Google: Gemini 3 in Chrome adds an agentic ‘auto browse’ workflow

2026-01-30 • Category: Security

Google published details on a bigger “Gemini in Chrome” update: a persistent side panel assistant plus an agentic mode called Chrome auto browse that can handle multi-step web chores (forms, scheduling, research, shopping flows) on a user’s behalf — with explicit confirmations for sensitive actions.

What’s new

• Gemini side panel: a persistent assistant alongside your current tab for comparison, summarization, and “too-many-tabs” workflows.
• Connected Apps in Chrome: integrations with Google services (Gmail, Calendar, Maps, Flights, etc.) to pull context into browsing tasks (opt-in).
• Auto browse: an agentic feature that can perform multi-step actions like researching options across date ranges, filling forms, collecting documents, and managing subscriptions.
• Credential use: auto browse can optionally rely on Google Password Manager for sign-in-required tasks (user permission required).
• Commerce standard: Google says Chrome will support its “Universal Commerce Protocol (UCP)” to help agents take actions across retailer flows.

Why it matters

• This is a clear shift from “assistive chat” to action-taking agents embedded in a mainstream browser — which will accelerate automation adoption beyond power users.
• It also enlarges the attack surface: agentic browsing creates new prompt-injection and transaction-manipulation opportunities (malicious pages, hidden instructions, dark patterns).
• For teams: expect browser-based agents to become a new “shadow automation” channel — similar to how macros and RPA spread, but faster.

What to do (if you run security/IT/automation)

1. Update your threat model: treat “browser agents” as a new class of privileged automation with access to sessions, cookies, and enterprise web apps.
2. Define guardrails: set policy for which workflows are allowed (payments, HR actions, admin portals) and require step-up auth for sensitive flows.
3. Instrument approvals: prefer designs that require explicit confirmation before writes (purchases, posts, credential changes) and log those confirmations.
4. Segment identity: use separate browser profiles / accounts for agentic tasks; avoid running agents inside your primary “everything” session.
5. Test prompt-injection resilience: run internal red-team exercises where a page tries to steer an agent to exfiltrate data or alter a transaction.

Sources

• Google (Chrome): The new era of browsing: Putting Gemini to work in Chrome
• Google (DeepMind): Introducing Agentic Vision in Gemini 3 Flash
• Google Security Blog (referenced in the Chrome post): Architecting security for agentic systems