Is this legal advice?

No. It is educational information to help you understand your options. Whistleblower law is complex and fact-specific, so speak to a qualified employment lawyer or a whistleblowing charity before you act, especially before external or public disclosure.

Should I report internally first?

Usually yes, where it is safe to do so. Internal reporting often keeps your legal protection strongest and creates a record. But if internal channels are compromised or the risk is severe and ongoing, a regulator may be the right first step.

How do I report anonymously?

Use channels designed for it — secure organisational tip lines, a regulator's confidential reporting route, or tools like SecureDrop for journalists. Research and contact them from personal devices and accounts, not employer-monitored systems.

What evidence should I preserve?

Document the specific concern, who is affected, and any internal response. Keep relevant logs, eval results, or public claims that could be edited later — but do not remove originals or copy personal data beyond what is strictly necessary.

Are AI-specific whistleblower protections emerging?

Yes. The EU AI Act includes reporting channels, and regulators increasingly treat AI safety, bias, and deceptive-claims concerns as reportable. Existing whistleblower laws like the UK's PIDA already cover many AI-related disclosures.

AI Whistleblower Protection Guide

AI whistleblower protection guide

If you’ve seen something at an AI company that crosses a line — a suppressed safety eval, a privacy breach, biased outputs shipped anyway, or deceptive claims to investors — speaking up is daunting and the rules are confusing. This guide explains the protections that apply where you are, how to preserve evidence, and which channels keep you safest, so you can make an informed decision rather than a fearful one.

How it works

You select your jurisdiction (UK, EU, US, or other) and the type of concern. The tool surfaces the relevant laws and the protections they give — for example the UK’s PIDA, the EU Whistleblower Directive and AI Act reporting channels, or US sector statutes — and explains how those protections work in practice. It then provides concern-specific steps for documenting and routing the issue, general guidance on internal-versus-external and anonymous reporting, and a list of regulators matched to the concern (data-protection authorities, financial regulators, safety bodies).

Tips and notes

Protect yourself first. Research and contact advisers from personal devices and accounts, never employer-monitored systems.
Internal first, usually. It typically keeps protection strongest and builds a record — unless internal channels are compromised or harm is severe.
Preserve, don’t exfiltrate. Keep evidence of the concern, but don’t remove originals or copy personal data beyond what’s strictly necessary.
Get advice before going external. A whistleblowing charity or employment lawyer can be the difference between protected and unprotected disclosure. This guide is educational, not legal advice.