Which of the following best describes the 'Three Lines of Defense' model as applied to DevOps governance?