AI Skills · June 23, 2026 · 5 min read

Google Treats Its Own AI Agents Like Insider Threats. Here's the Supervision Skill Stack You Need.

On June 18, Google DeepMind published a framework that classifies its own autonomous agents as insider threats requiring defense-in-depth monitoring. What that means for every team now deploying AI agents.

By Forge Team

If you are deploying AI agents inside your organization without a monitoring plan, you are less careful than the company that built the most advanced agents in the world. On June 18, 2026, Google DeepMind published its AI Control Roadmap — a security framework that treats its own autonomous agents as potential insider threats requiring defense-in-depth monitoring.

What DeepMind actually published

The AI Control Roadmap describes a security posture for autonomous AI agents operating inside Google's own infrastructure. The core claim: an agent that can take actions autonomously is, by definition, a system that requires the same structural safeguards you would apply to any insider with access to your systems and data — continuous monitoring, limited permissions, human review checkpoints.

This was not a theoretical framework. Google deployed live monitoring for Gemini Spark, its internal coding agent, after analyzing one million coding agent tasks. One million runs of a supervised coding tool before they trusted it enough to monitor rather than oversee directly. The same week, OpenAI Academy released its "Agents and Workflows" course as the capstone of a three-stage progression (June 14), and Google and Kaggle wrapped a free five-day AI Agents Intensive that had reached 1.5 million learners in its previous edition. The platforms are racing to train people in agent deployment. The question DeepMind's roadmap raises: is anyone training them in agent supervision?

What to do differently Monday morning

Three skills separate professionals who deploy agents safely from those who discover problems after the fact.

Agent scoping: Define what the agent can and cannot do before it runs — not after it does something unexpected. This means writing down the agent's permitted actions, its data access, and the specific conditions under which it stops and asks a human. If you cannot write that list in two minutes, the agent is not ready to run autonomously.

Checkpoint design: Build human review points into agent workflows as a core design choice, not an afterthought. The question is not "where could something go wrong?" — it is "where does a human need to confirm before the agent continues?" Every agent workflow should have at least one checkpoint. Most should have more.

Monitoring: Know what you are watching for once an agent is running. What constitutes unexpected behavior? What triggers a review? What does "the agent behaved correctly" actually mean for this specific workflow? If you cannot answer those questions, you are not supervising the agent — you are hoping it works.

Write the task scope for one repeating workflow — inputs, outputs, what the agent decides, and what it must bring back to you before continuing.

Rachel: the operations manager who ran an agent without guardrails

Rachel manages operations at a 70-person e-commerce company. In May, she deployed an AI agent to monitor their supplier email inbox and flag urgent issues — delivery delays, invoice disputes, damaged shipments — so her team could respond faster.

She set it up in an afternoon. The agent had read and write access to the inbox and a prompt that described what "urgent" looked like. She tested it on five emails and it worked.

Three weeks later, a supplier sent an email with a legitimate delivery update that the agent misclassified as a dispute. The agent — which she had configured to send acknowledgment replies automatically — sent an apology email to the supplier implying there was a billing error under investigation. There was no billing error. The supplier's account manager called her VP of supply chain to ask what was happening.

Rachel's revised approach: the agent flags and categorizes, but any outbound communication requires a human to press send. The scope document she now writes before any agent deployment includes one line she did not have before: "What can this agent never do without a human confirming?"

For one AI agent you currently run or plan to run, write the constraint list — what it can do, what requires confirmation, and what triggers an immediate stop.
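
The constraint list above can be enforced in code between the agent and its tools. The sketch below is an added example, not part of the original article. It uses Rachel's revised scope: flagging and categorizing run on their own, outbound replies wait for a human, and anything unlisted stops the agent. The `ScopeGate` class, the action names and the sample session are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    CONFIRM = "hold for human confirmation"
    STOP = "stop the agent"

@dataclass
class ScopeGate:
    """Default-deny gate between an agent and its tools (hypothetical design)."""
    allowed: frozenset             # actions the agent may take on its own
    needs_confirmation: frozenset  # actions a human must approve first
    halted: bool = False
    audit: list = field(default_factory=list)

    def request(self, action, target, approved_by=None):
        if self.halted:
            decision = Decision.STOP      # stays stopped until a human resets it
        elif action in self.allowed:
            decision = Decision.ALLOW
        elif action in self.needs_confirmation:
            decision = Decision.ALLOW if approved_by else Decision.CONFIRM
        else:
            decision = Decision.STOP      # out of scope: immediate stop
            self.halted = True
        # Monitoring: record every request, its outcome, and who approved it.
        self.audit.append((action, target, decision, approved_by))
        return decision

    def review_queue(self):  # entries a human should look at: holds and stops
        return [e for e in self.audit if e[2] is not Decision.ALLOW]

def run_constructed_session():
    """Replay a constructed action sequence for a supplier-inbox agent."""
    gate = ScopeGate(allowed=frozenset({"read_email", "add_label"}),
                     needs_confirmation=frozenset({"send_reply"}))
    requests = [
        ("read_email", "msg-1", None),
        ("add_label", "msg-1:dispute", None),
        ("send_reply", "msg-1", None),      # agent tries to reply on its own
        ("send_reply", "msg-1", "rachel"),  # a human pressed send
        ("delete_email", "msg-1", None),    # never in scope
        ("read_email", "msg-2", None),      # arrives after the stop
    ]
    return gate, [gate.request(*r) for r in requests]

if __name__ == "__main__":
    print(*run_constructed_session()[0].audit, sep="\n")
```

The gate assumes `approved_by` is filled in by the human-facing approval step, never by the agent itself. If the agent can set that field, the checkpoint is not a checkpoint.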

The line where supervision becomes mandatory

If you are using AI for document drafting, research, and summarization, the insider-threat framing does not apply to your current workflow. It applies when the AI takes actions — sends messages, modifies files, executes code, places orders, updates records. The distinction between AI that informs decisions and AI that makes them is the line where supervision skills become mandatory rather than optional.

Google's framework is also a signal about where things are heading. OpenAI's Record and Replay feature, released the same week (June 18), lets users demonstrate a workflow — clicks, keystrokes, window switches — and converts it into a reusable agent skill for Plus and Pro subscribers. The barrier to creating personal agents just dropped significantly. The supervision skills do not change; the population that needs them just got larger.

Map a current or planned AI workflow and mark every point where a human confirmation step is required before the process continues.

The question to answer before your next agent runs

If Google — with the best AI infrastructure teams in the world — deployed live monitoring for an internal coding agent after one million supervised runs, the reasonable inference is not that the agent was unsafe. It is that Google understands the risk model for autonomous systems well enough to treat monitoring as non-negotiable rather than optional.

The question is not whether your agent will fail. It is whether you will know when it does.
