The question Google DeepMind is asking isn’t whether AI agents can be made trustworthy. It’s what you build when they aren’t.
Google DeepMind’s AI Control Roadmap, published June 18, 2026, frames agent security as a defense-in-depth problem, not a model improvement problem. The framework adopts what it describes as a defense-in-depth approach, treating model alignment as potentially imperfect and requiring structural containment as a supplement. This is a meaningful conceptual shift. Alignment research asks “can we make the model do the right thing?” The control framework asks “what constraints limit damage if it doesn’t?”
According to Google DeepMind’s published roadmap, the framework identifies 15 system-level defenses. Per the document, these include mechanisms such as delegation protocols, reputation systems, and virtual agent economies: infrastructure-layer controls, not model-layer adjustments. The companion policy guide, “Three Layers of Agent Security,” addresses the problem across three levels: individual agent, multi-agent systems, and the broader digital ecosystem.
Both documents were confirmed accessible at the URLs above at time of production. The accompanying blog post URL was unavailable; direct PDF access is the verified path to the source material.
Verification
Partial. Google DeepMind primary documents (two PDFs confirmed accessible); primary blog post URL unavailable at time of production.
Specific defense details (15 mechanisms, delegation protocols, reputation systems) are attributed to DeepMind's own documents. PDF binary extraction in source verification could not yield readable text from provided excerpts. Claims represent attribution to primary source, not independently confirmed content.
The roadmap cites research projecting AI agents could generate $2.9 trillion in U.S. economic value by 2030. The underlying research isn’t independently identified in the document, so treat that figure as DeepMind citing unnamed external analysis, not a confirmed independent projection.
Why it matters for practitioners. This isn’t a research paper. It’s a production guidance document from one of the three organizations most actively deploying frontier agents at scale. When DeepMind publishes a framework saying “assume alignment may fail, build containment infrastructure accordingly,” teams deploying autonomous agents should treat that as a signal from an organization with direct deployment experience.
The three-layer structure (individual agent, multi-agent orchestration, digital ecosystem) maps directly to where production failures occur. Individual agents hallucinate tool calls. Multi-agent systems amplify errors through orchestration loops. Ecosystem-level risks involve supply chain compromises and identity spoofing across agent boundaries. That the framework addresses all three in a single publication is notable.
Context. This lands in an unusually dense week. Databricks published its Omnigent agentic governance framework on June 15. Beyond Identity released its Ceros agent identity framework on June 16. Hugging Face and a coalition including Microsoft and Google published the Agent Resource Discovery specification on June 17, covered in yesterday’s TJS brief. Four distinct frameworks addressing overlapping layers of agent security in four days. The convergence isn’t coincidental.
Unanswered Questions
- Which of the 15 defenses are implementable with current agent framework SDKs versus requiring custom infrastructure?
- How do delegation protocols function across organizational boundaries, when Agent A from Org 1 calls Agent B from Org 2?
- What audit trail evidence would satisfy the ecosystem-level controls described in the policy guide?
What to watch. None of these frameworks are currently mandatory. They’re advisory. The EU AI Act’s provisions for high-risk agentic systems are the nearest regulatory forcing function. Watch for whether any of these voluntary frameworks get referenced in formal regulatory guidance; that’s the transition from “recommended” to “expected.”
TJS synthesis. DeepMind’s control framework is worth reading before your next agentic deployment review. The 15-defense taxonomy in the roadmap PDF gives teams a concrete checklist against which to evaluate their current architecture, not because it’s regulatory, but because it’s from practitioners who’ve built what you’re building. The practitioner gap nobody addresses yet: most of these defenses require infrastructure that doesn’t ship with any current agent framework out of the box. The gap between the roadmap’s recommendations and what any vendor’s SDK currently provides is where real security work starts.