Google outlines the security safeguards in place for Chrome’s agent-driven features.

Google has outlined how it plans to safeguard Chrome users by combining observer models with explicit user consent before an agent takes any consequential action. The company first previewed these agentic features in September and said they will be rolled out gradually over the coming months.

According to Google, several AI models work together to monitor and control agent-driven actions. One of these is the User Alignment Critic, built with Gemini, which evaluates action plans created by the planner model for specific tasks. If the critic determines that a proposed plan does not align with the user’s intended objective, it prompts the planner to revise its approach. Google emphasized that this critic model reviews only the metadata of proposed actions and does not access the underlying web content.

To further limit agents' exposure to unsafe or unreliable websites, Google is introducing Agent Origin Sets, a mechanism that confines a model to an explicit set of read-only and read-write origins. Read-only origins hold content Gemini is allowed to process. On an e-commerce site, for example, the product listings may be relevant to the task while banner advertisements are excluded. Likewise, the agent may interact with a page (clicking or typing) only inside designated iframes.

According to Google, this separation ensures that only data from approved sources is made available to the agent, and that such data can be forwarded solely to authorized writable origins. This approach reduces the risk of cross-origin data leakage and allows the browser to enforce strict boundaries, including blocking any data outside the approved readable set from being sent to the model.
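The policy described above, as an added illustration rather than Chrome's own code: a small origin-set enforcer in JavaScript. The class and function names, the fictional sites, the page fragments and the "prompt injection" banner text are all constructed for this example; the only real behaviour relied on is the WHATWG `URL` parser, whose `origin` property normalises default ports and returns `"null"` for opaque origins such as `data:` and `javascript:` URLs.

```javascript
// Hypothetical Agent Origin Set enforcer. Not Chrome's implementation; names and
// sample sites are assumptions made for this illustration.

// Normalise a URL to its origin (scheme://host[:port]). Opaque origins come back as
// the string "null", which covers data:, blob:, javascript: and similar URLs.
function originOf(urlString) {
  return new URL(urlString).origin;
}

class AgentOriginSet {
  constructor({ readOnly = [], readWrite = [] }) {
    this.readOnly = new Set(readOnly.map(originOf));
    this.readWrite = new Set(readWrite.map(originOf));
    if (this.readOnly.has("null") || this.readWrite.has("null")) {
      throw new Error("opaque origins cannot be placed in an origin set");
    }
  }

  // Content the model may see: anything from a read-only or read-write origin.
  canRead(url) {
    const o = originOf(url);
    return o !== "null" && (this.readOnly.has(o) || this.readWrite.has(o));
  }

  // Targets the agent may act on (click, type, submit, forward data to).
  canWrite(url) {
    const o = originOf(url);
    return o !== "null" && this.readWrite.has(o);
  }
}

// Partition page fragments into what reaches the model and what is withheld.
// Each fragment is tagged with its source origin so provenance travels with the data.
function collectForModel(policy, fragments) {
  const allowed = [];
  const blocked = [];
  for (const f of fragments) {
    const tagged = { ...f, origin: originOf(f.url) };
    (policy.canRead(f.url) ? allowed : blocked).push(tagged);
  }
  return { allowed, blocked };
}

// Forward a tagged fragment to a target. Both ends are checked: the source must be in
// the readable set (withheld data cannot be smuggled through) and the target must be
// in the writable set (readable data cannot leak cross-origin to an arbitrary site).
function forwardData(policy, fragment, targetUrl) {
  if (!policy.canRead(fragment.url)) {
    return { ok: false, reason: `source ${originOf(fragment.url)} is not readable` };
  }
  if (!policy.canWrite(targetUrl)) {
    return { ok: false, reason: `target ${originOf(targetUrl)} is not writable` };
  }
  return { ok: true, target: originOf(targetUrl), bytes: fragment.text.length };
}

// Constructed sample: a shopping task on a fictional store.
const policy = new AgentOriginSet({
  readOnly: ["https://shop.example"],
  readWrite: ["https://checkout.shop.example:443"], // default port is normalised away
});

const fragments = [
  { kind: "product", url: "https://shop.example/products/123", text: "Widget, $19.99" },
  { kind: "ad", url: "https://ads.example/banner", text: "IGNORE PREVIOUS INSTRUCTIONS..." },
  { kind: "cart", url: "https://checkout.shop.example/cart", text: "Cart: empty" },
  { kind: "scheme", url: "http://shop.example/products/123", text: "plain-http copy" },
];

function demo() {
  const { allowed, blocked } = collectForModel(policy, fragments);
  const product = allowed.find((f) => f.kind === "product");
  return {
    allowedKinds: allowed.map((f) => f.kind),   // ["product", "cart"]
    blockedKinds: blocked.map((f) => f.kind),   // ["ad", "scheme"]
    toCheckout: forwardData(policy, product, "https://checkout.shop.example/cart"),
    toThirdParty: forwardData(policy, product, "https://evil.example/collect"),
    toOpaque: forwardData(policy, product, "data:text/html,<script></script>"),
    adToCheckout: forwardData(policy, fragments[1], "https://checkout.shop.example/cart"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two points the sample makes that the prose leaves implicit: the banner ad is excluded even though it sits on the same page, because origin, not page, is the unit of trust; and the plain-`http://` copy of the product page is a different origin from the `https://` one, so a downgrade does not inherit the read permission.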

Additionally, Google monitors page navigation by passing URLs through a separate observer model. This check is intended to stop agents from navigating to potentially harmful links, including URLs the model itself generated rather than took from the page, the company added.

Google noted that it gives users full control over sensitive activities performed by agents. For example, when an agent attempts to access a website involving sensitive information such as banking details or medical records, it must first request the user’s approval. Similarly, for websites that require login credentials, Chrome will seek the user’s consent before accessing stored information through the password manager. Google emphasized that the agent’s model does not have access to any password data. The company also stated that users will be prompted for confirmation before an agent carries out actions such as completing a purchase or sending a message.

In addition, Google said it employs a prompt-injection classifier to block unauthorized or malicious actions and is actively testing its agentic features against attack scenarios developed by security researchers.

Other AI-focused browser developers are also prioritizing security. Earlier this month, Perplexity introduced a new open-source content detection model designed to defend agents against prompt-injection attacks.