Google Cloud Security and Governance for AI Agents

Written by
Javier Martin Lopez
May 19, 2026

Securing the AI Frontier: Google Cloud's Blueprint for Agent Identity and Governance

A few weeks ago, the team at Cloudasta was at Google Next 2026. The session I attended, led by Abhishek Hemrajani, a Senior Director, Product Management at Google Cloud, was in my personal opinion the most interesting and exciting one of the entire conference. 

As it is for many of you, cybersecurity concerns and governance regarding AI and the agentic transformation have been a top point of discussion and concern for our team. We are currently facing a critical divide: AI technology is advancing at an exponential rate, while organizations and traditional security frameworks tend to evolve at a much slower, linear pace. This gap between the rate of technological change and our ability to secure it is the defining cybersecurity challenge of our time.

This is what we learned Google is rolling out to tackle these challenges head-on.

The End of Traditional IAM

During the presentation, Abhishek detailed a fundamental transformation in how organizations must secure their cloud environments. With non-human and AI agent identities now outnumbering human identities by an astonishing 82 times, traditional Identity and Access Management (IAM) frameworks built in the 2010s are officially obsolete.

Because we are now dealing with autonomous agents moving at machine speed, Abhishek pointed out a harsh reality: security needs to be algorithmic, too. To safely govern these applications and match that automated pace, Google Cloud is introducing a comprehensive agent security and governance platform built upon several foundational pillars.

The Shift to Ephemeral Agent Identities

The foundation of this new security stack is a decisive move away from traditional service accounts. Because 43% of AI agents already possess sensitive or over-provisioned permissions, relying on standard service accounts, which can easily be shared across multiple workloads and possess independent lifecycles, presents a massive attack vector.

To mitigate this, Google has introduced Agent Identity.

  • Cryptographic Binding: These identities are cryptographically attested and bound exactly 1:1 to an agent's specific runtime environment.
  • Ephemeral Lifecycles: They are entirely ephemeral, automatically provisioning when the workload spins up and vanishing when the workload shuts down. This prevents credentials from being copied or passed around.
  • General Availability & Previews: Google announced the general availability of Agent Identity for agent-native deployments, alongside previews for Gemini Enterprise and a new Agent Identity OAuth Manager designed to securely handle delegated authentication flows without exposing credentials to the agent itself.

These new identities support the three primary ways agents work: collaborating with human users, operating with their own autonomous agency, and acting via delegated authority on a user's behalf.

Defense-in-Depth: Agent Access Boundaries and Policies

Once an agent has a secure identity, its access must be heavily governed. To accomplish this, Google is rolling out highly granular tools that go beyond basic allow-and-deny permissions:

  • Unified Access Policies (UAP): This upcoming feature dramatically simplifies security configuration by combining "allow" rules, "deny" rules, contextual conditions, and Human-in-the-Loop (HITL) approval workflows into a single, reusable policy specification.
  • Principal Access Boundaries (Agent Access Boundaries): Even if an agent is granted extensive baseline permissions, this feature allows administrators to construct an absolute geographical or environmental fence around it. For example, a developer can ensure that an agent testing automated virtual machine deletion is strictly barred from interacting with any production environments, regardless of its baseline access.
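The evaluation order implied by the two items above, modelled as an added example (this is not Google's policy schema or API, and not code from the session). The `Rule` and `Policy` classes, the decision strings, the `change_window` and `approved_by` context keys, and the project names are all hypothetical.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Optional

@dataclass
class Rule:
    effect: str                       # "allow" or "deny"
    actions: list
    resources: list
    condition: Optional[Callable[[dict], bool]] = None  # contextual condition
    needs_approval: bool = False      # human-in-the-loop gate on an allow rule

@dataclass
class Policy:
    boundary: list                    # resources the agent may ever touch
    rules: list

def _match(patterns, value):
    return any(fnmatchcase(value, p) for p in patterns)

def evaluate(policy, action, resource, ctx):
    # 1. The boundary is checked first; no allow rule can widen it.
    if not _match(policy.boundary, resource):
        return "DENY:outside_boundary"
    hits = [r for r in policy.rules
            if _match(r.actions, action) and _match(r.resources, resource)
            and (r.condition is None or r.condition(ctx))]
    # 2. Any matching deny wins over every allow.
    if any(r.effect == "deny" for r in hits):
        return "DENY:explicit"
    allows = [r for r in hits if r.effect == "allow"]
    # 3. No matching allow means default deny.
    if not allows:
        return "DENY:default"
    # 4. Modelling choice: one approval-gated allow is enough to require sign-off.
    if any(r.needs_approval for r in allows) and not ctx.get("approved_by"):
        return "PENDING_APPROVAL"
    return "ALLOW"

# Constructed sample: grants written against every project, fenced to test ones.
POLICY = Policy(
    boundary=["projects/test-*"],
    rules=[
        Rule("allow", ["compute.instances.list", "compute.instances.get"], ["projects/*"]),
        Rule("allow", ["compute.instances.delete"], ["projects/*"],
             condition=lambda c: c.get("change_window", False), needs_approval=True),
        Rule("deny", ["compute.instances.delete"], ["projects/*/instances/golden-*"]),
    ],
)
```

The VM-deletion agent from the example above gets `DENY:outside_boundary` for any production resource even when the request is approved, because the fence is evaluated before any grant.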

Out-of-the-Box Guardrails via Security Command Center

To give administrators deep visibility into their AI footprint, the Security Command Center (SCC) is now enabled by default for all Google Cloud customers.

Serving as the central hub for AI security posture, SCC delivers agentless discovery of an organization's entire inventory of agents, models, and data stores. SCC continuously monitors these deployments, actively flagging toxic combinations of permissions, uncovering software vulnerabilities hidden in agent packages, and providing active threat detection for suspicious behaviors like privilege escalation attempts.

Runtime Defense: Treating Agents as Insider Threats

Perhaps the most crucial paradigm shift is acknowledging that autonomous agents act as inherent insider threats. Because they operate relentlessly at machine speed, an agent does not need to be malicious or compromised to cause catastrophic damage; a simple logic error or misinterpretation of data can be enough.

To enforce zero trust during runtime, the platform employs two core defenses:

  • Model Armor: This inline security layer acts as a shield for all interactions flowing to and from the agent. Without requiring changes to the application logic, Model Armor screens inputs and outputs to block dangerous content, redact sensitive Personally Identifiable Information (PII), and neutralize both direct and indirect prompt injection attacks.
  • Anomaly Detection: By utilizing behavioral profiling (User and Entity Behavior Analytics for agents), the system establishes an operational baseline for what the agent normally does. If an agent suddenly deviates from this baseline, acting erratically or attempting unauthorized actions, IAM functions as an automated "circuit breaker." It immediately halts the anomalous activity rather than waiting for human security teams to investigate and react.
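A minimal model of the baseline-then-halt behaviour described under Anomaly Detection, as an added example (not Google's detection logic or API). The event tuples, action names, 60-second window, and `rate_slack` factor are constructed assumptions.

```python
from collections import deque

def learn_baseline(history, window_s=60):
    """history: (ts, action, resource_class) tuples observed during normal runs."""
    seen = {(a, r) for _, a, r in history}
    peak, recent = 0, deque()
    for ts, _, _ in sorted(history):
        recent.append(ts)
        while ts - recent[0] >= window_s:      # slide the rate window forward
            recent.popleft()
        peak = max(peak, len(recent))
    return {"seen": seen, "peak": peak, "window_s": window_s}

class CircuitBreaker:
    """Sits in the authorization path; once open, every request is refused."""
    def __init__(self, baseline, rate_slack=2.0):
        self.base = baseline
        self.limit = baseline["peak"] * rate_slack   # tolerated burst above baseline
        self.recent = deque()
        self.tripped = None                          # reason string once open

    def authorize(self, ts, action, resource_class):
        if self.tripped:
            return False                             # stays open until a human resets it
        self.recent.append(ts)
        while ts - self.recent[0] >= self.base["window_s"]:
            self.recent.popleft()
        if (action, resource_class) not in self.base["seen"]:
            self.tripped = f"unseen:{action}:{resource_class}"
        elif len(self.recent) > self.limit:
            self.tripped = "rate"
        return self.tripped is None

# Constructed history: a helpdesk agent reading and commenting on tickets.
HISTORY = ([(t, "tickets.read", "helpdesk") for t in range(0, 200, 20)] +
           [(t, "tickets.comment", "helpdesk") for t in range(5, 200, 60)])
BASELINE = learn_baseline(HISTORY)

def replay(events, baseline=BASELINE):
    """Run live events through a fresh breaker; return decisions and trip reason."""
    cb = CircuitBreaker(baseline)
    return [cb.authorize(*e) for e in events], cb.tripped
```

Requests that arrive after the trip are refused even when they match the baseline, which is what separates a circuit breaker from per-request alerting.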

The Path Forward

By combining ephemeral, cryptographically secure identities with rigorous access boundaries, deep environment visibility, and automated runtime defenses, Google Cloud is re-engineering its security stack from the ground up. This holistic approach ensures that businesses can deploy rapid AI innovation without compromising on the governance or algorithmic safety required to protect the modern cloud.

As Google continues rolling out these updates over the coming months, our team at Cloudasta will be right on top of them. We are committed to making sure our customers take full advantage of all the free tools and capabilities Google has to offer here, ensuring your AI deployments remain as secure as they are innovative.
