Google DeepMind unveils AI Control Roadmap to secure increasingly capable agents

Google DeepMind outlined an AI Control Roadmap to secure internal AI agents against risks posed by increasingly capable but potentially misaligned systems. The framework is designed to provide assurance even if alignment is imperfect, combining traditional safeguards with system-level security measures.

The roadmap begins with foundational cybersecurity practices such as sandboxing, endpoint security, and prompt injection resistance. It then layers on model alignment as a primary defense, while explicitly accounting for scenarios where alignment may fail. Google DeepMind compares this layered approach to a driving instructor with dual controls: the system grants agents permissions based on verified behavior and retains the ability to intervene if necessary.

To systematically identify and mitigate risks, Google DeepMind developed a threat-modeling framework for AI that treats untrusted agents as potential 'insider threats.' This framework adapts the MITRE ATT&CK framework—an industry-standard knowledge base of adversary tactics and techniques—to AI-specific contexts. By breaking down potential attacks into discrete tactics and techniques, the approach enables methodical tracking of risks, early detection of misbehavior, and controlled testing of defenses.

Real-time monitoring is central to the roadmap. Google DeepMind uses trusted AI systems as 'supervisors' to continuously review an agent’s reasoning, actions, and plans. If a supervisor detects harmful intent or deviation, it can intervene to block actions before damage occurs. The framework also emphasizes measurable performance across three metrics: coverage (fraction of traffic monitored), recall (fraction of misaligned behaviors caught), and time-to-response.

The roadmap scales security in tandem with AI capability advancements. As models become more capable—potentially evading detection through opaque reasoning or oversight awareness—the framework adapts by shifting from reviewing visible chain-of-thought to analyzing behavior and inspecting inner workings. It also adjusts protocols based on the potential harm of actions, with stricter oversight for higher-risk or irreversible decisions.