Hi Bob,
I wanted to wait a while and see if any other community users would respond to your thread with their own suggestions, local practices, and workarounds first.
Ideally, in the future more entities in AtoM would be given a publication status, so that users can control the public visibility of records. Also, ideally, I'd like to see Visible Elements support for authority records added, so that users can choose to keep some fields for internal use only. Both of these require significant development, so we'll likely need community support, either as code contributions or development sponsorship, to be able to add them to an upcoming release.
In the meantime, I just wanted to mention one possible workaround, though it requires some technical proficiency to set up.
It's possible to use two different AtoM sites together with a replication script between them, so one can act as an internal edit site, and the other as a read-only public-facing front end. Not only can this add greater security and the ability to optimize the public-facing site for high traffic (such as using aggressive caching tools like Varnish), it can also be used as a way to potentially provide publication control for entities that don't currently have a publication status in AtoM.
Essentially, the replication script is executed manually, and when it is run, it copies over the database and search index from the internal site to the public one. This allows for updates to the public site with no downtime. It also means you can strategically choose when to run the replication script.
You could, for example, create a number of new authority records internally, and wait until they are reviewed and approved before running your replication script again. It doesn't give you granular control over individual fields, and it's an all-or-nothing approach (there's not currently a way with our replication script to exclude some entities, for example, though you could develop your own), but as a workaround it offers some benefits that are not currently supported via the user interface.
We have some slides here that include further information and links:
Hopefully others might chime in with their own strategies for managing authority record metadata.
Cheers,