Google imposes agent guardrails and Workspace monitoring after poisoning warnings

Google spent last week’s Cloud Next ’26 event turning AI agent security into an admin-console feature, not just a model-safety promise. (cloud.google.com) The company said new agent governance controls include an AI control center, agent management, and Workspace Studio controls to monitor, control, and audit agent access to Workspace data. (cloud.google.com) Google also rolled out Workspace Intelligence on April 22, an underlying system that gives Gemini real-time context from Gmail, Chat, Calendar, Drive, Docs, Sheets, and Slides. Admins can now turn those data sources off by domain, organizational unit, or group. (workspaceupdates.googleblog.com) That matters because AI agents do not just answer questions; they read files, pull context from multiple apps, and can take follow-up actions across a company’s documents and inboxes. Google’s new controls are designed to decide what those systems can see before they start searching broadly. (workspace.google.com) (workspaceupdates.googleblog.com) The security problem is called indirect prompt injection, which works like a hidden note slipped into material an AI system later reads. A poisoned web page, email, or document can try to make the model follow the attacker’s instructions instead of the user’s. (security.googleblog.com 1) (security.googleblog.com 2) Google escalated that warning on April 23, when its security team said it had scanned public web data for known prompt-injection patterns and found the technique showing up in the wild. The company used Common Crawl’s monthly snapshots of 2 billion to 3 billion English-language pages for the study. (security.googleblog.com) Inside Workspace, Google says it is responding with layered defenses rather than claiming the problem is solved. Its April 2 security post described human red-teaming, automated red-teaming, bug rewards, and live hacking events for pre-release features. (security.googleblog.com) The admin side is getting consolidated too. Google said Gemini Enterprise settings, including service toggles and data-sharing configurations, now sit in the Generative AI section of the Workspace Admin console. (workspaceupdates.googleblog.com) For developers running longer-lived agents, Google is also pushing runtime observability. Gemini Enterprise Agent Platform documentation now highlights traces, agent relationships, online monitors, evaluation metrics, failure-cluster analysis, and quality alerts. (docs.cloud.google.com) The net effect is that Google is treating agent security as an operations problem that keeps running after deployment. The model may still generate the answer, but administrators are now being handed more switches to decide what the agent can reach, watch what it did, and shut down risky paths faster. (cloud.google.com) (docs.cloud.google.com)