As more browsers experiment with agentic tools capable of booking tickets, comparing products, or completing tasks automatically, the security risks grow alongside the convenience. Google has now outlined how Chrome will manage these risks, detailing a multilayered system designed to keep automated actions aligned with user intent and protected from manipulation. The company first previewed Chrome’s agentic capabilities in September, with a broader rollout expected in the coming months.
At the core of Google’s approach is an internal oversight structure built around multiple models. The company uses a User Alignment Critic powered by Gemini to review the actions proposed by Chrome’s planner model. This critic only sees metadata, not full webpage content, and evaluates whether the planned steps genuinely support the user’s goal. If anything appears off, the planner is prompted to revise its strategy before the browser takes action. Google describes this as a guardrail that helps stop agents from drifting into behaviour that doesn’t match user intent.
Chrome also enforces strict limits on what the agent can read and where it can act through a system called Agent Origin Sets. Read-only origins define which origins' content the model is allowed to consume, for example the product listings on a shopping page, while banner ads and other irrelevant elements stay off limits. Read-write origins are a narrower set still, determining where the agent is allowed to interact by clicking or typing. By preventing cross-origin mixing, the browser reduces the risk of data leakage and ensures the model only receives information from approved sources. Content Chrome does not support is blocked outright, so it never reaches the model.
Navigation is governed by yet another observer model that evaluates URLs before the agent loads them, to stop the agent from navigating to harmful sites whether it generated the URL itself or followed a link. When tasks involve sensitive information, control is handed back to the user: if the agent attempts to visit a banking portal or a medical records site, Chrome asks for explicit permission. The same applies to using stored passwords. Google says the agent itself never sees password data, and that any action involving purchases or sending messages requires user confirmation.
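One way to express the origin scoping and the hand-back-to-user checks described in the two paragraphs above, as an added JavaScript example that is not Chrome's code: the class and function names, the sample origins, the sensitive-site list and the "purchase" / "send_message" action kinds are all invented for illustration, and the assumption that read-write origins form a subset of read-only origins is the example's, not something the article states.

```javascript
// Added example (not Chrome's code): an origin-scoped capability check in the
// spirit of the Agent Origin Sets and navigation gate described above.
// Class/function names, sample origins and the sensitive-site list are
// hypothetical and constructed for illustration.

// Browser-style origin (scheme + host + port) via the WHATWG URL parser.
// Opaque origins (data:, about:blank, blob: without a base) serialize as "null";
// unparseable input returns null. Both are treated as untrusted below.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

class AgentOriginSet {
  // readOnly: origins whose content may be shown to the model.
  // readWrite: origins where the agent may click or type. Assumed here to be a
  // subset of readOnly (enforced in the constructor); the article does not say.
  constructor({ readOnly = [], readWrite = [] }) {
    this.readOnly = new Set(readOnly.map((u) => originOf(u)));
    this.readWrite = new Set(readWrite.map((u) => originOf(u)));
    for (const o of this.readOnly) {
      if (!o || o === "null") throw new Error("opaque or invalid origin in set");
    }
    for (const o of this.readWrite) {
      if (!this.readOnly.has(o)) throw new Error(`read-write origin ${o} is not readable`);
    }
  }

  // Default-deny decision for capability "read" or "write" on a concrete URL.
  // Matching is on the full origin, so a different scheme, port or subdomain
  // is a different origin and is denied.
  decide(url, capability) {
    const origin = originOf(url);
    if (!origin || origin === "null") {
      return { allow: false, reason: "unparseable or opaque origin" };
    }
    const set = capability === "write" ? this.readWrite
              : capability === "read" ? this.readOnly : null;
    if (!set) return { allow: false, reason: `unknown capability ${capability}` };
    return set.has(origin)
      ? { allow: true, origin }
      : { allow: false, reason: `${origin} is not a ${capability} origin` };
  }

  // Strip page content the model must not see: frames (e.g. third-party ad
  // iframes) whose origin is outside the read set never reach the model.
  filterFrames(frames) {
    return frames.filter((f) => this.decide(f.url, "read").allow);
  }
}

// Constructed list standing in for the navigation observer's sensitive-site
// judgement; Chrome's actual classification is not described in the article.
const SENSITIVE_ORIGINS = new Map([
  ["https://bank.example", "banking"],
  ["https://records.clinic.example", "medical"],
]);

// Before loading a URL: block anything outside the read set, and hand control
// back to the user (askUser returns true/false) for sensitive categories.
function gateNavigation(set, url, askUser) {
  const read = set.decide(url, "read");
  if (!read.allow) return { action: "block", reason: read.reason };
  const category = SENSITIVE_ORIGINS.get(read.origin);
  if (category === undefined) return { action: "navigate", origin: read.origin };
  return askUser(`Open ${category} site ${read.origin}?`)
    ? { action: "navigate", origin: read.origin, confirmedBy: "user", category }
    : { action: "stop", reason: `user declined ${category} site` };
}

// State-changing actions need a read-write origin; purchases and outbound
// messages additionally need explicit user confirmation.
const CONFIRM_KINDS = new Set(["purchase", "send_message"]);

function executeAction(set, action, askUser) {
  const write = set.decide(action.url, "write");
  if (!write.allow) return { ok: false, reason: write.reason };
  if (CONFIRM_KINDS.has(action.kind) && !askUser(`Confirm ${action.kind} on ${write.origin}?`)) {
    return { ok: false, reason: `user declined ${action.kind}` };
  }
  return { ok: true, kind: action.kind, origin: write.origin };
}

// Constructed policy for a hypothetical "buy a kettle" task.
const policy = new AgentOriginSet({
  readOnly: ["https://shop.example", "https://reviews.example", "https://bank.example"],
  readWrite: ["https://shop.example"],
});

console.log(policy.decide("https://shop.example:8443/cart", "write")); // port differs: denied
console.log(policy.filterFrames([
  { url: "https://shop.example/p/1" },
  { url: "https://ads.example/banner" },     // cross-origin ad frame dropped
  { url: "data:text/html,<b>injected</b>" }, // opaque origin dropped
]).length); // 1
console.log(executeAction(policy, { kind: "purchase", url: "https://shop.example/checkout" }, () => false));
```

The point worth noticing is that the check is on the full serialized origin rather than on a hostname string: a different port, an `http://` downgrade or an attacker-controlled subdomain all fail the lookup, and opaque origins such as `data:` URLs (a common carrier for injected content) are denied before any allowlist is consulted. The sensitive-site prompt and the purchase confirmation are deliberately placed after the origin check, so a site outside the task's origin set is blocked without ever prompting the user.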
Alongside these controls, Google has deployed a prompt-injection classifier to detect and block attempts to manipulate the agent. The company is also actively testing Chrome’s agentic systems against attack scenarios built by researchers to identify weaknesses before release.
Other AI-centric browsers are taking similar precautions. Perplexity recently released an open-source content detection model aimed at preventing prompt injection attacks on agents, signalling that the broader industry recognises the scale of the challenge.
With Chrome preparing to automate more tasks than ever, Google’s security framework reflects a clear understanding that agentic convenience cannot come at the cost of user trust.