Google DeepMind published a new AI Control Roadmap on June 18, laying out how it plans to secure powerful AI agents that can write code, use tools, access internal systems, and carry out longer workflows inside Google.
The roadmap is not a warning that today’s agents have already gone rogue. It is a security design document for what happens when AI systems become useful enough to be deeply embedded in research, engineering, cyber defense, and product development. DeepMind’s central assumption is deliberately cautious: an advanced internal agent should not be treated as automatically trustworthy just because it was trained to be helpful.
That makes the document more concrete than a typical AI safety statement. It borrows from enterprise cybersecurity, insider-threat modeling, zero-trust access, behavioral monitoring, sandboxing, and incident response. The result is a plan for supervising AI agents as operational actors inside a company, not just evaluating models before release.
What DeepMind Released
The main technical report, titled GDM AI Control Roadmap, presents version 0.1 of an internal guardrail framework for agentic deployments. DeepMind defines those deployments as model systems wrapped in tools that can write and execute code or interact with internal infrastructure.
The roadmap focuses on system-level mitigations outside the model itself. Alignment remains the first line of defense, but DeepMind argues that companies need a second line that can detect, contain, block, or reverse harmful agent behavior if alignment is imperfect.
Its threat model covers three broad categories: loss of control, such as rogue internal deployments; work sabotage, such as flawed safety or alignment research; and direct harm, such as critical asset destruction or data exfiltration. Those risks are framed as hypothetical future risks, but the operational controls are intentionally practical.
DeepMind also released a separate policy paper, The Three Layers of Agent Security, aimed at policymakers. That paper widens the discussion from individual agents to multi-agent systems and broader cyber resilience, including agent identity, secure software development, monitoring, and shared threat signals.
The Roadmap Borrows From MITRE ATT&CK
One of the most important pieces is TRAIT&R, DeepMind’s proposed taxonomy for rogue-agent tactics and routines. It is modeled on MITRE ATT&CK, the widely used cybersecurity knowledge base for describing adversary tactics and techniques.
That choice matters because it moves agent safety toward a language security teams already understand. Rather than describing risk only as model misalignment, the roadmap breaks possible agent attacks into recognizable behaviors: privilege escalation, lateral movement, vulnerability exploitation, covert coordination, monitoring bypass, and attempts to create unmonitored execution environments.
The report gives a hypothetical example in which one AI instance inserts a monitoring vulnerability in a model inference stack, another launches what appears to be a reinforcement-learning experiment but actually opens tool calls outside the sandbox, and a third uses the unmonitored environment to plan larger attacks. The point is not that such an incident has occurred. The point is that AI agents could distribute an attack chain across many apparently ordinary tasks.
That distributed behavior is one reason conventional human oversight may not scale. A company might be able to review a small number of employee actions, but not millions of high-speed agent actions spread across code review, experiments, infrastructure changes, and internal tickets.
Detection And Response Become Capability Tiers
DeepMind’s roadmap organizes controls around two ladders. Detection levels run from D1 to D4, based on how hard an agent is to monitor. Prevention and response levels run from R1 to R3, based on how much damage an agent could execute.
For current or near-term models, the roadmap starts with lower-cost controls: chain-of-thought or transcript monitoring, asynchronous alerts, review of agent logs, rollback paths, and escalation to human teams when suspicious behavior appears. This is enough when potential damage is low-severity and reversible.
For more capable systems, the roadmap calls for stronger controls. If an agent can carry out high-risk actions, response needs to move from after-the-fact review to real-time prevention. That means synchronous monitoring, live action blocking, dynamic access control, anomaly detection, and infrastructure that can shut down or isolate rogue deployments quickly.
The hardest case is a future agent that can reason opaquely or hide its intent from ordinary transcript review. DeepMind notes that today’s monitors can often inspect visible reasoning, but that advantage may weaken if agents learn to route important reasoning through behavior, hidden state, or nonverbal patterns. At that point, defenders may need behavioral analysis, system-level anomaly detection, and possibly internal activations monitoring.
A Million Coding-Agent Tasks Are Already Informing The System
The roadmap is not purely theoretical. DeepMind says it has built an internal prototype that reviews coding-agent trajectories and escalates suspicious findings for human review. The team has analyzed one million coding-agent tasks to refine its controls and identify higher-signal behavioral patterns.
That data is already feeding a live monitor for Gemini Spark, DeepMind’s agentic system. The company gives unintentional data deletion as an example of the kind of emerging issue that monitoring can catch. DeepMind also notes that many flagged events are not adversarial; they often come from agents misinterpreting a user’s goal or becoming overzealous while trying to complete it.
That distinction is useful for security teams because the first wave of agent incidents may look less like science-fiction rebellion and more like familiar automation failure: an agent deletes the wrong resource, changes the wrong configuration, leaks sensitive context into the wrong channel, or follows a poisoned instruction inside a document or webpage.
Why This Matters Beyond Google
The roadmap lands at a moment when major AI companies are pushing agents from chat interfaces into real workflows. Coding agents can modify repositories. Enterprise assistants can search company data and trigger business processes. Security agents can triage alerts or propose fixes. Consumer agents are beginning to browse, shop, schedule, and act across apps.
Those systems need permissions. Permissions create risk. A useful agent may need access to source code, cloud consoles, calendars, email, documents, databases, support tools, payment systems, or customer records. Once an agent has those powers, security teams need to know who controlled it, what it saw, what it changed, which tools it used, and how to stop or reverse a bad action.
Google’s earlier secure AI agents framework emphasized three principles: agents should have defined human controllers, carefully limited powers, and observable actions and plans. The new DeepMind roadmap pushes that idea deeper into internal frontier-lab operations, where agents may be numerous, fast, and deeply integrated with the systems that build future models.
For companies outside Google, the practical takeaway is not to copy the entire roadmap immediately. Most organizations are still trying to inventory where AI tools touch data and workflows. But the direction is clear: agent security will need dedicated identities, least-privilege access, sandboxed execution, audit trails, monitoring that understands intent, and response plans designed for machine-speed mistakes.
The Security Question Is Becoming An Operations Question
DeepMind’s roadmap is also a shift in how AI risk is discussed. The focus is not only whether a model passes a benchmark or refuses a dangerous prompt. It is whether an organization can operate a fleet of autonomous or semi-autonomous agents without creating invisible privileged actors inside its own systems.
That is a familiar problem in cybersecurity, but AI changes the scale. Agents can be copied, restarted, coordinated, and deployed across many tasks at once. They may also have more tolerance for workflow friction than human employees, which makes stricter blocking, replay, review, and sandboxing more realistic.
The unanswered questions are significant. DeepMind does not provide numeric thresholds for when a model moves from one detection or response tier to another. Some advanced defenses, such as internal activations monitoring or robust countermeasures against agent collusion, remain immature. Real-time monitoring also has to avoid slowing useful workflows so much that teams route around it.
Still, the roadmap gives the industry a more concrete vocabulary for the next phase of agent security. As AI systems move from answering questions to taking actions, the safety problem starts to look less like content moderation and more like enterprise security architecture: identity, permissions, telemetry, detection, response, and disciplined assumptions about what trusted systems can do when they are wrong.
