Google Reveals Security Plan for Chrome’s New AI Agents – Ankor Tech

Google has unveiled its security strategy for the upcoming agentic features in Chrome, which are designed to let the browser carry out tasks such as shopping or booking tickets on the user's behalf. As AI-driven browsing gains traction, these capabilities introduce significant security risks, including potential data exposure and financial loss. The company plans to roll out the features in the coming months behind a multi-layered set of defenses intended to keep the agent acting in the user's interest.

The “User Alignment Critic”

To ensure AI agents act in the user’s best interest, Google has implemented a “User Alignment Critic” powered by Gemini. This model acts as a supervisor, scrutinizing the strategies proposed by the planner model before any action is executed. If the critic determines a task does not align with the user’s stated goal, it forces the planner to recalibrate. Notably, this oversight process relies solely on action metadata, ensuring the critic model does not access the actual content of the web pages being navigated.

A pair of screenshots showing what Chrome's agent model can see from a website.

Restricting Data Access with Agent Origin Sets

Google is deploying “Agent Origin Sets” to prevent AI agents from interacting with untrustworthy or disallowed sites. By restricting the model to specific “read-only” and “read-writeable” origins, the browser reduces the attack surface for cross-origin data leaks. For example, during a shopping task the agent is permitted to read product listings but is barred from interacting with banner ads. Furthermore, the browser can withhold sensitive data from the model entirely if it originates from an origin outside the designated readable set.

Advanced Navigation and Human-in-the-Loop Controls

Security is further bolstered by an observer model that monitors page navigation, blocking attempts to access harmful URLs generated by other models. Beyond automated safeguards, Google is prioritizing human oversight for high-stakes actions:

  • Sensitive Sites: Navigation to banking or medical portals triggers an immediate user confirmation prompt.
  • Credential Security: Chrome will request explicit permission before accessing the password manager; the agent itself never gains direct access to stored password data.
  • Transaction Approval: Users must manually authorize purchases and message transmissions.

A screenshot showing Chrome's agent model asking user permission before paying for an item while shopping.
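The origin-set restrictions and the human-in-the-loop rules described above can be modelled as a single policy check over each action the planner proposes. The following is an added illustration, not Chrome's or Google's code: the policy shape (`readOnly`, `readWrite`, `sensitive` origin lists), the action types, and the constructed origins are all assumptions made for the example.

```javascript
// Constructed task policy for a shopping task (hypothetical shape, not Chrome's).
// Origins are compared as scheme + host + port; anything not listed is off-limits.
const TASK_POLICY = {
  readOnly: ["https://shop.example", "https://bank.example"],
  readWrite: ["https://checkout.shop.example"],
  // Origins whose use always needs an explicit user confirmation (e.g. banking).
  sensitive: ["https://bank.example"],
};

// Normalise a URL down to its origin so paths and queries cannot smuggle a match.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Access level the policy grants to a URL's origin: "read-write", "read" or "none".
function accessLevel(policy, url) {
  const origin = originOf(url);
  if (policy.readWrite.includes(origin)) return "read-write";
  if (policy.readOnly.includes(origin)) return "read";
  return "none";
}

// Decide whether a proposed action is allowed, blocked, or must be confirmed by the user.
// Blocks are checked first so that a confirmation prompt is never shown for an action
// the origin set would forbid anyway.
function evaluateAction(policy, action) {
  const level = accessLevel(policy, action.url);
  const isWrite = action.type !== "read";
  if (level === "none") return { decision: "block", reason: "origin not in agent origin set" };
  if (isWrite && level !== "read-write") return { decision: "block", reason: "origin is read-only" };
  const needsUser =
    policy.sensitive.includes(originOf(action.url)) ||
    action.type === "purchase" ||
    action.type === "send_message";
  if (needsUser) return { decision: "confirm", reason: "requires explicit user approval" };
  return { decision: "allow", reason: "within origin set" };
}

// Drop frames (such as a third-party ad iframe) whose origin is outside the readable
// set before the page snapshot is handed to the model, so their content never leaves the browser.
function filterPageSnapshot(policy, frames) {
  return frames.filter((frame) => accessLevel(policy, frame.url) !== "none");
}
```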

Industry-Wide Focus on AI Safety

Google is also integrating a prompt-injection classifier to neutralize malicious commands and is conducting rigorous testing against adversarial attacks developed by researchers. This focus on browser security is becoming an industry standard, with competitors like Perplexity recently releasing open-source content detection models specifically aimed at preventing prompt injection attacks against AI agents.