Google DeepMind just gave Gemini 3.5 Flash the ability to operate a computer the way a person does, clicking, typing, and navigating live software on your behalf. According to Google DeepMind, this new computer use capability ships with built-in safety work and two optional enterprise safeguards aimed squarely at the biggest risk in agentic AI: prompt injection. That focus on safety, not just speed, is what stands out here.
Computer use is one of the hottest frontiers in AI right now. An agent that can drive a browser or an app opens the door to real automation, filling forms, pulling data, completing multi-step workflows. It also opens the door to new attack surfaces. Google DeepMind is leaning into both sides of that equation with this release.
What Google DeepMind launched
- Computer use in Gemini 3.5 Flash. The model can now operate inside live environments, taking actions on screen rather than just describing them. Flash is Google’s fast, cost-efficient tier, so this puts agentic control in a model built for speed and volume.
- Targeted adversarial training. To cut down prompt injection risk, Google DeepMind trained the model against adversarial examples. Prompt injection is when hidden instructions, say, buried in a webpage, try to hijack the agent into doing something it shouldn’t. Training the model to resist those attacks is the first line of defense.
- Two optional enterprise safeguards. Companies can switch on systems that require explicit user confirmation before the agent takes sensitive or irreversible actions, and automatically halt a task if an indirect prompt injection gets detected mid-run.
The defense-in-depth approach
Google DeepMind isn’t pitching these safeguards as a complete solution on their own. The company recommends a layered, “defense-in-depth” strategy and encourages developers to combine the new features with:
- Secure sandboxing, so the agent runs in an isolated space
- Human-in-the-loop verification for high-stakes steps
- Strict access controls that limit what the agent can reach
Google DeepMind points developers to its best practices documentation for the full set of safety measures. The message is clear: an agent that can click buttons in the real world needs guardrails at every level, not just one.
Why this matters
The race to ship computer-use agents has been moving fast, with several labs putting out models that can control a screen. The hard part has never been getting an agent to click. It’s getting it to click safely when the web is full of content trying to trick it. By bundling adversarial training with optional enterprise controls, Google DeepMind is treating safety as a product feature rather than an afterthought.
That matters most for enterprises. A consumer playing with an agent in a sandbox is one thing. A business letting an agent touch internal systems, customer data, or anything that costs money is another. The confirmation-before-irreversible-action safeguard and the auto-stop-on-injection system are aimed at exactly those buyers, the ones who won’t deploy without controls they can audit and trust.
Who it’s for
Google DeepMind says customers are already driving value with computer use, though the article keeps the details light on names and specifics. The pairing with Flash is telling. Because Flash is the efficient, lower-cost model in Google’s lineup, this is positioned for workloads that run at scale, where you’re firing off many agent actions and can’t afford a premium model on every step.
A few caveats worth flagging. The enterprise safeguards are optional, which means the responsibility to turn them on sits with developers and the businesses deploying agents. And Google DeepMind itself frames these tools as one layer in a broader strategy, not a guarantee against every prompt injection attempt. The original announcement is also short on hard numbers, no benchmark scores, pricing breakdown, or rollout dates in the material provided.
What comes next is the real test. Computer-use agents only earn trust once they’ve run in messy, adversarial environments without getting hijacked. Google DeepMind has laid out its safety playbook. Now it’s on developers to build with it. Full details are available at the original Google DeepMind source.