Computer use, the ability for an AI to see a screen, click buttons, and type inside other apps, is moving from an experimental model into Gemini 3.5 Flash, with two enterprise safeguards against prompt injection, the practice of smuggling hostile instructions into the pages and…
Google is shipping the ability for an AI to see a screen, click buttons, and type text inside other software as a native capability of Gemini 3.5 Flash, the lightweight, lower-cost tier that most mainstream developers build on. According to Google, computer use, the industry term for an AI that drives a browser or app on a user's behalf, is now built into the Gemini API and the Gemini Enterprise Agent Platform, and the older Gemini 2.5 computer-use preview remains in the reference repository as a fallback. What makes the move more than a routine product update is what Google is quietly admitting in the process: that prompt injection, the practice of smuggling hostile instructions into the webpages and documents an agent reads, is a live, unsolved problem, and that the response has to be a product feature, not a research promise.
The mechanism is straightforward. Computer use in 3.5 Flash is a tool the model can invoke, not a separate model developers have to call. The agent works across browser, mobile, and desktop environments, stitching together screens, applications, and the inputs a user would normally provide by hand. The reference implementation on GitHub lists gemini-3.5-flash as the default model and gemini-2.5-computer-use-preview-10-2025 as the experimental predecessor; both are wired to Playwright, a local Chrome automation library, or Browserbase, a hosted browser backend that runs a public Gemini computer use demo. The predecessor Gemini 2.5 Computer Use model was announced as a standalone experimental model; the 3.5 Flash move is the moment that capability becomes a default, not a choice.
The post positions computer use for narrow, well-defined work: long-horizon enterprise automation, continuous software testing, and knowledge work that lives inside professional applications. Two worked examples show what that looks like in practice. In one, the agent analyzes the Gemini app and returns a categorized feature list. In the other, it audits its own product documentation for accessibility issues, scanning pages, opening the right tools, and producing a list of fixes. Neither is a general-purpose assistant, and that is the point; Google is framing the tool for tasks where the inputs and the desired output are both legible.
The interesting engineering is in the safeguards. Google describes adversarial training against prompt injection plus two optional enterprise controls: the first requires explicit user confirmation before sensitive or irreversible actions, and the second automatically stops the task if the model suspects an injection attempt. The company is not claiming these are sufficient. Its developer documentation recommends a defense-in-depth posture: combine the model-level safeguards with secure sandboxing, human-in-the-loop review, and strict access controls. The constructive read is that the prompt-injection problem is being treated as an engineering problem to be operated in production, not a research problem to be solved before release.
The stakes are concrete. Independent analyst Simon Willison frames Gemini 3.5 Flash as "more expensive, but Google plan to use it for everything," a read consistent with Google's own positioning of Flash as the volume tier. Browserbase's own writing on training and evaluating browser agents places the new capability in an emerging market for browser-agent evaluation, where reliability and resistance to injection are the metrics that matter. If developers start shipping agents that click through internal tools, those agents will be reading untrusted inputs: web pages, PDFs, support tickets. The injection problem is not theoretical; it is the shape of the workload.
The post is also notable for what it does not include. There are no third-party benchmarks of computer-use success or failure rates, no named independent customers, and no disclosure of what the agent does when the optional safeguards are off. Metacto's May 2026 pricing guide covers Gemini API tiers but does not break out a computer-use line item. The customer and pricing framing in Google's post should be read as company positioning, not third-party validation.
The short-term watch item is whether other model providers respond with their own injection-aware agent loops, and whether enterprise buyers actually toggle the new safeguards on by default. The Gemini API Computer Use documentation is the place to look for what those toggles expose and what they leave to the developer. For now, Google is shipping the capability on its highest-volume tier and asking the market to treat agent security as part of the product, not a footnote.