Google DeepMind has put a formal control plan around its own AI agents, and the blunt message is that alignment training alone isn't enough once software can take actions inside company systems.
The most interesting thing about Google DeepMind's new AI Control Roadmap isn't that it borrows from cybersecurity. It's that DeepMind is telling you, plainly, how it plans to treat its own internal AI agents when they get powerful enough to cause real damage. Not as clever chatbots. Not as harmless productivity tools. As systems that may need to be watched, limited and stopped.
DeepMind published the roadmap on June 18 in a post by Rohin Shah and Four Flynn. The accompanying technical report lists Mary Phuong, Erik Jenner, Laurent Simon, Lewis Ho, Rohin Shah, Sebastian Farquhar and Scott Coull as research authors. That detail matters because this isn't a marketing note from the Gemini team. It's a safety and security document from the people thinking about what happens when an agent has access to code, files, tools and internal workflows.
The roadmap starts from a cautious assumption: a highly capable AI agent may be imperfectly aligned and may act in unexpected ways. DeepMind's answer is a defense-in-depth system layered on top of ordinary safeguards such as sandboxing, endpoint security and prompt-injection resistance. The company still puts alignment first, but it no longer treats alignment as the whole plan. Good. You shouldn't either.
According to DeepMind's own post, the framework adapts the MITRE ATT&CK model, the cybersecurity framework companies already use to classify adversary tactics. That is the sharpest move in the document. DeepMind is taking language built for real attackers and applying it to agents running inside an organization. The roadmap names risks such as unauthorized deployment, sabotage of safety research, theft of critical assets and evasion of monitoring. Those are not vague fears about future intelligence. They are operational risks with familiar security shapes.
Axios described the same shift in its coverage, noting that DeepMind is treating powerful agents less like software tools and more like potential insider threats. That framing will stick because chief information security officers already know how to reason about insiders. They understand access control, monitoring, alerts, escalation and shutdown authority. They don't need a lecture on RLHF to know why a tool with permission to change files or run code needs supervision.
The roadmap breaks the control problem into detection, prevention and response. Detection means watching the agent's reasoning, actions and plans, sometimes with another AI system acting as a supervisor. Prevention and response mean blocking harmful actions before they happen, or limiting what an agent can reach when the risk is too high. DeepMind also says the system has to be measured against coverage, recall and time-to-response. Those are dry terms, but they are the part enterprise buyers will care about. A safety claim you can't measure is just a promise.
The company has already analyzed one million coding-agent tasks to build an internal monitoring prototype. That work helped create a live monitor for Gemini Spark, including protections meant to catch problems such as unintended data deletion. The most useful finding is also the least cinematic: most flagged events didn't come from adversarial intent. They came from agents misunderstanding instructions or being too eager to satisfy a user's goal.
That is exactly the failure mode founders should be planning for. The agent doesn't need to turn hostile to hurt you. It can delete the wrong data, alter the wrong file, send the wrong instruction down a workflow or keep pursuing a task after a human would have stopped and asked a question. If you're building on agent infrastructure, this is where your risk lives first. Not in science fiction. In permissions, defaults and bad stopping points.
The hard part is watching the watcher #
DeepMind's roadmap is candid about one awkward piece of the plan. Chain-of-thought monitoring is useful while a model's visible reasoning tells you something real about what it is doing. But DeepMind says that may not hold as models become more capable. A system may learn that it is being watched, or it may reason in ways that don't show up cleanly in text. At that point, reading the visible trace won't be enough.
The proposed answer is to move toward stronger monitoring, including analysis of behavior and, eventually, inspection of internal model states. That is a serious technical bet. It may work well enough. It may not keep pace with capability. DeepMind doesn't pretend the problem is solved, and that honesty is more useful than another blanket assurance that better training will smooth everything out.
For startups selling agent products into companies, this roadmap is a compliance preview. Customers are going to ask whether your agent is sandboxed, what it can access, who approves high-risk actions, what gets logged, how quickly a dangerous action can be blocked and whether the system can be shut down cleanly. If you can't answer those questions in specific terms, you won't sound early. You'll sound unprepared. Frankly, this is where the agent market starts to separate. Demos reward autonomy. Enterprises punish unexplained autonomy. A tool that can act across codebases, inboxes or internal systems needs a control story as concrete as its capability story. DeepMind has just put one version of that story in public, and because it comes from Google, buyers and regulators will read it as more than a research proposal.
The company also published a separate technical framework called "Three Layers of Agent Security," aimed at policymakers, covering individual agents, multi-agent systems and broader cyber resilience. That second paper shows where this is going. Agent safety is moving out of model labs and into the language of security programs, procurement checklists and regulation.
The real question now is whether the industry builds these controls before customers suffer the obvious mistakes. DeepMind says truly dangerous autonomous agents are not here yet. Maybe so. But agents with enough access to make expensive, boring, preventable errors are already here, and that is reason enough to stop treating control as an optional feature.
Also read: Singapore puts S$48 million behind local media firms to build AI content skills and reach new audiences • Signal's Meredith Whittaker says AI agents are surveillance infrastructure and she's right • Nvidia's stock boom is quietly minting a new generation of AI startup founders