Browser makers are moving toward tools that can do more than display web pages. A new wave of agentic features is being designed to take actions for users, including booking tickets or shopping for different items.
Google has now described how it plans to handle the security side of those capabilities in Chrome. The company previewed agentic capabilities on Chrome in September and said the features will roll out in the coming months.
Why Chrome’s Agentic Features Need Guardrails
Agentic browsing changes the security problem because the browser is no longer only helping a user find information. It may also be helping carry out a task. That can create practical risks if an agent clicks, types, navigates or shares information in ways that do not match what the user intended.
The source article points to two broad categories of harm: loss of data and loss of money. Those risks matter because agentic features can operate across websites, page elements and account-based services. A helpful agent therefore needs boundaries around what it can read, where it can act and when the user must step in.
Google’s approach is built around multiple checks rather than a single safety layer. The company described observer models, user consent, origin restrictions, URL investigation and prompt-injection defenses as parts of the system.
How Google Uses Models to Check the Agent
One core safeguard is a User Alignment Critic built using Gemini. Google said this critic examines the action items created by a planner model for a particular task. If the critic decides that the planned actions do not serve the user’s goal, it asks the planner model to rethink the strategy.
This is meant to create a review step between planning and action. The agent may create a sequence of steps, but another model checks whether those steps still align with the original user request.
Google also said the critic model only sees metadata of the proposed action. It does not see the actual web content. That distinction matters because the review model is being used to inspect the plan without receiving the full contents of the page.
Origin Limits Aim to Reduce Data Leaks
Google is also using Agent Origin Sets to limit what the agent can access. These sets separate origins into read-only origins and read-writeable origins.
A read-only origin is one whose content Gemini is permitted to consume. Google gave the example of a shopping site, where listings may be relevant to the user’s task but banner ads are not. The company also said the agent is only allowed to click or type on certain iframes of a page.
In practice, this means the agent is not treated as having equal access to every part of a website. Some page content can be read, some can be acted on, and some can be kept outside the agent’s available context.
“This delineation enforces that only data from a limited set of origins is available to the agent, and this data can only be passed on to the writable origins. This bounds the threat vector of cross-origin data leaks. This also gives the browser the ability to enforce some of that separation, such as by not even sending to the model data that is outside the readable set,” the company said in a blog post.
That design points to a larger theme in Chrome’s agentic security plan: the browser itself can enforce limits instead of relying only on the model to behave correctly.
Consent Still Matters for Sensitive Actions
Google said it is also handing control back to users for sensitive tasks. If an agent tries to navigate to a sensitive site containing information such as banking or medical data, it asks the user first.
For sites that require sign-in, Chrome will ask the user for permission to use the password manager. Google said the agent’s model does not have exposure to password data.
The company also said users will be asked before actions such as making a purchase or sending a message. Those examples show where Google sees a clear need for human approval: moments when the action could have financial, personal or communication consequences.
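To make the origin-set and consent rules above concrete, here is an added example (not Google's or Chrome's code) that models a read/write origin set, the browser-side context filter, the metadata-only view a critic would receive, and the consent gate for sensitive action kinds; every origin, field name and action kind in it is an assumption chosen for illustration.

```javascript
// Added example, not Google's code: a toy model of the Agent Origin Set and
// consent rules described above. Origins, action kinds and field names are
// assumptions chosen for illustration.
const taskPolicy = {
  // Content may be read only from these origins...
  readable: new Set(["https://shop.example", "https://reviews.example"]),
  // ...and the agent may click, type or submit only on these.
  writable: new Set(["https://shop.example"]),
  // Action kinds that need explicit user approval (assumed names).
  consentRequired: new Set(["purchase", "send_message"]),
};
const originOf = (url) => new URL(url).origin;

// Browser-side filter: chunks from origins outside the readable set are
// dropped before anything reaches the model (e.g. a banner-ad iframe).
function filterContext(policy, chunks) {
  return chunks.filter((c) => policy.readable.has(originOf(c.url)));
}

// Evaluate one planned action: data may flow only from readable origins to
// writable origins, and sensitive action kinds also need user consent.
function evaluateAction(policy, action, userApproved = false) {
  const target = originOf(action.targetUrl);
  if (!policy.writable.has(target)) {
    return { allowed: false, reason: `target ${target} is not writable` };
  }
  for (const src of action.dataFrom) {
    const origin = originOf(src);
    if (!policy.readable.has(origin)) {
      return { allowed: false, reason: `${origin} is outside the readable set` };
    }
  }
  if (policy.consentRequired.has(action.kind) && !userApproved) {
    return { allowed: false, reason: "user consent required" };
  }
  return { allowed: true, reason: "ok" };
}

// What the critic model receives: action metadata only, never page text.
function criticView(action) {
  return { kind: action.kind, targetOrigin: originOf(action.targetUrl),
           sourceOrigins: action.dataFrom.map(originOf) };
}

// Constructed sample input: two page chunks and three planned actions.
const pageChunks = [{ url: "https://shop.example/item/42", text: "Blue kettle" },
                    { url: "https://ads.example/banner", text: "Banner ad" }];
const fillForm = { kind: "type", targetUrl: "https://shop.example/checkout", dataFrom: ["https://reviews.example/kettle"] };
const leak = { kind: "type", targetUrl: "https://paste.example/new", dataFrom: ["https://shop.example/item/42"] };
const buy = { kind: "purchase", targetUrl: "https://shop.example/checkout", dataFrom: [] };
```

Run with Node: `filterContext` drops the ad chunk, `evaluateAction` rejects the cross-origin write and the unapproved purchase, and `criticView` never carries page text.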
Prompt Injection Is Part of the Threat Model
Google also said it has a prompt-injection classifier to prevent unwanted actions. Prompt injection is a concern for agentic browsing because an agent may encounter instructions embedded in web content while trying to complete a task.
The company said it is testing agentic capabilities against attacks created by researchers. That testing sits alongside the other controls: critic models, Agent Origin Sets, URL checks and user consent.
Google is not the only company focusing on this issue. The source article notes that AI browser makers are paying attention to security, and that earlier this month Perplexity released a new open-source content detection model to prevent prompt injection attacks against agents.
The direction is clear from the facts Google shared: agentic browsers are being built with more than convenience in mind. If Chrome is going to act for users, Google is trying to define where the model can read, where it can write, when another model should challenge the plan and when the user must approve the next step.