Google Unveils Security Framework for Chrome’s Agentic Features Using Observer Models and User Consent
Google has outlined its security strategy for the agentic features being introduced in Chrome, which are designed to allow the browser to take actions on users’ behalf—such as booking tickets or comparing products. As these capabilities grow in complexity, so do the associated risks, including unauthorized data access, financial loss, or exposure to malicious sites. To address these concerns, Google is implementing a multi-layered defense system built around observer models, strict origin controls, and explicit user consent.

The company’s approach centers on a system of checks and balances between different AI models. One key component is the User Alignment Critic, powered by Gemini, which evaluates the action plans generated by the planner model. If the critic determines that the proposed steps don’t align with the user’s stated goal, it prompts the planner to revise its strategy. Crucially, the critic model only reviews metadata about the planned actions—such as intended URLs or target elements—without accessing the actual content of web pages, preserving privacy.

To limit the agent’s access to potentially risky or irrelevant content, Google is using a system called Agent Origin Sets. This framework divides web origins into two categories: read-only and read-writeable. Read-only origins are sites from which the agent can extract data—such as product listings on a shopping site—but not interact with. Read-writeable origins are sites where the agent can perform actions like clicking buttons or entering text. This separation ensures that only approved data is processed and prevents cross-origin data leaks. The browser also enforces these boundaries by withholding from the model any data that falls outside the approved set.

Google is also monitoring page navigation through an additional observer model that analyzes URLs before any navigation occurs. This helps block attempts, including ones produced by the agent’s own internal logic, to redirect users to harmful or malicious sites.
For sensitive tasks—such as accessing banking information, medical records, or sites requiring login credentials—Google is prioritizing user control. Before any action is taken, Chrome will prompt the user for explicit approval. When sign-ins are required, the browser will ask permission to use the built-in password manager, but the agent’s model itself will never see or handle password data. The company also emphasizes that users will be consulted before any irreversible actions, such as making a purchase or sending a message.

In addition, Google is deploying a prompt-injection classifier to detect and block attempts to manipulate the agent through deceptive inputs. The company is also testing its agentic features against real-world attacks developed by security researchers to ensure robustness.

Other AI-driven browsers are following similar security paths. Earlier this month, Perplexity launched an open-source content detection model specifically designed to defend against prompt injection attacks, highlighting a growing industry focus on securing autonomous browser agents.
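To make the layered design concrete, here is an added illustration (not Google's or Chrome's code) of how the Agent Origin Sets, the pre-navigation URL observer, and the consent step for irreversible actions described above could be enforced as a simple policy gate in front of an agent's plan. The class and function names, the action vocabulary ("extract", "click", "type", "submit"), the `irreversible` flag and every sample URL are assumptions made for this example; the point it shows is that each decision uses only step metadata (action type and URL), never page content, and that data from origins outside both sets is dropped before it could reach the model.

```javascript
// Added example, not Chrome's implementation: a policy gate modelled on the
// Agent Origin Sets / navigation-observer / user-consent ideas in the article.
// All names, the action vocabulary and the sample URLs are assumptions.

// Normalise a URL to its origin (scheme + host + port); null if unparsable.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Two sets of origins: read-only (data may be extracted, no interaction) and
// read-writeable (the agent may click, type and submit).
class AgentOriginSets {
  constructor({ readOnly = [], readWrite = [] } = {}) {
    this.readOnly = new Set(readOnly.map(originOf));
    this.readWrite = new Set(readWrite.map(originOf));
  }

  // Returns "read-write", "read-only", "outside" or "invalid" for a URL.
  classify(url) {
    const origin = originOf(url);
    if (origin === null) return "invalid";
    if (this.readWrite.has(origin)) return "read-write";
    if (this.readOnly.has(origin)) return "read-only";
    return "outside";
  }
}

const WRITE_ACTIONS = new Set(["click", "type", "submit"]);
const READ_ACTIONS = new Set(["extract"]);

// Decide whether one planned step may run. Only step metadata (action type,
// URL, irreversibility flag) is inspected; page content is never consulted.
function evaluateAction(sets, step) {
  const cls = sets.classify(step.url);
  if (cls === "invalid") return { allowed: false, reason: "malformed URL" };
  if (cls === "outside") return { allowed: false, reason: "origin not in any agent origin set" };
  if (WRITE_ACTIONS.has(step.type)) {
    if (cls !== "read-write") return { allowed: false, reason: "write action on read-only origin" };
    // Writes pass on read-writeable origins, but irreversible ones (a purchase,
    // sending a message) still need explicit user approval before they run.
    return { allowed: true, needsUserConsent: Boolean(step.irreversible), reason: "write on read-writeable origin" };
  }
  if (READ_ACTIONS.has(step.type)) {
    return { allowed: true, needsUserConsent: false, reason: `read on ${cls} origin` };
  }
  return { allowed: false, reason: `unknown action type: ${step.type}` };
}

// Navigation observer: inspects the destination URL before any navigation.
function evaluateNavigation(sets, targetUrl, blockedOrigins = new Set()) {
  let parsed;
  try {
    parsed = new URL(targetUrl);
  } catch {
    return { allowed: false, reason: "malformed URL" };
  }
  if (parsed.protocol !== "https:") return { allowed: false, reason: `scheme ${parsed.protocol} not permitted` };
  if (blockedOrigins.has(parsed.origin)) return { allowed: false, reason: "origin on block list" };
  if (sets.classify(targetUrl) === "outside") return { allowed: false, reason: "origin outside agent origin sets" };
  return { allowed: true, reason: "navigation within approved origins" };
}

// Data filter: records extracted from origins outside both sets are withheld,
// so content from an unapproved site cannot feed into the planner.
function filterPageData(sets, records) {
  return records.filter((r) => sets.classify(r.origin) !== "outside");
}

// Review a whole plan; returns one decision per step.
function reviewPlan(sets, plan) {
  return plan.map((step) => ({ step, decision: evaluateAction(sets, step) }));
}

// Constructed sample: "compare prices, then buy a ticket" with one price site
// marked read-only and one ticket vendor marked read-writeable.
const SAMPLE_SETS = new AgentOriginSets({
  readOnly: ["https://prices.example"],
  readWrite: ["https://tickets.example"],
});
const SAMPLE_PLAN = [
  { type: "extract", url: "https://prices.example/concerts" },
  { type: "click", url: "https://prices.example/buy-now" }, // write on read-only origin
  { type: "click", url: "https://tickets.example/seat/12" },
  { type: "submit", url: "https://tickets.example/checkout", irreversible: true },
  { type: "extract", url: "https://tracker.example/collect" }, // origin outside both sets
];

for (const { step, decision } of reviewPlan(SAMPLE_SETS, SAMPLE_PLAN)) {
  const verdict = decision.allowed ? (decision.needsUserConsent ? "ASK USER" : "ALLOW") : "BLOCK";
  console.log(`${step.type.padEnd(8)} ${step.url.padEnd(40)} -> ${verdict} (${decision.reason})`);
}
```

Running the block prints one verdict per step: the price extraction and the seat click pass, the checkout submit is allowed only after user consent, and both the write on the read-only site and the extraction from the unlisted tracker origin are blocked. The same `classify` result drives `filterPageData`, which is where the "withhold data outside the approved set" rule lives: an extracted record from `tracker.example` is dropped before any model sees it.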
