Google DeepMind has announced that computer use is now a built-in capability in Gemini 3.5 Flash, moving the feature out of a standalone model and into the main Flash release. The integration gives developers a single model that combines existing tools such as Search and Maps grounding with the ability to see, reason, and take action across browser, mobile, and desktop environments.

What Changes for Developers

Previously, computer use was only accessible through a separate Gemini 2.5 computer use model. With the 3.5 Flash integration, developers can access the capability directly through the Gemini API and the Gemini Enterprise Agent Platform. Google describes the release as its best-performing offering for agentic computer use tasks, suited to long-horizon workflows such as continuous software testing and knowledge work across professional applications.

Security Measures and Prompt Injection Risks

Agents that operate in live environments carry inherent risks, and Google acknowledges prompt injection as a primary concern. To address it, the company applied targeted adversarial training to the 3.5 Flash computer use capability. Two optional enterprise safeguard systems are also being released alongside the model:

  • Explicit user confirmation: Requires human approval before sensitive or irreversible actions are executed.
  • Automatic task suspension: Halts execution if an indirect prompt injection attempt is detected.

Google frames these controls as one layer in a broader defense-in-depth posture. The company encourages developers to combine them with secure sandboxing, human-in-the-loop verification, and strict access controls. Additional guidance is available in Google’s best practices documentation.

Security Implications for Practitioners

Natively embedded computer use significantly expands the attack surface for any deployment that allows the model to interact with live systems. Prompt injection, where malicious content in the environment manipulates agent behavior, remains an unsolved problem across the industry. Google’s adversarial training and optional confirmation gates reduce risk but do not eliminate it. Security teams evaluating Gemini-based agents should treat the safeguard systems as supplementary controls rather than primary defenses, and should enforce sandboxing and access-control policies at the infrastructure level regardless of model-level protections.

Access to computer use in Gemini 3.5 Flash is available now via the Gemini API and Gemini Enterprise Agent Platform.