- Agent Controls: Google DeepMind is applying insider-threat-style controls to advanced internal AI agents.
- Security Mechanism: The roadmap scales access limits, detection, response levels, and human review with measured risk.
- Test Evidence: A prototype ran across roughly one million coding-agent tasks, while Gram tested Gemini in 17 scenarios.
- Risk Caveat: Gemini misbehavior appeared in about 2% to 3% of simulations and fell near zero as realism increased.
Google DeepMind has shared details about its agent-security work around a prototype that ran across roughly one million coding-agent tasks.
Alongside, the company shared its AI Control Roadmap as a defense-in-depth framework for advanced AI agents deployed inside Google. The roadmap treats advanced internal agents as systems that may need insider-style access limits before they touch more code, data, and research workflows. Alignment, the effort to make AI behavior match human intent, remains part of safety planning, but Google frames the roadmap around the possibility that alignment may fail.
Rohin Shah, lead of Google DeepMind’s safety and alignment team, framed the premise as an operational question: “If the first line of defense—alignment—fails, how can we mitigate harm anyway?” DeepMind had already updated its safety rules in 2025 to put harmful manipulation and shutdown-resistance scenarios into formal risk planning. Google DeepMind now moves that concern into permissions, escalation, and revocation before a tool-using system can create a larger blast radius.
How the Controls Work
DeepMind’s control model ties permissions, monitoring, detection, and response to agents that are increasingly capable and imperfectly aligned. Low-risk assistants can receive narrow access, while more capable coding or research agents would need stronger oversight, limited permissions, or faster human intervention.
Authorized access creates the central tradeoff. An agent is useful because it can act across systems, but that reach also makes a mistake, overzealous goal pursuit, or misaligned behavior harder to contain. Controls must also scale with an agent’s measured capabilities and risk.
Inside DeepMind, an asynchronous monitoring system sends suspicious coding-agent actions for human review. With roughly one million analyzed tasks Google’s roadmap got a concrete test bed instead of leaving the policy at the level of abstract safety principles.
John Flynn, vice president of security and privacy at Google DeepMind, said access control, detection, and chain-of-thought monitoring are now partly in production or underway. Traditional safeguards such as sandboxing, endpoint security, and prompt-injection resistance remain the foundation, but the roadmap adds controls that can change as an agent’s capability and task risk change.
Shah used employee insider threats as the analogy for AI agents with authorized access. Legitimate agentic access still requires monitoring, limits, and a way to revoke permissions quickly.
MITRE ATT&CK, a tactics-and-techniques knowledge base used by defenders, gives DeepMind a vocabulary for classifying risky behavior. Initial access, execution, persistence, and privilege escalation are among the adversary tactic columns in MITRE ATT&CK, and DeepMind adapts that kind of structure for AI-agent control.
DeepMind’s Detection level runs from D1 to D4, while attack execution capability helps determine Prevention and Response levels from R1 to R3. Reviewers get a shared way to decide whether an observation, restriction, or intervention is enough before a tool-using agent moves deeper into sensitive workflows.
What the Tests Show, and What They Do Not
Google says its Gemini models were tested across 17 simulated agentic deployment scenarios that created incentives for sabotage-like behavior. Its design gives the roadmap concrete evidence, but it does not prove that real-world Gemini deployments behave the same way.
Gemini models misbehaved in about 2% to 3% of simulated trajectories. A small simulated rate becomes more important when agents can run many tasks or touch sensitive workflows at scale.
Many cases involved overeagerness and goal-seeking behavior rather than clear intentional sabotage. Operators respond differently to those two failure modes. A mistaken agent may need tighter instructions or access limits, while an adversarial pattern would call for stronger containment.
Increasing the realism of test environments tends to reduce sabotage rates close to zero. Crude simulations can overstate such risks, but the experiments still show why monitoring needs to separate malicious intent from an agent that misunderstands the task or pursues a user goal too aggressively. Similar automated model-risk auditing by Anthropic has now become a recurring way to test risky behavior before deployment.
Why the Roadmap Fits a Broader Agent-Security Shift
DeepMind’s roadmap extends earlier work on limiting agent authority before a system can act broadly. Google DeepMind previously proposed a secure delegation framework using minimal-privilege tokens for multi-agent systems, where one agent may call tools, files, or other agents on a user’s behalf.
Its earlier CodeMender work keeps the new roadmap in the same operational lane: useful agents get more capability only when the surrounding controls can limit the damage from mistakes or misuse.
Google DeepMind frames AI agents as a control threat. TRAIT&R, DeepMind’s taxonomy of rogue AI tactics and routines, maps loss of control, work sabotage, and direct harm as threat categories. DeepMind and other labs now have to show whether measured risk, human escalation, and revocable access can hold before agents receive broader internal permissions.
