Always-On AI Agents Just Shipped Inside Your Existing Tools. Here's What Changes.

The question used to be whether you wanted AI involved in your work. That choice just got narrowed. Google launched Gemini Spark at I/O 2026 (May 19) — a 24/7 personal agent that runs inside Gmail, Docs, Sheets, and Calendar, taking actions on your behalf even when your device is off. It doesn't wait to be opened. It monitors your inbox, parses financial statements you've received, drafts follow-ups from meeting notes, and reprioritises your schedule. The question is no longer "should I try AI?" It's "what is it doing right now, and did I authorise that?"

What changed and why it matters

Gemini Spark is not a new app. It arrives inside tools you already open every morning — no download, no separate sign-in. The defaults are set by Google.

Simon Willison flagged the immediate risk (simonwillison.net, May 20): an agent with continuous access to email, calendar, and documents is a target for prompt injection, where a malicious email or document tricks the agent into taking an unintended action. A supplier invoice with hidden instructions. A calendar invite with embedded commands. The attack surface is everything your inbox has ever touched.

Ethan Mollick added the economic frame (X and LinkedIn, May 19–21): agents consume thousands of times more compute than chatbots. The free tier of AI stays chatbot-level. Always-on agents sit behind higher pricing tiers. The platforms know that professionals who come to rely on an always-on agent are far more likely to keep paying for it than to quit it.

What to do differently on Monday

Three decisions every professional faces when Gemini Spark (or anything like it) lands in their tools:

Decide what permissions to grant — and what to deny. Spark requests broad access by default. Inbox monitoring: probably fine. Sending emails on your behalf without confirmation: worth restricting. Access to documents shared by external parties: worth pausing to consider what those documents contain. The default answer to every permission request is not "yes."

Build an audit habit before you need it. Agents that act continuously produce logs. Those logs are not surfaced prominently — you have to look. Checking what the agent has done once each morning and before any meeting with an external party takes three minutes. It is the same due diligence you would apply to a new member of staff before their first month is out.

Set the autonomy level before the agent sets it for you. An agent that can draft a reply and an agent that can send one without asking are different tools with different risk profiles. Drafting: run automatically. Sending to external contacts: require a confirmation step until you know its error rate on your specific communication style.

Priya: permissions before access

Priya manages content and partner communications at a 45-person SaaS. When Gemini Spark became available in her Workspace, she spent 20 minutes in the permission settings before enabling anything. She granted inbox monitoring and draft generation. She denied send-on-behalf.

Her reasoning was straightforward: she needs to know what the agent wrote before a partner sees it. She also denied document creation on her behalf — she has templates partners rely on, and Spark doesn't know which formatting choices are deliberate and which it can change.

Six weeks in, she's saved roughly 40 minutes a day on first-draft review. She also caught two cases where the agent drafted replies to emails she hadn't actually read yet.

James: waiting for a clear answer on what it can see

James handles invoices, payments, and vendor contracts at a 200-person professional services firm. He hasn't enabled Gemini Spark yet. His reason: "It can access documents shared by others. Our NDAs, our rate cards, our client contracts — all of that lives inside Workspace. I need to know what it can see before I let it act."

Willison's prompt injection concern is directly relevant here (simonwillison.net, May 20). A confidential document shared by a counterparty could, in principle, carry instructions that the agent reads and acts on. James is not being overcautious — he's applying the same logic he uses for any third-party tool that touches sensitive data: understand the access model before accepting the terms.

His plan is to enable Spark for his personal calendar and internal scheduling, where the stakes of an error are low and the documents involved are all internal. He'll revisit external-facing features once Google publishes clearer documentation on how Spark handles adversarial content.

The actual decision

An always-on agent is not a productivity setting you flip on. It is a set of choices about what you are delegating, to what standard, and who answers for it when something goes wrong. Priya made those choices explicitly. James is making them by waiting. Both are more in control than someone who enabled all defaults in 30 seconds and moved on.

The professionals at most risk from always-on agents are not the ones who choose to wait. They are the ones who accepted the defaults without reading them.