
Risk managers say AI models force a shift in the three lines of defence, with first-line teams taking on continuous monitoring duties.
The traditional three lines of defence governance model is buckling under the weight of artificial intelligence, according to risk managers at several large banks. The first line – the business units that own the models – needs to take on more formal responsibility for continuous testing and monitoring, they said.
Financial risk models have long relied on a second-line validation team that builds a challenger model and, in some cases, runs part of the testing. That division of labour works when a model is a static code base updated quarterly or annually. AI models are neither static nor easily challenged by a separate team.
Machine learning models retrain themselves on new data. The logic shifts. A validation team that sees the model once a quarter cannot audit a system that has already changed. The first line, which deploys the model day to day, is the only group in a position to catch drift or bias in real time, the risk chiefs argued.
One head of model risk at a European bank said the current framework "was designed for a world where models were built once and validated once. AI inverts that. The validation has to be continuous, and the first line is the only group that can deliver it."
A second-line team at a U.S. bank has started piloting automated challenger models that run daily against the live AI models, flagging divergences without waiting for a quarterly validation cycle. That approach requires the first line to cede some control over deployment pipelines, a point of friction in early tests.
The push for a restructured governance model comes as regulators in the U.S. and Europe step up their scrutiny of AI in credit underwriting, fraud detection, and trading. The Federal Reserve and the European Central Bank have both issued guidance requiring banks to show they can explain and monitor AI-driven decisions, not just validate them at inception.
A second risk manager at a U.S. regional bank said the hardest part is not the technology but the allocation of headcount. "The first line does not have the modelling talent it needs to run continuous monitoring. The second line has the talent not the operational access. Someone is going to have to move bodies, or the regulators will force the issue."
The debate mirrors an earlier fight over model risk management after the 2008 crisis, when banks were forced to move validation out of the front office and into independent second-line units. The AI models, some risk chiefs said, may force a partial reversal – returning testing responsibility to the first line, with new governance guardrails.
No bank has formally changed its three-lines structure for AI yet. Several said they expect to propose changes to their boards within the next two quarters.
Prepared with AlphaScala research tooling and grounded in primary market data: live prices, fundamentals, SEC filings, hedge-fund holdings, and insider activity. Each story is checked against AlphaScala publishing rules before release. Educational coverage, not personalized advice.