SydClaw is a managed AI workforce platform for Australian professional services firms, built by AI Lab Australia Pty Ltd. It provides an AI employee that handles email automation, calendar management, document generation, invoice processing, safety compliance, and reporting — 800+ automated actions across 22 modules. It connects to Gmail, Microsoft 365, Xero, SafetyCulture, HubSpot, SharePoint, Smartsheet, and 8,000+ apps via Zapier.

How much does SydClaw cost?

SydClaw Pilot pricing is $360 per user per month plus a one-time $5,000 setup fee. The Pilot plan includes up to 5 modules, full AI guardrails, and a 30-day pilot with rollback. Enterprise pricing is custom and includes unlimited modules, SSO/SAML, dedicated infrastructure, and an SLA. Contact sydclaw.com.au/contact for a quote.

Is SydClaw compliant with Australia's Privacy Act 2026?

Yes. SydClaw includes an immutable audit trail of every AI decision — input data, reasoning, output, model version, and timestamp — automatically meeting the December 10, 2026 Privacy Act transparency requirements. Consumers and employees can request explanations of any automated decision. Reports are generated automatically without manual preparation.

Does SydClaw store data in Australia?

Yes. SydClaw uses Australian data residency by default — hosted on Vercel and Supabase infrastructure located in Sydney, NSW. An on-premise option is also available using Docker Compose and local LLM inference via Ollama, where zero data leaves your building. The on-premise option is architected for IRAP PROTECTED assessment for government contracts.

How long does it take to deploy SydClaw?

SydClaw deploys in approximately 10 days. This includes OAuth connection of your existing tools, configuration of policies and guardrails specific to your business, compliance setup for your applicable frameworks (Privacy Act, AFSL, APRA CPS 234), and testing the AI workflows against your real data before go-live.

What integrations does SydClaw support?

SydClaw has native integrations with Gmail, Microsoft 365, Xero (invoicing and accounting), SafetyCulture (safety compliance), HubSpot (CRM), SharePoint and OneDrive (document storage), Smartsheet (spreadsheets), and Vapi (AI voice calls). It also connects to 8,000+ additional applications via Zapier. OAuth tokens are stored with AES-256 encryption.

How does SydClaw protect personal data and PII?

SydClaw uses a zero-knowledge PII tokenisation system before any data is processed by AI models. It automatically detects 17 categories of personal information — including names, email addresses, ABNs, TFNs, phone numbers, and physical addresses — and replaces them with reversible tokens. AI models never process real personal information. All tokens are reversible by authorised users only. Data is encrypted with AES-256 at rest and TLS 1.3 in transit.

Is SydClaw suitable for AFSL-licensed financial services firms?

Yes. SydClaw automatically screens every AI-generated response for 12 categories of unlicensed financial advice language patterns, blocking or flagging responses that could constitute financial advice without proper licensing. It also maintains a Best Interests Duty audit trail that links every AI recommendation to the licensed professional who reviewed and approved it, supporting ASIC compliance requirements.

Does SydClaw support APRA CPS 234 requirements?

Yes. SydClaw supports APRA CPS 234 for banks, insurers, and superannuation funds. It automatically maintains an AI asset register, logs all security-relevant incidents with timestamps, and generates security testing evidence. These controls are maintained continuously rather than assembled at audit time.

What security certifications does SydClaw have?

SydClaw's architecture is aligned to ISO 27001 (certification in progress) and SOC 2 Type II (audit in progress). It uses AES-256 encryption, TLS 1.3 in transit, role-based access control with Row Level Security at the database layer, multi-factor authentication, immutable audit logging, and human-in-the-loop approval workflows for sensitive actions. Enterprise deployments support SSO/SAML.

What is the difference between SydClaw and ChatGPT or Copilot?

SydClaw is a managed AI workforce platform — not a chat assistant. Unlike ChatGPT or Microsoft Copilot, SydClaw autonomously executes business workflows: it connects directly to your email, calendar, invoicing, and document systems and takes action without prompting. It runs on a schedule (morning briefings at 7 AM), responds to triggers (new email arrives), and processes tasks overnight. It also has Australian-specific compliance built in — Privacy Act 2026, AFSL screening, APRA CPS 234 — and all data stays in Australia.

Who is SydClaw built for?

SydClaw is built for Australian professional services firms — including legal, accounting, financial planning, construction project management, consulting, and managed services businesses — typically with 5 to 100 employees. It is particularly valuable for firms subject to Australian regulatory requirements including Privacy Act 2026, AFSL obligations, or APRA CPS 234.

← Back to blog

30 April 2026 · 9 min read

NDIS Practice Standards Audit Prep: From a Four-Week Crisis to a Continuous Operating Cadence

Most NDIS providers treat audit prep as a discrete project four weeks before the audit window. The strengthened Practice Standards and the Quality and Safeguards Commission's increased unannounced visit frequency make that approach unsustainable. Here's the operating cadence that replaces it.

Roman Silantev — Founder, AI Lab Australia

What changed in 2025–26

Three changes have compounded over the last eighteen months to make traditional audit-prep cycles untenable for NDIS providers. The Quality and Safeguards Commission has materially increased the frequency of unannounced visits — a registered provider can no longer assume the next audit will arrive on a known calendar date with weeks of warning. The Practice Standards themselves were sharpened in successive updates, with more prescriptive evidence requirements at the indicator level. And the Privacy Act 2026 ADM transparency obligations activate 10 December 2026, layering an explainability requirement on top of every AI-assisted decision a provider makes about a participant.

The combined effect: a provider that treats audit prep as a four-week sprint before each scheduled audit window is now exposed in two directions. They are unprepared for unannounced visits, which now constitute a meaningful share of the regulator's review activity. And they are unprepared for the post-audit ADM transparency obligation if any of their support delivery touched an AI-assisted workflow.

Why the four-week sprint never actually worked

Even in the prior regulatory environment, the four-week sprint was a controlled crisis. A registered manager would assemble three or four staff, pull the master spreadsheet of evidence requirements, and start reverse-engineering the file: did this participant's care plan have the right consent on the right date, did this incident report capture the witness statement, did this medication administration have the double-check signature. The work would consume the registered manager's attention for the better part of the month. The audit would pass — providers got good at the sprint — but the underlying operational quality didn't necessarily improve, because the sprint was about reconstructing evidence, not about producing it correctly the first time.

Providers who could deliver consistently in business-as-usual mode were still doing the four-week sprint, because they didn't trust their own systems to have captured the evidence in the format an auditor would accept. The sprint was the truth-serum that confirmed the underlying systems were not audit-ready.

What "continuous" actually means

A continuous audit-prep posture means the evidence is mapped to the relevant Practice Standards indicator at the moment the underlying work is done — not retrospectively. When a worker logs a service delivery record, the system tags it against the Outcome 3 indicator on "safe and high-quality service provision" and the Outcome 5 indicator on "effective management of supports" automatically. When a behaviour support practitioner authorises a restrictive practice, the use is captured in the register against the BSP version, the practitioner's NDIS approval, and the Commission lodgement reference. When an incident report is filed, the SIRS classification is screened immediately and the evidence is filed against the Outcome 4 "feedback and complaints" indicator if the incident relates to a participant complaint, or Outcome 3 if it relates to service quality.

This is not a different operating model from the day-to-day work. It is the same work, captured against the regulatory frame as it happens. The difference is the indexing, not the work itself.

The four indicator domains where most providers fail

Across the audits we've worked through with provider clients, four indicator domains account for the majority of findings. First: continuous improvement. Outcome 3 expects evidence that the provider learns from incidents, complaints, and participant feedback, and that the learning produces concrete operational change. Most providers have the incidents logged and the complaints registered, but the learning trail is missing — there is no documented link between what was learned and what was changed.

Second: worker training currency. The Practice Standards expect evidence that each worker is trained on the things relevant to the participants they support — including any participant-specific BSP, any high-risk medication protocol, any communication preference. The training itself usually happens; the documentation that ties a specific worker to a specific participant's specific training requirement is patchy.

Third: participant consent and decision-making. Outcomes 1 and 2 expect evidence that the participant (or their substitute decision-maker) was supported to understand decisions about their supports — including consent to AI-assisted documentation if the provider uses any. Most providers' consent forms predate the AI question entirely.

Fourth: SIRS investigation depth. Reportable incidents trigger an investigation timeline, but the investigation expectation has sharpened — root-cause analysis, contributing factors, learning incorporated into systems. The five-day report and final report formats need more depth than many providers' current incident workflows produce.

What a working continuous-prep system looks like

On a Monday morning at 7am, the registered manager opens their dashboard. The compliance heatmap shows the seven Practice Standards Outcomes with green / amber / red status for each indicator. Three indicators are amber, meaning the evidence count for the rolling 90-day window has dropped below the configured threshold. The registered manager clicks the first amber indicator, sees that the evidence is for participant goal-progress reviews, and notes that two participants are overdue for their quarterly review. The system has already drafted the review prompts for the relevant support coordinators. The registered manager dispatches the prompts.

A worker phones in a service delivery record from the field. The voice memo is transcribed; the AI drafts the SDR with the right NDIS support category, the right unit count, the right price item. The worker reviews on their phone, confirms, and signs. The SDR is filed against the participant's record, indexed against Outcome 3 indicator, and the audit-prep evidence count for that indicator increments by one. The worker gets their afternoon back; the system has its evidence.

A potential reportable incident lands in the email module — a worker has sent a brief note about a fall during a community access shift. The incident module screens against the SIRS categories, flags the matter as a potential priority-1 reportable incident, drafts the Commission notification with the known facts, and notifies the registered manager within minutes. The 24-hour clock is visible on the dashboard. The investigation timeline is initiated. By the end of the day, the notification is lodged with the Commission, the five-day investigation timeline is in motion, and the audit trail is complete.

Cost vs benefit

The honest accounting on continuous prep is that the system costs slightly more to operate day-to-day than the four-week-sprint model — the indexing, the heatmap monitoring, the prompts to support coordinators are all small overhead items that aggregate. The savings come at audit time and at scheduled-review time. A provider on continuous prep can respond to an unannounced visit in two hours instead of two days; the registered manager's quarterly time on audit-related work drops by 75–85%; and the audit findings drop because the evidence was correctly produced the first time.

For a 25-worker provider, the dollar arithmetic typically lands around $40,000–$60,000 per year in registered-manager and senior-support-worker time freed up, plus the harder-to-quantify reputational savings from cleaner audit outcomes. SydClaw's NDIS module pricing is materially less than that; the platform pays for itself within the first audit cycle, and the prep posture shift is the durable benefit.

Disclosure: I am the founder of AI Lab Australia, the company that builds SydClaw. The platform's NDIS module described above is purpose-built for the continuous-prep model. If you'd like a copy of our Practice Standards indicator-mapping reference document — which providers find useful regardless of whether they end up using SydClaw — reach me at info@ailabaustralia.com.

About the author

Roman Silantev — Founder, AI Lab Australia. Roman is the founder of AI Lab Australia Pty Ltd, the company that builds and operates SydClaw. He has spent the last decade building enterprise software for Australian professional services firms, and writes regularly on AI compliance and Privacy Act obligations.

Talk to us about Privacy Act 2026 readiness