalised against ISO/IEC 42001 Annex A controls, for example — sits within a frame those functions already use, rather than requiring a parallel AI-specific one.

Conceptual bridge for executable-edge controls. APRA's CPS 230 Operational Risk Management architecture follows the same division of responsibility: operational risk management at the front line, risk management oversight in the middle, internal audit assurance at the back. Schuett's paper connects that regulator-readable architecture to the executable-edge-controls implementation argument NETEVO advances under Law-to-Code Methodology, so that a control enforced at the operational edge can be traced to the line, and the accountable function, that owns it.

Pairs naturally with ISO/IEC 38507. Where ISO/IEC 38507 names what the governing body must do, Schuett names how those obligations cascade down into the operational management layers below. Together they span the chain from board accountability at the apex to operational evidence at the base.

Where NETEVO applies this

Related audiences