The IIA's Three Lines Model (2020)
The IIA's Three Lines Model (2020)
The IIA's Three Lines Model (2020) — 38% covered.
6 requirements · 0 enforced · 3 designed · 3 advisory · 0 deferred.
Source: The Institute of Internal Auditors — The IIA's Three Lines Model (2020 update of the Three Lines of Defence). KYE Protocol maps each of the six principles to the authority, evidence and assurance primitives that make AI-agent actions governable across the first line (operational management), second line (risk and compliance), and third line (internal audit). KYE supplies the runtime authority + evidence layer the model assumes; it does not replace any line's people or mandate. · License: IIA — model text is copyrighted; KYE registry paraphrases each principle's intent and cites the principle number for mapping purposes only.
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Governance | 2 | 0 | 1 | 1 | 0 | 38% |
| Roles | 2 | 0 | 1 | 1 | 0 | 38% |
| Assurance and value | 2 | 0 | 1 | 1 | 0 | 38% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
three-lines.principle-1 |
Principle 1 — Governance: accountability, assurance and structures | designed | constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/36-GOVERNEDUI.md |
three-lines.principle-2 |
Principle 2 — Governing body roles: oversight with integrity and transparency | advisory | constitution_refs: constitution/13-RESILIENCE-LOOP.mdaudit_events: kye.evidence.pack.v1 |
three-lines.principle-3 |
Principle 3 — First and second line roles: operational authority and risk/compliance | advisory | constitution_refs: constitution/12-PURPOSE-PERMISSION.mdaudit_events: kye.evidence.decision_map.v1 |
three-lines.principle-4 |
Principle 4 — Third line role: independent and objective assurance | designed | constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
three-lines.principle-5 |
Principle 5 — Third line independence: verifiable without dependence on the first/second line | advisory | constitution_refs: constitution/13-RESILIENCE-LOOP.mdaudit_events: kye.replay.proof.v1 |
three-lines.principle-6 |
Principle 6 — Creating and protecting value: aligned, coordinated assurance | designed | constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/12-PURPOSE-PERMISSION.md |