KYE Whistleblower & Speak-Up Authority Pack™ — defensible AI-assisted intake, triage & case-handling.
Speak-up programmes now use AI to intake, classify, and triage reports — and regulators demand that reporter confidentiality, anti-retaliation, and statutory clocks be defensible when challenged. KYE Protocol™ governs the authority and evidence of AI-assisted whistleblower / speak-up handling and proves it: who and what may access a report and a reporter’s identity, and under what need-to-know; who authorised closing or escalating a case; and whether a retaliation-risk assessment was recorded before any adverse action on a reporter. Confidentiality and retaliation-risk evidence is captured, and each consequential action produces a signed, replay-provable Evidence Pack™ with a contestability record, so any disposition can be reconstructed and challenged. KYE Protocol™ governs whether the AI-assisted handling may proceed and proves it is defensible — it does not investigate the substance, judge the allegation, decide whether wrongdoing occurred, or replace the ethics, legal, or compliance officer.
AI now triages the reports — and the access, the disposition, and the adverse action are the moments where accountability concentrates.
Generative intake assistants, automated classifiers, and AI triage tools are routing and dispositioning whistleblower reports, and touching the people who filed them. The high-value problem is not the report’s substance — it is the action boundary and its defensibility. Four facts converge:
- The consequential moment is the access, the disposition, and the adverse action — not the draft classification. A model’s draft triage is inert; an access that reveals a reporter’s identity, a case closed or escalated, or a termination of someone who blew the whistle is consequential. When the handling is challenged — a confidentiality-breach complaint, a retaliation claim — the regulator demands to see who authorised it and how it was made.
- Confidentiality is non-negotiable. The EU Whistleblower Directive Art. 16 and GDPR data-minimisation require a reporter’s identity to be disclosed only to authorised staff on a need-to-know basis. KYE Protocol™ refuses any access to a report’s identity without a recorded need-to-know named-authority decision.
- Anti-retaliation carries a burden of proof. Under SOX §806, Dodd-Frank, and UK PIDA the employer must show an adverse action was not retaliatory. KYE Protocol™ refuses any adverse action that touches a reporter unless a retaliation-risk assessment is recorded as evidence first.
- This is a governance wedge, not an investigation engine. KYE Protocol™ does not compete with the speak-up platform, the case-management system, or the AI triage tool. It governs the action boundary they feed — the need-to-know authority + confidentiality evidence + retaliation-risk record + Evidence Pack™ + contestability layer the AI speak-up ecosystem currently lacks.
Survives a confidentiality-breach complaint, a retaliation claim, or a regulator inquiry — need-to-know-recorded, retaliation-risk-evidenced, and derivable from public keys alone.
- Access is authority-bound and confidential, by construction. Every access that reveals a reporter’s identity maps to a recorded need-to-know named-authority decision — the agent, the report, the access, and the named case-handler or ethics officer under whose authority and need-to-know it proceeds. An access without a recorded need-to-know is refused at the action-admissibility gate.
- Adverse actions carry a retaliation-risk record. Before any termination, demotion, discipline, or reassignment that touches a known reporter, a retaliation-risk assessment is recorded as evidence — protected-disclosure status, proximity to the disclosure, the stated non-retaliatory basis, and the named assessing authority — so the SOX §806 / Dodd-Frank / PIDA burden-of-proof record exists at the moment the action is taken.
- Case dispositions are authority-bound. Every close, dismiss, escalate, refer, or substantiate maps to a recorded named-authority decision, so the acknowledgement / feedback-clock and reasonable-follow-up obligations of the EU Whistleblower Directive Art. 9 / 11 are met under a named, accountable handler.
- Replay-provable Evidence Pack™. Every consequential action emits a signed Evidence Pack™ binding the authority, the need-to-know basis, the confidentiality and retaliation-risk evidence, and the rule results — reconstructable and valid at T=0, derivable from published keys alone, retained under WORM — the defensibility artefact a regulator or the reporter can verify offline.
- Contestable when challenged. Every determination carries a contestability record so a confidentiality complaint, a retaliation claim, or a GDPR data-subject access can reconstruct it exactly as made and contest it through a recorded route. Bound to the EU Whistleblower Directive, SOX §806, Dodd-Frank §922, UK PIDA, and the GDPR whistleblowing slice — each with a 90-day attestation cadence.
Every consequential speak-up determination — authority-bound and evidenced at the action boundary.
One coherent spine governs three specializations — intake-triage, case-handling, and anti-retaliation — with no parallel packs. Each AI-assisted determination that moves toward a consequential action flows through the same five rules, on the canonical KYE Protocol™ envelopes.
- 1 — Determination proposed. An AI intake / triage system proposes an access to a reporter’s identity, a case disposition, or an adverse action that touches a reporter.
- 2 — Authority + need-to-know check. The Action Admissibility™ Gate verifies the named-authority and need-to-know under which the access or disposition proceeds, under the §25 Edge Governance Safety Floor. No authority, or no recorded retaliation-risk assessment before an adverse action = no action.
- 3 — Confidentiality + retaliation-risk recorded. The confidentiality-handling evidence (the data-minimisation basis, the accessing principal, the access purpose) and, for an adverse action, the retaliation-risk assessment are captured before it proceeds.
- 4 — Evidence Pack™ + contestability sealed. The runtime emits kye.purpose.request.v1 + kye.purpose.admissibility.v1 + kye.evidence.decision_map.v1 + kye.evidence.pack.v1 + kye.replay.context_seal.v1 in lockstep, binding the authority, the confidentiality and retaliation-risk evidence, and a contestability record into a signed, replay-provable, WORM-retained Evidence Pack™ — reconstructable for a regulator, a court, or the reporter when the handling is challenged.
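The gate-then-seal flow of steps 1 to 4, as an added sketch that is not KYE Protocol™ code: the action labels, field names and record layout are assumptions, and a SHA-256 hash chain stands in for the signed Evidence Pack™ (no signature is produced here).

```python
import hashlib, json
from dataclasses import asdict, dataclass, field
# Labels and field names are assumptions for this sketch, not KYE identifiers.
IDENTITY_ACCESS, DISPOSITION, ADVERSE_ACTION = "identity_access", "disposition", "adverse_action"
REQUIRED_ASSESSMENT = ("protected_disclosure_status", "proximity_to_disclosure",
                       "non_retaliatory_basis", "assessing_authority")

@dataclass
class Proposal:
    kind: str                       # what the AI system proposes to do
    case_id: str
    agent: str                      # the proposing system
    named_authority: str = ""       # accountable handler or ethics officer
    need_to_know: str = ""          # recorded basis for seeing the reporter's identity
    retaliation_assessment: dict = field(default_factory=dict)

def missing_evidence(p):
    """Reasons a proposal is inadmissible; an empty list means admissible."""
    known = (IDENTITY_ACCESS, DISPOSITION, ADVERSE_ACTION)
    reasons = [] if p.kind in known else ["unknown action kind"]  # deny by default
    if not p.named_authority.strip():
        reasons.append("no named authority")
    if p.kind == IDENTITY_ACCESS and not p.need_to_know.strip():
        reasons.append("no recorded need-to-know")
    if p.kind == ADVERSE_ACTION:
        gaps = [k for k in REQUIRED_ASSESSMENT
                if not str(p.retaliation_assessment.get(k, "")).strip()]
        if gaps:
            reasons.append("retaliation-risk assessment incomplete: " + ", ".join(gaps))
    return reasons

def _digest(record):
    body = {k: v for k, v in record.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def gate(p, log):
    """Decide, then append a hash-chained record for refusals and approvals alike."""
    reasons = missing_evidence(p)
    record = {"proposal": asdict(p), "decision": "refuse" if reasons else "allow",
              "reasons": reasons, "prev": log[-1]["digest"] if log else "0" * 64}
    record["digest"] = _digest(record)
    log.append(record)
    return record

def chain_intact(log):
    """Recompute each digest and link; editing any past record breaks the chain."""
    prev = "0" * 64
    for r in log:
        if r["prev"] != prev or _digest(r) != r["digest"]:
            return False
        prev = r["digest"]
    return True
```

Recording refusals as well as approvals is what lets a later reviewer see that an identity access or adverse action was attempted without its evidence.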
Bound to the whistleblowing, anti-retaliation, and data-protection perimeter.
The pack binds the canonical KYE™ artefact set to the whistleblower & speak-up perimeter. Every claim resolves to a control row on the bound framework — the five regimes are consumed by the rule pack, never re-mapped (§70 honest scope: KYE™ maps only the authority / evidence / defensibility slices, and cedes the investigation substance / allegation merits / disciplinary outcome / legal merits to the ethics, legal, and compliance officer).
| Framework | Control area | Pack coverage |
|---|---|---|
| EU Whistleblower Directive (Directive (EU) 2019/1937) | Confidentiality & need-to-know access, named-authority on the disposition (acknowledgement / feedback clocks), contestability | partial |
| SOX §806 (18 U.S.C. §1514A) | Retaliation-risk assessment evidence before an adverse action, burden-of-proof reconstruction | partial |
| Dodd-Frank §922 + SEC Rule 21F | Confidentiality & anti-impediment evidence for a whistleblower’s identity, handling reconstruction | partial |
| UK PIDA (Public Interest Disclosure Act 1998) | Named-authority on the protected-disclosure handling & detriment-risk record; detriment / dismissal claim reconstruction | partial |
| GDPR (Whistleblowing slice) | Need-to-know & data-minimisation evidence for special-category report data; data-subject contestability | partial |
Honest scope. KYE Protocol™ governs the authority, need-to-know, confidentiality, retaliation-risk, evidence, and contestability of the AI-assisted handling at the action boundary — whether the handling may proceed and how it came into existence, so it is defensible when challenged. It does not investigate the substance, judge the allegation, decide whether wrongdoing occurred, render the ethics opinion, or replace the ethics, legal, or compliance officer. Partial coverage means the bound surface satisfies the authority / evidence / defensibility slice of the control area when paired with the programme’s own judgment. KYE™ complements the speak-up platform, the case-management system, and the ethics function — it does not compete with them (§0).
Qualified speak-up / ethics-tech partners — apply through the Foundry.
The KYE Whistleblower & Speak-Up Authority Pack™ is a §68 sector product productised through the KYE Sector Pack Foundry™ Build tier, with Starter, Enterprise, and Regulated commercial tiers; commercial distribution is value-based, qualification-gated, and disclosed under NDA to qualified applicants.