Google Fortifies Chrome with AI Security: New Gemini Model and Enhanced Defense Against Prompt Injections
December 8, 2025
Google is strengthening Chrome’s agentic capabilities with layered security protections to guard against indirect prompt injections and related data risks, while planning to add a second Gemini-based model to address emerging security concerns.
A new security architecture for Gemini-powered web agents in Chrome enables task execution across sites for users, with an emphasis on user safety and control.
An observer model reviews every URL the agent proposes, blocking navigation to harmful model-generated links before it occurs, and includes a prompt-injection classifier to stop malicious instructions.
Automated red-teaming and synthetic attacks are used to probe high-risk vectors, including user-generated content, to preempt real-world exploits.
Transparency is provided via a work log detailing every step, with users able to stop the agent at any time.
The AI model cannot access saved passwords directly, and purchases or message sending require explicit user approval.
The approach fits a broader dual-LLM pattern (CaMeL) where one model moderates another, reflecting related academic and industry work.
The Alignment Critic evaluates planned actions using only metadata to veto unsafe or misaligned actions before execution, protecting the decision process from manipulation.
Agentic browsing enables an AI agent to autonomously perform multi-step tasks across websites, including reading content, clicking, filling forms, and taking actions for the user.
User control and safety are central, requiring explicit user confirmation for high-stakes actions and restricting the agent’s data access to only necessary origins.
Agent Origin Sets restrict the agent to relevant, origin-scoped data with read-only and read-write classifications to prevent cross-origin data leaks and arbitrary actions.
Gating functions assess each new origin for relevancy before navigation, reducing opportunities for compromised agents to act unpredictably.
The system enforces whitelists and checks so model-generated URLs are vetted and actions are logged in real time with prompts for sensitive steps like banking or purchases.
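The origin-scoped gating, read-only versus read-write classification, and work log described above can be sketched as a small policy check that sees only action metadata (action kind and target origin), never page text. This is an added, constructed illustration, not Chrome's code; the names AgentOriginSet, gate_action, the sensitive-action categories and the sample origins are all assumptions.

```python
"""Constructed illustration of origin-scoped gating for a browser agent.
Added example, not Chrome's implementation; names and sample values are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed sample categories: these trigger an explicit user confirmation.
SENSITIVE_ACTIONS = {"purchase", "send_message", "sign_in"}
SENSITIVE_ORIGINS = {"https://bank.example"}


@dataclass
class AgentOriginSet:
    """Origins the current task may touch, split by permitted access level."""
    read_only: set = field(default_factory=set)
    read_write: set = field(default_factory=set)
    work_log: list = field(default_factory=list)   # every decision is recorded


def origin_of(url: str) -> str:
    """Reduce a (possibly model-generated) URL to its scheme://host[:port] origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def gate_action(policy: AgentOriginSet, action: dict) -> str:
    """Decide on a proposed action from metadata alone (no page content is read).
    Returns 'allow', 'confirm' (needs explicit user approval) or 'block'."""
    origin = origin_of(action["url"])
    kind = action["kind"]                    # 'read', 'write', 'purchase', ...
    if origin not in policy.read_only | policy.read_write:
        decision = "block"                   # origin is outside the task's set
    elif kind != "read" and origin not in policy.read_write:
        decision = "block"                   # write attempted on a read-only origin
    elif kind in SENSITIVE_ACTIONS or origin in SENSITIVE_ORIGINS:
        decision = "confirm"                 # high-stakes: user must approve
    else:
        decision = "allow"
    policy.work_log.append((kind, origin, decision))
    return decision


def run_sample() -> list:
    """Walk a constructed sequence of agent actions and return the work log."""
    policy = AgentOriginSet(read_only={"https://reviews.example"},
                            read_write={"https://shop.example", "https://bank.example"})
    actions = [
        {"kind": "read", "url": "https://reviews.example/item/42"},
        {"kind": "write", "url": "https://reviews.example/post"},        # read-only origin
        {"kind": "read", "url": "https://evil.example/coupon"},          # injected link
        {"kind": "purchase", "url": "https://Shop.Example/checkout"},    # needs consent
    ]
    for a in actions:
        gate_action(policy, a)
    return policy.work_log
```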
Industry context includes Gartner’s warnings about AI browsers, highlighting the risks of agentic features in browsers.
A prompt-injection classifier runs in parallel with the planner to block actions induced by manipulative content, complementing Safe Browsing and on-device defenses.
Google is testing its defenses against simulated attacks and points to parallel industry efforts, including open-source models from peers for detecting malicious content aimed at agents.
New whitelisting and real-time logging are in place, with explicit user confirmation required for high-sensitivity steps like logging in, accessing financial sites, or making purchases.
The User Alignment Critic, a Gemini-based model, independently checks each proposed action against the user’s goals and can veto unsafe or misaligned moves using metadata alone.
For highly sensitive tasks, Chrome prompts for explicit user consent before the agent navigates to banking or medical sites, signs in (including any use of the password manager), or makes purchases; a work log and deterministic checks keep the user in the loop, and Chrome may also request permission for other consequential actions.
A layered defense combines deterministic and probabilistic methods to deter attackers from compromising agent actions.
A dedicated prompt-injection classifier, running in parallel with the planner, detects social-engineering attempts and blocks actions induced by manipulated content; it operates alongside Safe Browsing and on-device detection, and researchers continue to test it against attacker vectors.
Related security communications note concerns about prompt injection and phishing risks in agentic features across the industry.
The rollout signals a broader shift toward secure, user-centric adoption of agentic browser features, balancing automation with protections.
Automated red-teaming and sandboxed sites generate attack simulations to continuously test defenses, with updates delivered through Chrome’s update mechanism.
Testing includes synthetic attacks focusing on user-generated content, ads, credential leaks, and unwanted financial transactions.
Industry context includes open-source detection models and broader security developments responding to prompt injection threats.
An industry veteran quoted in the coverage identifies indirect prompt injection as the principal new threat for agentic browsing and underscores the need for robust oversight.
Chrome’s agentic features raise security concerns about user data and finances as they begin to act autonomously.
Initial Gemini-powered chat interfaces sparked fears of indirect prompt injection that could steer actions like financial transactions or data exfiltration.
Google is expanding its Vulnerability Rewards Program to cover the agentic security boundaries, offering rewards up to twenty thousand dollars to researchers who uncover breaches of those boundaries; the open bounty invites researchers to probe the agentic system and strengthen its security posture.
The browser enforces data access restrictions to prevent cross-origin data leaks and ensure disallowed data never reaches the AI model.
Google details security measures for Chrome’s agentic features, including observer models and explicit user consent for actions.
The User Alignment Critic analyzes action metadata to protect privacy, maintaining a separation between AI goals and web content.
Summary based on 7 sources
Sources

TechCrunch • Dec 8, 2025
Google details security measures for Chrome’s agentic features
BleepingComputer • Dec 8, 2025
Google Chrome adds new security layer for Gemini AI agentic browsing
The Register • Dec 9, 2025
Google says Chrome's new AI creates risks only more AI can fix
9to5Google • Dec 8, 2025
Google explains Gemini in Chrome’s agentic browsing security, protections