View security findings

Use the Security tab in Gemini Enterprise Agent Platform to monitor your deployed AI agents, help assess their security posture, and review related security findings.

Before you begin

To use the Security tab, ensure that you have the required permissions and that the necessary Security Command Center features are configured.

Required roles

To get the permission that you need to view the Security tab and findings, ask your administrator to grant you the following IAM roles on your organization or project:

For more information about granting roles, see Manage access to projects, folders, and organizations.

This predefined role contains the serviceusage.services.get permission, which is required to view the Security tab and findings.

You might also be able to get this permission with custom roles or other predefined roles.

Alternatively, to adhere to the principle of least privilege, you can create a custom IAM role that grants only the necessary permissions. For more information, see Custom roles.

Configure Security Command Center features

For the Security tab to populate with information, you must onboard your organization to Security Command Center Premium or Enterprise to take full advantage of features like AI Protection, Agent Platform Vulnerability Assessment, and attack path simulations. For more information, see Overview of activating Security Command Center.

Enable and configure the following Security Command Center features:

  • AI Protection: Enable the AI Protection service in your Security Command Center settings. For more information, see Set up AI Protection.
  • Agent Platform Vulnerability Assessment: Enable this service in your Security Command Center Premium or Enterprise settings to identify vulnerabilities that are specific to AI agents.
  • Compliance monitoring: Ensure that compliance monitoring is enabled for your organization. Compliance monitoring is enabled by default, but might be explicitly disabled in some environments. For more information, see Enable Compliance Manager.
  • Sensitive data discovery: Enable discovery for AI resources to identify if datasets used in training or fine-tuning contain sensitive data. For more information, see Enable discovery.
  • Model Armor: Enable Model Armor on your Agent Gateway (Private preview) instances and configure at least one template. If Model Armor is not enabled or if no templates are detected, the dashboard hides the related widgets behind a banner. For more information, see Configure Model Armor.
  • AI Discovery: Ensure that AI Discovery is configured to populate the AI Inventory data, including agents, models, and endpoints. For more information, see Configure AI Discovery service.
  • Attack path simulations: If you're using Security Command Center Premium or Enterprise, attack path simulations are enabled by default and help you identify the most risky findings.

Access the Security tab

To access the Security tab, follow these steps.

  1. In the Google Cloud console, go to the Agent Platform Security tab.

    Go to Security

  2. Select your project.
  3. In the navigation menu, click Security.

Monitor and manage AI security risk

Use the Security tab to perform key security tasks and help maintain a secure AI environment.

Triage and remediate production fleet risks

Triage your production fleet by using the following capabilities:

  • Monitor security health: Review aggregate risk metrics, compliance status, and active threat counts to assess your overall security posture.
  • Investigate issues: Click any metric to view the filtered findings list in Security Command Center for further investigation.
  • Remediate findings: For supported findings where the affected Google Cloud resources are managed through Terraform, use Remediate with Gemini to help fix issues. For other findings, use guided remediation snippets.

View summary information of your security posture

Monitor project-scoped risks that are summarized from Security Command Center to identify and address vulnerabilities:

  • Prioritize risks: Identify vulnerabilities, misconfigurations, and toxic combinations—such as an agent with high privileges and exposed data—by using the AI risks by severity widget.
  • Monitor active threats: Use the AI threats widget to review threat detections against Agent Platform control planes and runtimes.
  • Right-size agent access: Identify agents with overly broad roles using the Agents with excessive permissions widget.

Monitor content security and violations

To learn how to track how your deployed agents handle malicious inputs and sensitive data using Model Armor integration, see Monitor content security.

Onboard and activate advanced security

If you're using the Security Command Center Standard tier, you can start a Security Command Center Premium trial with a single click to access further visibility and attack path simulations.

Assess risk for individual resources

Perform granular risk assessments for specific components in your fleet:

  1. In the Google Cloud console, navigate to the details page for an agent, agent gateway, or Model Context Protocol (MCP) server.
  2. To view risks, violations, and discovery graphs that are filtered to that specific resource, select the Security tab.

Security tab widgets

To help you manage your AI security posture, the Security tab includes the following widgets.

  • AI risks by severity: Identify and prioritize your most critical vulnerabilities, misconfigurations, and toxic combinations—such as an over-privileged agent exposed to the public internet. To have agents included in toxic combination calculations, you must designate them as high-value resources by adding them to a high-value resource set. This widget ranks risks by severity and attack exposure score. You're provided with actionable guidance to help securely patch your agentic environment.
  • AI threats: Monitor your agent environment for active, real-time security breaches. This widget highlights critical and high threats against your Gemini Enterprise Agent Platform control planes and runtimes, tracking malicious activity such as anomalous IAM grants, crypto-mining malware, or a compromised agent that is attempting lateral movement so you can rapidly investigate and respond.
  • Agents with excessive permissions: Maintain a strict least-privilege security posture by identifying agents that have been granted overly broad or unnecessary access. This widget lists specific agent identities and provides detailed insights into their unused permissions, allowing you to adjust their roles without breaking functionality.
  • Compliance: Help verify that your AI deployments adhere to industry security standards. This widget monitors your environment against predefined security frameworks and provides a high-level view of your current compliance status, helping you maintain audit readiness and security hygiene.
  • Content violations: Monitor and manage content-related security issues across your AI environment. This widget aggregates findings for content violations, providing visibility into the volume and types of policy breaches that are detected in your organization.

    To help you identify potential surges or patterns in malicious activity, this widget includes Violations over time, which shows a historical view of content violation trends.

What's next

Guide

Learn how to use Identity Access Management (IAM) agent identity to provide security and access management features with Agent Platform.

Codelab

Learn how to secure your agentic applications in the Securing Cross-Cloud Agentic AI Applications codelab.

Overview

Get an overview of Agent Gateway.

Overview

Get an overview of policies in Google Agent Platform.

Overview

Get an overview of Google Agent Platform.