Google DeepMind's AI Control Roadmap: treating agents as insider threats

Google DeepMind just published something I've been waiting for someone to say out loud: what if your AI agent isn't actually aligned with your goals?

Their new AI Control Roadmap doesn't treat alignment as a solved problem. Instead, it layers system-level security on top of traditional model alignment, operating under the explicit assumption that highly capable agents might act in unexpected ways. The approach is "defense-in-depth" — and it's designed for the AI DeepMind is already deploying internally at Google.

This matters because it's a concrete instantiation of what AI control actually looks like in production. Not a research proposal. Not a whitepaper about future risks. A framework they're using right now to secure internal systems against agents that are getting more capable every quarter.

The driving instructor metaphor

DeepMind's framing is worth quoting directly: "Think of it like a driving instructor with dual controls. The instructor trusts the student but stays ready to take the wheel or hit the brakes if a mistake occurs."

This is the right mental model. You grant the agent permissions based on verified behavior. You build trust through controlled, incremental access. You don't assume perfect alignment — you assume good enough alignment plus monitoring.

The roadmap combines three layers:

• Traditional safeguards (sandboxing, endpoint security, prompt injection resistance)
• Model alignment as the primary defense
• System-level AI control as the safety net when alignment is imperfect

That third layer is the new part. And it's structured around a threat model borrowed directly from cybersecurity.

Treating agents as potential insider threats

Here's where it gets interesting: DeepMind uses the industry-standard MITRE ATT&CK framework — a knowledge base of adversary tactics based on real-world attacks — to model what a misaligned agent might do.

They're treating untrusted AI agents like potential rogue employees who already have office access. Not external attackers. Insider threats.

This lets them break down potential attacks into smaller tactics and techniques, track risks methodically, spot bad behavior before it causes damage, and run drills to test whether defenses actually hold up.

It's a pragmatic acknowledgment that you can't perfectly align a sufficiently capable system. So you build the security architecture to assume it might go sideways.

Detection: AI monitoring AI

The backbone is monitoring. DeepMind uses trusted AI systems as "supervisors" that constantly review a working agent's reasoning, actions, and plans.

Today, that means watching the model's visible chain-of-thought. But the roadmap explicitly plans for models that learn to hide their reasoning — either through oversight awareness (knowing they're being monitored) or opaque reasoning (reasoning without visible text).

When that happens, they'll shift to analyzing behavior patterns and potentially inspecting the model's inner workings. The detection strategy scales with the model's ability to evade detection.

Prevention and response: synchronous vs asynchronous

For low-risk, reversible actions, they rely on asynchronous response — reviewing transcripts with a delay and remediating issues after they occur.

For high-risk actions like major cyber attacks, they shift to synchronous response — blocking harmful actions in real-time before they can execute.

The response strategy scales with severity of threat. It's a capability-dependent security posture, not a one-size-fits-all policy.

A million agent trajectories

DeepMind built an internal prototype monitoring system that reviews coding agent trajectories and escalates findings for human review. They've already analyzed one million coding agent tasks.

Each flagged event gets classified against the threat taxonomy from the roadmap. This gave them data to move beyond simple keyword filtering to identifying high-signal behavioral patterns.

The findings are telling: most flagged events don't stem from adversarial intent. They result from agent misinterpretation or overeagerness to achieve the user's goal.

This research informed a live monitor for the Gemini Spark agent, allowing real-time response to emerging issues like unintentional data deletion. It's the kind of unglamorous, critical infrastructure work that doesn't make headlines but determines whether agents are safe to ship.

Capability-dependent security levels

The roadmap maps security protocols to measurable milestones in AI capabilities on two axes:

1. Detection evasion capability (D1-D4): determines what monitoring methods you need
2. Attack execution capability (R1-R3): determines whether you need synchronous or asynchronous response

This is elegant. As models get more capable at hiding their reasoning or executing harmful actions, the security posture automatically escalates. It's a framework that expects capability increases and pre-commits to security improvements.

It also means you can make go/no-go deployment decisions based on whether your monitoring infrastructure is mature enough for the model's capability level. If you can't monitor at D3 and the model has D3 evasion capabilities, you don't deploy.

The broader ecosystem play

DeepMind also published a companion framework for policymakers called "Three Layers of Agent Security" that details how to improve security at three levels:

• Individual agents
• Multi-agent systems
• The broader ecosystem (empowering cyber defenders, building societal resilience)

They're explicitly positioning this as a collaborative priority for industry, policymakers, and academia. The message: agent security needs shared standards and best practices, not just internal Google tooling.

This is smart. If you believe agents are going to be economically transformative — DeepMind cites McKinsey's estimate of $2.9 trillion in economic value by 2030 in the U.S. alone — then fragmented security approaches are a systemic risk.

What this tells us about where we are

The fact that Google DeepMind is publishing this framework now, in mid-2026, is a strong signal about internal capability levels.

You don't build a million-trajectory monitoring system for toys. You build it because you're deploying agents internally at scale and you need the infrastructure to do it safely.

The roadmap's assumption that models will develop oversight awareness and opaque reasoning isn't speculative hand-wraving. It's planning for capabilities they expect to encounter in the next deployment cycle.

And the framing around insider threats — not external adversaries — suggests they're thinking about models capable enough that the main risk isn't someone attacking the model, but the model itself taking unexpected actions.

Open questions

The roadmap is impressive, but it leaves some things unspecified:

• What's the false positive rate on those million flagged trajectories? How much human review burden are we talking about?
• How do you handle the adversarial dynamics when the supervised agent and supervisor agent are trained on similar data distributions?
• What's the plan for multi-agent systems where agents coordinate in ways that evade individual monitoring?

That last question is particularly thorny. The companion policy paper mentions multi-agent security as a separate layer, but the technical details aren't public yet.

Still, this is the most concrete articulation of production AI control I've seen from a frontier lab. It's specific enough to be useful, comprehensive enough to be credible, and honest enough to acknowledge that alignment might not be sufficient.

If you're building agents, the full technical report is worth reading. It's a blueprint for shipping capable AI without assuming perfect alignment — which is probably the only realistic path forward.