A classic model for risk management and control is something called “The Three Lines of Defense (3ODL).” The three lines are as follows: Line 1: Risk Owners - Front-line staff and operational management Line 2: Risk Oversight - Risk management and compliance functions Line 3: Risk Assurance - Internal audit, However, with the advent of modern sociotechnical systems like Agile, Cloud Native, and Event-Driven architectures these legacy lines (3ODL) are at best blurred and at worst completely broken. With the modern patterns and practices of DevOps and DevSecOps it’s not clear who the front-line owners are anymore. Risk management and organizational compliance teams struggle to adapt to new cloud-native models such as ephemeral containers, microservices, and event-driven architecture like serverless. Most organizations’ internal audit processes today are highly toil-based and have low efficacy. This is something I have called in previous presentations “Security and Compliance Theater.” In this presentation, we are going to look at a couple of case studies that include the good, the bad, and the ugly when it comes to 3ODL.