TheAICommand Brief

One Project Space, One Financial Year

TheAICommand Brief | July 2026 | Audience: general | Published 4 July 2026

The new financial year started. Your prompts did not.

Most teams treat ChatGPT like a vending machine. Ask a question, take the answer, walk away. Next week they open a blank window, re-explain who they are, re-paste the same context, and get a slightly different answer. That is not leverage. That is a treadmill, and it quietly caps how good the output can ever be.

A project space changes the shape of the relationship. Instead of a thousand disconnected chats, you get one workspace that knows your team, holds your reference documents, remembers what you decided, and stays on task for a full twelve months. July is the moment to build it. The Australian financial year has just reset and every team is writing a new plan anyway, so build the plan inside the tool that will help you deliver it.

This edition does two things. First, it reviews an extraordinary June for AI, because the month's events change how you should think about relying on these tools. Then it gives three teams a full playbook: health, safety and wellbeing (HSW), workers compensation (WC), and governance, risk and compliance (GRC). Each gets its own strategy build, KPI monitor and everyday prompts, grounded in the regulation that governs it.

June 2026 in review

June was the month a government reached into a model's off switch. Anthropic launched two frontier models, Claude Fable 5 and Claude Mythos 5, on 9 June. Within three days the United States switched them off. On 12 June, citing national security and export-control powers, the US government directed Anthropic to suspend all access to both models for any foreign national anywhere in the world, including Anthropic's own foreign-national staff. Reporting attributes the directive to the Commerce Department, coordinated by Secretary Howard Lutnick, who is named on the conditions for lifting it. The reported trigger was a jailbreak that could unlock the advanced cyber capabilities in the Mythos architecture, turning a consumer product into something closer to an offensive cyber tool. Anthropic argued the vulnerability was narrow rather than universal, took both models offline globally rather than run a partial block, and spent nearly three weeks locked out of its own release. Commerce lifted the controls on 30 June, and Fable 5 returned to the Claude platform on 1 July.

The lesson for anyone building AI into regulated work is uncomfortable and clear. Model availability is now a supply-chain risk, not a given. A tool your team depends on can disappear for reasons that have nothing to do with you, at three days' notice, and stay gone for weeks. That is an argument for building your workflow so the underlying model can be swapped without the whole thing collapsing.

The suspension did not slow the release calendar. Anthropic made Claude Sonnet 5 its new default in Claude Code and on Claude.ai on 30 June, scoring 63.2 per cent on SWE-Bench Pro at introductory pricing of two and ten dollars per million tokens, reverting to three and fifteen from September. Capable models keep getting cheaper as fast as they get better. OpenAI previewed a GPT-5.6 family, codenamed Sol, Terra and Luna, on 26 June, but gated it behind a US-government access list of roughly twenty organisations rather than a public launch. Google's Gemini 3.5 Pro, expected in June, reportedly slipped into a July general-availability window. And China kept pace: Z.ai open-sourced GLM-5.2 under an MIT licence on 16 June, and Meituan unveiled LongCat-2.0, a 1.6 trillion parameter agentic coding model it says was trained entirely on Chinese chips, on 30 June, with open weights to follow. Four labs, two continents, one month.

The more useful shift was in how people use these models. Late in June, CNBC reported enterprise users moving away from "tokenmaxxing," the habit of throwing maximum reasoning and context at every task, towards efficiency: smaller, faster, cheaper calls that are good enough for the job. That matters for the teams reading this. The point of a project space is not to run the largest model on every question. It is to give a capable model the right context once, so it can do useful work at a sensible cost, every time.

The enterprise battle also moved from chatbots to agents. Microsoft used its Build conference on 2 June to plant a flag: it launched its first family of in-house MAI models, including the MAI-Code-1 coding model, and pushed a stack to make Windows an agent-native runtime. That stack includes Microsoft Execution Containers for sandboxed agents and Microsoft IQ, a context layer that grounds agents in enterprise knowledge across GitHub Copilot, Foundry and Copilot Studio, whose Work IQ APIs became generally available on 16 June. Google is pushing the same way with Antigravity, a desktop tool that orchestrates several agents in parallel. The theme is consistent. The contest is no longer who has the smartest chatbot. It is who owns the layer that connects a model to your actual work, which is exactly what a project space is at team scale.

Australian regulators kept tightening. The OAIC's consultation on automated-decision transparency closed on 15 June, with guidance expected by September. From 10 December 2026, entities covered by the Privacy Act must spell out in their privacy policies the kinds of personal information used in substantially automated decisions, the nature of decisions made solely or significantly by a computer, and where those decisions could significantly affect a person. That sits on top of APRA's 30 April letter to industry, which told regulated entities to build formal AI governance, keep an inventory of every AI tool and use case, and keep a human accountable for high-risk decisions, and ASIC's 8 May call for stronger cyber resilience as frontier models raise the cyber-risk bar.

Put the month together and a pattern emerges. Models are more capable, cheaper, and less predictable to rely on. The action has moved to the layer that connects a model to your work. And regulators want a human who can explain what the AI did and why. Every one of those pressures points the same way for an HSW, WC or GRC team.

Three June pressures, one answer: models grew more capable, cheaper and less predictable, the contest moved to the layer connecting model to work, and regulators want a human in the record, all pointing to one governed project space.
Figure 1. Three pressures from June 2026 converge on one answer: a governed project space. Sources: Anthropic; CNBC; APRA; OAIC; ASIC.

  1. Keep a fallback. Note which of your workflows would break if your main model vanished for three weeks, and have a second provider or model configured before you need it.
  2. Right-size the model. Do not default to the biggest model for every task. Match the model to the job and watch the cost, which is where a well-briefed project space earns its keep.
  3. Keep the human in the record. With the OAIC transparency rules landing on 10 December, start documenting who reviewed each AI-assisted decision now, not in November.

Practical takeaway. Treat model access as a supply chain. For every AI workflow you build this year, write down the fallback: which second model or provider you would switch to, and what would need to change in your prompts to do it. June proved that is not paranoia.

What a project space actually is

Definition. Project space. A persistent ChatGPT workspace with three layers: standing instructions, uploaded reference files, and a project-scoped memory. Every chat inside it shares that context, and nothing leaks out to your other chats.

Three layers do the work.

  1. Instructions. The standing brief. Project instructions hold several thousand characters, enough room for a full description of who the team is, how you want outputs formatted, and what the model must never do. Written once, applied to every chat in the project.
  2. Files. The reference set. On a paid plan you attach a working library. OpenAI's help documentation lists 5 files per project on Free, 25 on Plus and up to 40 on Pro, with higher limits and larger storage on Business and Enterprise. Fill it with your strategy, KPI definitions, policies and de-identified data extracts.
  3. Memory. The running record. Project memory keeps context to that project only. What you agreed last month is still there this month, and it does not bleed into unrelated chats, which is exactly what you want for long-running or sensitive work.

The anatomy of a project space: three stacked layers labelled Instructions, Files and Memory feeding a single continuous workspace.
Figure 2. The three layers of a project space: standing instructions, a curated file library, and project-scoped memory.

The difference is continuity. Picture a case manager who opens a blank chat every Monday, re-types the team's context, pastes the same policy, and hopes the model remembers how the last plan was structured. Now picture the same person opening a project that already knows the team, holds the policy, and formats every output the agreed way. Same model, very different leverage. The blank window is a tax you pay in re-explanation, and a project space removes it.

Insight. The point of a project space is not smarter answers to single questions. It is continuity. The model stops starting from zero every time, which is the single biggest hidden tax on everyday AI use.

On ChatGPT Business, Enterprise and Edu you can share a project with the team, so the instructions and files are common property rather than trapped in one person's account. Administrators control who can share and what memory is retained, and on those plans project content is not used to train models by default. For a team running a financial year, shared beats solo: one source of truth, one agreed format, and no single point of failure when someone is on leave.

Practical takeaway. Before you build anything, decide the project will be shared, not personal. Put it on a Business or Enterprise workspace so the files, instructions and memory belong to the team and survive any one person leaving.

The build every team follows

Same spine, different content. Five steps, and the whole thing takes about thirty minutes the first time.

  1. Name it for the year. "HSW Command Centre FY2026-27". A dated name signals scope and makes archiving clean next July, when you spin up the FY2027-28 project and keep this one as a read-only record.
  2. Write the standing instructions. The highest-leverage twenty minutes you will spend all year. This is where you set the team's identity, the output formats, and the hard rules. Template below.
  3. Upload the reference set. Strategy, KPI definitions, policies, de-identified data. Keep it curated. A tight, current set beats a dumping ground, because every extra file dilutes the model's attention and raises the odds it cites something out of date.
  4. Set the operating rhythm. Decide the cadence the project runs on and tell the model what each review looks like, so it produces the same shape of output every week and month.
  5. Run recurring workflows. Strategy build at the start of the year, KPI monitoring on cadence, everyday work on demand. The prompts for each are below.

The five-step project space build shown as a left-to-right path: name it, write the standing instructions, upload the reference set, set the operating rhythm, run recurring workflows.
Figure 3. The five-step build every team follows to stand up a project space in about thirty minutes.

Prompt: universal standing-instructions template (paste into project instructions)

ROLE
You are the operating assistant for the [TEAM NAME] at [ORGANISATION TYPE]
for the Australian financial year 2026-27. You help us build our FY strategy,
monitor our KPIs, and complete recurring work.

HOW YOU WORK
- Use Australian English. No em dashes.
- Be concise and direct. Lead with the answer.
- When I upload or paste a document, cite the file or section you drew from.
- Treat any [PLACEHOLDER] as final. Never ask me to add real names,
  claim numbers, or personal identifiers.
- State your assumptions. If you are not sure, say so and tell me how to verify.
- End every substantive output with one line: "What I need from you next:".

OUTPUT FORMATS
- Strategy: objective, measure, target, owner, milestones.
- KPI review: a table, then three "so what" bullets, then the single next action.
- Summaries: structured headings, not walls of prose.

NEVER
- Never present a draft as a final decision, determination, or approved position.
- Never invent data, figures, quotes, or citations. Leave a gap and flag it.

Practical takeaway. Spend real time on the standing instructions. Ninety per cent of the quality difference between a good project space and a mediocre one is written into that one block before you ask a single question.

One rhythm, one dashboard

A project space is only as useful as the cadence you run it on. Set three loops and let the project drive them, so the plan you wrote in July is still steering decisions in March.

  1. Weekly, ten minutes. Update the leading indicators, flag anything drifting off track, decide the one action for the week. This is the loop that stops small problems becoming board problems.
  2. Monthly, thirty minutes. A full KPI review with RAG status, driver analysis, and a leadership summary you can paste straight into a pack.
  3. Quarterly, half a day. Check strategy against objectives, reset targets that no longer fit, and capture the lessons so next quarter starts smarter.

One operating rhythm on a single timeline: a weekly ten-minute loop, a monthly thirty-minute review, and a quarterly half-day reset.
Figure 4. Three cadence loops keep the plan steering decisions all year: weekly, monthly and quarterly.

Have the model maintain a single KPI dashboard it updates each cycle. You paste the numbers, it returns the same structured view every time, so the trend is comparable month to month rather than a fresh guess each period. Consistency of format is what turns a pile of updates into a line you can actually read.

Prompt: KPI dashboard update (run every cycle)

Here are this [week / month]'s figures (de-identified):
[paste your numbers]

Update our KPI dashboard. For every KPI show, in one table:
- KPI name
- Current value
- Target
- RAG status (Red / Amber / Green against target)
- Trend vs last period (up / down / flat)
- One-line driver

Then give me:
1. Three things going well.
2. Three watch items.
3. The single most important action for next period, with an owner.

Keep the whole thing to one screen. Do not change any figure I gave you.
If a number is missing, list it as "not provided" rather than estimating.

Practical takeaway. Put the monthly review in your calendar as a recurring thirty-minute hold today. The rhythm is the product. A project space with no cadence is just a tidier chat window.

Turn the dashboard into an offline tool

For teams that cannot put KPI data into a cloud chat at all, there is a neat move. Ask the model to write you a single self-contained HTML file. It opens in any browser, stores its data only in that browser, and sends nothing anywhere. You get a styled dashboard you can keep on a managed drive, hand to a colleague, and open with no internet connection. When you want a change, you paste the file back into the project and ask for the edit, and the model rewrites it. This is where it beats a spreadsheet: it is a shareable, self-contained artefact anyone can open, with the look and logic you want, that the model can regenerate in seconds.

Prompt: build an offline single-file HTML KPI tool

Build me a single-file HTML dashboard I can save and open offline in any browser.

Requirements:
- One file only. No internet calls, no fonts or libraries loaded from the web,
  no analytics, no data sent anywhere.
- Let me add KPIs manually, each with: name, current value, target, notes.
- Store all data in the browser only (localStorage) so it persists on this
  device between sessions.
- Show each KPI as a card with a Red / Amber / Green status against its target
  and a small trend indicator based on the last few entries.
- Include an "Add entry" form, an "Export to CSV" button, and a "Print" button
  that formats cleanly to PDF.
- Style it dark and professional: background #0F1629, cards #1E2D4E,
  accent [#FBBF24 for HSW use #86EFAC / WC #F59E0B / GRC #38BDF8], text #F1F5F9.
- Add a visible line at the bottom: "Data stays in this browser. Not a system of record."

Give me the complete HTML in one code block I can copy and save as dashboard.html.

Caution. An offline HTML file keeps data on the device, but it is not a system of record and has no access controls beyond the device itself. Treat it as a working tool, not a register. Keep the authoritative data where your governance requires, and never let the browser file become the only copy of anything that matters.

Practical takeaway. Use the HTML tool to prototype a dashboard in an afternoon, then decide what deserves to graduate into your real system of record. It is a sketchpad, not the filing cabinet.
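
One way to check that a generated dashboard.html actually meets the "no internet calls" requirement before it goes onto a managed drive. This is an added example, not part of the original brief; the function name audit_dashboard, the lists of attributes and browser APIs it screens for, and the two sample files are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that make a browser fetch, navigate or submit somewhere.
URL_ATTRS = {"src", "href", "action", "formaction", "srcset", "data", "poster", "ping"}
# Remote references, including protocol-relative "//host/..." forms.
REMOTE = re.compile(r"\s*(?:(?:https?|wss?|ftp):)?//", re.I)
# Browser APIs that can move data off the device.
NET_APIS = re.compile(r"\b(fetch|XMLHttpRequest|WebSocket|EventSource|sendBeacon)\b")
# CSS constructs that pull a remote font, image or stylesheet.
CSS_REMOTE = re.compile(r"(?:url\(|@import)\s*['\"]?\s*((?:https?:)?//[^'\")\s;]+)", re.I)
# The visible line the prompt asks the model to include.
FOOTER = "Data stays in this browser. Not a system of record."


class _Audit(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # (line, message) pairs
        self.visible = []    # text outside <script> and <style>
        self._inside = None  # "script" or "style" while inside one

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        for name, value in attrs:
            value = value or ""
            if name in URL_ATTRS and REMOTE.match(value):
                self.findings.append((line, f"<{tag} {name}> references {value.strip()}"))
            elif name.startswith("on") and NET_APIS.search(value):
                self.findings.append((line, f"<{tag} {name}> calls a network API"))
            elif name == "style" and CSS_REMOTE.search(value):
                self.findings.append((line, f"<{tag} style> loads a remote resource"))
        if tag in ("script", "style"):
            self._inside = tag

    def handle_endtag(self, tag):
        if tag == self._inside:
            self._inside = None

    def handle_data(self, data):
        if self._inside == "script":
            pattern, what = NET_APIS, "script uses"
        elif self._inside == "style":
            pattern, what = CSS_REMOTE, "stylesheet loads"
        else:
            self.visible.append(data)
            return
        start = self.getpos()[0]  # line on which this chunk begins
        for m in pattern.finditer(data):
            line = start + data.count("\n", 0, m.start())
            self.findings.append((line, f"{what} {m.group(1)}"))


def audit_dashboard(html):
    """Return sorted (line, message) findings; an empty list means the screen passed."""
    parser = _Audit()
    parser.feed(html)
    parser.close()
    text = " ".join("".join(parser.visible).split())
    if FOOTER not in text:
        parser.findings.append((0, "required footer line is missing"))
    return sorted(parser.findings)


# Constructed sample: a file that keeps everything local.
CLEAN = """<!doctype html>
<html><head><meta charset="utf-8"><title>KPI dashboard</title>
<style>body { background: #0F1629; color: #F1F5F9; }</style>
</head><body>
<div id="cards"></div>
<button onclick="window.print()">Print</button>
<p>Data stays in this browser. Not a system of record.</p>
<script>
const kpis = JSON.parse(localStorage.getItem("kpis") || "[]");
</script>
</body></html>"""

# Constructed sample: the same file with a web font, an outbound call and no footer.
LEAKY = CLEAN.replace(
    "<style>",
    '<link rel="stylesheet" href="https://fonts.example/css?family=Inter">\n<style>',
).replace(
    "const kpis",
    'fetch("https://collector.example/kpi", {method: "POST"});\nconst kpis',
).replace("<p>Data stays in this browser. Not a system of record.</p>", "")

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN), ("leaky", LEAKY)):
        print(name, audit_dashboard(doc) or "no findings")
```

A pass is a first screen only: a static scan will not catch obfuscated calls, so also read the script by eye or watch the browser's network panel the first time the file is opened.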

Playbook 1: Health, Safety and Wellbeing

HSW carries the primary duty of care under the model Work Health and Safety Act, and since the psychosocial amendments to the model WHS Regulations, an explicit duty to identify and control psychosocial hazards. A credible FY plan balances the two and measures both leading and lagging indicators, not just injury counts after the harm has happened. Lagging numbers tell you where you have already failed. Leading numbers tell you whether you are about to.

A worked example. Say last year's data shows a cluster of hazard reports tied to high job demands in one team, and a psychosocial survey flagging low control. A good project space reads both files, proposes an objective ("reduce exposure to high job demands in [TEAM]"), sets a leading indicator (job redesign actions completed) and a lagging one (psychosocial hazard reports from that team), and leaves the targets for you to sign off. It does not invent the numbers. It structures the work.

What the strategy covers. Objectives across physical safety, psychosocial risk, worker consultation, and team capability. Each objective needs a measurable target, at least one leading and one lagging indicator, an owner, and quarterly milestones.

Indicator type | Example indicators
Leading | Inspections completed, hazards closed within SLA, training completion, consultation sessions held, psychosocial control actions completed
Lagging | LTIFR, TRIFR, notifiable incidents, claims arising from safety events

Files to upload.

  • FY safety strategy or plan, last year plus any current draft
  • WHS policy and consultation arrangements
  • Risk register, de-identified
  • Incident and hazard data, aggregated and de-identified
  • Psychosocial survey summary, aggregated
  • Corrective action tracker and the codes of practice you rely on

Prompt: HSW standing instructions

ROLE
You are the operating assistant for our Health, Safety and Wellbeing team for
FY2026-27. You help us build and run our safety strategy, monitor leading and
lagging indicators, and support everyday HSW work.

CONTEXT
- We operate under the primary duty of care in the model Work Health and Safety
  Act, including the duty to manage psychosocial hazards.
- We use ISO 45003 as our reference for psychosocial risk.
- We value leading indicators (prevention) as much as lagging ones (harm).

HOW YOU WORK
- Australian English. No em dashes. Concise and direct.
- Cite the uploaded file or section you drew from.
- Balance physical and psychosocial risk in every plan.
- State assumptions. Flag thin data instead of inventing a target.
- End with "What I need from you next:".

NEVER
- Never present a draft assessment or plan as an approved control or a safety
  decision. A competent person signs off.
- Never invent incident data. Use only what I upload or paste.

Prompt: HSW build the FY2026-27 strategy

Draft our FY2026-27 HSW strategy on a page, grounded in the uploaded risk
register and last year's incident and hazard trends.

Structure:
- 4 to 5 objectives spanning physical safety, psychosocial risk, consultation,
  and capability.
- For each objective: a measurable target, at least one leading indicator and
  one lagging indicator, an owner, and quarterly milestones.
- Align the psychosocial objectives to ISO 45003 control themes and reference
  the WHS primary duty where relevant.

Use only our uploaded data. Where the data is too thin to set a credible target,
say so and suggest what we would need to measure first.

Prompt: HSW monthly safety dashboard

Here is this month's HSW data (de-identified):
[paste leading and lagging figures]

Update our safety dashboard in one table: indicator, current, target, RAG,
trend vs last month, one-line driver. Split leading indicators (inspections,
hazards closed in SLA, training completion, consultation, psychosocial control
actions) from lagging (LTIFR, TRIFR, notifiable incidents, claims from safety
events).

Then: three wins, three watch items, and the one action for next month. Finish
with a three-sentence summary I can paste into a leadership pack.

Prompt: HSW psychosocial risk assessment template

Build a psychosocial risk assessment template for [TEAM OR AREA] using the
ISO 45003 hazard categories (for example job demands, control, support, role
clarity, relationships, and change).

For each category include: prompt questions to guide the assessment, a 5 by 5
likelihood-by-consequence rating, and space for existing controls, additional
controls, owner, and review date.

Do not fill in our ratings or invent findings. Leave every judgment field blank
for a competent person to complete.

Practical takeaway. Anchor every HSW objective to at least one leading indicator you can move this quarter. If an objective only has lagging measures, you are grading the past, not managing the risk.

Playbook 2: Workers Compensation

Caution. This section is educational, not legal advice. Every example uses de-identified placeholders. Real claimant information does not belong in a general chat tool. Decisions on liability and entitlements remain with a delegate, and outputs from the model are drafts for a human to verify and decide.

WC teams under the Safety, Rehabilitation and Compensation Act 1988 (SRC Act) carry obligations to support recovery and return to work. Sections 36 and 37 frame rehabilitation assessments and rehabilitation programs, and section 40 covers the provision of suitable employment. A durable return, not just a return, is the outcome that matters, because a claimant who goes back and then falls out again is a worse result for everyone than a slightly later but stable return. The FY plan should measure the pathway, not only the endpoint.

A worked example. You paste a de-identified portfolio summary showing return-to-work rates holding steady but durable-return rates at six months slipping. A well-briefed project space flags the gap, points to the difference between an initial return and a sustained one, and proposes a leading indicator (rehabilitation assessment turnaround) that plausibly drives it. It does not decide anything. It gives a case manager a sharper question to take into the next review.

What the strategy covers. Objectives across claims management, return to work, and rehabilitation, each tied to a measurable target, an owner, and quarterly milestones.

Indicator type | Example indicators
Leading | Early contact rate, rehabilitation assessment turnaround, RTW plan in place within target days
Lagging | RTW rate, durable-return rate at 3 and 6 months, average time lost, reopened claims

Files to upload.

  • FY claims and RTW strategy, last year plus any current draft
  • Aggregate, de-identified portfolio data (claim counts, durations, RTW status)
  • RTW and rehabilitation procedures
  • Rehabilitation provider panel
  • Your KPI definitions and a plain-English SRC Act quick reference

Prompt: WC standing instructions

ROLE
You are the operating assistant for our workers compensation team for FY2026-27,
operating under the Safety, Rehabilitation and Compensation Act 1988 (SRC Act)
and the Comcare scheme. You help us build our claims and return-to-work strategy,
monitor portfolio KPIs, and draft everyday work products for human review.

DE-IDENTIFICATION (NON-NEGOTIABLE)
- I will only ever paste de-identified information using placeholders such as
  [CLAIMANT_NAME], [CLAIM_NUMBER], [DATE_OF_BIRTH], [CONDITION], [EMPLOYER_AREA].
- Treat every placeholder as final. Never ask me to add real personal information.

HOW YOU WORK
- Australian English. No em dashes. Concise and direct.
- Focus on durable return to work, not just any return.
- Cite the SRC Act section when it is directly relevant, but do not present the
  law as settled advice. Flag anything that needs a delegate's determination.
- End with "What I need from you next:".

NEVER
- Never draft or present anything as a liability determination or a final
  decision. Everything is a draft for a human case manager or delegate.
- Never invent claim facts, figures, or medical detail.

Prompt: WC build the FY2026-27 strategy

Draft our FY2026-27 workers compensation strategy using only the aggregate,
de-identified portfolio data in the uploaded files.

Objectives across three areas: claims management, return to work, rehabilitation.
- For return to work, set durable-return targets (for example, still at work at
  3 and 6 months) and reference rehabilitation assessments and programs under
  sections 36 and 37 of the SRC Act, and suitable employment under section 40,
  where relevant.
- Set leading indicators (early contact rate, rehabilitation assessment
  turnaround, RTW plan in place within target days) and lagging indicators
  (RTW rate, durable-return rate, average time lost, reopened claims).
- For each objective: measure, target, owner, quarterly milestones.

Flag any target where our data is too thin to set credibly.

Prompt: WC monthly portfolio dashboard

Here is this month's de-identified portfolio summary:
[paste aggregate figures]

Update our claims KPI dashboard in one table: KPI, current, target, RAG, trend
vs last month, one-line driver. Cover early contact, rehab assessment turnaround,
RTW rate, durable-return rate at 3 and 6 months, average time lost, and reopened
claims.

Then: three things trending well, three watch items, and the single action most
likely to improve durable return next month. Keep it to one screen.

Prompt: WC de-identified statement summary (draft for human review)

Summarise the key facts from this de-identified statement for a human case
manager to verify. This is a working summary, not a determination.

[paste de-identified statement using placeholders]

Structure:
- Chronology of events
- Injury or condition claimed
- Stated connection to work
- Treatment to date
- Current capacity and restrictions
- Open questions and missing evidence

Use the placeholders exactly as given. Do not infer facts that are not in the
statement. End with the two or three pieces of evidence a case manager should
seek next.

Practical takeaway. Measure durable return, not just return. Set the six-month sustained-return rate as a headline KPI this year, because it is the number that actually reflects recovery.

Playbook 3: Governance, Risk and Compliance

Definition. CPS 230. APRA's operational risk management standard, in force since 1 July 2025. It requires regulated entities to identify their critical operations, set tolerance levels for disruption, and manage service-provider risk. The service-provider transition applied from the earlier of the next contract renewal or 1 July 2026, so the window has now closed.

GRC teams entering FY2026-27 are operating under a fully live CPS 230, the Financial Accountability Regime's accountability obligations, and a board that wants risk kept inside appetite. APRA's 30 April 2026 letter to industry raised the bar again, telling regulated entities to build formal AI governance, keep an inventory of every AI tool and use case, and keep a human accountable for high-risk decisions. A strong FY plan connects regulatory change, operational risk and assurance, and maps every objective back to the risk appetite statement.

A worked example. You upload the obligations register and this month's issues tracker. The project space produces a board one-pager: obligations coverage against plan, controls tested versus scheduled, open issues by rating and ageing, and any tolerance breaches on critical operations, each line citing the register row it came from. It then drafts three decisions to seek from the board. A human owner checks every figure and signs off. The model did the assembly. The accountable person still owns the call.

What the strategy covers. Objectives across regulatory change, operational risk (CPS 230 critical operations, tolerances and service providers), assurance and controls testing, and issue management.

Indicator type | Example indicators
Leading | Obligations mapped, controls tested on schedule, issues closed on time, service-provider assessments complete
Lagging | Breaches, overdue actions, audit findings, tolerance breaches on critical operations

Files to upload.

  • FY GRC or compliance plan, last year plus any current draft
  • Risk appetite statement
  • Obligations register, de-identified
  • CPS 230 critical operations list and tolerance levels
  • Incident and breach log, de-identified, plus the issues and actions tracker
  • Board reporting calendar and regulatory change tracker

Prompt: GRC standing instructions

ROLE
You are the operating assistant for our Governance, Risk and Compliance team at
an APRA-regulated entity for FY2026-27. You help us build our GRC plan, monitor
risk and compliance KPIs, and prepare board-ready summaries.

CONTEXT
- We operate under APRA CPS 230 (operational risk management, in force since
  1 July 2025), the Financial Accountability Regime, and our board's risk
  appetite statement.
- Every objective should connect to the risk appetite statement.

HOW YOU WORK
- Australian English. No em dashes. Concise and direct.
- Cite the primary source (the standard, the obligation, the uploaded register
  row) rather than paraphrasing loosely.
- When a figure or position is uncertain, say so. Do not present inference as fact.
- End with "What I need from you next:".

NEVER
- Never present a draft as an approved board position, a formal breach
  assessment, or legal advice. A human owner signs off.
- Never invent breach numbers, findings, or citations.

Prompt: GRC build the FY2026-27 plan

Draft our FY2026-27 GRC plan, mapping every objective to our uploaded risk
appetite statement.

Objectives across: regulatory change, operational risk, assurance and controls
testing, and issue management.
- For operational risk, align to APRA CPS 230: critical operations, tolerance
  levels, and service-provider management. Note that CPS 230's service-provider
  transition window closed on 1 July 2026, so flag any provider arrangements
  still to be brought fully into scope.
- Set leading indicators (obligations mapped, controls tested on schedule,
  issues closed on time, service-provider assessments complete) and lagging
  (breaches, overdue actions, audit findings, tolerance breaches).
- For each objective: measure, target, owner, quarterly milestones.

Use only our uploaded registers. Cite the row or section you draw on.

Prompt: GRC monthly board one-pager

Here is this month's de-identified risk and compliance data:
[paste figures from the registers]

Produce a board-ready one-pager:
- A KPI table: obligations coverage, controls tested vs plan, open issues by
  rating and ageing, breaches this period, and any tolerance breaches on
  critical operations. Show current, target, RAG, and trend.
- Top five risks by residual rating and their movement since last month.
- Three decisions or endorsements to seek from the board, each with a one-line
  rationale.

Cite the source rows. Do not invent figures. Flag anything outside appetite.

Prompt: GRC regulatory change triage

Prompt
Here is a regulatory or supervisory update:
[paste the update or key points]

Triage it for us:
- What it is, in three sentences.
- Which of our obligations or critical operations it touches (use the uploaded
  obligations register).
- Likely impact: none, monitor, or act.
- If "act", the two or three first steps and a suggested owner.

Be conservative. If you cannot tell whether it applies to us from what I have
given you, say what you would need to confirm.
Practical takeaway. Map every FY objective to a line in your risk appetite statement. If an objective does not connect to appetite, either it is not a priority or your appetite statement has a gap. Both are worth knowing.

Guardrails that apply to all three

The same discipline protects every team, and none of it slows you down once it is set up. These are also the controls your regulators now expect to see, so building them in is not overhead. It is the evidence you were in control.

  1. De-identify before you paste. Use placeholders such as [CLAIMANTNAME], [CLAIMNUMBER] or [PROVIDER], and aggregate wherever you can. The model does not need the real identifier to do the work, and the OAIC's incoming transparency rules make careless handling of personal information a growing liability.
  2. Human decides. The model drafts strategy, summarises, and monitors. People approve determinations, board reports and safety decisions. APRA's April letter is explicit that a human must stay accountable for high-risk decisions. Never let an output stand as a decision.
  3. Use the enterprise settings. On Business and Enterprise, project data is not used to train models by default, administrators control memory and retention, and shared-project access can be restricted. Configure these before you load anything sensitive, not after.
  4. Mind the connectors. Connectors that pull from SharePoint, a drive or a ticketing system are powerful, but they widen what the project can see. Know what is in scope, who can see the shared project, and whether any of it should be there at all.
  5. Keep an audit trail. Save the prompt, the output, and the name of the reviewer. If a regulator or an auditor asks how a document was produced, you can show the chain, which is exactly the traceability APRA and ASIC are now looking for.
Figure 5. Five guardrails that make a project space safe for regulated work, and double as the evidence you govern AI.
Caution. Shared projects mean teammates see the files and the instructions. Keep personal information, credentials and market-sensitive data out of the shared layer. If it should not sit in a group inbox, it should not sit in a shared project.
Practical takeaway. Stand up a one-line audit log from day one: date, prompt used, output produced, reviewer. It costs you nothing per entry and it is the single artefact that turns "we use AI" into "we govern AI".
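Guardrails 1 and 5 as a short script, added here as an illustration and not part of the original brief. It swaps known identifiers for the placeholders above, reports anything the swap missed, and builds the one-line audit entry only when the prompt is clean and a reviewer is named. The `WC-123456` claim-number format, the residual patterns and all sample data are assumptions.

```python
import hashlib
import json
import re

# Assumed format (not from the brief): claim numbers look like WC-123456.
CLAIM_RE = re.compile(r"\bWC-\d{6}\b")
# Residual patterns worth blocking: email addresses and runs of 8+ digits.
RESIDUAL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+|\b\d{8,}\b")


def deidentify(text, claimants, providers):
    """Swap known identifiers for the brief's placeholders."""
    for names, tag in ((claimants, "[CLAIMANTNAME]"), (providers, "[PROVIDER]")):
        # Longest first so a hyphenated surname is not half-replaced.
        for name in sorted(names, key=len, reverse=True):
            text = re.sub(r"\b" + re.escape(name) + r"\b", tag, text, flags=re.IGNORECASE)
    return CLAIM_RE.sub("[CLAIMNUMBER]", text)


def residuals(text):
    """Identifiers the placeholder pass did not cover; paste only if empty."""
    return RESIDUAL_RE.findall(text)


def audit_entry(when, prompt, output, reviewer):
    """One JSON line: date, prompt used, output produced, reviewer."""
    if not reviewer.strip():
        raise ValueError("no reviewer named: an output cannot stand as a decision")
    if residuals(prompt):
        raise ValueError("prompt still contains identifiers; de-identify first")
    return json.dumps({
        "date": when,
        "prompt": prompt,
        "output": output,
        "output_sha256": hashlib.sha256(output.encode()).hexdigest(),
        "reviewer": reviewer,
    }, sort_keys=True)


# Constructed sample data; every name and number here is made up.
RAW = ("Jane Citizen-Smith (claim WC-204518) was reviewed by Northside Physio. "
       "Contact jane.cs@example.com or 0412345678.")
CLEAN = deidentify(RAW, ["Jane Citizen", "Jane Citizen-Smith"], ["Northside Physio"])

if __name__ == "__main__":
    print(CLEAN)
    print(residuals(CLEAN))  # the email and phone number still need removing by hand
```

A name list only catches the names on it, so treat a non-empty `residuals()` result as a stop sign, and an empty one as a minimum check that still needs a human read before pasting.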

Your July move

Thirty minutes today. Create the project, paste the standing-instructions template, upload five files, and run the FY strategy prompt once. You will have a first-draft plan and a live workspace before lunch. Then put a recurring thirty-minute monthly review in the calendar and let the rhythm carry it. Next July, you archive this project, spin up FY2027-28, and you have a full year of decisions and dashboards to learn from rather than a folder of one-off chats you will never reopen.

Insight. The teams that get the most out of AI this year will not be the ones with the cleverest one-off prompts. They will be the ones who built a governed place for the work to live, right at the start of the year.

Sources and further reading

  • Model access and June releases: Anthropic, "Statement on the US government directive to suspend access to Fable 5 and Mythos 5" (anthropic.com/news/fable-mythos-access) and "Claude Fable 5 in practice" (return, 1 July); CNBC on the lifting of controls (30 June) and on the shift from "tokenmaxxing" to efficiency (26 June); Anthropic, "Claude Sonnet 5" (30 June, SWE-Bench Pro 63.2 per cent, introductory pricing); OpenAI, GPT-5.6 Sol preview (26 June); Z.ai, GLM-5.2 (16 June, MIT licence); VentureBeat and SiliconANGLE on Meituan LongCat-2.0 (30 June).
  • Enterprise agents: Microsoft, "Build 2026" blog and microsoft.ai (2 June: MAI models including MAI-Code-1, Microsoft Execution Containers, Microsoft IQ with Work IQ APIs GA 16 June); Google I/O 2026 announcements (Antigravity 2.0).
  • ChatGPT project spaces: OpenAI Help Center, "Projects in ChatGPT" (project instructions, per-plan file limits, project memory, shared Projects on Business, Enterprise and Edu); OpenAI, "Enterprise privacy" (business data not used to train models by default). Web-verified July 2026.
  • Work health and safety: Safe Work Australia, model WHS Act and Regulations (psychosocial provisions) and "Managing psychosocial hazards at work: Code of Practice"; ISO 45003:2021.
  • Workers compensation: Safety, Rehabilitation and Compensation Act 1988 (Cth), sections 36, 37 and 40; Comcare rehabilitation and return-to-work guidance. Educational reference only, not legal advice.
  • GRC: APRA, Prudential Standard CPS 230 (in force 1 July 2025; service-provider transition to 1 July 2026); APRA, "Letter to industry on Artificial Intelligence" (30 April 2026); ASIC cyber-resilience letter (8 May 2026, 26-092MR); Financial Accountability Regime Act 2023 (Cth); OAIC automated-decision-making transparency (consultation closed 15 June 2026; Privacy Act amendments commencing 10 December 2026).

General information and education only. Not legal, compliance, financial, or professional advice.

TheAICommand. Intelligence, At Your Command.