Google

Stub — pending full migration

Google publishes SAIF (the Secure AI Framework) and donated SAIF data to CoSAI in July 2024.

AI Security Contributions (from ai-security-standards-in-q1-2026)

  • SAIF — AI security framework; SAIF Risk Map and Risk Assessment donated to CoSAI in 2024
  • A2A Protocol (v1.0.0, released 2026-03-12) — Agent-to-Agent protocol with signed Agent Cards (§8.4) and opacity principle; donated to Linux Foundation 2025-06-23; hosted under LF’s Agentic AI Foundation
  • Google ADK Go 1.0 (March 31, 2026) — ships with before_model_callback hooks, OpenTelemetry integration, and Model Armor integration — reference implementation of platform-level enforcement
  • CoSAI Premier Sponsor — key contributor to MCP Security White Paper

Workspace Security

Nicolas Lidzborski (Principal Software Engineer, Google Workspace security; ~3 years on GenAI security) presented a three-year retrospective at [[unprompted-conference-march-2026|[un]prompted March 2026]]: Securing Workspace GenAI at Google. The talk introduces the wiki’s Prompt as Code structural framing, names Agency Gap / Orchestration Hijacking / Recursive Prompt Injection (and Semantic Gaslighting) as threat sub-classes, and documents the “Architecting the Fortress” four-layer structural blueprint paired with Plan-Validate-Execute as Google’s canonical HITL pattern for high-stakes irreversible actions. It also cross-validates the Lethal Trifecta framing from the productivity-environment angle, with calendar invites + email + smart-home control as the concrete real-world impact surface.
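The Plan-Validate-Execute pattern named above, worked through as an added Python example (illustrative code written for this page, not Google's or Workspace's implementation). The tool names, the TOOL_POLICY table, the JSON plan schema and the approve() callback are assumptions. The shape it demonstrates: the model emits a plan as structured data only, a deterministic validator with no model in the loop rejects any step naming a tool outside the allowlist and flags irreversible steps, and execution runs only after the human gate approves each flagged step.

```python
"""Plan-Validate-Execute with a human-in-the-loop gate for irreversible actions.

Illustrative code added for this page, not Google's implementation. The tool
names, TOOL_POLICY and the approve() callback are assumptions.
"""
import json
from dataclasses import dataclass, field

# Assumed tool policy: the only tools a plan may name, and which of them are
# irreversible (and so need explicit human approval before they run).
TOOL_POLICY = {
    "read_calendar":  {"irreversible": False},
    "read_email":     {"irreversible": False},
    "send_email":     {"irreversible": True},
    "set_thermostat": {"irreversible": True},
}

@dataclass
class Step:
    tool: str
    args: dict

@dataclass
class Validation:
    ok: bool = True
    rejected: list = field(default_factory=list)        # indices naming unknown tools
    needs_approval: list = field(default_factory=list)  # indices of irreversible steps

def parse_plan(plan_json: str) -> list:
    """Plan phase: the model must emit a JSON list of {"tool": str, "args": {}}.
    Free text, or anything outside that schema, is not a plan and is rejected."""
    raw = json.loads(plan_json)
    if not isinstance(raw, list):
        raise ValueError("plan must be a JSON list of steps")
    steps = []
    for item in raw:
        if not isinstance(item, dict) or not isinstance(item.get("tool"), str):
            raise ValueError("each step needs a string 'tool' field")
        args = item.get("args", {})
        if not isinstance(args, dict):
            raise ValueError("step args must be a JSON object")
        steps.append(Step(item["tool"], args))
    return steps

def validate(steps: list) -> Validation:
    """Validate phase: a deterministic policy check with no model in the loop."""
    v = Validation()
    for i, s in enumerate(steps):
        policy = TOOL_POLICY.get(s.tool)
        if policy is None:
            v.rejected.append(i)
            v.ok = False
        elif policy["irreversible"]:
            v.needs_approval.append(i)
    return v

def execute(steps: list, validation: Validation, approve, run_tool) -> dict:
    """Execute phase: runs only a plan that passed validation, and calls the
    human gate approve(step) before each irreversible step. A denial stops
    the plan; reversible steps already run are reported back."""
    if not validation.ok:
        return {"status": "rejected", "rejected_steps": validation.rejected}
    results = []
    for i, s in enumerate(steps):
        if i in validation.needs_approval and not approve(s):
            return {"status": "denied", "at_step": i, "results": results}
        results.append(run_tool(s))
    return {"status": "done", "results": results}

def demo() -> tuple:
    """Three runs over constructed plans standing in for model output."""
    unknown_tool = '[{"tool": "read_email", "args": {}}, {"tool": "unlisted_tool", "args": {}}]'
    reply = ('[{"tool": "read_calendar", "args": {}}, '
             '{"tool": "send_email", "args": {"to": "me@example.com", "body": "agenda"}}]')
    run_tool = lambda step: f"ran {step.tool}"
    s1 = parse_plan(unknown_tool)
    r_rejected = execute(s1, validate(s1), lambda s: True, run_tool)  # never reaches the gate
    s2 = parse_plan(reply)
    r_denied = execute(s2, validate(s2), lambda s: False, run_tool)   # human says no
    r_done = execute(s2, validate(s2), lambda s: True, run_tool)      # human approves
    return r_rejected, r_denied, r_done

if __name__ == "__main__":
    for r in demo():
        print(r)
```

The validator is deliberately model-free: the plan is the only thing the model controls, and the policy table and the approval gate are fixed code, so a plan that names a tool outside the allowlist is dropped before any step runs, and an irreversible step cannot run without the human's answer.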

Project Glasswing partnership (May 2026)

Google is a named launch partner in Project Glasswing (Anthropic’s coalition initiative applying Mythos Preview to defensive vulnerability discovery on critical software). Heather Adkins (VP of Security Engineering) is the quoted executive. Google makes Mythos Preview available to Glasswing participants via Vertex AI, and operates two parallel Google-internal AI-powered cybersecurity tools — Big Sleep (discovery, Project Zero + DeepMind, 2024) and CodeMender (patching, DeepMind, 2025) — described in Adkins’s quote as Google’s tools to “find and fix critical software flaws.” See the Glasswing announcement for coalition context.

AI-Powered Cybersecurity Stack

Google operates a two-agent AI security stack on the DeepMind side, paired with infrastructure participation across Google Cloud Security:

| Agent | Role | Origin | First public milestone |
|---|---|---|---|
| Big Sleep | Variant-analysis vulnerability discovery | Project Zero + DeepMind | Oct 2024 paper — first AI-discovered real-world exploitable memory-safety bug (SQLite); Cloud CISO Perspectives blog reports the July 2025 SQLite CVE-2025-6965 as the first AI-foiled in-the-wild exploit |
| CodeMender | Patching (reactive + proactive code rewrite) | DeepMind | Oct 2025 paper — 72 OSS patches upstreamed in 6 months; libwebp -fbounds-safety annotations as the proactive-class example |

The two agents are designed as discovery → patching counterparts; integration architecture between them is not publicly documented. Both are research-stage with select deployment.

Predecessor framework

  • Project Naptime (June 2024) — LLM-assisted vuln research framework that achieved state-of-the-art on Meta’s CyberSecEval2 benchmark; the direct precursor to Big Sleep.

Lineage

Google’s AI-cybersecurity stack lineage (per CodeMender announcement): OSS-Fuzz → AI-powered fuzzing (Aug 2023) → Project Naptime (June 2024) → Big Sleep (Oct 2024) → CodeMender (Oct 2025).

CaMeL pattern

Google DeepMind published the CaMeL pattern (March 2025, arXiv 2503.12599) — privileged + quarantined LLM split with a structured output channel. Research-stage as of Q2 2026; it is the architecturally pure form of the channel-separation insight that Prompt as Code points to.
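The privileged/quarantined split and the structured output channel, as an added Python example (illustrative code written for this page, not DeepMind's CaMeL implementation). The two model stand-ins, the Tainted wrapper, the CONTACTS set and the send_email policy are assumptions. It goes one step past the sentence above by also showing the provenance check at the tool sink: the quarantined side can only return fields of a declared schema, every value it returns carries an "untrusted" label, and the sink accepts a recipient on the strength of that label rather than on the text.

```python
"""CaMeL-style split: a privileged planner, a quarantined extractor, and a
structured channel between them, with a provenance check at the tool sink.

Illustrative code added for this page, not DeepMind's CaMeL implementation.
The two model stand-ins, the Tainted wrapper, CONTACTS and the send_email
policy are assumptions.
"""
import re
from dataclasses import dataclass

CONTACTS = {"alice@example.com"}   # assumed user address book (trusted data)

# Constructed sample messages, standing in for mail the agent is asked to handle.
MSG_KNOWN = "From: alice@example.com\nSubject: budget\n\nPlease confirm the numbers."
MSG_UNKNOWN = "From: stranger@example.net\nSubject: urgent\n\nPlease respond to this address."

@dataclass(frozen=True)
class Tainted:
    """A value plus where it came from. Sinks decide on the label, never on the text."""
    value: object
    source: str   # "user": from the user's own request; "untrusted": from the quarantined model

def quarantined_llm(untrusted_text: str, schema: dict) -> dict:
    """Stand-in for the quarantined model. It sees only untrusted content, has
    no tools, and can return nothing but the schema's fields (name -> type).
    Anything else in the text, instructions included, never leaves this function."""
    out = {}
    for name, typ in schema.items():
        m = re.search(rf"^{re.escape(name)}:\s*(.+)$", untrusted_text, re.M | re.I)
        out[name] = typ(m.group(1).strip()) if m else None
    return out

def send_email(to: Tainted, body: Tainted) -> dict:
    """Tool sink with a capability policy: a recipient that derives from
    untrusted data is accepted only if it is already in the user's contacts."""
    if to.source != "user" and to.value not in CONTACTS:
        raise PermissionError(
            f"recipient {to.value!r} derives from untrusted data and is not a known contact")
    return {"to": to.value, "body": body.value}

def privileged_plan(message: str, reply_to_sender: bool) -> dict:
    """Stand-in for the privileged model's output: fixed control flow derived
    from the user's request alone. Untrusted mail is reached only through the
    structured channel, and every value from it carries the 'untrusted' label."""
    fields = quarantined_llm(message, {"From": str, "Subject": str})
    sender = Tainted(fields["From"], "untrusted")
    subject = Tainted(fields["Subject"], "untrusted")
    body = Tainted(f"Re: {subject.value}: acknowledged", "untrusted")
    # The recipient is either the sender (untrusted provenance) or an address the
    # user named in the request (user provenance); the sink tells them apart.
    recipient = sender if reply_to_sender else Tainted("alice@example.com", "user")
    try:
        return {"sent": send_email(recipient, body)}
    except PermissionError as e:
        return {"blocked": str(e)}

if __name__ == "__main__":
    print(privileged_plan(MSG_KNOWN, reply_to_sender=True))     # sent: alice is a contact
    print(privileged_plan(MSG_UNKNOWN, reply_to_sender=True))   # blocked: unknown, untrusted
    print(privileged_plan(MSG_UNKNOWN, reply_to_sender=False))  # sent: recipient came from the user
```

The point of the channel is that the privileged side never reads the message text: its control flow is fixed before any untrusted data arrives, the quarantined side can only fill declared fields, and the decision at the sink is made on the label attached to the value, which is what makes the separation architectural rather than a matter of prompt wording.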

Q1 2026 supply chain incident

A LiteLLM supply chain compromise was detected in Google ADK dependencies (March 24, 2026), demonstrating that even Google’s AI toolchain is not immune to the supply chain risks active in this period.