Google Chrome adds new security layer for Gemini AI agentic browsing
Google has introduced a new security layer in the Chrome browser, called the "User Alignment Critic", to protect agentic AI browsing features powered by Gemini. The system uses a multi-layer defense to keep the AI agent's actions safe and to limit the influence of malicious content. 2025-12-8 18:15:21 Author: www.bleepingcomputer.com (view original)

Google is introducing a new defense layer in the Chrome browser, called the 'User Alignment Critic', to protect the upcoming agentic AI browsing features powered by Gemini.

Agentic browsing is an emerging mode in which an AI agent autonomously performs multi-step tasks on the web on the user's behalf, including navigating to sites, reading their content, clicking buttons, filling in forms, and carrying out a sequence of actions.

User Alignment Critic is a separate LLM model isolated from untrusted content that acts as a "high-trust system component."

Gemini is Google’s AI assistant, which can generate text, media, and code. It is used on Android and in various Google services, and has been integrated into Chrome since September.

At the time, Google announced plans to add agentic browsing capabilities in Chrome via Gemini, and now the company is introducing a new security architecture to protect it.

The new architecture, announced by Google engineer Nathan Parker, mitigates the risk of indirect prompt injection, in which malicious page content manipulates AI agents into performing unsafe actions that expose user data or facilitate fraudulent transactions.

Parker explains that the new security system involves a layered defense approach combining deterministic rules, model-level protections, isolation boundaries, and user oversight.

The main pillars of the new architecture are:

  • User Alignment Critic – A second, isolated Gemini model that cannot be “poisoned” by malicious prompts will vet every action the primary AI agent wants to take by examining metadata and independently evaluating its safety. If the action is deemed risky or irrelevant to the user’s set goal, it orders a retry or hands control back to the user.
(Image: User Alignment Critic logic on Chrome. Source: Google)
  • Origin Sets – Restricts agent access to the web and allows interactions only with specific sites and elements. Unrelated origins, including iframes, are withheld entirely, and a trusted gating function must approve new origins. This prevents cross-site data leakage and limits the blast radius of a compromised agent.
(Image: Restricting what the agent sees on a given webpage. Source: Google)
  • User oversight – When the agent visits sensitive sites such as banking portals or requires Password Manager sign-ins to access stored passwords, Chrome pauses the process and prompts the user to confirm the action manually.
(Image: User prompted to handle the final step of risky actions. Source: Google)
  • Prompt injection detection – A dedicated classifier on Chrome scans pages for indirect prompt-injection attempts. This system operates alongside Safe Browsing and on-device scam detection, blocking suspected malicious actions or scam content.
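To make the division of labour between the four layers concrete, here is an added illustrative model of the mediation pipeline described above. It is not Google's code: the origins, goal strings and injection markers are constructed, the classifier is a keyword stand-in, and the critic deliberately receives only action metadata, never page text.

```python
from dataclasses import dataclass, field

# Constructed illustration of the layered mediation in the article.
# Component names, thresholds and sample strings are assumptions.

@dataclass
class Action:
    kind: str                    # e.g. "navigate", "click", "submit_payment"
    origin: str                  # origin the action targets
    goal_relevant: bool = True   # metadata the critic inspects, not page text

@dataclass
class Session:
    goal: str
    origin_set: set              # origins the trusted gating function approved
    sensitive: set = field(default_factory=lambda: {"https://bank.example"})

# Stand-in markers for the prompt-injection classifier (heuristic only).
INJECTION_MARKERS = ("ignore previous instructions", "as the ai agent, you must")

def visible_content(session, frames):
    """Origin Sets: the agent only ever sees frames whose origin is approved;
    unrelated origins (including iframes) are withheld entirely."""
    return {o: t for o, t in frames.items() if o in session.origin_set}

def injection_suspected(text):
    """Prompt injection detection: flags suspicious page content."""
    low = text.lower()
    return any(m in low for m in INJECTION_MARKERS)

def critic(session, action):
    """User Alignment Critic: isolated from page content, it judges the
    action purely on metadata against the user's stated goal."""
    if not action.goal_relevant:
        return "retry"                  # off-goal action: ask agent to retry
    if action.kind == "submit_payment" and "buy" not in session.goal.lower():
        return "handoff"                # risky and not requested: hand to user
    return "allow"

def mediate(session, action, frames):
    """Run one proposed action through all four layers in order."""
    if action.origin not in session.origin_set:
        return "blocked: origin not in origin set"
    page = visible_content(session, frames).get(action.origin, "")
    if injection_suspected(page):
        return "blocked: suspected prompt injection"
    if action.origin in session.sensitive or action.kind == "password_manager":
        return "user confirmation required"   # user oversight pause
    return critic(session, action)
```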

This layered defense approach to agentic browsing shows that Google is more careful about giving its LLMs access to the browser than vendors of similar products, which researchers have shown to be vulnerable to phishing, prompt injection attacks, and purchasing from fake shops.

Google has also developed automated red-teaming systems that generate test sites and LLM-driven attacks to continuously test defenses and develop new ones where required, pushed quickly to users via Chrome’s auto-update mechanism.

"We also prioritize attacks that could lead to lasting harm, such as financial transactions or the leaking of sensitive credentials," Google says, adding that its engineers would get immediate feedback on the attack success rate and would be able to respond quickly with fixes delivered through Chrome's auto-update mechanism.

To stimulate security research in this area, Google announced bounty payments of up to $20,000 for anyone who can break the new system, calling on the community to join the effort to build a robust agentic browsing framework on Chrome.


Article source: https://www.bleepingcomputer.com/news/security/google-chrome-adds-new-security-layer-for-gemini-ai-agentic-browsing/