Contents

What's Inside

Chapter One · Facts checked June 2026

What an AI Team Actually Is — Agents, MCP & Your First Hire

Let's start with the reframe the whole book hangs off. In 2026, Claude is no longer a chatbot you ask things — it's a workforce you can hire. A non-technical Australian founder can now stand up a working, supervised assistant that reads their email, watches their cash flow and prepares their books. The metaphor we use throughout is a team you manage: you hire each assistant for a bounded job, give it the right access, train it your way, and you stay the manager who signs off the consequential work.

A chatbot talks; an agent acts

AI isn't a switch you flip — it's a spectrum of autonomy. Prompting is one turn: you ask, it answers, nothing happens in your systems. A workflow is a fixed "if this, then that" sequence — reliable and repeatable, but rigid; it can't adapt when something unexpected happens. An agent is different: you give it a goal, and it decides the steps, running a loop — observe the situation, think about the next step, act with a tool — until it's done or it needs you. More autonomous agents run longer and coordinate sub-agents, but still need oversight for anything consequential. The leap from chatbot to agent is tool use: the ability to call a tool — search the web, read a file, query QuickBooks, draft an email — instead of only producing text. That's the difference between an assistant that talks and one that acts in your real systems. The Chat / Workflow / Agent sorter drills it against eight everyday jobs.

MCP: the connective tissue

What lets Claude reach into your apps is the Model Context Protocol (MCP) — an open standard, introduced by Anthropic in late 2024 and since adopted across the major vendors, that gives AI tools a common way to exchange context and actions. It replaces bespoke, per-app integration code: the "many apps × many tools" problem collapses to "many + many". "USB-C for AI" is the handy shorthand. For a small business this is the unlock — you don't integrate anything; you click "connect", approve it, and ask in plain English. The directory spans hundreds of connectors (Gmail, Google Drive/Calendar, QuickBooks, Canva, Slack, Stripe, Microsoft 365 and more), so don't pin a course or a plan to a fixed number. The crucial habit to build now: every connector tells you what it can do — read only, draft, or act with approval. That single question is the whole safety story, and you can explore it in the connector capability explorer.

Name your first hire

Don't pick the exciting job — pick the boring one you do every week. The best first hire is recurring, bounded, low-stakes to start, and annoying enough that automating it feels like a win: inbox triage, the weekly cash-flow check, chasing overdue invoices, sorting receipts. Reframe that task as a role — the bookkeeper, the marketer, the ops assistant — and set its trust level: read-only, draft-for-me, or act-with-approval. That becomes your AI Team Org Chart, the first of the course's take-home artefacts, and you build it in the org chart builder.

Chapter Two · Facts checked June 2026

The Claude Suite — Cowork, Chrome & Office

This is the heart of the course: the actual workforce. Three Claude surfaces do real work, and knowing which one fits which job is most of the battle.

Cowork: your desktop coworker

Cowork is Anthropic's agentic knowledge-work product inside the Claude desktop app — a "third mode" alongside Chat and Code. You point it at a folder, give a goal in plain English, and it reads, edits and creates files and completes multi-step work, showing its reasoning as it goes. It lets you steer mid-task, run sub-agents, and — crucially — it requires explicit permission before destructive actions like deleting files. It's the clearest example of AI that does the work rather than telling you how: the researcher, the report-writer, the file-organiser, the "do this whole multi-step job for me" generalist. It's included on paid plans, runs from the desktop app (some flows need the app open while a task runs), and supports scheduled tasks. The Cowork run simulator walks a real job and pauses at the permission gate so you can feel the supervision model.

Agents in the browser and Office

Where Cowork works on your files, two more assistants work where you already do. Claude for Chrome (beta, paid plans) is a browser agent in a side panel that can see the active tab and act — navigate, click, fill forms, extract data, run multi-step workflows. Claude for Microsoft 365 puts Claude inside Excel, PowerPoint and Word (generally available), with Outlook in beta — reading whole workbooks with cell-level citations, building on-brand slides, doing tracked-changes edits, drafting before send. Both are powerful precisely because they act inside your logged-in session — and that's exactly why they need care. They're exposed to prompt injection: hidden instructions in a web page or document can try to hijack the agent. Anthropic restricts some high-risk site categories by default and explicitly advises against unsupervised use for financial transactions, passwords or sensitive data. Treat any page or document an agent reads as potentially trying to give it secret instructions — the Spot-the-Risk game trains the judgement.

Chapter Three

Hiring & Training — Connectors & Skills

If a connector hires a worker, a Skill writes its job description so it performs the same way every time. The two are complementary, and together they turn a generalist into a trained specialist.

Connectors hire; Skills train

Connectors plug Claude into a specific app — QuickBooks, Gmail, Canva, Stripe. Directory connectors are broadly available across plans; custom connectors (your own MCP server) need a paid plan. Anthropic has also been rolling out small-business-oriented Cowork bundles with prebuilt workflows across tools like QuickBooks, PayPal, HubSpot, Canva, DocuSign, Google Workspace, Microsoft 365, Square and Stripe — verify the current name and contents at launch, because this moves. A Skill is a folder containing a SKILL.md file (plus optional scripts, templates and resources) that teaches Claude to do a task your way — your steps, your house voice, your must-checks. Skills load on demand ("progressive disclosure"), and the same Skill runs across Claude.ai, Claude Code and the API. The relationship is the thing to remember: MCP provides the tools; Skills provide the repeatable method for using them.

One safety rule for Skills

Because a Skill can include scripts, a malicious one could run code or exfiltrate data. So treat installing a Skill like giving a new contractor system access: only use Skills from trusted sources, and audit third-party Skills before you use them. And bake the checkpoints in — a good Skill encodes not just how to do the job, but where a human must stop and sign off. You'll draft your own Skill in the Skill Builder, which generates a real SKILL.md and saves the draft to finish later.

Chapter Four · Facts checked June 2026

Your First Safe Hire — Reads Before Writes

Here is the rule that governs the whole build, borrowed from Rupert's QuickBooks course and made the spine of this one: automate the reads, supervise the writes. AI prepares and checks; a human reviews and lodges. You build the team in stages of trust, and the first stage is entirely read-only.

Start read-only

The safest possible first hire connects one directory connector — Gmail, Google Drive or Google Calendar — and runs either a scheduled brief (a weekly read-only digest of cash position, overdue invoices and the week ahead) or email triage with drafts (Claude searches and drafts replies; you send). It's a genuine "wow" with zero write-risk, and the tool itself enforces the discipline — the Gmail connector drafts but won't send on your behalf. You build trust by watching the drafts for a week before the assistant ever acts. Configure one in the read-only assistant configurator.

Add a domain connector — read-only insight

Next, connect a domain tool for insight, not action. The QuickBooks connector can read reports — P&L, balance sheet, cash flow, aged receivables, sales — and create or send invoices and payment links, but it does not reconcile, categorise the bank feed, lodge a BAS or run payroll. So "summarise my overdue receivables" or "what's my cash position vs last month" is the bookkeeper assistant's safe first shift; "reconcile last month" and "pay this and lodge the BAS" are firmly out of scope. The connector is a brilliant analyst and a terrible signatory — and "the AI did it" is not a defence to the ATO. Try it in Ask Your Books.

Finish one Skill

Now complete the Skill you drafted in Chapter Three into a working .skill — two strong starters for an SME are a weekly cash-flow brief and an on-brand newsletter draft. Bake the human checkpoints into the Skill itself, so the induction manual says where the junior must stop and ask. The Skill finisher runs a readiness check and lets you finalise it as a take-home artefact.

Chapter Five · Facts checked June 2026

Delegating Real Work — Cowork & Supervised Acting

With a read-only assistant trusted, you advance the dial — but never faster than the trust you've earned.

Hand Cowork a multi-step job

On a sandbox folder, give Cowork a genuine multi-step job — organise a folder, or draft a report from several source files. Managing it is managing a person, and there are three moves: steer it mid-task, grant permissions on purpose (the folder and tools it needs, and nothing more), and review the finished deliverable before it's used. A clear brief — a single goal, a bounded scope, a definition of "done", and approval gates on anything destructive — is the difference between a finished deliverable and a mess. Build one in the delegation brief builder.

Supervised "acting" — the bookkeeper on a sandbox

Only now do we let an agent act. Claude for Chrome can drive a sandbox QuickBooks for the UI-only jobs the connector can't do — bank reconciliation, categorising "for review" transactions, pay-run preparation — explicitly framed as supervised, human-lodges. An agent can safely prepare draft pay-run summaries, reconcile draft figures against source reports, produce exception lists, assemble a BAS working paper and pull super and PAYG totals. It must never, unattended, lodge with the ATO, approve or release payroll, move money, or make final compliance decisions. On the Australian context — conceptual, and to re-verify with the ATO — the Super Guarantee reached 12% on 1 July 2025, Payday Super starts 1 July 2026 (super paid each payday, received by the fund within a short window), the Small Business Superannuation Clearing House is closing, and finalising a pay run lodges the STP pay event. Walk the line in the "Where's the Human?" classifier.

Claude or a platform?

It isn't Claude versus Zapier, Make or n8n — it's a stack. Reach for Claude when work is conversational, judgement-heavy, document/knowledge work, or one-off-but-complex. Reach for an automation platform when work is triggered, repetitive, high-volume, deterministic and runs unattended on a schedule or event. They combine — a platform can bridge a tool Claude can't reach, and call Claude as the "brain" inside a workflow — and the decision rule is practical, not ideological: use the simplest stack that runs reliably under supervision. And remember the maintenance reality: agents and automations are not set-and-forget; model updates, API changes and version bumps can break an integration, sometimes silently, so every automation needs an owner and upkeep. Compare them in the tool comparison and decision sorter.

Chapter Six · Re-verify with the OAIC & current legislation

Trust, Compliance & the Australian Context

A sceptical Australian business audience needs the compliance story told as clearly as the capability story. This is what makes the team safe — and defensible — for a real business handling real customer data.

Data sovereignty and the four questions

Data sovereignty isn't just where data sits — it's which laws apply, what the tool stores, and whether information moves to third parties through connectors. The accurate, conservative position to teach: Anthropic's first-party regional controls are limited, so in-region deployment is mainly available via partner platforms — Amazon Bedrock (including a Sydney region), Google Vertex AI, or Microsoft Foundry — and by default traffic may be processed in several countries and stored in the US. Zero Data Retention applies only to eligible API features, not generally to Claude Free, Pro, Max or most Team/Enterprise product interfaces. Before enabling any connector or uploading client material, ask four questions: What data is being sent? Where is it processed or stored? Who else receives it? What approvals, contracts and policy disclosures are required? Run them in the Four-Question Check.

The Privacy Act and APP 8

The Privacy Act reforms brought higher penalties, a statutory tort for serious invasions of privacy (in force from 10 June 2025), stronger APP 11 security expectations, and automated-decision-making transparency obligations taking effect from late 2026. The one to internalise is APP 8: before disclosing personal information to an overseas recipient, you must take reasonable steps to ensure they don't breach the APPs — and you remain accountable for their handling. Because processing personal information through an overseas-hosted AI tool can be a "disclosure", you stay responsible for your customers' data even after it leaves your laptop. Practise in a sandbox, use least-privilege access, disclose overseas handling where required, and prefer in-region deployment for sensitive data.

Guardrails and your governance brief

Name the failure modes plainly — it builds trust. Prompt injection is the leading security threat for browser/agent tools, and compound failure means even good per-step reliability degrades across long tasks; most failures are architectural, not model bugs. The fix is bounded tasks, clear approval checkpoints, simple recovery paths, and a human in the loop for anything consequential. Australia's Voluntary AI Safety Standard (ten guardrails) and the National AI Centre's "essential practices" are the references. Turn all of this into two take-home artefacts — a connector & permissions map and a one-page governance brief — in the governance brief builder. That one page is what turns "I used AI" into "here's how we govern AI".

Chapter Seven

Your 30-Day Hiring Plan

The course ends with a plan, not a memory. Hire one assistant a week, read-only first, and in a month you have a small, supervised team rather than a pile of half-finished experiments.

The staged sequence

Apply it to your own business. Week 1 — the read-only assistant (a brief, or triage with drafts), reviewed daily. Week 2 — a domain connector for insight, and one finished Skill. Week 3 — a real Cowork job on a sandbox folder. Week 4 — only if you're ready — one supervised "acting" task, with the human-lodges rule and, for finance, a registered agent in the loop. Throughout, the four privacy questions and your governance one-pager. The 30-day plan builder pulls in the roles from your org chart, lets you assign each to a week, and captures a Week 1 commitment with a date.

Thresholds that change the recommendation

On plans: start on Pro; move to Max only when you repeatedly hit limits; choose Team or Enterprise when five or more people need it or you need admin, SSO and governance controls. On build-vs-buy: push high-volume, unattended work to Zapier/Make/n8n, and keep judgement work in Claude. On regulated tasks: never cross from "prepare/check" to "lodge/pay/send" without a human — and, for tax, BAS or super, a registered agent. On data sensitivity: if you're handling significant personal or financial client data, prefer in-region deployment and disclose overseas processing.

Chapter Eight · Bonus case study

Case Study — A Small Business AI Team in Action

To close, three assistants doing real jobs end to end on a small Australian business — each showing the same line: the agent prepares, a human signs off the consequential step.

The bookkeeper

A month-end run, supervised. The connector pulls the P&L, aged receivables and cash flow; Claude for Chrome drives a sandbox QuickBooks to reconcile and categorise; a draft pay run and an exceptions list come back. Two moments belong to a human: an ambiguous receipt that needs a judgement call with tax consequences, and the lodgement of the STP pay event. The agent prepares the books beautifully; it doesn't get to sign them. Read it in the bookkeeper walkthrough.

The marketer

A content pipeline: Cowork synthesises the week's updates into a structured draft, a brand-voice Skill rewrites it in your house style, a connector produces on-brand visuals, and the only human stop is publish — exactly where it should be. Drafting on-brand at speed, with a person still hitting send. See the marketer walkthrough.

The ops assistant

The quiet backbone: a 7am read-only brief (cash position, overdue invoices, the week ahead), email triage with drafts ready for review, and calendar scheduling that waits for your approval before booking or sending. Proactive, but the consequential actions still pause for you. Walk a morning in the ops assistant walkthrough, which also assembles your whole team onto the org chart and closes the course.