The 2026 NAVEX Report noted that the lengthening case closure time may be related to the growing integration of AI tools into the case management process, which it notes might add some procedural steps that extend timeframes (which is counterintuitive!). This Debevoise alert shares some other ways that AI is impacting whistleblowing beyond the case management process:

– Regulators continue to prioritize AI-related conduct.

– At the same time, accelerating AI adoption—particularly agentic AI—combined with growing public skepticism is increasing the likelihood of internal complaints and external reporting.

– AI whistleblower risks have sharply increased since 2024. Enterprise AI tool development and deployment have accelerated exponentially since 2024.In particular, agentic AI—artificial intelligence systems that can complete tasks with little to no supervision—has exploded in development and usage over the past year, and poses multiple new compliance and operational risks. For example, agentic AI tools may undertake tasks beyond the scope of authorization; access data or systems beyond the scope of authorization; reinforce biased or erroneous outcomes; generate strategies to meet goals that developers did not program and cannot easily follow; and behave unpredictably when facing novel situations. Malicious agents may also exploit trust mechanisms to trick agentic AI into granting unauthorized privileges, leading to inadvertent but potentially catastrophic exposure of systems and data.

It concludes with some suggestions for updating your whistleblower policies and procedures to address these evolving risks:

– Substantiating AI Capability Claims: Assess substantiation, documentation, and review controls for AI-related disclosures (including marketing, fundraising, and investor materials) to mitigate “AI-washing” risk.

– Accelerating Internal Response Timelines: Consider whether internal investigation and escalation timelines appropriately account for the incentives created by DOJ’s program and related self-reporting considerations.

– Training: Train managers involved in AI on relevant whistleblower protections and escalation procedures to mitigate whistleblower risks.

– Employee or Contractor Agreements: Review all confidentiality agreements, including severance agreements, releases, codes of conduct, ethics manuals, training materials, and investor materials, for compliance with the Rule 21F-17 requirement not to impede individuals from contacting the SEC to report a possible securities law violation.

– Addressing Complaints Promptly: Avoid delays in responding to whistleblowers where practicable so as not to increase the likelihood that whistleblowers will become frustrated and escalate their complaints externally.

– Taking Concerns Seriously: Take all whistleblower complaints seriously, including ones that are vague or inflammatory. Even one legitimate concern in an otherwise baseless complaint that is not properly investigated can trigger investigative and enforcement risk.

– Protecting Whistleblower Anonymity: If the whistleblower is anonymous, take reasonable measures to protect that anonymity throughout an investigation. If the identity of the whistleblower is known to investigators, it is best practice not to share this identity with others in order to limit the risk of retaliation or investigative taint.

– Providing Context for Decisions: Whistleblowers may have valid concerns but lack the broader context for the priorities and competing considerations of their companies. When addressing a whistleblower’s concerns, consider providing them with the additional context, when appropriate, on the costs, risks, and business impacts of alternative proposed courses of action, and why those may not be achievable.

– Consulting Counsel: Consider involving counsel when faced with complaints regarding alleged violations of law, including those related to AI, especially if any adverse action (including cutting off access to company systems and denying access to company facilities) is being considered against an employee or independent contractor who has raised the concern. Involving outside counsel may also help strengthen privilege claims over the investigation and provide a level of independence.

– Expert Investigation Team: Ensure that the investigation team has the necessary AI expertise to evaluate the whistleblower’s allegations or has access to consultants who can assist in that evaluation.

– Meredith Ervine