
Google Cloud unpacks governance challenges of AI agents

With AI agents poised to act as digital co-workers, Google Cloud’s Michael Gerstenhaber argues that IT leaders must rethink identity management, security, and observability to build trust in the technology

An artificial intelligence (AI) agent can’t tell you how much a server costs if it can’t access the price list. But when that price list is highly restricted corporate data, governing which agents can see it – and proving they won’t misuse it – has become one of the toughest problems in enterprise AI.

In a recent interview with Computer Weekly, Michael Gerstenhaber, vice-president of product management for agent platform at Google Cloud, illustrated the challenge using an internal Google example involving two generations of tensor processing unit (TPU) hardware, codenamed Viperfish and Ghostfish.

Gerstenhaber noted that if a user asks an AI agent to calculate the financial conversion ratio between the two systems, the agent cannot simply guess – it requires access to a highly restricted internal rate card.

“That rate card is very sensitive, and you have to have a certain level of privilege to see it,” he explained. “It’s only through identity, permissioning, audit, and observability that I’ll ever be comfortable giving my virtual employee access to sensitive data – because that’s how we treat real employees.”

Indeed, scaling autonomous AI agents requires looking beyond the capabilities of smarter frontier models. Success hinges on how well an organisation embraces AI governance practices, including agent lifecycle management and data access policies, to build trust in the technology.

‘Safe by default’ and preventing data exfiltration

Gerstenhaber advised organisations to approach agentic AI security with a philosophy that mirrors human corporate accountability: software must be safe by default.

“An employee should have to show good judgment, and that means an agent should have to show good judgment,” he said. “If an employee tries to maliciously exfiltrate data, they should be held accountable – but if they don’t try, it should still be very, very hard to exfiltrate data.”

To enforce this, Google Cloud has deployed an agent gateway that allows administrators to set overarching corporate policies. This defence-in-depth approach combines dedicated agent registries, skills libraries, and a model context protocol (MCP) registry. Together, these tools ensure that even if an AI agent builds a flawed workflow, the enterprise-wide policy will step in to block unauthorised access.

“If you’re going to access a sensitive database, you really want to do it the same way every time, and you want that to be governed,” Gerstenhaber noted.

Managing agent vs human identities

While AI agents have been described as digital workers, governing agents is completely different from people management. Blending human and agent management into a single dashboard presents unique challenges because their risk profiles are fundamentally different, Gerstenhaber said.

“Agents are infinitely scalable, and Michael is not. Agents are not afraid of getting fired, but Michael is afraid of getting fired,” Gerstenhaber joked. “The amount of judgment you allow them to express is different, and that has to be contemplated in the permissions you give them.”

Managing these permission levels requires strict compartmentalisation. For instance, an AI agent might be granted access to a specific secret document to fulfil a task, while simultaneously being blocked from top-secret files that its human manager is cleared to see.


The observability dilemma

Maintaining visibility into an agent’s decision-making process is another bugbear. Drawing on his previous experience at observability specialist Datadog, Gerstenhaber pointed to the use of distributed tracing to track agentic workflows. Through this, administrators can audit exactly what an agent did, which tools it selected, its permission status during a query, and even the internal “thoughts” of the model.
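The gateway policy, compartmentalised permissions and audit trace described above can be shown together in a small model. This is an added illustration, not Google Cloud's gateway or Model Armor code; the identity names, clearance levels, tools and resources are constructed for the example, and it treats the agent's effective clearance as the weaker of its own and its human manager's, so an agent never inherits what its manager can see.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed example (not Google Cloud's code): an agent gateway that checks an
# agent's own permissions, never its human manager's, and logs each decision.
LEVELS = {"public": 0, "internal": 1, "secret": 2, "top-secret": 3}
@dataclass
class Identity:
    clearance: str                                 # highest level it may read
    tools: Set[str] = field(default_factory=set)   # skills an agent may invoke

class AgentGateway:
    def __init__(self) -> None:
        self.agents: Dict[str, Identity] = {}      # agent registry
        self.humans: Dict[str, Identity] = {}      # human directory
        self.resources: Dict[str, str] = {}        # resource -> classification
        self.trace: List[dict] = []                # audit trace of decisions

    def _decide(self, agent_id, human_id, tool, resource) -> Optional[str]:
        # Returns a denial reason, or None when policy is satisfied.
        agent, human = self.agents.get(agent_id), self.humans.get(human_id)
        level = self.resources.get(resource)
        if agent is None:
            return "agent not in registry"
        if human is None:
            return "unknown human principal"
        if level is None:
            return "resource not classified"       # deny by default
        if tool not in agent.tools:
            return "tool not in agent skill set"
        # Effective clearance is the weaker of agent and human: the agent
        # never inherits what its human manager is cleared to see.
        if LEVELS[level] > min(LEVELS[agent.clearance], LEVELS[human.clearance]):
            return f"{level} data exceeds effective clearance"
        return None

    def access(self, agent_id: str, human_id: str, tool: str, resource: str) -> bool:
        reason = self._decide(agent_id, human_id, tool, resource)
        self.trace.append({"agent": agent_id, "on_behalf_of": human_id,
                           "tool": tool, "resource": resource,
                           "allowed": reason is None, "reason": reason})
        return reason is None

def demo_gateway() -> AgentGateway:
    # Constructed identities and resources for illustration only.
    gw = AgentGateway()
    gw.humans["manager"] = Identity("top-secret")
    gw.agents["pricing-agent"] = Identity("secret", {"read_rate_card"})
    gw.resources.update({"tpu_rate_card": "secret", "board_minutes": "top-secret"})
    return gw
```

Every call to `access` leaves a trace entry with the agent, the human it acted for, the tool, the resource and the reason, which is the record an auditor would read back.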

However, presenting that dense telemetry to business leaders requires careful design. “The difficulty is not scaring the person who’s trying to interpret it,” Gerstenhaber said. A sales manager, for example, shouldn’t have to grapple with complex, technical diagrams just to understand what an AI assistant is doing.

On the security front, Google Cloud relies on Model Armor to protect production deployments. Operating entirely out-of-band, Model Armor monitors live interactions between the application programming interface (API) generating the prefill and what gets decoded during inference. Because it operates outside the reach of the engineers who built the agent, it can independently guard against prompt injections and toxicity without internal interference.

Agents may never be decommissioned

When asked how enterprises should manage the agentic lifecycle, specifically commissioning, retraining, and retiring AI agents, Gerstenhaber offered a different perspective: they might never need to be retired at all.

Because the underlying foundation model powering an agent remains immutable after release, correcting the agent’s operational behaviour is a matter of adjusting what it is given at runtime rather than retraining the model, and that can be done continuously without taking the system offline.

“You don’t even have to decommission it, really,” Gerstenhaber said. By using observability traces, human managers or automated “judges” powered by large language models can flag poor interactions and feed corrections directly back into the agent’s memory.

“It’ll improve with that kind of online learning and ‘fine-tune’ the bad behaviour out of the model during runtime. It’ll get smarter and more precise even though the model itself is trained within the same generation,” he added.

Driving towards ‘elastic intelligence’

The ultimate goal of governed, continuously learning agents is what Gerstenhaber terms elastic intelligence. For enterprise IT, this changes how work is resourced. Instead of complex tasks being bottlenecked by human hours, AI agents allow businesses to scale their operational capacity dynamically.

“We take something that takes time, and instead it takes space or money – but it can be done infinitely quickly for the same budget,” he said.

To realise this vision, Google Cloud is developing advanced capabilities, such as the upcoming Gemini Spark personal AI agent designed to run autonomously. Rather than assigning granular, step-by-step tasks, human workers will direct Spark agents based on high-level business objectives.

“For that to happen, you have to get comfortable giving it permissions upfront so that it can run autonomously,” Gerstenhaber said. Once that trust is established, the enterprise gains a workforce that “never gets bored, never sleeps, and can do a lot of highly complex work on my behalf all the time.”
