Google Deepmind is approaching advanced AI agents with a simple assumption: even a useful agent should not automatically be trusted with broad access. Its new AI Control Roadmap sets out a framework for giving AI systems permissions only after their behavior has been checked.
The result is a security model built around caution. Instead of relying on alignment to solve every problem, Deepmind plans for agents that may misunderstand instructions, act too aggressively, or go off script.
A roadmap built around controlled trust
The AI Control Roadmap describes how Google limits access for its most advanced internal AI systems. Deepmind presents the approach as something that could also guide the wider industry as AI agents become more capable.
The core idea is not to assume that an agent shares the goals of its operators. Deepmind compares the setup to a driving instructor using dual controls. The student is allowed to drive, but the instructor is still ready to intervene.
For AI agents, that means access is earned in stages. A system does not receive broad permissions simply because it is powerful or useful. It receives permissions based on behavior that has been verified.
This is important because agent systems can take actions, not just produce text. If an agent is operating inside a coding environment, workflow, or internal system, the difference between a helpful action and a harmful one can depend on context. Deepmind’s framework is designed to watch that behavior and limit damage before it spreads.
Treating agents like insider threats
Deepmind models its internal AI agents in a way that resembles employees who already have access to the office but may act against the company’s interests. That does not mean every flagged agent is malicious. It means the security model starts from the possibility of misuse or failure.
The roadmap builds on the MITRE ATT&CK framework, a cybersecurity tool used to break possible attacks into tactics and techniques. Applying that style of thinking to AI agents gives Deepmind a structured way to track risks, look for suspicious patterns, and test defenses.
Several pieces work together in the framework:
- A threat model designed specifically for AI systems.
- A detection system in which trusted AI systems serve as "supervisors" for active agents.
- A prevention system that can block harmful actions before they happen.
- Measurements for how much traffic is monitored, how much misconduct is detected, and how quickly the system responds.
This structure turns AI agent safety into an operational security problem. It is not only about asking whether a model is aligned in general. It is also about monitoring what the model is doing in specific situations and deciding when intervention is needed.
The problem of agents that learn to evade oversight
Deepmind also warns that monitoring has limits. It works only as long as the monitored models do not learn how to work around it.
The roadmap ties safeguards to measurable milestones in AI capabilities. Deepmind highlights two areas that matter most: evasion and potential damage.
Evasion is the risk that models may learn to hide what they are doing. Deepmind currently monitors a model’s visible chain of thought, but that method could weaken if models develop "oversight awareness" or "opaque reasoning." In those cases, behavioral analysis and inspections of the model’s internals would need to become part of the defense.
The second issue is the scale of harm an action could cause. Some actions are low-risk and reversible, so logs can be reviewed afterward. Other actions, including major cyberattacks, require real-time prevention because waiting until after the fact would be too late.
To organize this, the roadmap uses four detection levels, D1 through D4, and three response levels, R1 through R3. The basic principle is that stronger capabilities require stronger safeguards.
What one million coding tasks showed
Deepmind tested these ideas with an internal prototype of an async monitoring system for coding agents. The system was run across one million tasks, giving the team real-world data on how agent behavior can go wrong.
The findings were not mainly about deliberate harm. Most flagged issues came from misinterpretation or overzealousness by agents trying too hard to satisfy a user’s goal. That distinction matters because a security system for AI agents has to handle more than hostile behavior.
An agent may delete data accidentally. It may pursue the wrong interpretation of a request. It may take a step that seems locally useful but creates risk in the broader environment. Deepmind says its system can identify behavior-based patterns beyond simple keyword filtering and already runs as a live monitor for the Gemini Spark agent.
That points to a practical lesson: agent security cannot depend only on detecting obviously dangerous instructions. It also has to recognize when a well-intended agent is moving too far, too fast, or in the wrong direction.
Why Deepmind says standards cannot wait
Deepmind has also published a separate paper for policymakers called "Three Layers of Agent Security." It breaks down security measures for individual agents, multi-agent systems, and the broader ecosystem, with areas ranging from cyber defense to societal resilience.
In a post on X, Deepmind warned that there is a "narrow window" to establish security protocols before multi-agent systems scale globally. The company argues that AI labs, governments, and researchers should treat layered agent security as a shared priority.
The roadmap’s message is direct: advanced AI agents should be useful, but usefulness is not the same as trust. Permissions, monitoring, and prevention need to grow with capability. For Deepmind, the safer path is to assume that powerful agents may fail in serious ways and to build controls before those failures become harder to contain.