Scope note: this checklist governs the program around simulated phishing — authorization, cadence,
training follow-through, and non-retaliation — not the phishing mechanics themselves. Sending infrastructure should run
on separate hosting and an unrelated domain from AEGIS (see prior guidance); the actual campaign send/track/report tooling
is a separate system (e.g. self-hosted GoPhish) that this checklist assumes already exists. A signed Client Authorization
& Scope Agreement is a hard prerequisite for item AUTH-01 below — no campaign should run without it.
PR.AT NIST CSF 2.0 category reference, where applicableCritical prerequisite — do not run a campaign without this