Strengthening Internal Reporting Channels for AI Whistleblowers

By  Rocío Riesco

Whistleblowing channels are a well-established element of corporate governance, helping organizations detect misconduct early and limit legal and reputational harm. This function is especially important in the AI context. AI systems evolve faster than the governance frameworks meant to oversee them, allowing harms to scale before they are fully understood. Internal employees are often best positioned to spot issues like biased outputs, unsafe deployments, or gaps between stated "responsible AI" commitments and actual practice. However, raising AI-related concerns can be difficult, as it may be perceived as obstructing innovation. Despite this pressure, research indicates that moral motivations are a primary driver of whistleblowing, with empirical studies showing that the vast majority of whistleblowers report for apparently moral reasons. The key challenge is not employees' willingness to report AI-related risks but whether organizations are prepared to receive, protect, and act on those reports. 

This article is written by Rocío Riesco. She is an Argentine lawyer and ethics and compliance specialist based in Washington, D.C. Rocio has over a decade of experience across public, private, and multilateral sectors, with a focus on prevention, investigations, and institutional integrity. Her interests include responsible AI, whistleblower protection, and governance challenges related to emerging technologies.

 —------------------------------------------------------------------------------------------------------------

Strengthening Internal Reporting Channels for AI Whistleblowers

Internal Reporting as an Early-Detection System for AI Risks

Whistleblowing channels have long been an intrinsic part of corporate governance programs. They enable organizations to detect misconduct early, correct course before harm escalates, and protect organizations from serious legal and reputational consequences. In the context of artificial intelligence, this logic becomes even more critical.

AI systems evolve fast. Most of the time, they evolve faster than the governance frameworks designed to oversee them. Decision-making is now embedded in models, automated pipelines, and complex technical architectures. This velocity creates a structural risk: harms can scale before they are fully understood. Internal employees are often the first to notice when something is off. Employees may observe biased outputs, unsafe deployments, or a gap between what the organization claims about “responsible AI” and what the AI system is actually doing. Often, employees also have the hands-on technical and domain expertise to spot subtle risks that may not surface in formal assessments. In summary, they can detect these risks before they escalate into regulatory violations, human rights impacts, or significant reputational damage.

Yet speaking up about misconduct is never easy, and this holds true for AI-related concerns. In many organizations, raising concerns about AI can feel like "slowing down innovation," or risk being framed as resistance to a strategic priority. The pressure to stay silent is real.

Interestingly, empirical research suggests that when people do come forward, moral motivations tend to play a central role. A recent study by Beri and Baker (2026) assembled a dataset of 30 historical whistleblowing cases spanning 15 industries to identify patterns relevant to designing AI-specific whistleblowing programs. Its findings offer a useful baseline: at least 87% of whistleblowers reported for apparently moral reasons. This aligns with broader literature — a large-scale study using data from over 42,000 U.S. federal employees found that moral concerns consistently predicted whistleblowing decisions above and beyond other organizational and situational factors (Dungan, Young & Waytz, 2019).

The question, then, is not whether people are willing to report AI-related risks, but whether organizations are ready to listen, protect, and act.

The Regulatory Landscape: Converging Signals

The case for internal AI reporting channels is no longer just a matter of good governance. It is increasingly a legal issue. Regulators in multiple jurisdictions are starting to set concrete expectations for how organizations detect, receive, and act on AI-related concerns.

In the European Union (EU), the picture is taking shape through the interaction of two complementary frameworks. The EU AI Act is the world's first comprehensive risk-based regulation of AI, imposing enforceable compliance obligations, extensive documentation requirements, and accountability mechanisms across the AI lifecycle. Separately, the EU Whistleblower Protection Directive (2019/1937) establishes minimum standards for the protection of people who report violations of EU law. As of August 2, 2026, Article 87 of the EU AI Act explicitly invokes the Directive, extending its protections to reports of any suspected AI Act violations. This means that, in many EU jurisdictions, organizations already required to maintain internal reporting channels under national whistleblowing laws (typically private-sector entities with 50 or more employees) should ensure those channels can effectively receive and handle reports related to suspected EU AI Act violations.

In the United States, no equivalent federal framework concerning AI whistleblowing exists, but the legislative landscape is moving. At the state level, California's Transparency in Frontier AI Act (SB 53), which took effect in January 2026, is the first frontier-AI law in the U.S. that includes whistleblower protections for employees who raise AI safety concerns. It mandates that developers of large frontier models establish anonymous internal reporting processes and prohibits retaliation against employees who disclose concerns in good faith.

At the federal level, the U.S. Department of Justice Criminal Division's September 2024 update to its Evaluation of Corporate Compliance Programs explicitly addressed AI-related risks, signaling an expectation that compliance programs, including reporting mechanisms, should be fit for purpose in an AI-enabled environment.

Together, these regulatory signals point in the same direction: organizations deploying or developing AI must be prepared to receive, assess, and manage AI-related concerns through internal channels, and to do so competently.

Is Your Organization Ready? Building a Credible Internal Whistleblowing Channel

AI whistleblowing is no longer hypothetical. The question is whether organizations will be ready when the first report arrives. Building a credible channel requires attention to several interconnected areas.

The starting point is governance and culture. Many codes of ethics address fraud, harassment, or conflicts of interest, but remain silent on AI. Explicitly defining which forms of AI misuse may constitute misconduct sends a clear message that responsible use of AI is an imperative. To create a responsible AI culture, the message must be reinforced by tone at the top, by active and wide communication to all employees, and by a targeted outreach to teams that work closely with AI. Transparency and accountability are also crucial: organizations should communicate outcomes and lessons learned from substantiated cases, while respecting confidentiality, to demonstrate that the organization takes these issues seriously and is committed to act.

Equally important is operational readiness. AI whistleblowing cases often raise novel questions related to technical uncertainty or risks that cannot be fully understood. Organizations must have a clear internal protocol for handling AI-related reports that defines how allegations are assessed. Because these allegations may require specialized input, the protocol should establish parameters for when investigators may consult subject matter experts and the safeguards needed to protect the confidentiality of the investigation. Best practices for handling AI-related reports will ultimately be shaped by real-life cases, and this is new territory for most organizations. In the meantime, and precisely because most organizations have no prior cases to draw from, ensuring appropriate training for those responsible for receiving and assessing these reports is the foundation on which a credible system must be built.

Protection against retaliation, as in every whistleblowing channel, must be robust and genuinely enforced. Employees should feel secure to report reasonable suspicion of AI-related misconduct, even when there is technical complexity and uncertainty, given the evolving nature of these technologies. This should be complemented by anonymous and confidential reporting options, which are also essential for building trust in the reporting system.

Finally, well-designed internal channels serve a critical early-warning function. Organizations that can detect and address AI-related concerns early are better positioned to manage them in a controlled, proactive way, rather than having issues surface first through external channels, media, or regulatory scrutiny. This is ultimately the governance argument for investing seriously in these systems: internal reporting, when it works, is one of the most cost-effective risk management tools an organization has.

Conclusion: AI Whistleblowers and the Future of Psychological Safety

As AI becomes embedded in core business decisions, organizations will face new and evolving risks. In that scenario, psychological safety cannot exist without making room for AI whistleblowers.

Organizations that genuinely want responsible AI cannot rely solely on frameworks, audits, or principles. They must empower the people closest to the technology to raise concerns without fear, stigma, or retaliation.

The real test of AI maturity is not whether innovation moves fast. It is whether organizations are ready to hear uncomfortable truths along the way.

References:

Beri, E. & Baker, M. (2026). Insights for an AI Whistleblower Office from 30 Case Studies. arXiv:2603.01245.

Dungan, J., Young, L. & Waytz, A. (2019). The power of moral concerns in predicting whistleblowing decisions. Journal of Experimental Social Psychology, 85, 103876.

EU AI Act, Regulation (EU) 2024/1689, Article 87.

EU Whistleblower Protection Directive, Directive (EU) 2019/1937.

California Transparency in Frontier AI Act, SB 53 (2025).

U.S. Department of Justice, Criminal Division. Evaluation of Corporate Compliance Programs (updated September 2024).

_____________________________________________________________

Collaborate with us!

As always, we appreciate you taking the time to read our blog post.

If you have news relevant to our global WAI community or expertise in AI and law, we invite you to contribute to the WAI Legal Insights Blog in 2016! To explore this opportunity, please contact WAI editors Silvia A. Carretta - WAI Chief Legal Officer (via LinkedIn or silvia@womeninai.co) or Dina Blikshteyn  (dina@womeninai.co).

Silvia A. Carretta and Dina Blikshteyn

- Editors