IC Inline Code

Practitioner runbook · PDF

Implementing digital employees, with the governance attached.

The full runbook we use on enablement engagements — identity model, supervision protocol, audit trail design, contract language, and a twelve-month implementation plan. Aligned to ISO/IEC 42001, NIST AI RMF, APRA CPS 234, and CPS 230.

Buy the runbook · AUD 149

Secure checkout via Stripe · 7-day refund window

Instant PDF download
Editable templates included
12 months of updates
Practitioner runbook · 2026 edition

Digital Employees, with the governance attached

Mathew Sayed

Founder, Inline Code

146 pages · 7 editable templates · 47 mapped controls · 4 frameworks aligned

What's inside

A reference you can hand to your team on Monday.

Not a marketing book. Not a survey of the field. The actual operational reference document we use during enablement engagements, with the templates, the controls, and the implementation plan included.

  • A reference architecture for digital employee deployments that aligns with ISO/IEC 42001 and APRA prudential expectations.
  • Editable Word templates: acceptable use policy, supervision protocol, risk and impact assessment, supplier requirements addendum, and supervision record.
  • A control framework with 47 specific controls mapped to NIST AI RMF, ISO/IEC 42001 Annex A, APRA CPS 234, and CPS 230.
  • Configuration baselines for the four most common digital employee platforms, with the data scope, audit log, and access pattern set out for each.
  • Worked contract clauses, written for negotiation with vendors, covering audit rights, sub-processor controls, model versioning, and termination.
  • A twelve-month implementation plan with phase gates, decision points, and measurable outcomes for each quarter.
  • Board reporting templates and a one-page risk position summary suitable for inclusion in the operational risk report.

Contents

Twelve chapters, written for operators.

The chapter structure mirrors the implementation sequence — from the case for treating digital employees as identities through to board-level reporting twelve months in.

01 · The case for treating digital employees as identities

Why provisioning, supervision, and offboarding belong in IAM, not procurement.

02 · A reference architecture

Identity layer, access scope, supervision plane, audit trail, and the platform integration pattern.

03 · Pre-deployment governance design

The decisions to make before signing the vendor contract — and the ones you cannot easily revisit afterwards.

04 · Identity, scope, and the principle of least privilege

Attribute-based access for agents, role design, and the pragmatic scoping process for SharePoint, M365, CRM, and ticketing.

05 · Supervision design

Naming a supervisor, defining the protocol, building the supervision record, and the cadence that actually gets followed.

06 · Audit logs you can defend

Distinguishing agent and human action in the log record, retention design, and what regulators look for in reconstruction.

07 · Contract language for digital employee deployments

CPS 230 paragraph 53 minimums, audit rights, sub-processor controls, model versioning notice, and the termination position.

08 · Risk and impact assessment templates

NIST AI RMF and ISO/IEC 42001 aligned. Worked examples for contact centre, finance, underwriting, and content roles.

09 · Acceptable use, supervision protocols, and policy templates

Editable templates, written for mid-market organisations, sized for actual operation.

10 · A phased twelve-month implementation plan

Quarter-by-quarter rollout. Pilot, scale, audit, optimise. Pre-built RACI and stakeholder map.

11 · Common failure modes

The seven configurations that fail audit, with the remediation path for each.

12 · Board-level reporting

What the board needs to see, on what cadence, and how the digital employee program rolls into existing operational risk reporting.

Who it's for

Written for the people who carry the accountability.

The runbook assumes a working security function and a serious deployment. It is not introductory material.

CISOs and Information Risk leaders

Building the control framework for AI agents in production, often with an active board ask and a tight deadline.

Heads of Risk and Compliance

Aligning digital employee deployments to APRA CPS 234, CPS 230, ISO/IEC 42001, and NIST AI RMF without re-inventing the framework.

AI and Automation Program leads

Operating digital employees safely at scale, with the supervision and audit infrastructure to defend the deployment under regulator scrutiny.

Internal audit and assurance

Auditing digital employee deployments against a defensible control set with worked test procedures and evidence requirements.

Mathew Sayed

Author

About the author

Written by a practitioner, not a research analyst.

Mathew Sayed is the founder of Inline Code, a Gold Coast-based AI governance and information risk practice serving Australian financial services and regulated mid-caps. Mathew is a certified offensive and defensive security practitioner with experience across penetration testing, red team operations, defensive architecture, and AI governance program design.

The Digital Employees Runbook is the document Mathew uses on enablement engagements. It is being released as a standalone PDF for organisations that prefer to operate the framework in-house with a reliable reference.

FAQ

Common questions.

Who is this runbook for?

Mid-market and enterprise organisations deploying or operating digital employees in regulated environments — particularly Australian financial services, healthcare, and government supply chain entities. The guidance assumes a working information security function and a CISO or equivalent role; it is not an introductory document.

What format is the PDF?

A 146-page PDF with the full content and editable Word documents for the policy and assessment templates. Delivered immediately after purchase via a download link sent to the email you provide at checkout.

How does this relate to your engagement work?

The runbook is the document we use as a reference during AI Automation Enablement engagements. It is being released as a standalone PDF for organisations that prefer to do the work in-house. Buying the runbook does not commit you to anything else; engagement clients receive it as part of their package.

Are updates included?

Minor updates and errata are included for twelve months from purchase, sent to the email at checkout. Material revisions reflecting changes in regulatory guidance are released as a new edition; current owners receive a discount.

Is this Australia-specific?

The control framework is internationally portable: NIST AI RMF and ISO/IEC 42001 are the spine. Australian-specific guidance (APRA CPS 234 and CPS 230, the Privacy Act, the ASD Essential Eight) is called out explicitly so non-Australian readers can substitute their local equivalents without confusion.

Can I expense this through corporate training?

Most organisations expense it as professional development or as a research subscription. A tax invoice including ABN is issued automatically on purchase. If your finance team requires a particular invoice format, contact mathew@inlinecode.com.au and we will arrange it.

Refunds?

Seven-day refund window, no questions, for any reason. Email mathew@inlinecode.com.au within seven days of purchase. After seven days, refunds are at our discretion.

Buy the runbook

A defensible digital employee program, off the shelf.

AUD 149, instant download, editable templates, twelve months of updates, seven-day refund window.