Logan for Waxell

Posted on • Originally published at waxell.ai

Gemini Intelligence Governance: The Enterprise Gap Google I/O Won't Mention

Tomorrow, Google will take the stage at I/O 2026 and make Gemini Intelligence sound like the only reasonable future for Android. They're not wrong. Autonomous AI agents running natively on phones — reading what's on your screen, navigating across apps, completing multi-step tasks without a tap — is a genuine capability leap. Google has shipped it cleanly.

What the keynote won't cover: if your employees use Gemini Intelligence on corporate Android devices, you now have autonomous agents operating inside your enterprise without a governance layer.

Not a light governance gap. A structural one.

Agentic governance is the set of runtime policies and enforcement mechanisms that define and constrain what AI agents can access, spend, and do — independent of the agent's own reasoning. It operates at three layers: policy definition (the rules), runtime enforcement (policies that fire before actions execute), and audit (documenting every governance decision for accountability). It is not observability. Observability tells you what happened. Governance determines what's allowed to happen.

Google has built excellent agentic governance for agents you build on its cloud. Gemini Intelligence — the agent running on your employees' phones this summer — ships with something different: user controls. Well-designed for consumers. Structurally insufficient for enterprise.


What Is Gemini Intelligence, Exactly?

Gemini Intelligence is Google's agentic layer for Android, announced May 12 at The Android Show pre-I/O event and launching on the latest Pixel and Samsung Galaxy devices this summer before rolling out to Android broadly. It is Google's implementation of "computer use" — the agent reads what's on your screen, understands context, and acts autonomously across apps to complete tasks.

In practice: a user asks Gemini to turn a grocery list into a delivery order, fill out a multi-step form across several apps, book a reservation using calendar context, or run workflows that would otherwise require a human to manually navigate through three or four screens. The agent has session-level memory, cross-app access, and the ability to take real-world actions on the user's behalf without asking again at each step.

This is not a chatbot that answers questions. It is an action-capable agent shipping at consumer scale — hundreds of millions of Android devices.

Google's own threat intelligence team documented the risk context directly: malicious prompt injection attempts against AI agents and AI-enabled web services increased 32% between November 2025 and February 2026. Google's research, which scanned the CommonCrawl web archive, found that most of these attempts were still low sophistication — individual website authors running experiments rather than coordinated attacks — but the directional trend matters: the attack surface is growing as agents with real-world tool capabilities become more widespread targets. Separately, security firm ESET disclosed a proof-of-concept Android malware strain called "PromptSpy" that exploits Gemini to automate its persistence mechanism — described as the second known case of AI-driven mobile malware. ESET has not detected PromptSpy in product telemetry and confirmed widespread in-the-wild deployment has not been observed. It is a research finding, not yet an active mass threat — but the technique it demonstrates is real.


What Governance Google Provides — and What It's Designed For

Google shipped real consumer-facing controls with Gemini Intelligence, and they're well-designed for their intended audience.

Users get explicit opt-in authorization — Gemini cannot automate an app you haven't approved. A persistent notification chip appears at the top of the screen whenever automation is active. The Android Privacy Dashboard is being enhanced to show which AI assistants were active and which apps they touched in the last 24 hours. Core security architecture is open-source and third-party audited. Purchases require user confirmation before Gemini executes them.

These controls answer the consumer question: does the user know what the agent is doing, and can they stop it?

They do not answer the enterprise question: can IT define policy for what the agent is allowed to do across all employee devices, enforce that policy at runtime, and produce a compliance-grade audit trail of what the agent did?

The answer is no. Not through Gemini Intelligence on Android.


What's Missing for Enterprise Deployments

When an enterprise deploys Android to its workforce, it can manage apps, enforce MDM policies, restrict network access, and control device enrollment. What it cannot do — through Gemini Intelligence — is any of the following.

Set organizational agent policies. There is no IT admin console where a security team can specify that Gemini agents on corporate devices may not touch files in particular directories, may not auto-complete forms in apps that handle customer data, or must trigger a human-approval step before acting on any CRM-connected workflow. User opt-in is not IT policy enforcement.

Enforce fleet-level kill switches. If a new prompt injection attack vector surfaces and the security team needs to halt Gemini Intelligence activity across its entire Android fleet in response — there is no organizational kill switch. The controls live at the user level.

Audit what the agent did on behalf of the enterprise. The Android Privacy Dashboard shows users their last 24 hours of AI activity. That's a privacy transparency feature. It is not an enterprise audit trail — immutable, exportable, attributable to a session, a policy state, and a user identity in a format a compliance reviewer can actually use.

Define cross-app scope limits. An enterprise might legitimately want Gemini Intelligence available for productivity tasks while blocking it from operating in apps that touch source code, financial records, or customer PII. That boundary does not exist as a configurable enterprise policy.

Note what this list is not: it's not a criticism of Google's consumer product. Gemini Intelligence's user controls are good. The problem is that enterprise governance is a different category than consumer privacy controls, and the two aren't substitutes.


Google Has the Answer — for a Different Product

Google does have enterprise-grade agentic governance. It's called the Gemini Enterprise Agent Platform, and it includes Agent Identity (cryptographic per-agent identities with scoped authorization policies), Agent Gateway (policy enforcement and prompt injection protection for all agent-to-tool and agent-to-agent connections), and Agent Registry (a central catalog of approved agents and MCP servers with enforced metadata). This is serious infrastructure, announced at Google Cloud Next '26 in April.

The Gemini Enterprise Agent Platform governs agents you build and deploy on Google Cloud. It is not a governance layer for Gemini Intelligence running on employee Android devices. The two products live in different parts of Google's stack.

This is the gap: Google's enterprise governance tools assume you built the agent. Gemini Intelligence is an agent you didn't build, running on your fleet, acting on behalf of your employees.

Only 36% of organizations have a centralized approach to agentic AI governance, according to Google's own 2026 AI Agent Trends Report. Just 12% use a centralized platform to maintain control over AI sprawl. Gemini Intelligence's rollout this summer will expand that exposure significantly before most enterprise security teams have a plan for it.


What Happens When Gemini Intelligence Gets Prompt-Injected?

Google's security framework documents the risk: when Gemini operates with tool-use capabilities, injected instructions from malicious content — a poisoned web page, a crafted document, a message in a third-party app — can trigger real-world actions. Google has built safeguards at the Android layer to catch this, similar to Chrome's auto-browse protections.

But for enterprise deployments, the risk calculus differs from consumer use. A successful prompt injection against Gemini Intelligence on an employee's corporate device isn't just a personal inconvenience. It's a potential unauthorized action inside the enterprise: a form submitted, a file attached, a message sent from a work identity to an external system. Prompt injection is an agent-layer problem — it targets the reasoning system, not just the access layer — and user-level opt-in settings are not a defense against it. Current observed attempts are mostly low sophistication; that won't remain true as agents proliferate and the payoff from exploitation grows.

Enterprise governance requires policies that intercept actions before they execute, independent of what the agent decides to do. That's the layer missing from Gemini Intelligence.
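The pre-execution interception described above, as an added example (not Waxell's or Google's code): a policy decision point that rules on each proposed agent action from organizational policy alone and writes a hash-chained audit record tying the verdict to user, session and policy version. The policy fields, app ids and function names are hypothetical, and the hash chain makes the log tamper-evident rather than immutable.

```python
import hashlib
import json

# Constructed policy: app ids, field names and the version string are hypothetical.
POLICY = {
    "version": "constructed-v1",
    "kill_switch": False,                                   # fleet-level halt
    "blocked_apps": {"com.example.sourcecontrol", "com.example.ledger"},
    "approval_apps": {"com.example.crm"},                   # human approval first
}
REQUIRED = ("user", "session", "app", "op")

def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; each record commits to the previous one's hash."""
    def __init__(self):
        self.records = []

    def append(self, entry: dict) -> None:
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = dict(entry, prev=prev)
        self.records.append(dict(body, hash=_digest(body)))

    def verify(self) -> bool:
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or rec["hash"] != _digest(body):
                return False
            prev = rec["hash"]
        return True

def decide(policy: dict, action: dict, log: AuditLog) -> str:
    """Rule on a proposed action before it runs; the agent's reasoning is not an input."""
    if any(k not in action for k in REQUIRED):
        verdict, rule = "deny", "malformed_action"          # fail closed
    elif policy["kill_switch"]:
        verdict, rule = "deny", "kill_switch"
    elif action["app"] in policy["blocked_apps"]:
        verdict, rule = "deny", "blocked_app"
    elif action["app"] in policy["approval_apps"]:
        verdict, rule = "needs_approval", "approval_app"
    else:
        verdict, rule = "allow", "default"
    log.append({**{k: action.get(k) for k in REQUIRED}, "verdict": verdict,
                "rule": rule, "policy_version": policy["version"]})
    return verdict
```

Every verdict, including denials and malformed requests, is logged before the caller acts on it, so the audit trail records governance decisions rather than only completed actions.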


How Waxell Connect Handles Agents You Didn't Build

This is the use case Waxell Connect was built for: governing AI agents you didn't write.

Waxell Connect enforces governance policies on external and third-party AI agents — agents whose code you don't control — without requiring an SDK, code changes, or access to the agent's internals. No rebuilds. You define policies across 26 policy categories, including Content (filter what data the agent can see), Control (require human approval for specific actions), Kill (terminate sessions that exceed behavioral boundaries), Cost (cap what the agent can spend per session), and Quality (enforce output constraints). Waxell Connect enforces them at the boundary between agent and system.

For enterprise Android fleets running Gemini Intelligence, this means an IT security team can set organizational governance rules that apply to Gemini agents operating on behalf of employees — across every device, every session, without modifying the Android installation or waiting for Google to ship an enterprise controls update.

The audit trail is a first-class output. Every governance decision — every policy evaluation, every action allowed or blocked — is captured with full session context in a format built for compliance review, not debugging. That's the documentation that matters when a regulator or auditor asks what your agents were doing. (For what a complete compliance audit trail for agents looks like in practice, see our detailed breakdown.)

Waxell Runtime handles the other half of this: if your team is building agentic workflows that interact with the same enterprise systems that Gemini Intelligence touches, Runtime provides the policy enforcement and durable execution layer for the agents you're running directly. The same 26 policy categories. The same audit trail. Two-line initialization against 200+ framework and provider libraries.

The "wait for Google to ship enterprise controls for consumer Gemini" strategy is a plan to be ungoverned during the period when agent adoption is accelerating fastest. Tomorrow's I/O keynote will not retroactively govern the fleet you already have.

Get access at waxell.ai →


Frequently Asked Questions

What is Gemini Intelligence?
Gemini Intelligence is Google's agentic AI layer for Android, announced May 12, 2026 at The Android Show pre-I/O event. It functions as a "computer use" agent — reading screen content, navigating apps autonomously, and completing multi-step tasks on the user's behalf without manual input at each step. It launches on the latest Pixel and Samsung Galaxy devices in summer 2026 before rolling out to Android devices broadly.

Is Gemini Intelligence safe for enterprise use?
Google has built consumer-grade safety controls: per-app opt-in authorization, an active session notification chip, a 24-hour AI activity dashboard, and purchase confirmation gates. These are user-facing controls. Enterprise governance requires organizational policy enforcement, fleet-level kill switches, and a compliance-grade audit trail — capabilities that do not ship with Gemini Intelligence on Android.

What is the enterprise governance gap with Gemini Intelligence?
IT administrators cannot define organizational policies for what Gemini agents can do on corporate devices, cannot enforce kill switches at the fleet level, and cannot produce a compliance-grade audit trail of Gemini agent activity. Google's enterprise governance stack (Gemini Enterprise Agent Platform) governs agents you build on Google Cloud. It does not govern Gemini Intelligence on Android.

How do you govern AI agents you didn't build?
Waxell Connect governs external and third-party AI agents without requiring SDK integration or code changes. You define policies across 26 policy categories — including Content, Control, Kill, Cost, and Quality — and Waxell Connect enforces them at the boundary between agent and system.

What is the prompt injection risk with Gemini Intelligence?
Google's own threat intelligence found a 32% increase in malicious prompt injection attempts against AI agents and AI-enabled services between November 2025 and February 2026 — though most observed attempts were low sophistication, with researchers characterizing them as experiments rather than coordinated attacks. When an agent has tool-use capabilities, a successful injection can trigger real-world actions. ESET has disclosed a proof-of-concept malware strain ("PromptSpy") that demonstrates Gemini being exploited to automate persistence — the second known example of this attack class. ESET has not confirmed widespread in-the-wild deployment; it remains a research finding. Enterprise deployments need policy enforcement that operates independently of user-level controls and intercepts actions before they execute — because the direction of travel is clear even if mass exploitation hasn't arrived yet.

What does "agentic governance" mean?
Agentic governance is the set of runtime policies and enforcement mechanisms that define what AI agents can access, spend, and do — independent of the agent's own reasoning. It covers policy definition, runtime enforcement (before actions execute), and audit (every governance decision recorded for accountability). It is distinct from observability, which shows what an agent did after the fact.

