Overview
- A separate Gemini-based User Alignment Critic vets each planned action before it runs. It sees only the action's metadata, not page content, so injected content cannot poison its judgment, and it vetoes any step that does not serve the user's stated goal.
- New Agent Origin Sets confine the agent to the domains and page elements relevant to the task, and split those origins into read-only and read-writable sets so the agent can write only where the task requires it, reducing cross-site data exposure.
- Chrome keeps the user in the loop: it shows a work log of what the agent has done and pauses for explicit confirmation on sensitive steps such as navigating to banking or medical sites, signing in through the password manager, making purchases, and sending messages. The model itself cannot read stored passwords.
- A prompt-injection classifier runs alongside the planner to block actions triggered by malicious page content, backed by automated red-teaming and a bug-bounty programme paying up to $20,000 for demonstrated breaches of these boundaries.
- According to reporting, some of the origin-isolation work is already landing in Chrome builds, with the broader agentic capabilities slated to roll out over the coming months while industry advisors continue to flag residual risk.
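To make the origin-set and confirmation boundaries above concrete, here is an added illustrative policy check in JavaScript. It is not Chrome's code and is not taken from the announcement: the policy shape, the action kinds (`read`, `fill_form`, `purchase`, `send_message`, `password_sign_in`), the site-category lookup and the sample task are all assumptions made for this example. Like the critic described above, the check looks only at action metadata (URL and action kind), never at page content.

```javascript
// Added example, not Chrome's implementation. Models two of the described
// controls: an Agent Origin Set with separate read and write origins, and a
// "pause for confirmation" on sensitive steps. Action kinds and categories
// are assumed names for illustration only.

// Assumed action kinds that always require user confirmation.
const SENSITIVE_ACTIONS = new Set(["purchase", "send_message", "password_sign_in"]);
// Assumed site categories whose mere navigation requires confirmation.
const SENSITIVE_CATEGORIES = new Set(["banking", "medical"]);

// Normalise a URL to its origin (scheme + host + port). Throws on bad input.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Build a task-scoped origin set. Every read-writable origin is also readable;
// read-only origins may never be written to.
function makeOriginSet({ readOnly = [], readWrite = [] }) {
  return {
    read: new Set([...readOnly, ...readWrite].map(originOf)),
    write: new Set(readWrite.map(originOf)),
  };
}

// Vet one planned action using only its metadata (kind + url), never page
// content. Returns { decision, reason } with decision in
// "allow" | "confirm" | "deny". categoryOf maps an origin to an assumed
// category label (e.g. "banking") or null.
function vetAction(originSet, action, categoryOf = () => null) {
  let origin;
  try {
    origin = originOf(action.url);
  } catch {
    // Unparseable targets are never allowed through.
    return { decision: "deny", reason: "unparseable url" };
  }
  if (!originSet.read.has(origin)) {
    return { decision: "deny", reason: `origin ${origin} is outside the task's origin set` };
  }
  const isWrite = action.kind !== "read";
  if (isWrite && !originSet.write.has(origin)) {
    return { decision: "deny", reason: `origin ${origin} is read-only for this task` };
  }
  if (SENSITIVE_ACTIONS.has(action.kind) || SENSITIVE_CATEGORIES.has(categoryOf(origin))) {
    return { decision: "confirm", reason: "sensitive step; pause for user confirmation" };
  }
  return { decision: "allow", reason: "within origin set" };
}

// Constructed sample task (assumed hosts): book a flight on example-airline.test,
// read reviews on example-reviews.test, and check a balance on example-bank.test.
const sampleTask = makeOriginSet({
  readOnly: ["https://example-reviews.test/", "https://example-bank.test/"],
  readWrite: ["https://example-airline.test/"],
});
const sampleCategories = { "https://example-bank.test": "banking" };
const sampleCategoryOf = (origin) => sampleCategories[origin] ?? null;

// Run a constructed plan through the check and return the decisions in order.
function demo() {
  const plan = [
    { kind: "read", url: "https://example-reviews.test/flights/123" },
    { kind: "fill_form", url: "https://example-reviews.test/comment" },
    { kind: "fill_form", url: "https://example-airline.test/checkout" },
    { kind: "purchase", url: "https://example-airline.test/checkout" },
    { kind: "read", url: "https://example-bank.test/balance" },
    { kind: "read", url: "https://attacker.test/" },
    { kind: "read", url: "not a url" },
  ];
  return plan.map((a) => vetAction(sampleTask, a, sampleCategoryOf).decision);
}

console.log(demo());
```

The order of checks matters: membership in the origin set is tested before the read/write split, and confirmation prompts are only reached for actions that are already inside the set, so a prompt never becomes a way to talk the user into an out-of-scope origin.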