Building a digital twin of yourself is a little like rebuilding the engine on a car you still need to drive to work every day. You don’t get to stop. Clients still call. Boards still meet. The twin gets built between flights, between sessions, between cups of coffee that have gone cold three times.
After several weeks of work, my Mark Thomas and Escoute digital twin crossed the halfway mark this week. The ChatGPT-to-Claude migration is behind me. Master prompt instructions are written and tested. Voice consistency across LinkedIn, Facebook, and Instagram is dialed in. The advisory hub at markthomasonline.com is relaunched and the twin is starting to draft, respond, and reason in a way that genuinely sounds like me and not a sanitized version of me.
The next several weeks are about completion. Finishing the Escoute twin’s depth in governance and risk frameworks. Tightening my twin’s voice in client-facing scenarios. Stress-testing against real workflows: workshop content, board prep, blog drafts, podcast outlines, comment responses. By the time I land in Las Vegas for the ISACA North America Conference next week, I want my twin to be operating at near-production quality.
Along the way, I have learned things the hard way. Below are ten lessons I would hand to any executive, consultant, or organization serious about building a digital twin. They are weighted toward governance because, as it turns out, governance is the part everyone underestimates and the part that determines whether the twin is an asset or a liability.
- Define what the twin is for before you define what it is. A twin built without a clear purpose becomes an expensive autocomplete. Mine exists to extend my advisory reach, scale content, and preserve voice. Yours might exist to capture institutional knowledge, accelerate onboarding, or replicate a key function. Different purpose, different governance. Skip this step and everything downstream gets fuzzy.
- Treat the twin as a system, not a feature. The moment you build one, you have created a new asset that needs ownership, oversight, change control, and a retirement plan. Most organizations skip straight to “what can it do?” without asking “who governs it?” That gap is where reputational risk lives.
- Identify what is load-bearing versus what is decorative. Some of what the twin produces is operational. It goes out the door with your name on it. Some of it is scaffolding: internal drafts, brainstorms, scratch work. The governance applied to each tier should not be the same. Know which is which before you ship.
- Voice is intellectual property. Protect it like one. The twin learns your voice from your work. That voice is one of the most valuable things you own. Document it. Version it. Decide who can train on it, modify it, or speak in it. If you would not hand a junior associate your signature stamp, do not hand a model your voice without controls.
- Build a clear escalation path for what the twin cannot do. The twin should know what is out of bounds and so should anyone using it. Regulatory commentary. Client-specific advice. Anything legally consequential. The escalation path from “twin handles it” to “human handles it” needs to be explicit, documented, and tested. Otherwise, the model decides for you.
- Keep humans in the loop where the stakes are real. Twin-generated content, especially anything client-facing or board-facing, gets a human review until proven otherwise. This is not a confidence problem. It is a governance principle. The model gets faster. Judgment does not get cheaper.
- Version everything. Prompts, training material, sample outputs, refusal patterns. If you cannot tell what the twin sounded like six months ago versus today, you cannot tell when something drifted. You also cannot defend a decision the twin influenced. Versioning is not optional once the twin is doing real work.
- Audit the twin like you would audit a vendor. Periodically test it against scenarios you have already lived through. Does it sound like you? Does it know the boundaries? Does it refuse what it should refuse? An unaudited twin will quietly hallucinate authority you never gave it. Treat it like a third party with privileged access because it is one.
- Plan for the twin outliving the platform. The model you build on today will not be the model you run on in three years. Your prompts, your voice library, your governance documentation must be portable. Migration is inevitable. Lock-in is a choice. I migrated mid-build for a reason.
- Decide now what happens to the twin when you are not around. Succession is the question almost nobody asks. Does the twin retire with you? Transfer to your firm? Get archived? Get destroyed? An individual twin without a succession plan is a digital ghost waiting to be misused. An enterprise twin without one is an orphaned asset waiting to fail an audit.
What Keeps Me Up at Night
The tips above are the tactical side. The strategic side is harder, and it is what I find myself thinking about at three in the morning more often than I would like.
Drift. Every interaction nudges the twin a little. Without disciplined versioning and review, the voice you trained six months ago is not the voice speaking today. By the time you notice, the trail is cold.
Attribution. When the twin writes something that goes sideways, who owns it? Me? My firm? The platform? The contract language and governance posture for this are still being written across the industry — often badly.
Imitation. A well-trained twin of a public figure becomes a tempting target for replication. Voice, cadence, opinions — all reproducible. The defenses are weaker than the offenses right now, and that gap is widening.
Standards. There is no settled framework for governing personal or organizational digital twins. Most existing AI governance guidance treats them as a footnote. The frameworks will catch up — but the people building twins now are building them in a regulatory gray zone.
Trust. The hardest one. A digital twin only works if the people on the other end believe what comes through it. Trust takes years to build and one bad output to break. Every governance decision, in the end, is a trust decision.
The Bottom Line
Building a digital twin is not a technology project. It is a governance project wearing a technology costume. The model is the easy part. The frameworks, the controls, the voice protection, the succession planning — that is the work.
If your organization is exploring digital twins for a key executive, a critical function, or an entire advisory practice, the right time to think about governance is before the build, not after the launch. The ones who get this right will move faster and sleep better. The ones who skip it will end up explaining things to a regulator, a board, or a journalist they did not plan to meet.
The opportunities, as I have said before, are virtually endless. So are the ways to get this wrong. I’d rather get it right. Did my digital twin write this blog? Yes. But I didn’t post this until I reviewed and edited this post. Keep an eye out for more posts on my journey and how you can learn from my mistakes!
Mark Thomas is an independent advisor specializing in IT governance, AI risk, and digital trust. He works with boards, regulators, and ISACA members across multiple countries. Learn more at markthomasonline.com.

