Google researchers Rohin Shah and Four Flynn introduced the AI Control Roadmap on June 18, 2026, to manage risks posed by autonomous AI agents. These systems could create $2.9 trillion in economic value in the U.S. by 2030, but their capability necessitates advanced security frameworks. The roadmap treats AI agents as potentially misaligned by default, applying a defense-in-depth strategy that incorporates sandboxing and prompt injection resistance alongside system-level security. The framework functions like a vehicle's dual controls, enabling human-verified permissions that scale as agent capabilities advance.

The strategy utilizes a novel threat-modelling framework inspired by the MITRE ATT&CK database, a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. By categorizing untrusted agents as insider threats, the roadmap tracks risks through three performance metrics: coverage (the fraction of traffic monitored), recall (the fraction of misaligned behaviors caught), and time-to-response. Trusted AI systems act as supervisors, reviewing agent reasoning and blocking harmful actions before execution. This approach is further segmented into Detection (D1-D4) and Prevention and Response (R1-R3) levels, mapped to specific model capabilities and evasion techniques.

To refine these protocols, the team analyzed a million coding agent trajectories. Findings revealed that most flagged events stem from agent misinterpretation or overeagerness rather than adversarial intent. Insights from this research have enabled the deployment of a live monitor for the Gemini Spark agent, which mitigates risks like unintentional data deletion. Beyond internal deployment, the company is advocating for broader industry adoption and has published a paper titled 'Three Layers of Agent Security' to assist policymakers in building ecosystem-wide resilience. The research was authored by a team including Mary Phuong, Erik Jenner, Laurent Simon, Lewis Ho, Rohin Shah, Sebastian Farquhar, and Scott Coull.

Google researchers Rohin Shah and Four Flynn introduced the AI Control Roadmap on June 18, 2026, to manage risks posed by autonomous AI agents. These systems could create $2.9 trillion in economic value in the U.S. by 2030, but their capability necessitates advanced security frameworks. The roadmap treats AI agents as potentially misaligned by default, applying a defense-in-depth strategy that incorporates sandboxing and prompt injection resistance alongside system-level security. The framework functions like a vehicle's dual controls, enabling human-verified permissions that scale as agent capabilities advance.

The strategy utilizes a novel threat-modelling framework inspired by the MITRE ATT&CK database, a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. By categorizing untrusted agents as insider threats, the roadmap tracks risks through three performance metrics: coverage (the fraction of traffic monitored), recall (the fraction of misaligned behaviors caught), and time-to-response. Trusted AI systems act as supervisors, reviewing agent reasoning and blocking harmful actions before execution. This approach is further segmented into Detection (D1-D4) and Prevention and Response (R1-R3) levels, mapped to specific model capabilities and evasion techniques.

To refine these protocols, the team analyzed a million coding agent trajectories. Findings revealed that most flagged events stem from agent misinterpretation or overeagerness rather than adversarial intent. Insights from this research have enabled the deployment of a live monitor for the Gemini Spark agent, which mitigates risks like unintentional data deletion. Beyond internal deployment, the company is advocating for broader industry adoption and has published a paper titled 'Three Layers of Agent Security' to assist policymakers in building ecosystem-wide resilience. The research was authored by a team including Mary Phuong, Erik Jenner, Laurent Simon, Lewis Ho, Rohin Shah, Sebastian Farquhar, and Scott Coull.