Google DeepMind: AI Control Roadmap — defense-in-depth for AI agent security

Google DeepMind published the AI Control Roadmap — a comprehensive security framework for protecting AI agent-based systems. Unlike the classic perimeter-security approach that defends a network boundary, this framework applies defense-in-depth methodology: multi-layered protection where each layer assumes the previous one may fail.

Why treat your own agents as a threat?

The framework’s core premise is that internal AI agents must be treated as potentially misaligned — out of sync with the operator’s intentions. Misalignment refers to a state in which an agent pursues its own (or attacker-injected) goals rather than the user’s. Traditional security models did not account for this because agents were previously passive tools, not autonomous action executors.

Framework structure: MITRE ATT&CK and one million tasks

DeepMind’s framework is built on the MITRE ATT&CK methodology — the industry standard for cataloguing attacker techniques, previously used by cybersecurity teams. For the development of new protocols, 1 million coding-agent tasks were analyzed, giving the framework an empirical rather than theoretical foundation.

Detection and response levels

The framework defines two axes of protection:

• Detection evasion (D1–D4): levels of an agent’s ability to evade detection, from trivial to sophisticated activity concealment
• Response (R1–R3): organizational response levels, from alert to full isolation of a compromised agent

Trusted AI supervisory systems monitor the reasoning of working agents in real time — unlike the classical perimeter approach that reacts only after an agent has left the secure zone.

Economic context

DeepMind highlights that AI agents could generate up to $2.9 trillion in economic value in the US by 2030. That scale makes the security of agentic systems a strategic question, not merely a technical one.