Google DeepMind published an AI Control Roadmap on June 18, 2026, outlining how the company plans to secure its own infrastructure against AI agents that may behave in unintended ways — even without adversarial manipulation. The framework is notable for its candour: rather than assuming alignment will hold, DeepMind builds structural containment into the design from the start.

Treating agents as insider threats

The central premise of the roadmap is that autonomous agents should be treated the way enterprise security teams treat privileged human employees: assume they can be compromised, monitor their reasoning at runtime, and enforce hard stops before a bad action becomes irreversible.

The threat model draws on MITRE ATT&CK and identifies 15 system-level defences, including a Supervisor Agent that monitors other agents in real time, cryptographic signing of agent actions to create an auditable chain, and a kill switch that can halt execution mid-task. Access controls are layered so that no single agent holds broad permissions; instead, agents receive only the credentials needed for a specific, scoped task.

Tested at scale

DeepMind shared results from a prototype that ran across roughly one million coding-agent tasks. The majority of flagged events involved misinterpretation or over-eagerness rather than adversarial intent — in one case, a Gemini Spark monitor caught an agent inadvertently queuing a data deletion that fell outside the scope of its instructions. The high volume of false-positives-versus-real-violations suggests that precise monitoring calibration will be a significant engineering challenge as agent workloads scale.

The framework explicitly treats model alignment as imperfect and supplements it with defence-in-depth — a posture that implies even well-tested frontier models cannot be fully trusted in agentic loops without independent oversight layers.

Why it matters for the industry

The roadmap arrives as enterprises are deploying agents with access to production databases, internal APIs, and customer data. Most current agent platforms, including many coding and automation agents, rely primarily on prompt-level guardrails rather than architectural containment. DeepMind's publication gives infrastructure teams a concrete threat taxonomy and a set of technical controls to evaluate against their own deployments.

The document does not describe a product or announce a timeline for external availability; it is a technical framework describing how DeepMind secures its own internal systems. Even so, its detail level and the accompanying test data make it one of the more substantive public contributions to agent safety engineering to date.