Most enterprises treating Google Gemini as a simple API call are misunderstanding their actual exposure.
Google Gemini enterprise security is not a single problem. It spans five distinct attack surfaces: the Gemini API, Vertex AI and Agent Builder, Google Workspace AI (Gmail, Docs, Drive, Calendar), the Agent Gateway, and the identity layer connecting them all. A security team that hardens one surface while ignoring the others leaves exploitable gaps that researchers have already demonstrated in 2025 and 2026.
This guide covers the threat model security teams need, the real vulnerabilities found in active deployments, and the specific controls that close gaps Google's own documentation does not address.
Key Takeaways
- Google Gemini enterprise deployments span at least five distinct attack surfaces, each requiring specific security controls
- Three critical vulnerabilities were disclosed in 2025-2026: GeminiJack (zero-click data exfiltration), a CVSS 10.0 Gemini CLI flaw enabling RCE in CI/CD pipelines, and a silent API key scope expansion affecting 3,000+ keys
- The default Vertex AI service account (P4SA) grants overly broad permissions; attackers can exploit this via prompt injection to access unintended storage and Workspace data
- Google Cloud Next 2026 introduced Agent Identity (X.509-based), Agent Gateway, and Agent Anomaly Detection, but these require active configuration
- OWASP LLM Top 10 categories LLM01, LLM06, and LLM07 apply directly to Gemini; NIST AI RMF and MITRE ATLAS provide the governance and threat modeling layers
- Workspace AI data governance is separate from file-level IAM; Gemini treats available data as usable data, amplifying existing permission misconfigurations
The Gemini Enterprise Attack Surface Map
Most security evaluations of Gemini focus on a single question: "is our data safe?" That framing misses the architectural complexity. Google's Gemini ecosystem for enterprises includes:
Gemini API: Direct REST or SDK access to Gemini 2.0 and 2.5 models. Used by developers building internal tools, customer-facing applications, and agentic workflows. Security risk centers on API key management, prompt injection in application logic, and output validation.
Vertex AI and Agent Builder: Google Cloud's managed ML and agent hosting platform. Agents run here with access to GCP resources via service accounts. The default service account configuration is over-privileged, creating lateral movement risk if an agent is compromised.
Google Workspace AI: Gemini integrated into Gmail, Google Docs, Drive, Calendar, Meet, and Chat. Accesses enterprise data through the user's existing permissions. Risk profile is directly tied to Workspace IAM health; overly broad sharing policies become Gemini attack surfaces.
Agent Gateway: Google's programmable enforcement point for agent communications, introduced at Cloud Next 2026 in April 2026. Inspects prompts, responses, and tool calls in real time.
Agent Identity: Cryptographic X.509-based identities for agents, announced alongside Agent Gateway. Provides traceability for all agent actions.
We have seen enterprises invest significant effort in Vertex AI governance while leaving Workspace AI completely unmonitored, and vice versa. Both approaches leave critical gaps.
Known Vulnerabilities: 2025-2026
Before outlining controls, it is worth examining attacks that have already been demonstrated against real Gemini deployments. These are documented incidents, not hypothetical scenarios.
GeminiJack: Zero-Click Data Exfiltration via Workspace
Noma Security researchers disclosed GeminiJack in May 2025. The attack required no user interaction beyond the victim having Gemini for Workspace enabled.
An attacker who could create a shared Google Doc, send a calendar invite, or write an email to a target could embed malicious instructions in that content. When Gemini retrieved those documents to ground its responses (using Retrieval-Augmented Generation), it also executed the embedded instructions. Researchers demonstrated automatic exfiltration of entire Gmail threads, calendar histories, and document repositories.
Google acknowledged the vulnerability on August 8, 2025, and separated Vertex AI Search from Gemini Enterprise as the fix. Enterprises should verify post-patch configurations. More broadly, any employee-editable data source connected to a Gemini deployment should be treated as a potential injection vector. This is now a permanent architectural consideration, not a one-time patch.
Gemini CLI CVSS 10.0 Remote Code Execution
Google patched a critical RCE vulnerability (CVSS 10.0, GitHub Advisory GHSA-wpqr-6v78-jr5g) in Gemini CLI in April 2026. The flaw was in --yolo (headless, automated) mode: this configuration ignored tool allowlists and workspace trust checks entirely, allowing arbitrary command execution.
For enterprises running Gemini CLI in CI/CD pipelines, this was an active supply chain risk. An attacker placing a malicious configuration file or workspace folder in a build environment could achieve token theft, lateral movement, and downstream compromise. The fix shipped in Gemini CLI v0.39.1 and v0.40.0-preview.3. Any automated pipeline using Gemini CLI should be verified against the patched version.
API Key Scope Expansion: The Silent $82,000 Incident
TruffleSecurity researchers documented a systemic behavior in February 2026: when the Generative Language API is enabled on a Google Cloud project, all existing API keys in that project silently gain Gemini access. Google has not characterized this as a security vulnerability, but the real-world impact has been severe.
One developer reported $82,314.44 in charges accumulated over 46 hours after a previously low-risk API key was compromised. That key had been publicly exposed in a mobile application and was considered low-value. Once Gemini access was added to the project, the key became valuable for large-scale AI-driven operations.
Researchers estimated approximately 3,000 Google Cloud API keys were affected. Enterprise teams enabling the Generative Language API on existing projects need to audit every API key in those projects immediately. Legacy keys embedded in mobile apps, documentation sites, or client-side code are now AI service credentials.
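The audit this paragraph calls for can be scripted against gcloud's JSON output. The Python below is an added example written for this article, not Google's or Truffle Security's tooling. It assumes the output shapes of `gcloud services api-keys list --project=PROJECT --format=json` and `gcloud services list --enabled --format=json`; the key names, project number, IP address and package names in the sample strings are constructed placeholders. A key with no `apiTargets` restriction is the one that inherits Gemini access when the Generative Language API is enabled; keys that additionally carry browser, Android or iOS restrictions are rated higher because they ship inside clients and should be assumed public.

```python
"""Audit Google Cloud API keys for unintended Gemini reach.

Added example for this article; not Google's or Truffle Security's code.
Assumes the JSON shape emitted by
    gcloud services api-keys list --project=PROJECT --format=json
(each key has "name", "displayName" and an optional "restrictions" object with
"apiTargets": [{"service": ...}] plus optional client restrictions) and by
    gcloud services list --enabled --project=PROJECT --format=json
"""
import json

GEMINI_SERVICE = "generativelanguage.googleapis.com"
CLIENT_RESTRICTIONS = ("browserKeyRestrictions", "androidKeyRestrictions", "iosKeyRestrictions")

# Constructed sample resembling `gcloud services api-keys list --format=json`;
# project number, key ids and the IP are placeholders, not real keys.
SAMPLE_KEYS_JSON = """[
  {"name": "projects/000000000000/locations/global/keys/k1",
   "displayName": "maps-mobile-key",
   "restrictions": {"androidKeyRestrictions": {"allowedApplications": [
       {"packageName": "com.example.app", "sha1Fingerprint": "AA:BB"}]}}},
  {"name": "projects/000000000000/locations/global/keys/k2",
   "displayName": "gemini-backend",
   "restrictions": {"apiTargets": [{"service": "generativelanguage.googleapis.com"}],
                    "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]}}},
  {"name": "projects/000000000000/locations/global/keys/k3",
   "displayName": "docs-site-key",
   "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}],
                    "browserKeyRestrictions": {"allowedReferrers": ["https://docs.example.com/*"]}}},
  {"name": "projects/000000000000/locations/global/keys/k4",
   "displayName": "legacy-key"}
]"""

# Constructed sample of `gcloud services list --enabled --format=json`.
SAMPLE_SERVICES_JSON = """[
  {"config": {"name": "maps-backend.googleapis.com"}},
  {"config": {"name": "generativelanguage.googleapis.com"}}
]"""


def load_keys(keys_json: str) -> list[dict]:
    return json.loads(keys_json)


def gemini_enabled(services_json: str) -> bool:
    """True if the Generative Language API is enabled on the project."""
    return any(s.get("config", {}).get("name") == GEMINI_SERVICE
               for s in json.loads(services_json))


def classify_key(key: dict) -> str:
    """'explicit' - apiTargets name the Gemini service (intended use)
       'excluded' - apiTargets present and do not include Gemini
       'inherits' - no apiTargets: the key reaches every API enabled on the
                    project, so enabling Gemini silently adds it"""
    targets = key.get("restrictions", {}).get("apiTargets", [])
    if not targets:
        return "inherits"
    return "explicit" if any(t.get("service") == GEMINI_SERVICE for t in targets) else "excluded"


def is_client_key(key: dict) -> bool:
    """Browser/Android/iOS restrictions mean the key ships inside a client,
    so it must be treated as already public."""
    return any(r in key.get("restrictions", {}) for r in CLIENT_RESTRICTIONS)


def audit_keys(keys_json: str, services_json: str) -> list[dict]:
    """One finding per key that gains (or would gain) Gemini access without an
    explicit API target. Client-embedded keys are rated high."""
    enabled = gemini_enabled(services_json)
    findings = []
    for key in load_keys(keys_json):
        if classify_key(key) != "inherits":
            continue
        findings.append({
            "name": key["name"],
            "displayName": key.get("displayName", ""),
            "severity": "high" if is_client_key(key) else "medium",
            "exposure": "gemini_access_inherited" if enabled else "inherits_on_enablement",
            # Remediation: pin the key to the services it actually serves, e.g.
            #   gcloud services api-keys update KEY --api-target=service=maps-backend.googleapis.com
            "fix": "restrict apiTargets to the services this key actually serves",
        })
    return findings


if __name__ == "__main__":
    for f in audit_keys(SAMPLE_KEYS_JSON, SAMPLE_SERVICES_JSON):
        print(f"{f['severity']:6} {f['displayName']:16} {f['exposure']}  {f['name']}")
```

Feed real gcloud output in place of the sample strings and run it once per project. Every flagged key should either be pinned to its intended services with `--api-target` or deleted; a client-embedded key that cannot be rotated quickly is the case the $82,000 incident illustrates.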
Vertex AI P4SA Over-Privilege
Palo Alto Networks Unit 42 published "Double Agents: Exposing Security Blind Spots in GCP Vertex AI" in April 2026. The research focused on the default Vertex AI per-project service agent (P4SA), which by default is granted:
- Read access to all Cloud Storage buckets in the project
- Access to private Artifact Registry repositories, including Google Reasoning Engine container images
- OAuth 2.0 scopes for Google Workspace (Gmail, Drive, Calendar)
The mitigation is replacing P4SA defaults with custom service accounts scoped to exactly the data sources each agent needs. This is not applied automatically when creating an agent; it requires explicit configuration.
Workspace AI Data Governance
Google Workspace AI is where most enterprise employees interact with Gemini daily, and it is the attack surface most commonly overlooked in security reviews.
Gemini treats available data as usable data. If a user's account has access to a folder because of an overly broad sharing policy applied three years ago, Gemini can read and reason over that folder's contents. Outdated group memberships, legacy inherited permissions, and permissive Drive sharing settings all become Gemini data exposure.
In practice, standard IAM hygiene reviews now carry Gemini-specific urgency. A quarterly access review that previously addressed only data sprawl risk now also determines Gemini's effective data scope.
DLP and IRM integration: Apply Workspace DLP policies to classify documents containing PII, PCI, PHI, or proprietary information. Configure Information Rights Management restrictions on sensitive documents: Gemini does not retrieve IRM-protected documents for processing. This is a concrete, deployable control that directly limits Gemini's access to sensitive content.
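The sharing-policy and IRM points above can be checked together over Drive metadata. The Python below is an added example written for this article, not Google's tooling. It assumes the Drive API v3 `files.list` response shape (a `permissions` array with `type` and `role`, and the `copyRequiresWriterPermission` field, which this example treats as the indicator that the IRM download/print/copy restriction is on); the file records, the DLP-classified id set and the company-wide group address are all constructed. A file counts as Gemini-exposed when DLP classified it as sensitive, it is readable by the whole domain, by anyone, or by a company-wide group, and it carries no IRM restriction.

```python
"""Find DLP-classified Drive files that Gemini can retrieve for a broad
audience because they are widely shared and not IRM-protected.

Added example for this article, not Google's tooling. Assumes the Drive API v3
files.list shape with
  fields=files(id,name,copyRequiresWriterPermission,permissions(type,role,domain,emailAddress))
and treats copyRequiresWriterPermission=true as "IRM restriction on"
(an assumption made for this example).
"""
import json

# Constructed sample in the Drive API v3 files.list shape; names and addresses are fictitious.
SAMPLE_FILES = json.loads("""{"files": [
  {"id": "f1", "name": "Q3 payroll export", "copyRequiresWriterPermission": false,
   "permissions": [{"type": "user", "role": "owner", "emailAddress": "hr@example.com"},
                   {"type": "domain", "role": "reader", "domain": "example.com"}]},
  {"id": "f2", "name": "Customer PII backlog", "copyRequiresWriterPermission": true,
   "permissions": [{"type": "user", "role": "owner", "emailAddress": "cs@example.com"},
                   {"type": "domain", "role": "reader", "domain": "example.com"}]},
  {"id": "f3", "name": "Lunch menu", "copyRequiresWriterPermission": false,
   "permissions": [{"type": "anyone", "role": "reader"}]},
  {"id": "f4", "name": "M&A memo", "copyRequiresWriterPermission": false,
   "permissions": [{"type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
                   {"type": "group", "role": "reader", "emailAddress": "all-staff@example.com"}]}
]}""")

# Constructed output of a Workspace DLP scan: ids that matched PII/PCI/PHI/proprietary detectors.
SAMPLE_SENSITIVE_IDS = {"f1", "f2", "f4"}
# Constructed: groups whose membership is effectively the whole company.
SAMPLE_WIDE_GROUPS = {"all-staff@example.com"}


def audience(file: dict, wide_groups: set) -> str:
    """Widest audience that can read the file: 'anyone', 'domain', 'wide-group' or 'limited'."""
    kinds = set()
    for p in file.get("permissions", []):
        if p["type"] == "anyone":
            kinds.add("anyone")
        elif p["type"] == "domain":
            kinds.add("domain")
        elif p["type"] == "group" and p.get("emailAddress") in wide_groups:
            kinds.add("wide-group")
    for k in ("anyone", "domain", "wide-group"):
        if k in kinds:
            return k
    return "limited"


def irm_protected(file: dict) -> bool:
    """IRM indicator assumed for this example: download/print/copy disabled."""
    return bool(file.get("copyRequiresWriterPermission"))


def gemini_exposed(files_response: dict, sensitive_ids: set, wide_groups: set) -> list[dict]:
    """Sensitive files a broad audience can read and that Gemini will retrieve
    (not IRM-protected). Each hit names the audience so the fix can be chosen:
    narrow the share, or apply IRM, or both."""
    hits = []
    for f in files_response["files"]:
        if f["id"] not in sensitive_ids:
            continue
        aud = audience(f, wide_groups)
        if aud == "limited" or irm_protected(f):
            continue
        hits.append({"id": f["id"], "name": f["name"], "audience": aud})
    return hits


if __name__ == "__main__":
    for h in gemini_exposed(SAMPLE_FILES, SAMPLE_SENSITIVE_IDS, SAMPLE_WIDE_GROUPS):
        print(f"{h['audience']:10} {h['id']}  {h['name']}")
```

In a real run the file records come from the Drive API (per user or via a domain-wide delegated service account), the sensitive id set from the DLP scan results, and the wide-group set from your directory review. Each hit is closed either by removing the domain, anyone or group permission or by turning on the IRM restriction, which the article notes takes the document out of Gemini's retrieval scope.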
Audit logging configuration: Default Workspace logging captures file access but not AI-level interactions. Explicitly enabling Gemini activity logging provides visibility into what Gemini is reading and processing. Route these logs to BigQuery for analysis and retention.
Data processing settings for regulated industries: Healthcare and financial services organizations should configure Gemini data processing restrictions to prevent prompt and response data from being used for model improvement. This is configured separately from standard data retention controls in the Workspace Admin Console.
CASB integration: Modern Cloud Access Security Broker solutions are adding Gemini-specific detection rules that standard Workspace audit logs do not cover. CASB can identify misconfigured sharing settings that would expose sensitive documents to Gemini queries, and detect anomalous AI activity patterns such as unusually broad data access through Gemini.
Vertex AI and Agent Builder: Configuration Priorities
For teams deploying agents on Vertex AI and Agent Builder, five configuration areas address the most commonly exploited gaps:
1. Service account replacement: Remove P4SA as the operating account for any agent. Create a custom service account with explicit, minimal permissions. Map out exactly which GCS buckets, APIs, and Workspace scopes the agent needs, grant only those, and review quarterly.
2. Tool allowlisting: Agent Builder supports explicit tool whitelists. Define permitted API calls and function invocations. Agents should not be able to invoke arbitrary external APIs; a whitelist enforced at the platform level is more reliable than application-layer validation alone.
3. Prompt and response logging: Enable Cloud Logging for all agent interactions. Without this, prompt injection attacks and anomalous behavior are undetectable after the fact. Pipe logs to BigQuery or an existing SIEM for analysis.
4. Model registry integrity: Verify SHA-256 checksums for any models imported from external sources, including HuggingFace and public Artifact Registry repositories. Unit 42's ModeLeak research demonstrates that poisoned models can execute in the context of the service account running a custom training job. Model scanning tools such as ModelScan can be integrated into the import pipeline.
5. Sandboxed evaluation environments: Test new models in isolated GCP projects with restricted service accounts before deploying to production. This limits the blast radius of supply chain attacks and provides a baseline for behavioral comparison.
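Step 1 above, together with the P4SA finding in the Unit 42 section, reduces to a check that can run against the project's IAM policy. The Python below is an added example written for this article, not Google's or Unit 42's code. It assumes an agent inventory you maintain yourself (agent name to service account email, with None where the default was left in place), the JSON shapes of `gcloud projects get-iam-policy` and `gcloud storage buckets get-iam-policy`, and the Google-managed Vertex AI service agent address `service-PROJECT_NUMBER@gcp-sa-aiplatform.iam.gserviceaccount.com`; all emails, bucket names and the project number are constructed placeholders.

```python
"""Check Vertex AI / Agent Builder agents for default-service-agent use and
over-broad project-level IAM.

Added example for this article, not Google's or Unit 42's code. Inputs assumed:
  agents          - your own inventory: agent name -> service account email,
                    or None when the agent still runs as the default service agent
  project_policy  - gcloud projects get-iam-policy PROJECT --format=json
  bucket_policies - "gs://BUCKET" -> gcloud storage buckets get-iam-policy gs://BUCKET --format=json
"""
import json

PROJECT_NUMBER = "000000000000"  # placeholder, not a real project
# Google-managed Vertex AI service agent address (the P4SA the article refers to).
P4SA = f"service-{PROJECT_NUMBER}@gcp-sa-aiplatform.iam.gserviceaccount.com"

# Roles that read (or administer) every bucket or repository in the project
# when bound at project scope. An agent identity should get these, if at all,
# on the specific bucket or repository it needs.
BROAD_PROJECT_ROLES = {
    "roles/owner", "roles/editor", "roles/viewer",
    "roles/storage.admin", "roles/storage.objectAdmin", "roles/storage.objectViewer",
    "roles/artifactregistry.admin", "roles/artifactregistry.reader",
}

# Constructed inventory: hr-agent was never moved off the default account.
SAMPLE_AGENTS = {
    "support-agent": "support-agent@example-proj.iam.gserviceaccount.com",
    "finance-agent": "finance-agent@example-proj.iam.gserviceaccount.com",
    "hr-agent": None,
}

# Constructed project policy in gcloud's JSON shape.
SAMPLE_PROJECT_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/aiplatform.user",
     "members": ["serviceAccount:support-agent@example-proj.iam.gserviceaccount.com",
                 "serviceAccount:finance-agent@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:finance-agent@example-proj.iam.gserviceaccount.com"]},
    {"role": "roles/logging.logWriter",
     "members": ["serviceAccount:support-agent@example-proj.iam.gserviceaccount.com"]}
  ]
}""")

# Constructed bucket policy: support-agent reads exactly one bucket, the intended pattern.
SAMPLE_BUCKET_POLICIES = {
    "gs://support-kb": json.loads("""{"bindings": [
      {"role": "roles/storage.objectViewer",
       "members": ["serviceAccount:support-agent@example-proj.iam.gserviceaccount.com"]}]}"""),
}


def roles_for(policy: dict, member: str) -> set[str]:
    """Roles bound to `member` (e.g. 'serviceAccount:x@y.iam.gserviceaccount.com')."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def scoped_buckets(sa: str, bucket_policies: dict) -> list[str]:
    """Buckets on which the account has a direct binding (the pattern step 1 asks for)."""
    member = f"serviceAccount:{sa}"
    return sorted(b for b, pol in bucket_policies.items() if roles_for(pol, member))


def audit_agent(name: str, sa, project_policy: dict) -> list[str]:
    """Findings for one agent; an empty list means it passes the two checks."""
    if sa is None or sa == P4SA:
        return [f"{name}: runs as the default Vertex AI service agent {P4SA}; "
                "create a dedicated service account"]
    member = f"serviceAccount:{sa}"
    return [f"{name}: {role} is bound at project scope; bind it on the specific "
            "bucket or repository instead"
            for role in sorted(roles_for(project_policy, member) & BROAD_PROJECT_ROLES)]


def audit_all(agents: dict, project_policy: dict) -> dict:
    return {name: audit_agent(name, sa, project_policy) for name, sa in agents.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_AGENTS, SAMPLE_PROJECT_POLICY).items():
        sa = SAMPLE_AGENTS[name]
        ok = scoped_buckets(sa, SAMPLE_BUCKET_POLICIES) if sa else []
        print(name, "PASS" if not findings else "FAIL", "bucket-scoped:", ok)
        for f in findings:
            print("  -", f)
    # Remediation for finance-agent, as gcloud commands (PROJECT is a placeholder):
    #   gcloud projects remove-iam-policy-binding PROJECT \
    #       --member=serviceAccount:finance-agent@PROJECT.iam.gserviceaccount.com \
    #       --role=roles/storage.objectViewer
    #   gcloud storage buckets add-iam-policy-binding gs://finance-ledger \
    #       --member=serviceAccount:finance-agent@PROJECT.iam.gserviceaccount.com \
    #       --role=roles/storage.objectViewer
```

Run it on the quarterly cadence the step describes: the project policy and bucket policies come straight from gcloud, the inventory is the document in which you mapped each agent's required buckets, APIs and Workspace scopes. An agent that passes has a dedicated account, no project-wide storage or registry role, and only bucket-level bindings.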
Google Cloud Next 2026 Controls: What They Do and What They Require
Google announced meaningful new security capabilities for agentic AI at Cloud Next 2026 in April 2026. Understanding what each control actually does, and what its limits are, helps security teams prioritize deployment.
Agent Identity
Every agent in the Gemini Enterprise platform now receives a cryptographic identity: an X.509 certificate that is bound to the agent's authorization policy. All agent actions are traceable to this identity.
What this solves: token theft and reuse. Without cryptographic identity binding, a stolen bearer token can be used by any process claiming to be the agent. X.509 binding ties the token to the specific agent instance.
What this does not solve: a compromised agent acting within its defined permissions. If prompt injection causes an agent to exfiltrate data, the agent's legitimate identity is attached to those actions. Identity verification is not behavioral threat detection.
Agent Gateway
Agent Gateway is the programmable enforcement layer for agent communications. It inspects user-to-agent, agent-to-agent, and agent-to-tool traffic in real time, without requiring code changes to the agent.
Capabilities: prompt injection detection, DLP scanning of agent communications, tool call whitelisting, behavioral anomaly detection, and deep protocol inspection of MCP (Model Context Protocol) and Agent2Agent (A2A) traffic.
Agent Gateway integrates with 14 security vendors at launch including Palo Alto Networks, CrowdStrike, Broadcom, Check Point, Cisco, Zscaler, and Okta.
Critical deployment note: Agent Gateway is not on by default. It must be explicitly positioned in the agent traffic path. Enterprises need to define which agents route through it, which inspection policies apply, and which vendor integrations to activate before it provides any protection.
Agent Anomaly Detection
Agent Anomaly Detection uses a combination of statistical models and an LLM-as-a-judge framework to identify unusual patterns in agent reasoning and behavior. It flags suspicious reasoning before the agent takes action.
Practical consideration: anomaly detection requires a behavioral baseline. Newly deployed agents have no established baseline, so the system will generate more alerts initially. Plan for a 30- to 60-day tuning period with human review of flagged events before using anomaly detection for automated response.
Compliance Framework Mapping
Three frameworks provide structured approaches for Gemini risk assessment that security teams can apply directly.
OWASP LLM Top 10 (2025): The most relevant categories for Gemini deployments are LLM01 (Prompt Injection, covering both direct and indirect grounding-based variants demonstrated by GeminiJack), LLM06 (Sensitive Information Disclosure, including system prompt leakage and Workspace data exfiltration), LLM07 (Insecure Plugin Design, applying to Agent Builder tool configurations and the P4SA over-privilege issue), and LLM09 (Improper Output Handling, covering unvalidated tool invocation results). The OWASP LLM Top 10 provides the full taxonomy with mitigation guidance.
NIST AI RMF: The Map, Measure, Manage, Govern structure applies directly to Gemini enterprise deployments. Map your deployment architecture including all five surfaces discussed above. Measure risk through red team exercises targeting known Gemini attack patterns. Manage through technical controls: Agent Gateway, DLP integration, service account scoping, API key audits. Govern through policies on acceptable agent autonomy, data access scope, and human oversight escalation procedures. See the NIST AI RMF documentation for the complete framework.
MITRE ATLAS: The adversarial tactics most relevant to Gemini deployments are Initial Access (malicious document injection, email-based grounding data poisoning), Execution (tool invocation hijacking, function calling abuse via crafted system prompts), Persistence (memory poisoning via long-term agent context, stored in multi-turn sessions), and Exfiltration (data theft via tool calls to attacker-controlled endpoints and crafted response outputs).
For a structured approach to AI security assessment that incorporates all three frameworks, see the BeyondScale AI security assessment process.
Assessment Priorities: Where to Start
A complete Google Gemini enterprise security assessment covers all five attack surfaces. In practice, the Workspace surface is often the most exposed because it inherits the IAM posture of the Google Workspace deployment, which accumulates permission sprawl over years without the structured review cadence applied to cloud infrastructure.
The highest-priority findings that consistently appear in the Gemini assessments we conduct are:
- P4SA default service accounts on all Agent Builder deployments, with no custom scoping applied
- Workspace AI active with no DLP integration on documents containing PII or proprietary information
- API keys with Gemini scope in projects where developers did not intend to grant Gemini access
- Agent Gateway deployed but with no active inspection policies configured
- No Gemini activity logging, meaning there is no forensic trail if an incident occurs
Run the Securetom AI security scan to identify exposed AI services and misconfigured endpoints across your environment.
Conclusion
Google Gemini enterprise security is more complex than securing a single LLM endpoint. The combination of Gemini API, Vertex AI, Workspace AI, Agent Builder, and Agent Gateway creates an interconnected system where a weakness in one surface can be exploited through another.
The incidents from 2025-2026 confirm these are real attack paths. GeminiJack required zero user interaction. The Gemini CLI flaw was a CVSS 10.0 RCE affecting CI/CD pipelines. The API key scope expansion cost one organization over $82,000 in 46 hours.
Google's Cloud Next 2026 announcements provide meaningful new controls, but they are not automatic protections. Agent Identity, Agent Gateway, and Anomaly Detection each require deliberate deployment and configuration to function.
Security teams that understand the full Gemini attack surface, apply least-privilege service account configurations, integrate DLP with Workspace AI, and actively configure Agent Gateway will be substantially ahead of most enterprise deployments today.
To discuss a structured security assessment of your Gemini deployment, contact BeyondScale or run the Securetom scan to identify your most urgent AI security exposures.
BeyondScale Team
AI Security Team, BeyondScale Technologies
Security researcher and engineer at BeyondScale Technologies, an ISO 27001 certified AI cybersecurity firm.