Google adds User Alignment Critic to Chrome to protect Gemini agentic browsing

Google is adding a new defense layer in Chrome called User Alignment Critic to protect forthcoming agentic browsing features powered by Gemini. Agentic browsing is an AI mode that autonomously performs multi-step web tasks such as navigating sites, reading content, clicking buttons and filling forms. Google had previously announced plans to add agentic browsing capabilities to Chrome via Gemini.

According to Google engineer Nathan Parker, the User Alignment Critic is a separate LLM, isolated from untrusted content, that vets every action the primary agent proposes by examining metadata and independently evaluating safety. If the critic deems an action risky or irrelevant to the user’s goal, it can request a retry or hand control back to the user, Google said.

The company described a layered defense that combines deterministic rules, model-level protections, isolation boundaries and user oversight. One component, called Origin Sets, limits agent access to specific sites and elements. Content from unrelated origins is withheld from the agent, and a trusted gating function must approve any new origin, which is meant to prevent cross-site data leakage.
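A simplified model of the Origin Sets idea described above, as an added example that is not Chrome's code. `OriginSet`, `toOrigin`, the `gate` callback and the `.example` sites are hypothetical names and constructed data; how Chrome's gating function actually decides is not described in the article.

```javascript
// Simplified model of origin-scoped agent access. OriginSet, toOrigin and the
// gate callback are hypothetical names for this example, not Chrome APIs.

// Reduce a URL to its origin; reject anything that is not an https origin.
function toOrigin(url) {
  const u = new URL(url);               // throws on malformed input
  if (u.protocol !== "https:") throw new Error("non-https origin");
  return u.origin;                      // scheme + host + port, exact match only
}

class OriginSet {
  // gate(origin, task) -> boolean is trusted code that runs outside the agent.
  constructor(task, initialUrls, gate) {
    this.task = task;
    this.allowed = new Set(initialUrls.map(toOrigin));
    this.gate = gate;
  }

  // Decide whether the agent may navigate to or act on `url`.
  authorize(url) {
    let origin;
    try { origin = toOrigin(url); } catch (e) { return { ok: false, why: e.message }; }
    if (this.allowed.has(origin)) return { ok: true, why: "in set" };
    if (this.gate(origin, this.task)) {
      this.allowed.add(origin);         // only the gate can grow the set
      return { ok: true, why: "approved by gate" };
    }
    return { ok: false, why: "unrelated origin" };
  }

  // Content from origins outside the set is withheld from the agent entirely.
  visibleContent(frames) {
    return frames.filter((f) => {
      try { return this.allowed.has(toOrigin(f.url)); } catch { return false; }
    });
  }
}

// Constructed sample data: a shopping task and a gate that knows one payment origin.
const gate = (origin) => origin === "https://pay.example";
const set = new OriginSet("buy a kettle", ["https://shop.example/cart"], gate);
const frames = [
  { url: "https://shop.example/item/1", text: "Kettle, 1.7 L" },
  { url: "https://ads.example/banner", text: "third-party ad text" },
];
```

Matching on the parsed origin rather than on a substring of the URL is what keeps a lookalike host such as `shop.example.evil.test`, or the same host on another port, outside the set.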

Chrome will also pause agent activity and prompt the user for confirmation when visiting sensitive sites such as banking portals, or when the Password Manager is needed to sign in. A dedicated classifier will scan pages for indirect prompt-injection attempts, working alongside Safe Browsing and on-device scam detection. Google said it uses automated red-teaming systems that generate test sites and LLM-driven attacks to continuously evaluate defenses, and that fixes can be pushed quickly via Chrome’s auto-update mechanism.

Google is offering bounty payments of up to $20,000 for successful attacks against the new system and invited the security community to help harden the agentic browsing framework. The company added that it prioritizes attacks that could cause lasting harm, such as financial transactions or credential leaks. Google has not specified a public rollout date for the new architecture.