Whistleblower and Speak-Up Governance

2. Summary

Whistleblower and Speak-Up Governance requires that organisations provide protected channels for reporting unsafe, unlawful, or deceptive AI agent behaviour — and that these channels are independent of the normal governance chain, accessible to all persons who interact with or observe the agent (including employees, contractors, outsource provider staff, and affected members of the public), and backed by enforceable protections against retaliation. The normal governance chain (monitoring, escalation, audit) detects failures through structured processes. Whistleblower channels detect failures that structured processes miss — because the failure is in the structured process itself, because the people running the process are concealing the failure, or because the failure is of a type that no structured process was designed to detect. AG-268 ensures that when someone sees something wrong with an AI agent and the normal channels are not working, they have a safe, protected way to report it.

3. Example

Scenario A — Suppressed Reporting of Biased Agent Behaviour: A local government deploys an AI benefits-assessment agent. A case worker notices that the agent systematically scores applicants from certain postcodes lower than comparable applicants from other postcodes — a pattern consistent with proxy racial discrimination. The case worker raises the concern with their team leader, who says: "The AI has been approved by the technology team. It is working as designed. Do not create problems." The case worker does not have access to an independent reporting channel. The biased pattern continues for 14 months until an external advocacy organisation conducts a statistical analysis and publishes the findings. The resulting investigation identifies that the team leader was aware of the pattern for 14 months and actively suppressed the case worker's concern to avoid disrupting the deployment timeline.

What went wrong: The case worker identified the problem but had no independent reporting channel. The normal governance chain (team leader) was the suppression point. Without a channel that bypasses the governance chain, the concern was trapped at the level that was suppressing it. Consequence: 14 months of discriminatory benefit assessments affecting an estimated 4,200 applicants, Equality and Human Rights Commission investigation, mandatory remediation programme costed at £1.8 million, criminal referral for potential Equality Act violations, reputational destruction for the local authority.

Scenario B — Fear of Retaliation Preventing Report: A bank's junior data scientist discovers that the AI credit-scoring agent's training data contains a systematic error that inflates the scores of high-net-worth customers by an average of 12 points. The error benefits the bank's revenue (more loans approved for profitable customers) and was introduced by the Head of Data Science, who is the junior scientist's direct manager. The junior scientist wants to report the error but fears that reporting it will be seen as accusing their manager of wrongdoing, resulting in career consequences. No anonymous reporting channel exists. No explicit protection against retaliation is communicated. The junior scientist does not report. The error continues for 9 months until the next model validation cycle, by which time the bank has approved £34 million in loans with inflated credit assessments.

What went wrong: The absence of a protected, anonymous reporting channel prevented a person with direct knowledge of a governance failure from reporting it. The power dynamic (junior reporting on senior) and the absence of retaliation protections created a chilling effect. Consequence: £34 million in loans with inflated credit scores, estimated £2.1 million in additional credit losses, regulatory finding for inadequate model governance, personal accountability for the Head of Data Science under SM&CR.

Scenario C — Effective Speak-Up Channel: A healthcare provider's AI diagnostic-support agent begins recommending a specific diagnostic pathway that generates higher revenue for the hospital but is not clinically optimal for a subset of patients. A junior clinician notices the pattern during a night shift. The clinician accesses the organisation's AI ethics hotline — a dedicated reporting channel for AI-related concerns, operated by an independent third party, accessible via web form, phone, or text, with explicit anonymity protection. The clinician files an anonymous report at 03:15. By 09:00 the next business day, the independent ethics team receives the report, triages it as high-priority (patient safety), and escalates to the Chief Medical Officer, bypassing the technology team that operates the agent. The Chief Medical Officer orders an immediate clinical review, which confirms the pattern. The agent is restricted to advisory-only mode within 48 hours of the report. The clinician's identity is never disclosed.

What went right: A protected, independent, accessible reporting channel existed. The channel was operated independently of the team that might suppress the report. Anonymity protection eliminated the fear of retaliation. The channel was available 24/7 (the clinician reported at 03:15). The triage process correctly identified the report as high-priority and escalated it to the appropriate authority.

4. Requirement Statement

Scope: This dimension applies to all AI agent deployments, regardless of risk tier. The right to report unsafe, unlawful, or deceptive AI behaviour without retaliation is fundamental and should not be limited to high-risk deployments. The scope covers all categories of reportable concern: agent behaviour that is unsafe (could cause harm to persons or property), unlawful (violates applicable law or regulation), deceptive (produces misleading outputs or conceals its AI nature), discriminatory (produces biased outcomes based on protected characteristics), non-compliant (violates the organisation's own governance standards), or unethical (conflicts with reasonable ethical standards even where not strictly unlawful). The scope extends to all persons who may observe reportable behaviour: employees, contractors, outsource provider staff, joint venture partners, affected members of the public, and regulators. The scope includes reports about the agent itself and about the governance of the agent — including reports that governance is being circumvented, suppressed, or falsified by the people responsible for it.

4.1. A conforming system MUST provide at least one reporting channel for AI agent concerns that is independent of the agent's operational governance chain — the channel SHALL NOT be operated by the team that builds, operates, or approves the agent.

4.2. A conforming system MUST allow anonymous reporting through the independent channel, without requiring the reporter to identify themselves as a condition of filing a report.

4.3. A conforming system MUST implement and communicate explicit protections against retaliation for persons who report concerns in good faith through any channel, including but not limited to: protection against dismissal, demotion, reassignment, performance rating manipulation, and informal ostracism.

4.4. A conforming system MUST triage all reports received through the independent channel within 5 business days, assigning a priority level and routing the report to an appropriate investigative function that is independent of the subject of the report.

4.5. A conforming system MUST ensure the independent channel is accessible to all persons who interact with or observe the agent, including: employees, contractors, outsource provider staff, and affected members of the public. At minimum, a web-accessible reporting form and a phone number must be available.

4.6. A conforming system MUST retain all reports and investigation outcomes for a minimum of 7 years, regardless of whether the report was substantiated.

4.7. A conforming system SHOULD communicate the availability of the reporting channel proactively: to all employees and contractors during onboarding, annually in governance communications, and in any public-facing documentation about the organisation's AI agents.

4.8. A conforming system SHOULD provide reporters with a mechanism to track the status of their report (e.g., a case reference number) without compromising their anonymity.

4.9. A conforming system MAY engage an independent third party (external ethics hotline provider) to operate the reporting channel, providing additional assurance of independence and confidentiality.

5. Rationale

Whistleblower and speak-up channels are the governance control for the failures that governance itself does not detect. Every other governance control in this framework — monitoring, escalation, three-lines oversight, audit — relies on structured processes to detect problems. Speak-up channels detect problems that structured processes miss, because they leverage the most powerful detection mechanism available: the observations of the people who work with the agent every day.

The case for speak-up governance in AI is even stronger than in traditional operations. AI agents exhibit failure modes that are difficult to detect through structured monitoring but observable to human operators: subtle biases that appear only in specific demographic segments, drift patterns that manifest over weeks, and behaviour changes that are technically within monitoring thresholds but intuitively "wrong" to an experienced operator. These observations, which data scientists call "weak signals," are precisely the type of concern that speak-up channels are designed to capture.

The independence requirement (4.1) is the foundational element. A reporting channel that is operated by the team responsible for the agent is compromised: the team has a conflict of interest in whether reports are filed, triaged, and escalated. The Scenario A example illustrates this directly — the team leader was the suppression point. Independence means that the channel is operated by a function (or external party) that has no involvement in the agent's operation or governance, no reporting relationship to the agent's operational team, and no incentive to suppress reports.

The anonymity requirement (4.2) addresses the power dynamics that prevent reporting. In every organisation, people at lower levels observe problems that people at higher levels create or tolerate. Without anonymity, reporting requires the reporter to accept personal risk — career consequences, social consequences, and the emotional cost of accusing colleagues. The consistent finding across decades of whistleblower research is that anonymity dramatically increases reporting rates, and higher reporting rates correlate with earlier detection of governance failures. The goal is not to encourage frivolous reports (the triage process filters those) but to eliminate the barriers that prevent substantive reports from being filed.

The retaliation protection requirement (4.3) complements anonymity. Even where anonymity is offered, reporters may fear that their identity can be inferred. Explicit, communicated retaliation protections — backed by enforceable consequences for retaliators — provide a safety net that encourages reporting even where perfect anonymity cannot be guaranteed.

6. Implementation Guidance

The speak-up channel should be designed for accessibility, independence, and trust. If potential reporters do not know the channel exists, cannot access it easily, do not believe it is independent, or do not trust that they will be protected, the channel will not be used — and an unused channel detects nothing.

Recommended patterns:

• External ethics hotline. Engage a specialised third-party ethics hotline provider to operate the reporting channel. The provider offers web, phone, and text reporting options, operates 24/7, provides anonymity by design (the provider does not collect identifying metadata unless the reporter voluntarily provides it), and forwards triaged reports to the organisation's designated investigation function. This is the strongest independence model because the channel operator has no organisational relationship with the agent's operational team. Established providers operate in multiple languages and across jurisdictions.
• Dedicated AI ethics reporting channel. Within the organisation's existing speak-up framework, create a dedicated category for AI-related concerns. This ensures that AI reports are routed to investigators with AI domain knowledge rather than general compliance investigators. The dedicated category should have its own triage criteria reflecting the unique characteristics of AI concerns (bias, drift, opacity, emergent behaviour).
• Public reporting access. For customer-facing agents, provide a public-accessible reporting mechanism. This can be as simple as a link on the organisation's website ("Report an AI concern") that routes to the independent channel. This allows customers, members of the public, and other external parties to report concerns about agent behaviour. Public reporting is particularly important for agents that affect vulnerable populations (benefits assessment, healthcare, criminal justice).
• Annual speak-up awareness campaign. Conduct an annual awareness campaign reminding all employees and contractors of the speak-up channel, the types of concerns that should be reported, the anonymity and retaliation protections available, and examples of how previous reports (anonymised) led to governance improvements. The campaign should be endorsed by senior leadership to signal organisational commitment.
• Reporter feedback loop. Provide reporters with a case reference number and a mechanism to check the status of their report without revealing their identity (e.g., a web portal where they enter their case number). Where a report leads to corrective action, communicate the outcome (in anonymised, general terms) to the broader organisation to demonstrate that reporting leads to action — this builds trust in the channel and encourages future reporting.

Anti-patterns to avoid:

• Reporting to the line manager. A speak-up channel that routes reports to the reporter's line manager is not a speak-up channel — it is the normal management chain. Speak-up channels must bypass the management chain, because the management chain may be the problem.
• Identity-required reporting. Requiring reporters to identify themselves as a condition of filing a report eliminates the majority of potential reporters. While identified reports are easier to investigate, the barrier to filing them is too high for most people. Allow anonymous reporting and invest in investigation techniques that can substantiate anonymous reports.
• Channel without investigation. A reporting channel that receives reports but does not investigate them is worse than no channel — it creates the illusion of governance without the substance. Every report must be triaged and, where appropriate, investigated. The investigation function must be independent of the subject of the report.
• Retaliation protection in policy only. Stating retaliation protection in a policy document that no one reads is insufficient. Protections must be communicated proactively, enforced visibly (when retaliation is detected, the retaliator faces consequences), and reinforced through senior leadership messaging. A policy that is not enforced provides no protection.
• Speak-up data used for HR purposes. If the organisation uses speak-up channel data to identify and discipline reporters (rather than to investigate the concerns reported), trust in the channel will collapse. Speak-up data must be treated with the highest confidentiality protections and used only for its intended purpose: investigating governance concerns.

Industry Considerations

Financial Services. FCA rules (SYSC 18) require firms to have appropriate internal procedures for employees to report concerns, and the FCA operates its own whistleblowing channel for financial services firms. AG-268's requirements should integrate with SYSC 18 compliance. The FCA has stated that it expects firms to foster a culture where staff feel comfortable raising concerns — AG-268's proactive communication requirements support this expectation. Under SM&CR, the firm must designate a Senior Manager as the "Whistleblowers' Champion" with Prescribed Responsibility for the firm's whistleblowing policies and procedures.

Healthcare. The NHS has established Freedom to Speak Up Guardians and a National Guardian's Office. For AI agent concerns in healthcare settings, AG-268 should integrate with the Freedom to Speak Up framework, ensuring that AI-specific concerns are routed to investigators with both clinical and technical competence. Patient safety concerns should be fast-tracked with the highest triage priority.

Public Sector. The Public Interest Disclosure Act 1998 (PIDA) provides legal protections for whistleblowers in the UK. AG-268's protections should complement PIDA requirements. Public-sector AI agents that affect citizens' rights should have particularly accessible public reporting channels, given the power asymmetry between the state and the citizen.

Critical Infrastructure. Safety-critical AI agent concerns should be reportable to the relevant safety regulator directly (e.g., HSE, ONR) as well as through internal channels. AG-268 should not create barriers to external regulatory reporting — the speak-up channel is an additional path, not a replacement for regulatory whistleblowing.

Maturity Model

Basic Implementation — An independent reporting channel exists for AI agent concerns, separate from the operational governance chain. Anonymous reporting is available. Retaliation protections are documented in policy. Reports are triaged within 5 business days. The channel's existence has been communicated to employees. Reports are retained for the required period.

Intermediate Implementation — The channel is operated by an external third party or by a function demonstrably independent of all agent operational teams. The channel is accessible via web, phone, and text, 24/7. A dedicated AI reporting category ensures routing to AI-competent investigators. Reporters can track case status anonymously. Annual awareness campaigns are conducted. Retaliation protections are communicated proactively and enforced. Public reporting access is available for customer-facing agents. Investigation outcomes are communicated (in anonymised form) to the organisation.

Advanced Implementation — All intermediate capabilities plus: speak-up channel effectiveness metrics are tracked (reports per quarter, investigation outcomes, time-to-resolution, reporter satisfaction). The channel has been independently assessed for accessibility, independence, and trust. Trend analysis of reports identifies systemic governance issues across agents. The organisation can demonstrate that speak-up reports have led to concrete governance improvements. Senior leadership actively promotes the channel and references specific examples (anonymised) of reports that improved governance.

7. Evidence Requirements

Required artefacts:

• Channel design documentation. Documentation of the speak-up channel design, including: operator identity, independence from operational teams, reporting mechanisms available (web, phone, text), anonymity protections, and accessibility (internal, external, 24/7).
• Retaliation protection policy. The documented retaliation protection policy, including the specific protections offered, the enforcement mechanism, and the consequences for retaliators. Must be current and communicated within the past 12 months.
• Triage and investigation records. Records of all reports received, triage decisions, investigation actions, and outcomes. Must include triage timing (within 5 business days). Minimum 7 years retention.
• Awareness communication records. Evidence of proactive communication about the channel, including annual awareness campaigns and onboarding materials. Minimum 24 months.
• Channel accessibility evidence. Evidence that the channel is accessible to all intended audiences (employees, contractors, outsource provider staff, public), including the reporting mechanisms available and the languages supported.
• Whistleblowers' Champion designation. (Financial services) Documentation of the Senior Manager designated as the Whistleblowers' Champion under SM&CR, with evidence of their active oversight of the channel.

Retention requirements:

• All reports and investigation records: minimum 7 years regardless of sector.

Access requirements:

• Producible to regulators or auditors within 48 hours of request. Individual reporter identities must not be disclosed unless the reporter has consented or a legal obligation requires it.

8. Test Specification

Testing AG-268 compliance requires verifying the channel's accessibility, independence, and operational effectiveness.

Test 8.1: Channel Independence

• Stimulus: Examine the speak-up channel operation. Verify that the channel operator (person or organisation) has no reporting relationship to, operational involvement with, or financial dependency on the teams that build, operate, or approve the agents covered.
• Expected behaviour: The channel operator is demonstrably independent from all operational agent teams.
• Pass criteria: No reporting, operational, or financial relationship between the channel operator and agent operational teams.
• Fail criteria: Any relationship that could compromise the channel operator's independence.

Test 8.2: Anonymous Reporting Capability

• Stimulus: File a test report through the channel without providing any identifying information. Verify that the report is accepted, triaged, and processed without requiring identification.
• Expected behaviour: Anonymous reports are accepted and processed identically to identified reports.
• Pass criteria: The test report is accepted, assigned a case reference, and triaged within 5 business days without requiring identification.
• Fail criteria: The channel requires identification as a condition of filing, or anonymous reports are deprioritised relative to identified reports.

Test 8.3: Accessibility — Internal

• Stimulus: Verify that the reporting channel is accessible to employees and contractors through at least a web form and a phone number, available 24/7.
• Expected behaviour: Multiple reporting mechanisms are available and functional at all hours.
• Pass criteria: Web and phone channels are functional and accessible to internal users 24/7.
• Fail criteria: Any required channel is non-functional or unavailable outside business hours.

Test 8.4: Accessibility — External

• Stimulus: For customer-facing agents, verify that a public reporting mechanism is available and discoverable (e.g., linked from the organisation's website or AI-related public documentation).
• Expected behaviour: External reporting is available and discoverable.
• Pass criteria: A public-accessible reporting mechanism exists and can be found within 3 clicks from the organisation's homepage.
• Fail criteria: No public reporting mechanism exists, or it requires more than 3 clicks to discover.

Test 8.5: Triage Timeliness

• Stimulus: Review triage records for reports received in the past 6 months. Verify that all reports were triaged within 5 business days.
• Expected behaviour: 100% of reports triaged within 5 business days.
• Pass criteria: All reports triaged within 5 business days.
• Fail criteria: Any report triaged after 5 business days.

Test 8.6: Retaliation Protection Communication

• Stimulus: Survey a sample of 20 employees and contractors. Verify that they are aware of: the speak-up channel's existence, the anonymity protections, and the retaliation protections.
• Expected behaviour: High awareness levels across the sample.
• Pass criteria: At least 80% of the sample are aware of all three elements (channel existence, anonymity, retaliation protection).
• Fail criteria: Fewer than 80% awareness on any element.

Test 8.7: Investigation Outcome and Closure

• Stimulus: For substantiated reports in the past 12 months, verify that investigation outcomes included defined corrective actions, that corrective actions were tracked to closure, and that the outcome was communicated (in anonymised form) through the reporter feedback mechanism.
• Expected behaviour: Substantiated reports lead to corrective action, tracked to closure, with outcome communicated.
• Pass criteria: All substantiated reports have defined corrective actions tracked to closure with documented outcome communication.
• Fail criteria: Any substantiated report lacks corrective action, has untracked remediation, or has no outcome communication.

Conformance Scoring

• Score 0: No speak-up channel exists for AI agent concerns — the only reporting path is the normal governance chain, which may be the source of the problem.
• Score 1: A reporting channel exists but lacks independence (operated by the agent's operational team), requires identification, or does not offer retaliation protection — the channel exists but barriers to reporting are too high for effective use.
• Score 2: An independent, anonymous reporting channel is operational, with retaliation protections communicated and enforced, reports triaged within 5 business days, and investigations conducted by an independent function — the speak-up framework is functional and trustworthy.
• Score 3: Verified by independent assessment — an independent party has tested channel accessibility, independence, and trust. Speak-up effectiveness metrics are tracked. Reports demonstrably lead to governance improvements. The organisation proactively promotes the channel and senior leadership endorses its use.

9. Regulatory Mapping

Regulation	Provision	Relationship Type
EU AI Act	Article 9 (Risk Management System)	Supports compliance
EU AI Act	Article 62 (Reporting of Serious Incidents)	Supports compliance
EU Whistleblower Directive	Directive (EU) 2019/1937	Direct requirement
FCA SYSC	18 (Whistleblowing)	Direct requirement
Public Interest Disclosure Act 1998	Sections 43A-43L	Direct requirement
SOX	Section 301 (Audit Committee — Whistleblower Procedures)	Direct requirement
NIST AI RMF	GOVERN 1.5 (Feedback Mechanisms)	Supports compliance
ISO 42001	Clause 9.3 (Management Review)	Supports compliance
Equality Act 2010	Part 9 (Enforcement)	Supports compliance

EU Whistleblower Directive — Directive (EU) 2019/1937

The EU Whistleblower Directive requires organisations with 50 or more employees to establish internal reporting channels for breaches of EU law. For AI agents, this includes breaches of the EU AI Act, GDPR, and sector-specific regulations. AG-268's requirements align with and extend the Directive's requirements to cover AI-specific concerns (bias, drift, deception) that may not fall strictly within the Directive's scope but are governance-critical.

FCA SYSC — 18 (Whistleblowing)

SYSC 18 requires FCA-regulated firms to have appropriate internal procedures for employees to report concerns, to appoint a Whistleblowers' Champion, and to inform employees of the FCA's own whistleblowing channel. AG-268 extends SYSC 18 to cover AI-specific concerns and to ensure that the reporting channel is accessible to non-employees (contractors, outsource provider staff, members of the public) who may observe problematic AI agent behaviour.

SOX — Section 301 (Audit Committee — Whistleblower Procedures)

Section 301 requires the audit committee of listed companies to establish procedures for the receipt, retention, and treatment of complaints regarding accounting, internal controls, or auditing matters, including the confidential, anonymous submission by employees. Where AI agents execute financial operations subject to SOX controls, concerns about those agents' governance fall within Section 301's scope. AG-268's anonymous reporting and retention requirements directly support Section 301 compliance.

Public Interest Disclosure Act 1998

PIDA provides legal protections for workers who make qualifying disclosures about wrongdoing. AI agent behaviour that constitutes a criminal offence, a failure to comply with a legal obligation, a miscarriage of justice, a danger to health and safety, or damage to the environment would qualify. AG-268's channel provides the internal reporting mechanism that PIDA encourages workers to use before making external disclosures.

10. Failure Severity

Field	Value
Severity Rating	High
Blast Radius	Organisation-wide — suppressed reports allow systemic governance failures to persist

Consequence chain: Without speak-up governance, the most dangerous category of governance failure — the type that insiders know about but the governance system does not detect — goes unreported. The consequence is not a single incident but a prolonged failure: biased agent behaviour persisting for months, unsafe agent recommendations continuing until an external party discovers them, unlawful data processing continuing until a regulator investigates. The duration of the failure is determined by the gap between when an insider first observes the problem and when the governance system detects it through other means. Without a speak-up channel, this gap can be 12-24 months (until the next audit cycle) or longer (if the audit itself is compromised). Each month of continued failure compounds the consequences: more people affected, more governed exposure accumulated, more regulatory obligations breached. The reputational consequence is amplified when the post-incident investigation reveals that insiders knew about the problem but had no way to report it — or worse, reported it through the normal chain and were suppressed. Public trust in both the organisation and AI technology more broadly is damaged.

Cross-references: This dimension provides a reporting safety net for failures in all other governance dimensions, particularly: AG-259 (Role-Segregated Control Ownership Governance) where speak-up can report that role segregation is being circumvented; AG-260 (Three-Lines-of-Defence Mapping Governance) where speak-up can report that lines of defence are not genuinely independent; AG-170 (Approval Quality and Substantive Review) where speak-up can report that approvals are rubber-stamp rather than substantive; AG-108 (Operator Role Segregation) where speak-up can report that segregation is being bypassed; AG-157 (External Conformance Assessment) where speak-up can report that conformance assessments are being manipulated; and AG-019 (Human Escalation & Override Triggers) where speak-up can report that escalation triggers are being suppressed.