The current authentication model in AG assumes that the session is controlled by an operator who is present for the 
entire meeting and is responsible for all
content and for the physical security of the room - their personal certificate is
used in a proxy to authenticate the connection. (though some venues may support anonymous certificates)

In practice, this is often not the case. Meetings may be user-run, with a technician
present only to start the equipment, or one operator may hand over to another
without changing certificates, while keyboards may be shared among participants in one physical room.  So a certificate 
owner may quite plausibly deny having posted some particular content, and may certainly deny having said
something.

In order to avoid watering down the level of trust placed in the certificate system, it may be useful to introduce a 
level of trust between "anonymous" and "personal" - a "site" or "group"  level that says that an organization or group
as a whole is responsible for certain content - implying, perhaps, that
certain physical security requirements (badge, keycard)  have been met in
order to gain access, but that a particular person cannot be identified.

Another feature that may be required in some settings is a procedure to log
people in an out of a meeting (as in e.g. UK crime drama on PBS TV "Det. Frost
left the room at 1:15pm"), thus preserving some record of who had access to
certain content.