Google Chrome Brings in AI to Monitor AI


Google’s Chrome security team announced Monday that it has new security features for its agentic browser AI. Google Gemini, which has been onboard Chrome with free and paid versions since September, now has a watchdog to make sure it doesn’t go off the rails while completing tasks for you online. That watchdog, of course, is also AI.

“We’re introducing a user alignment critic where the agent’s actions are vetted by a separate model that is isolated from untrusted content,” Google security team member Nathan Parker wrote in a statement. “We’re also extending Chrome’s origin-isolation capabilities to constrain what origins the agent can interact with, to just those that are relevant to the task.”

Parker went on to list several additional security measures, including threat detection and user confirmation. What caught our attention is that Google is using an AI model to protect another AI model—and, by extension, protect the user.

The problem with having an AI agent do tasks for you on your browser is that it could, if manipulated, do things that you didn’t intend. If bad actors can influence the AI agent, it could send your data to them without your knowledge. Parker noted that it could even lead an AI to start a financial transaction.



This sort of attack is known as indirect prompt injection. Like other malware, it can lie in wait within various online content, and you probably won’t know when you encounter it. The User Alignment Critic AI protects you by watching Gemini’s actions and stopping any that don’t align with your goals.

Because the goal is to avoid exposing the User Alignment Critic to what Parker dubs “unfiltered untrustworthy content,” it ends up with less context about the proposed task before deciding whether to allow it. The Critic sees only metadata. Still, that should be enough for the AI to determine whether the agent is taking safe actions.

By keeping this model separate, Google makes the monitoring AI hard to attack. Even so, the other steps, like user confirmation, add extra protection for you. One of these layers is known as spotlighting. The browser’s primary AI model prioritizes your (or the browser’s) instructions over any it receives from other sites, making it harder for malicious instructions to influence the AI. And when it’s time to pay, you should see a prompt.
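A deterministic sketch of the layering described above, added here as an example and not Chrome's or Google's code: the real critic is a model, and the field names, action kinds and `.example` origins below are assumptions. It shows the vetting step receiving only action metadata, rejecting origins outside the task, and routing payments to user confirmation.

```javascript
"use strict";
// Added illustration; every name here is hypothetical.
const CONFIRM_KINDS = new Set(["pay"]); // actions that always need the user

// Reduce an agent proposal to metadata. The untrusted page text and the
// agent's free-form rationale are deliberately dropped at this boundary.
function toCriticInput(proposal) {
  let origin = null;
  try {
    origin = new URL(proposal.targetUrl).origin;
  } catch (_) {
    // Malformed URL: leave origin null so the action is blocked below.
  }
  return { kind: proposal.kind, origin };
}

// Stand-in for the critic: it sees the user's task and metadata only.
function vetAction(task, proposal) {
  const meta = toCriticInput(proposal);
  if (meta.origin === null || !task.allowedOrigins.includes(meta.origin)) {
    return { verdict: "block", reason: "origin not relevant to the task" };
  }
  if (!task.allowedKinds.includes(meta.kind)) {
    return { verdict: "block", reason: "action kind not part of the task" };
  }
  if (CONFIRM_KINDS.has(meta.kind)) {
    return { verdict: "confirm", reason: "payment requires a user prompt" };
  }
  return { verdict: "allow", reason: "consistent with the task" };
}

// Constructed sample data: a ticket purchase limited to one origin.
const task = {
  goal: "buy two concert tickets",
  allowedOrigins: ["https://tickets.example"],
  allowedKinds: ["navigate", "click", "fill_form", "pay"],
};
const untrusted = "constructed untrusted page content";
const proposals = [
  { kind: "click", targetUrl: "https://tickets.example/seats", pageText: untrusted },
  { kind: "pay", targetUrl: "https://tickets.example/checkout", pageText: untrusted },
  { kind: "navigate", targetUrl: "https://collector.example/upload", pageText: untrusted },
  { kind: "click", targetUrl: "https://tickets.example.lookalike.test/", pageText: untrusted },
  { kind: "navigate", targetUrl: "not a url", pageText: untrusted },
];
for (const p of proposals) {
  console.log(p.kind, p.targetUrl, "->", vetAction(task, p).verdict);
}
```

Matching on the exact origin string is what stops the lookalike host from passing as the ticket site.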

Is Gemini’s new security system perfect? Probably not—and Google isn’t betting on it. The company is offering up to $20,000 to users who discover and report vulnerabilities to help improve the AI’s security.


