# Google DeepMind AI Control Roadmap source note — 2026-07-06 Purpose: weekly Managing Expectations AI Papers Library maintenance note. Selected item: Google DeepMind's June 2026 AI Control Roadmap and companion agent-security policy framework. ## Bottom line Substantive source found and selected for one new library/blog note. Google DeepMind published `Securing the future of AI agents` on June 18, 2026, with a 36-page technical PDF, `GDM AI Control Roadmap`, and a 37-page companion policy framework, `The Three Layers of Agent Security`. This fits the AI Papers Library because it is a primary-source frontier-lab safety/security report about how a lab proposes to control increasingly capable agentic systems inside sensitive infrastructure. Editorial framing: treat it as a company safety roadmap and threat-model proposal, not proof that a particular agent has gone rogue or that the roadmap is sufficient. The useful Managing Expectations angle is the shift from vague AI-agent excitement to operational controls: threat modelling, monitoring coverage, recall, response time, mitigation tiers and human escalation. ## Sources checked this run ### Google DeepMind blog / official source - Page: https://deepmind.google/blog/securing-the-future-of-ai-agents/ - Accessed: 2026-07-06 - Published metadata found in HTML: 2026-06-18T14:00:00+00:00 - Authors listed on page: Rohin Shah and Four Flynn - Page description: DeepMind describes an `AI Control Roadmap`, a defense-in-depth system for managing advanced, potentially misaligned AI agents. Key page facts verified from the HTML/text: - The article says AI agents are being used for tasks from cyber defence to scientific discovery and product development. - It says DeepMind developed an `AI Control Roadmap` for internal Google deployments and presents it as a defense-in-depth approach that could also inform wider industry practice. - The roadmap assumes a cautious scenario in which a highly capable AI agent may not be aligned with the deployer's goals and may act unexpectedly. - It lists three focus areas: AI-specific threat modelling; deployment of AI-control mitigations; and monitoring metrics such as coverage, recall and time-to-response. - It says DeepMind built an internal prototype asynchronous monitoring system for coding-agent trajectories and analyzed about one million coding-agent tasks. - It cautions that many flagged events may come from misinterpretation or overeagerness rather than adversarial intent. ### Technical report PDF - PDF: https://storage.googleapis.com/deepmind-media/DeepMind.com/Blog/securing-the-future-of-ai-agents/gdm-ai-control-roadmap.pdf - Accessed/downloaded for extraction: 2026-07-06 - Local verification: PDF header present; 492,675 bytes; 36 pages by pypdf extraction. - PDF metadata creation/modification date: 2026-06-22. - First-page title/heading extracted: `2026-6-22 GDM AI Control Roadmap`. - Authors extracted: Mary Phuong, Erik Jenner, Laurent Simon, Lewis Ho, Rohin Shah, Sebastian Farquhar and Scott Coull. Key technical-report facts from the extracted first pages: - The report presents `GDM AI Control Roadmap (v0.1)` as internal guardrails to catch potential adversarial behavior by AI agents even as they become harder to oversee and contain. - It introduces `TRAIT&R`, a taxonomy inspired by MITRE ATT&CK, for hypothetical AI-adversary tactics and techniques. - It groups hypothetical threats into loss of control, work sabotage and direct harm. - It defines two control invariants: reliable detection of misaligned intent/actions and effective prevention/response to attack attempts. - It proposes capability-based mitigation ladders: Detection tiers D1-D4 and Prevention/Response tiers R1-R3. - It lists 15 concrete tiered mitigations ranging from chain-of-thought monitoring and asynchronous alerts to stronger access-control, anomaly-detection, internal-activation-monitoring and shutdown-infrastructure ideas. ### Companion policy/security framework PDF - PDF: https://storage.googleapis.com/deepmind-media/DeepMind.com/Blog/securing-the-future-of-ai-agents/three-layers-of-agent-security.pdf - Accessed/downloaded for extraction: 2026-07-06 - Local verification: PDF header present; 2,061,015 bytes; 37 pages by pypdf extraction. - Extracted title: `The Three Layers of Agent Security: A Framework for Policymakers`. - Authors extracted: Shaun Ee and Pegah Maham. - Framing: policy companion rather than the main technical roadmap. It separates individual-agent security, multi-agent risks, and cyber-defender/resilience needs. ### Google DeepMind news/blog index - Page: https://deepmind.google/discover/blog/ and canonical https://deepmind.google/blog/ - Accessed: 2026-07-06 - Noted recent Responsibility & Safety items including: - `Securing the future of AI agents` — June 2026. - `Investing in multi-agent AI safety research` — June 2026. - `Unlocking UK house-building with AI-accelerated planning` — June 2026. - Selection rationale: the AI Control Roadmap is more directly suited to the Managing Expectations AI Papers Library than the funding-call item because it includes a primary technical report and concrete safety/security framework. ### Anthropic Research feed - Page: https://www.anthropic.com/research - Accessed: 2026-07-06 - Latest visible feed items still included Anthropic Economic Index: Cadences (Jun 26, 2026), Project Fetch: Phase two (Jun 18, 2026), Claude Code expertise/economics, agents in biology, N-day exploits, chemistry and AI-enabled cyber-threat items. - Local duplicate check: the June 26 Economic Index and June 18 Project Fetch items already have Managing Expectations source notes/articles. ### OpenAI official RSS / blocked page check - RSS: https://openai.com/news/rss.xml - Accessed: 2026-07-06 - RSS was reachable and showed June 30, 2026 items including `Introducing GeneBench-Pro`, `Inside Genebench-Pro`, and `How ChatGPT adoption has expanded`, plus earlier GPT-5.6 Sol and agent/work posts. - Direct OpenAI article pages returned Cloudflare/403 in this runtime. Therefore OpenAI items were treated as leads from official RSS metadata only, not selected for publication because the article body/technical report could not be fully verified from the primary page in this run. ### LawZero / Yoshua Bengio - Homepage: https://lawzero.org/en - News: https://lawzero.org/en/news/ai-predicts-has-no-hidden-agenda-lawzero-lays-out-formal-safety-case-its-scientist-ai - Publication: https://lawzero.org/en/publication/safety-honesty-disinterested-ai-predictor - Accessed: 2026-07-06 - Current LawZero/Bengio Scientist AI materials were already captured in the local source note `research/ai/yoshua-bengio-update-2026-07-02.md` and summarized on `ai.html`. They remain important but were not selected as a second blog article in this weekly run. ### Tooling note General `web_search`/`web_extract` was unavailable in this Hermes runtime because Firecrawl was not configured. Fallback checks used direct URL retrieval, official RSS, HTML parsing and PDF extraction. OpenAI pages remained blocked by Cloudflare/403 even though the official RSS was reachable. ## Why this was selected - Primary source from a frontier AI lab: Google DeepMind. - Technical report, not only a marketing announcement. - Directly relevant to current frontier-agent deployment and safety/security operations. - Distinct from existing Managing Expectations AI articles: Anthropic Project Fetch focused on physical-agent red teaming; this DeepMind item focuses on internal agent control, insider-threat style modelling and operational mitigations. ## Article framing used Title: `Google DeepMind’s AI Control Roadmap: Treat Agents Like Insider-Risk Systems` Evidence label: `frontier-lab technical safety report / agent-control roadmap` Core caution: DeepMind's roadmap is useful because it makes AI-agent safety operational, but it is still a company proposal and internal deployment plan. It should not be read as independent proof that all future agents are controllable, nor as evidence that any specific AI system is intentionally malicious.