Google adds security controls as Gemini shifts to autonomous agents

From assistant to agent

Google is no longer describing Gemini as a tool that waits for instructions and answers back. At Google I/O 2026, the company said it has moved from AI that simply assists users to agents that can independently navigate complex tasks across entire workflows, a shift that changes both capability and risk. That matters because once a system can act across email, documents, code, and calendars on its own, the consequences of a mistake are no longer limited to a bad suggestion. They can spread across an organization before a human even sees the error.

This is the accountability gap at the center of the story. The more autonomy a system gets, the easier it becomes for companies to celebrate speed and convenience while leaving the hard question unresolved: who is responsible when the agent acts independently and fails?

Google’s new controls try to answer part of that question

Google is pairing the shift with new security controls in Gemini 3.5 and its upgraded Antigravity agent platform. The company says Antigravity 2.0 and the Antigravity CLI include built-in cross-platform terminal sandboxing, credential masking, and hardened Git policies for agent workflows. In practice, that means the agent is meant to be more tightly contained when it touches command-line tools, secret credentials, and code repositories.

Those protections are important because autonomous agents are not just chatting anymore. They are entering terminals, interacting with developer tools, and moving through systems where a misplaced instruction or leaked credential can create real operational damage. Google is signaling that the next generation of AI will need controls that look less like consumer safeguards and more like infrastructure policy.

Workspace now exposes a central layer of oversight

Google Workspace is also getting a new AI control center, announced by Google Workspace Updates on May 4, 2026. The company says the feature gives enterprise organizations a centralized view of security and governance settings for generative AI and agent actions, which is a notable admission that existing controls were too scattered for the new reality.

The control center initially shows usage across Gmail, Drive, Docs, Sheets, Slides, Meet, Calendar, Chat, and the Gemini app. That list is telling. It covers the places where workers write, schedule, store, present, and communicate, which means the oversight problem is no longer isolated to engineering teams or research labs. It is now a workplace governance issue that affects office staff, school systems, hospitals, local agencies, and any institution that depends on cloud collaboration.

That centralization also reveals a social equity fault line. Large enterprises may be able to monitor and configure agent use through an admin console, but smaller organizations, under-resourced public institutions, and teams without dedicated security staff may have a harder time keeping up. The benefits of autonomy arrive quickly; the burden of managing it often lands unevenly.

Indirect prompt injection is the threat Google keeps naming

Google says it is continuously improving defenses against indirect prompt injection, which it treats as a top security priority. The company describes the threat as one where AI agents that ingest emails, websites, or code repositories can be hijacked by malicious instructions hidden inside external content. In other words, the danger is not always a flashy breach. It can be a quietly planted sentence inside a document or webpage that persuades an agent to do the wrong thing.

Google’s security blog says indirect prompt injection is an evolving threat vector and a primary attack path for adversaries targeting AI agents. The company says it is monitoring the public web for known patterns and using Common Crawl snapshots to study real-world abuse, which shows how quickly the defensive playbook is still being written. Google’s own security language, including the claim that “every day you’re safer with Google,” sits alongside the admission that the threat landscape is changing and demands a defense-in-depth, continuous mitigation approach.

That tension is the point. Even one of the companies building these systems is effectively improvising the rules in real time. The message is not that the problem has been solved. It is that the problem is active, evolving, and already embedded in the products people are being asked to trust.

NIST is trying to define the rules while the market moves ahead

The public sector is now trying to catch up. In January 2026, NIST’s Center for AI Standards and Innovation issued a request for information on how to secure AI agent systems. In February 2026, NIST launched its AI Agent Standards Initiative to support secure, interoperable adoption of autonomous agents. That sequence matters because it shows how quickly the conversation has shifted from abstract AI safety to practical standards for systems that can plan and take action.

NIST has framed AI agent systems as capable of planning and taking autonomous actions, which creates unique security challenges. That includes not only preventing misuse, but making sure different systems can work together without creating new gaps in oversight, logging, authentication, and incident response. The standards effort suggests that industry cannot define this terrain alone, especially when the stakes reach beyond software teams and into public institutions, regulated industries, and essential services.

What organizations should understand now

The immediate lesson is that agentic AI is not just a product update. It is a governance change. If Gemini and comparable systems can move across workstreams, then security has to move with them: more granular access controls, tighter credential handling, better logging, clearer approval chains, and faster review of anything the agent touches on the public web.

There is also a human lesson here. When AI is framed as an assistant, failure sounds like inconvenience. When AI becomes an agent, failure can become displacement of blame. A bad action may be traced to a model, a prompt, a hidden instruction, a workflow policy, or a user who never saw what happened in time. That diffusion of responsibility is precisely why the accountability question matters as much as the technical one.

Google is trying to build guardrails at the same time it expands autonomy, and that is a revealing sign of the moment. The products are moving forward; the standards, oversight structures, and public expectations are still catching up. Until accountability is built into the architecture, autonomy will remain a promise carried by users, admins, and the public when it goes wrong.