Google is preparing to roll out advanced AI-powered "agentic features" in Chrome, designed to automate tasks like booking tickets or online shopping. Recognizing the inherent security risks associated with such capabilities, the tech giant has now detailed a robust set of security measures and privacy guardrails to protect user data and financial information. These features, initially previewed in September, are expected to launch in the coming months.
An increasing number of browsers are experimenting with these agentic features, which can take actions on behalf of users. However, these capabilities also come with significant security risks, potentially leading to data or financial loss.
Advanced Security Models for Agentic Actions
To ensure agentic actions align with user intent and remain secure, Google is deploying a multi-layered approach using several models. A key component is the "User Alignment Critic," powered by its Gemini AI. This critic scrutinizes tasks proposed by the primary "planner model." If the critic determines a planned action doesn't serve the user's goal, it prompts the planner to re-evaluate its strategy. Importantly, Google notes that the critic model only accesses metadata of proposed actions, not sensitive web content, enhancing privacy.

Agent Origin Sets and URL Scrutiny
Further bolstering security, Google is implementing "Agent Origin Sets." These sets restrict AI agents to specific "read-only" and "read-writeable" origins, preventing access to untrustworthy or disallowed sites. For instance, on an e-commerce site, the agent might only be allowed to read product listings (relevant data) but not banner ads. Similarly, agents are confined to interacting (clicking or typing) only within designated iframes on a page.
"This delineation enforces that only data from a limited set of origins is available to the agent, and this data can only be passed on to the writable origins. This bounds the threat vector of cross-origin data leaks. This also gives the browser the ability to enforce some of that separation, such as by not even sending to the model data that is outside the readable set," Google stated in a blog post.
This strict separation minimizes the risk of cross-origin data leaks and lets the browser, rather than the model, enforce part of the boundary by withholding out-of-set content from the model entirely. An additional observer model scrutinizes URL navigation, so that a model-generated URL cannot inadvertently send the agent, and the user, to a malicious or harmful site.
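To make the read-only / read-writeable split concrete, here is an added illustration of how a browser-side policy of that shape can be enforced. It is example code written for this article, not Chrome's implementation: the names `AgentOriginSet`, `observationsForModel` and `authorizeAction`, the action record shape, and the sample page data are all assumptions. Origins are compared at the scheme+host+port granularity that `URL.origin` yields, so a subdomain is a distinct origin from its parent.

```javascript
// Added example (not Chrome code): a minimal "agent origin set" enforcer.
// Helper: reduce any URL to its origin (scheme://host[:port]).
const originOf = (url) => new URL(url).origin;

class AgentOriginSet {
  constructor({ readable = [], writable = [] }) {
    this.writable = new Set(writable.map(originOf));
    // A writable origin is implicitly readable as well.
    this.readable = new Set([...readable.map(originOf), ...this.writable]);
  }
  canRead(url) { return this.readable.has(originOf(url)); }
  canWrite(url) { return this.writable.has(originOf(url)); }
}

// Browser-side filter: drop every observation whose frame origin lies outside
// the readable set, so third-party content (e.g. an ad iframe) never reaches
// the model at all. This is the "not even sending it to the model" step.
function observationsForModel(policy, observations) {
  return observations.filter((o) => policy.canRead(o.frameUrl));
}

// Action gate for clicks and typing. Two rules are checked:
//   1. the target frame must be on a writable origin;
//   2. any data the action carries must come from readable origins only,
//      i.e. readable-origin data may flow only into writable origins.
function authorizeAction(policy, action) {
  if (!policy.canWrite(action.frameUrl)) {
    return { allowed: false, reason: `frame ${originOf(action.frameUrl)} is not writable` };
  }
  const badSources = (action.dataSources || []).filter((src) => !policy.canRead(src));
  if (badSources.length > 0) {
    return {
      allowed: false,
      reason: `data from unreadable origin(s): ${badSources.map(originOf).join(', ')}`,
    };
  }
  return { allowed: true };
}

// Constructed sample: a shop whose checkout lives on a separate subdomain,
// plus an advertising iframe that the agent must never see or touch.
const SAMPLE_POLICY = new AgentOriginSet({
  readable: ['https://shop.example'],
  writable: ['https://checkout.shop.example'],
});

const SAMPLE_OBSERVATIONS = [
  { frameUrl: 'https://shop.example/p/123', text: 'Blue jacket, $49' },
  { frameUrl: 'https://ads.example/banner', text: 'Win a prize! Click here' },
  { frameUrl: 'https://checkout.shop.example/cart', text: 'Cart: 1 item' },
];

// Stand-alone run: shows what the model receives and which actions pass.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(observationsForModel(SAMPLE_POLICY, SAMPLE_OBSERVATIONS));
  console.log(authorizeAction(SAMPLE_POLICY, { type: 'click', frameUrl: 'https://ads.example/banner' }));
  console.log(authorizeAction(SAMPLE_POLICY, {
    type: 'type',
    frameUrl: 'https://checkout.shop.example/cart',
    dataSources: ['https://shop.example/p/123'],
  }));
}
```

The filter runs before the model is ever consulted, which is the property worth keeping: a policy that only blocks actions after the model has already read hostile content still leaves the model's reasoning exposed to that content.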
User Consent for Sensitive Actions
Crucially, Google emphasizes user control for sensitive operations. When an agent attempts to access sites containing banking or medical information, or requires sign-in, it will explicitly prompt the user for permission. For sign-ins, Chrome will request user consent to utilize the password manager, with Google assuring that the agent's model itself has no exposure to password data. Furthermore, users will be asked for approval before any significant actions, such as making a purchase or sending a message.
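The consent rules in this section can be modelled as a small mediation layer that sits between the planner and the page. The following is an added example for this article, not Google's code: the action types, the site-category table, the `askUser` callback shape and the credential store are all constructed assumptions. The point it demonstrates is the one the article makes about sign-in: the browser performs the credential fill itself, and the object returned to the model carries no secret.

```javascript
// Added example (not Chrome code): a consent gate for sensitive agent actions.
const SENSITIVE_CATEGORIES = new Set(['banking', 'medical']);
const ACTIONS_NEEDING_APPROVAL = new Set(['purchase', 'send_message']);

// Hypothetical site classifier (constructed data): origin -> category.
const SITE_CATEGORY = {
  'https://bank.example': 'banking',
  'https://clinic.example': 'medical',
};
function categoryOf(url) {
  return SITE_CATEGORY[new URL(url).origin] || 'general';
}

// Returns the reason consent is needed for this action, or null if none is.
function consentRequired(action) {
  switch (action.type) {
    case 'navigate':
      return SENSITIVE_CATEGORIES.has(categoryOf(action.url)) ? 'sensitive_site' : null;
    case 'sign_in':
      return 'password_manager';
    default:
      return ACTIONS_NEEDING_APPROVAL.has(action.type) ? 'significant_action' : null;
  }
}

// Mediate one proposed action.
//   askUser(reason, action) -> boolean   (synchronous here for brevity)
//   credentialStore: browser-held password manager, keyed by origin
// The value returned under `modelVisible` is everything the model gets to see.
function mediate(action, askUser, credentialStore = {}) {
  const reason = consentRequired(action);
  if (reason !== null && !askUser(reason, action)) {
    return { executed: false, reason: `user declined (${reason})` };
  }
  if (action.type === 'sign_in') {
    const cred = credentialStore[new URL(action.url).origin];
    if (!cred) return { executed: false, reason: 'no saved credential for this origin' };
    // The browser fills the login form directly from the store; the model only
    // learns that the sign-in happened, never the password.
    return { executed: true, modelVisible: { signedIn: true } };
  }
  return { executed: true, modelVisible: { done: action.type } };
}

// Constructed sample run.
const SAMPLE_STORE = {
  'https://shop.example': { username: 'alice', password: 'constructed-sample-secret' },
};
if (typeof require !== 'undefined' && require.main === module) {
  const approveAll = (reason) => { console.log('prompting user for:', reason); return true; };
  console.log(mediate({ type: 'navigate', url: 'https://bank.example/accounts' }, approveAll));
  console.log(mediate({ type: 'sign_in', url: 'https://shop.example/login' }, approveAll, SAMPLE_STORE));
  console.log(mediate({ type: 'purchase', url: 'https://shop.example/checkout' }, () => false));
}
```

A cheap regression check for this kind of gate is to serialize everything returned to the model and assert that no stored secret appears in it; the test below does exactly that for the sign-in path.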

Beyond these measures, Google has developed a prompt-injection classifier to thwart malicious commands and is rigorously testing its agentic capabilities against attack scenarios devised by security researchers.
This focus on security is a growing trend among AI browser developers. Earlier this month, Perplexity, for instance, released a new open-source content detection model specifically designed to combat prompt injection attacks targeting AI agents.