Disclaimer: This article is based on actual news from the real world – honestly! However, it has been sprinkled with a healthy dose of satire.
MOUNTAIN VIEW, Calif. – Google announced Monday it will add a second artificially intelligent system to its Chrome browser, tasked with preventing the first artificially intelligent system from doing exactly what everyone said it would do when Google added it three months ago.
Probably a good idea to select the left button. (rafapress/depositphotos)
The company introduced Gemini-powered chat to Chrome in September, promising users could soon give voice commands that would allow the AI to browse the web autonomously on their behalf. Security researchers immediately identified this as “extremely stupid,” a technical term meaning “inviting a machine that hallucinates facts to operate financial controls can only end badly.”
The primary threat, which Google engineer Nathan Parker described as “indirect prompt injection,” occurs when the AI visits a malicious website that politely asks it to ignore all safety protocols and wire all your money to Nigeria. The AI, being fundamentally a very expensive version of that kid who believes everything, reads these instructions and thinks, “Seems legit.”
Google, having invested billions in AI infrastructure it now cannot openly admit was incredibly premature, has instead doubled down. The company’s solution is what Parker calls a “User Alignment Critic,” a second AI model whose sole job is to watch the first AI model and veto any actions that seem misaligned with what humans actually want. Parker insists the Critic cannot be poisoned by malicious content, on the grounds that it never reads the web page itself, only the first AI’s proposed next action and the user’s original request. This holds right up to the point where the first AI, having read the page, proposes an action whose wording was supplied by the page, which possibly represents a fundamental misunderstanding of how the first AI went wrong.
The oversight arrangement follows a pattern formalized in a 2025 Google DeepMind paper called “CaMeL,” which stands for “CApabilities for MachinE Learning” and definitely not “Can Anyone Make this Even Less secure?” The technique involves one machine learning model moderating another machine learning model, which is functionally equivalent to installing a second smoke detector to alert you when the first smoke detector goes off, except both smoke detectors are prone to announcing fires that don’t exist.
Chrome engineers developed Agent Origin Sets to enforce site isolation for AI-driven browsing, preventing the agent from mixing data across origins, the way early websites used to before everyone agreed that was bad. The technology applies Chrome’s existing same-origin security model to the AI, which is like applying traffic laws to a driver who interprets red lights as suggestions. Security researchers noted that origin isolation is excellent until someone finds a way around it, and someone always finds a way around it.
Nothing like trusting the AI that doesn't trust the AI. (jetcityimage2/depositphotos)
To provide users with the illusion of control, Chrome’s AI will seek permission before navigating to banks, medical sites, or anywhere else containing information someone might want to steal. The agent will also request confirmation before using Google Password Manager to log in to sites autonomously, which raises the question of why an AI that requires permission to use passwords was given access to passwords. For “sensitive actions” like purchases or sending messages, the AI will either ask permission or simply inform the user to complete the final step themselves, which is functionally identical to not having an AI agent.
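For readers who want to see what the origin-set rule and the permission prompts above actually amount to, here is the policy written out as a small check an agent loop could run before each action. This is an added example written for this page, not Chrome’s code: the hostnames, the `{ type, url, dataFrom }` action shape, the `AgentOriginSet` class and the two sensitivity lists are all constructed assumptions. What is not an assumption is the unit of isolation: an origin is scheme plus host plus port, exactly as the same-origin policy defines it.

```javascript
// Constructed policy inputs (assumptions for this example, not Chrome's lists).
const SENSITIVE_ORIGINS = new Set(["https://bank.example", "https://clinic.example"]);
const SENSITIVE_ACTIONS = new Set(["purchase", "send_message", "login"]);

// Origin = scheme + host + port, the same-origin policy's unit of isolation.
// "https://shop.example" and "https://shop.example:8443" are different origins.
function originOf(url) {
  const origin = new URL(url).origin;
  if (origin === "null") throw new Error(`opaque origin, refusing: ${url}`);
  return origin;
}

// The set of origins the user has brought into this task. Only grant() widens
// it; nothing the agent reads on a page can. (Constructed class, not Chrome's.)
class AgentOriginSet {
  constructor(seedUrls) {
    this.origins = new Set(seedUrls.map(originOf));
  }
  allows(url) {
    return this.origins.has(originOf(url));
  }
  grant(url) {
    this.origins.add(originOf(url));
  }
}

// Decide what to do with one proposed action:
//   { type, url, dataFrom? }  ->  { decision: "allow" | "ask_user" | "deny", reason }
// dataFrom is the URL of the page whose content the action would carry along
// (form fields, message bodies, query strings).
function evaluate(set, action) {
  const target = originOf(action.url);

  // 1. Data never leaves the task's origin set, and the user is not even asked:
  //    an exfiltration approved under pressure from an injected page is still
  //    an exfiltration.
  if (action.dataFrom !== undefined) {
    const source = originOf(action.dataFrom);
    if (!set.allows(action.dataFrom) || !set.allows(action.url)) {
      return { decision: "deny", reason: `data from ${source} may not flow to ${target}` };
    }
  }

  // 2. Reaching a new origin widens the set, which only the user may do.
  if (!set.allows(action.url)) {
    return { decision: "ask_user", reason: `${target} is outside the task's origin set` };
  }

  // 3. Sensitive sites and sensitive actions always go back to the user.
  if (action.type === "navigate" && SENSITIVE_ORIGINS.has(target)) {
    return { decision: "ask_user", reason: `${target} is a sensitive site` };
  }
  if (SENSITIVE_ACTIONS.has(action.type)) {
    return { decision: "ask_user", reason: `${action.type} requires confirmation` };
  }
  return { decision: "allow", reason: "within origin set, non-sensitive" };
}

// Constructed scenario: the task started at a bank, and page content tries to
// steer the agent somewhere else. Returns the decisions in order.
function runDemo() {
  const task = new AgentOriginSet(["https://bank.example/accounts"]);
  const proposals = [
    // Injected instruction: post account data to an attacker's endpoint.
    { type: "submit_form", url: "https://evil.example/wire", dataFrom: "https://bank.example/accounts" },
    // Same host, different scheme: a different origin, so not in the set.
    { type: "navigate", url: "http://bank.example/accounts" },
    // Inside the set, but a sensitive site: permission first.
    { type: "navigate", url: "https://bank.example/transfer" },
    // Inside the set, ordinary read: allowed.
    { type: "read", url: "https://bank.example/statements" },
    // Inside the set, but a sensitive action: confirmation first.
    { type: "login", url: "https://bank.example/signin" },
  ];
  return proposals.map((p) => evaluate(task, p).decision);
}
```

Two design choices are worth noticing. The cross-origin data flow is denied outright rather than turned into a permission prompt, because a user staring at a dialog written by the same page that injected the instruction is not a reliable control. And the set only grows through `grant()`, which the agent never calls itself; if the model could add origins on its own say-so, the injected page would simply ask it to.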
The new security model will appear in future Chrome releases. Users who wish to avoid the AI-watching-AI paradigm can continue using Chrome without enabling the agent features, though Google’s track record suggests “optional” often means “optional for now.”
No word on when Google plans to deploy a third AI to watch the second AI watch the first AI. But it’s inevitable.
This story is based on fully factual news, but if we got it wrong, blame these guys, we’re just here to make it funny.