Google Gemini Enterprise Security Guide 2026

Google Gemini Enterprise security is not optional configuration: it is the baseline your organization must complete before production deployment. In June 2025, security researchers at Noma Labs disclosed GeminiJack, a zero-click indirect prompt injection attack that exfiltrated years of corporate email, calendar entries, and documents from Gemini Enterprise environments. The victim needed to do nothing except run a normal Gemini query.

This guide gives CISOs and security architects the specific controls, configuration steps, and compliance mappings needed to deploy Gemini Enterprise with an appropriate security posture. It covers the full attack surface: Workspace data retrieval, Chrome extension vectors, Gemini CLI, third-party connectors, and the new agentic platform launched at Google Cloud Next 2026.

The GeminiJack Attack: What Actually Happened

Understanding GeminiJack is the best way to build intuition for Gemini's threat model, because it is not a theoretical vulnerability. It happened.

An attacker creates a Google Doc, Calendar invite, or email containing embedded AI instructions invisible to human readers (white text on white background, or hidden metadata). The target employee runs a routine Gemini query: "summarize my Q2 pipeline" or "what meetings do I have this week?" Gemini's retrieval-augmented generation layer fetches relevant documents and processes the embedded malicious instruction as a legitimate command. Gemini then gathers sensitive data from the user's emails, calendar, and documents, and the malicious instruction encodes that data into a URL parameter of an HTML tag. When the browser attempts to load the image, an HTTP request carries the stolen data to the attacker's server. Zero clicks. Zero user interaction beyond the normal Gemini query.

What leaked in demonstrated attacks: years of internal emails, complete calendar histories revealing business negotiations, and entire document repositories including contracts and technical architecture.

Google fixed the specific GeminiJack vector by separating Vertex AI Search from Gemini Enterprise's RAG workflows. However, HiddenLayer research published separately demonstrated that control tokens embedded in Gmail messages and Google Slides speaker notes can still override Gemini's output, forcing it to display phishing messages or false security alerts. The underlying attack class, indirect prompt injection via trusted Workspace data, is not fully solved by a single patch.

This is the defining characteristic of Gemini's threat model: Gemini trusts the content of files and emails the user can access. Attackers who can write to those files can influence what Gemini tells the user.

Gemini's Attack Surface Map

Gemini Enterprise is not a single product. It spans four distinct surfaces, each with its own security configuration requirements.

Gemini for Google Workspace provides AI features embedded in Gmail, Docs, Drive, Sheets, Slides, Meet, and Calendar. This surface has the largest blast radius because it retrieves content from the user's entire accessible Drive and Gmail corpus.

Gemini for Google Cloud provides AI assistance in the Cloud Console, targeting platform engineers and developers. Threat vectors here are distinct: privilege escalation via Cloud IAM misconfigurations and infrastructure reconnaissance.

Gemini Code Assist provides coding assistance in IDEs and Cloud Shell. The Gemini CLI RCE vulnerability (CVSS 10.0, disclosed by Novee Security in 2026) affected this surface. An unprivileged external attacker could force malicious content to load as Gemini CLI configuration, triggering remote code execution before the sandbox initialized.

Gemini API and Extensions provides programmatic access and third-party connectors to SharePoint, Jira, ServiceNow, and Confluence. The agentic platform launched at Google Cloud Next 2026 extends this surface further with MCP server support and the Agent Gateway governance layer.

Each surface requires separate security assessment. Most organizations focus only on Workspace and miss the CLI and API surfaces entirely.

Top 5 Enterprise Risks

1. Indirect Prompt Injection via Drive, Docs, and Gmail

Any attacker who can write a document the target user can access has a potential injection vector into that user's Gemini queries. This includes external collaborators, compromised vendor accounts, phishing emails that land in the inbox, and any shared Drive link. The practical implication: Gemini's trust boundary is as wide as the user's sharing permissions, which in large enterprises often covers tens of thousands of files.

The control: apply IRM policies to sensitive files to exclude them from Gemini retrieval. Files with IRM labels are cryptographically excluded from Gemini's data access. This is the most direct technical mitigation available today.

2. Oversharing Amplification

Gemini executes at AI speed. A user with read access to 10,000 Drive files (common in organizations that use "Anyone with the link" sharing) can ask Gemini to synthesize, summarize, and surface sensitive content from all of them in seconds. What previously required deliberate human browsing becomes an instant reconnaissance capability, for both legitimate users and compromised accounts.

This is not a Gemini vulnerability. It is the intersection of pre-existing Drive misconfiguration with AI-scale data access. A Gemini deployment audit should include a Drive sharing audit.

3. DLP Gap: Gemini Output Bypasses Traditional Controls

Traditional DLP tools inspect inbound and outbound file transfers. They do not inspect what Gemini synthesizes and pastes into a new document or email. An employee (or compromised account) can ask Gemini to "summarize all salary data mentioned in HR files" and paste the response into an external email. The DLP tool never sees the synthesis step.

The control: configure DLP policies to inspect generative content output. This requires enabling Gemini-specific DLP rules in the Admin Console, not just the standard file transfer controls.

4. CVE-2026-0628: Chrome Extension Privilege Escalation

Patched January 2026, disclosed October 2025 by Palo Alto Unit 42. A malicious Chrome extension with basic permissions could hijack the Gemini Live panel in Chrome, gaining access to local OS files and live session context. This targets endpoint-level Gemini integrations.

Attack scenario: a user installs a malicious extension disguised as a productivity tool. The extension reads Gemini conversation history and injects instructions into the Gemini panel. Mitigation: enforce Chrome Enterprise Browser Management policies that limit extension installation to an allowlist, and treat the Gemini Chrome panel as a privileged application surface.

5. Third-Party Connector ACL Sync Lag

Gemini Enterprise connectors to SharePoint, Jira, ServiceNow, and Confluence ingest both content and ACLs from source systems. If ACL sync is delayed or misconfigured, Gemini may surface content the user should not access in the source system. This is particularly risky during role changes, offboarding, or acquisition integrations where permissions change faster than connector sync cycles.

The control: verify connector ACL sync intervals and test cross-system permission boundaries before enabling connectors in production.

Admin Console Hardening: Tiered Controls

These controls are in the Admin Console under Apps > Google Workspace > Generative AI (redesigned April 2026).

Tier 1: Access Control

Disable Gemini for all users by default and enable per organizational unit (OU), starting with non-sensitive departments. Gemini access to Workspace data is independently configurable from the service toggle: a user can have Gemini enabled without AI data retrieval. Use this separation for users who need Gemini for drafting assistance but should not have AI-mediated access to Drive.

Restrict which Workspace apps Gemini can read at the admin level. For organizations with highly sensitive Docs or Gmail content, restrict Gemini retrieval to Sheets and Calendar only while the organization completes its DLP and IRM configuration.

Tier 2: Data Governance

Apply IRM policies to sensitive files. In DLP rules, configure actions that apply IRM labels (no download, no print, no copy) to files containing sensitive data patterns. Files with IRM labels are excluded from Gemini retrieval. This is the most direct control for protecting sensitive data from AI-mediated access.

Enable Drive Trust Rules to restrict Gemini retrieval by controlling internal-to-external data sharing. Since Gemini only retrieves content the user can access, trust rules directly limit Gemini's blast radius across your sharing boundaries.

Enable AI-powered data classification labels in Drive. Auto-classification combined with auto-applied IRM creates a pipeline where sensitive files are automatically excluded from Gemini without requiring manual tagging.

Disable Gemini conversation history for sensitive user groups. Admin controls let you enforce deletion policies or disable history organization-wide.

Tier 3: Encryption

Enable client-side encryption for your most sensitive data classes. CSE-protected files are cryptographically opaque to Gemini because Google never holds the decryption keys. Cloud HSM as an encryption key service for Workspace CSE became available in 2026 for organizations requiring hardware-level key protection.

The trade-off: CSE files cannot be searched, summarized, or used in Gemini workflows. Apply CSE to files that should never be AI-accessible (M&A documents, board communications, clinical trial data) rather than broadly.

CMEK (customer-managed encryption keys) is available in US and EU regions and satisfies data sovereignty requirements for most regulated industries.

Tier 4: Audit and Monitoring

Export Gemini audit logs to BigQuery. Logs capture Gemini feature usage by user, app, and date, plus data access patterns. Connect BigQuery to your SIEM (Splunk, Chronicle, or Microsoft Sentinel) for alerting on anomalous Gemini usage patterns.

Configure the AI Control Center (launched at Google Cloud Next 2026) as your unified compliance dashboard for Gemini activity across the organization. This is specifically designed for teams with stringent compliance requirements.

Set anomaly detection alerts for: unusually high Gemini query volume from a single account, Gemini access to files outside normal working hours, and Gemini queries that retrieve files from multiple unrelated departments.

Tier 5: Connector and Extension Controls

Maintain an explicit allowlist of approved connectors. Non-allowlisted connectors are blocked by default in the Admin Console. Review and re-validate the allowlist quarterly.

Enforce Workforce Identity Federation for all third-party connector authentication. Do not allow connectors to use service accounts with ambient, long-lived credentials.

Verify ACL sync intervals for each connector and document the maximum sync lag. Incorporate sync lag into your access review process: when an employee changes roles, verify that connector ACLs are updated within the sync window.

Compliance Mapping

HIPAA

Gemini achieved HIPAA compliance in December 2024. Requirements: sign a BAA with Google, deploy within HIPAA-eligible Workspace and Cloud services, apply IRM controls to PHI-containing files, and configure audit log retention for a minimum six-year period.

Critical gap: the HIPAA BAA with Google does not cover Gemini Extensions to third-party applications. Each SharePoint, Jira, or ServiceNow connector that touches PHI requires a separate BAA with the respective vendor. This is a common oversight in healthcare Gemini deployments.

SOC 2

Gemini holds SOC 1, SOC 2, and SOC 3 reports. For SOC 2 Type II compliance, BigQuery-exported admin audit logs satisfy CC7 (system operations monitoring) and CC6 (logical access controls). IRM policies map to CC6.1. Document your IRM configuration and audit log pipeline in your SOC 2 control evidence.

EU AI Act

Gemini Enterprise holds ISO 42001 certification (AI Management Systems), the first international standard for AIMS. CMEK with EU data residency satisfies Article 10 data governance requirements for high-risk AI deployments. Google has published DPIA support documentation for GDPR Article 35 / AI Act Chapter III requirements.

Gemini audit logs exported to BigQuery support Article 13 transparency and Article 26 operator documentation obligations. Organizations in regulated EU sectors should complete a DPIA before enabling Gemini retrieval for users with access to personal data.

The New Agentic Attack Surface

The Gemini Enterprise Agent Platform, launched at Google Cloud Next in May 2026, introduces autonomous agents that can take actions across Workspace and third-party systems. This expands the attack surface significantly.

The Agent Gateway provides a governance layer with unified connectivity and consistent security policy enforcement. Agent Gateway integrates with Model Armor, Google's runtime prompt sanitization layer that detects and blocks adversarial prompt injection before it reaches the model.

MCP server support (announced at Next 2026) allows Gemini agents to connect to Model Context Protocol servers for external tool access. The MCP security risks we have documented elsewhere, including tool poisoning and trust boundary abuse, apply directly to Gemini's MCP connector surface.

For agentic deployments: configure Agent Gateway before enabling any production agents, enable Model Armor for all agent endpoints, enforce agent identity authentication (ensure agents operate with authenticated authority rather than ambient permissions), and enable Agent Threat Detection for visibility into agent actions including unexpected external connections.

This mirrors the security configuration pattern used for Microsoft 365 Copilot agents, where agentic capabilities introduced a distinct security layer that required separate assessment from the base AI features.

For organizations managing AI security across multiple platforms, our managed AI security service provides continuous monitoring across Gemini, Copilot, and other enterprise AI deployments.

What the Vulnerability Research Tells You

HiddenLayer discovered the control token injection vulnerability. Noma Security disclosed GeminiJack. Palo Alto Unit 42 found CVE-2026-0628. All three organizations published the vulnerability details. None of them published the admin console hardening guide that tells you what to do next.

Google's own documentation is accurate and current, but it is written from a vendor perspective: it describes capabilities without adversarial context, and it does not tell you which controls matter most when you have limited implementation bandwidth.

The practitioner priority order, based on current threat intelligence:

Apply IRM policies to files containing sensitive data categories (PHI, PII, financial, M&A). This eliminates the most dangerous GeminiJack attack pattern.

Enable CSE for your highest-sensitivity data classes. This is the only control that makes data cryptographically inaccessible to Gemini.

Enable BigQuery audit log export and configure anomaly detection alerts. Visibility is required for incident detection and compliance evidence.

Audit Drive sharing permissions before enabling Gemini retrieval. Gemini amplifies oversharing; fix the sharing first.

Verify connector ACL sync intervals and BAA coverage for each third-party integration.

Configure Agent Gateway and Model Armor before enabling any agentic Gemini workflows.

Conclusion

Google Gemini Enterprise security requires explicit configuration. The default settings, like most enterprise AI platforms, prioritize feature adoption over security posture. GeminiJack demonstrated that the consequences of misconfiguration are not theoretical: zero-click data exfiltration from a normal query.

The controls exist. IRM policies, CSE, trust rules, audit logging, and the new agentic governance layer give security teams real tools to reduce Gemini's attack surface. The gap is implementation, not capability.

If you are deploying Gemini and want to verify your configuration against the controls in this guide, run a free Securetom scan to identify exposed AI infrastructure and configuration gaps in your environment.

Authoritative references:

• OWASP Top 10 for LLMs 2025
• NIST AI Risk Management Framework
• Google Workspace: Enterprise security controls for Gemini
• GeminiJack disclosure: Noma Security Labs
• HiddenLayer: New Gemini for Workspace Vulnerability
• Palo Alto Unit 42: CVE-2026-0628 Gemini Live in Chrome