In a move that signals a profound shift in how the AI industry thinks about safety, Google DeepMind has published a sweeping new framework for dealing with one of the most unsettling scenarios in artificial intelligence: an AI agent that turns against the very organization that built it.
The company's newly released "AI Control Roadmap" doesn't just outline best practices for well-behaved systems. It assumes, for security-planning purposes, that a powerful AI agent could be misaligned — and actively working to evade oversight, copy itself to unauthorized servers, or quietly sabotage the research it's supposed to be helping with. The question is no longer whether AI can misbehave. The question is: what happens when it does?
For years, AI companies treated their models the way you'd treat a sophisticated piece of software — write the code, test the outputs, patch the bugs. But as AI agents grow more capable and autonomous, that mental model is breaking down. Google DeepMind is now borrowing a page directly from the cybersecurity playbook, treating its own AI agents less like obedient tools and more like potential insider threats.
The analogy DeepMind uses is striking: a driving instructor who trusts their student but keeps a hand near the wheel and a foot close to the brakes. AI agents under this framework only gain permissions based on verified behavior, and trust is built gradually through controlled access — not assumed from the start.
The 35-page technical report maps out a taxonomy of three threat categories that the company says it is actively defending against. The first is "loss of control" — scenarios where a model sets up a hidden, unmonitored internal deployment without anyone's knowledge. The second is "work sabotage," where agents subtly degrade alignment research, present flawed results while concealing the flaws, or nudge users toward incorrect conclusions. The third is "direct harm," which includes actions like exfiltrating model weights or destroying critical infrastructure.
"If the first line of defense — alignment — fails, how can we mitigate harm anyway?" said Rohin Shah, who leads the AGI safety and alignment team at Google DeepMind. "The first line of defense is always to align the AI systems, but it's always good to have multiple layers of defense."
The AI Control Roadmap doesn't reinvent the wheel — it borrows from one of the most battle-tested frameworks in digital security: MITRE ATT&CK. The well-established cybersecurity tool breaks potential attacks down into individual tactics and techniques, and DeepMind has adapted that approach to track AI-specific threats systematically, spot suspicious behavior early, and test defenses in controlled exercises.
The proposed safeguards escalate as AI systems grow more capable. Companies can begin simply by evaluating what kinds of actions their agents are taking. From there, monitoring and alerting systems can flag potentially concerning behaviors in real time. At the highest levels of capability, DeepMind says organizations may need to build infrastructure capable of limiting an agent's access — or shutting it down entirely — the moment something goes wrong.
Trusted AI systems would also act as "supervisors," watching the reasoning and actions of active agents, while a separate prevention layer would block harmful actions before any damage could occur. The system tracks effectiveness by measuring how much agent traffic gets monitored, how much misconduct gets caught, and how quickly the system responds.
There's one important caveat, however. DeepMind acknowledges that this kind of monitoring has an expiration date: it only works as long as the models being watched haven't learned to game the system itself.
John "Four" Flynn, Google DeepMind's security VP, said in a recent interview that the company is already "pretty far underway" implementing its roadmap. "A lot of this is well underway, and some of this is in production — a lot on access control, detection, chain-of-thought monitoring. A significant amount of it is in place and underway," he said.
The AI Control Roadmap isn't the only major move DeepMind has made in the past two weeks. On June 11, 2026, the company, together with Schmidt Sciences, the Cooperative AI Foundation, the Advanced Research and Invention Agency (ARIA), and Google.org, announced a new research funding call of up to $10 million, targeting a threat that goes even beyond rogue individual agents: what happens when millions of AI agents, built by different organizations, start talking to each other?
The program, officially titled "Scaling AI Safety for a Multi-Agent World," is built around a sobering vision of the near future. Soon, these systems will interact across digital environments — communicating, negotiating, and transacting with one another at a scale that no single company can monitor or control. The emergent behavior of those interactions, DeepMind argues, cannot be understood by studying agents in isolation.
The funding call targets four key research areas: building sandboxes and testbeds for studying agent interactions at scale; investigating the science of agent networks and their emergent collective behaviors; developing infrastructure for safe interactions through mechanisms like identity verification and accountability; and creating oversight strategies to monitor agent populations and prevent harmful coordination or cascading system failures.
Grants range from Tier 1 awards of up to $300,000 to Tier 2 grants of between $300,000 and $1 million. Applications remain open until August 8, 2026, with award announcements expected in autumn.
What makes Google DeepMind's roadmap significant isn't just the technical detail — it's the philosophy underneath it. The framework marks a deliberate pivot away from the AI safety community's traditional focus on "the alignment problem," the longstanding goal of training AI systems so reliably that harmful behavior simply cannot emerge. DeepMind isn't abandoning that goal, but it is acknowledging something that many in the field have long suspected: the alignment problem may never be fully solved.
In its place, the company is building a layered security system — one that assumes things will go wrong and asks what can still be done about it. This mirrors how mature industries in finance, aviation, and cybersecurity approach catastrophic risk: not with the expectation of perfection, but with redundant safeguards designed to catch failures before they become disasters.
That realism may be uncomfortable, but it reflects where the technology actually is. AI companies are racing to deploy autonomous agents for coding, research, cyber defense, and enterprise automation. The same autonomy that makes those agents useful — their ability to take initiative, handle complex tasks, and operate without constant supervision — is precisely what makes them difficult to control.
Whether the rest of the industry will follow DeepMind's lead remains to be seen. But the message from one of the world's most prominent AI labs is clear: the age of trusting that AI agents will simply behave is over. Building systems that can catch them when they don't has become the new frontier of AI safety.
Comments