Gemini 3.5 Flash gets computer use as a built-in tool

TL;DR
Google made computer use a built-in tool in Gemini 3.5 Flash on June 24 — agents that see, reason, and click across browser, desktop, and mobile interfaces no longer need the separate computer-use model Google shipped with Gemini 2.5. The company paired the launch with two optional enterprise safeguards: mandatory confirmation for sensitive actions, and automatic task stops when indirect prompt injection is detected. Screen control is becoming a standard model feature, not a specialty product.
What happened
Google DeepMind announced that computer use is now natively integrated into Gemini 3.5 Flash, which the company says delivers its best performance yet on agentic computer-use tasks. The capability was previously available only through a standalone Gemini 2.5 computer-use model; folding it into the mainline Flash model puts screen control alongside Gemini’s existing built-in tools like function calling and Search and Maps grounding.
The pitch is long-horizon and enterprise automation: Google’s examples include continuous software testing and knowledge work across professional applications, plus demos of the model auditing its own documentation for accessibility issues and cataloguing app features by operating the UI. Developers get access through the Gemini API and the Gemini Enterprise Agent Platform, with a reference implementation on GitHub and a hosted demo environment run by Browserbase. Early customer quotes come from Browserbase, Browser Use, and UiPath — the automation vendors with the most to gain from a fast model that can drive screens.
The safety half of the announcement is substantive. Google says it used targeted adversarial training against prompt-injection risks for agents operating in live environments, and released two optional enterprise safeguard systems: one requiring explicit user confirmation for sensitive or irreversible actions, another that automatically stops a task when an indirect prompt injection is identified. The company frames this as “defense-in-depth” and recommends combining the controls with secure sandboxing, human-in-the-loop verification, and strict access controls.
Why it matters
Computer use moves agents beyond APIs into the messy software companies already operate. Folding it into a fast, cheap general model — rather than a separate specialist — makes mixed workflows practical: call an API when one exists, operate the screen when the system has no usable integration. That describes most enterprise software estates, which is why the launch partners are testing and RPA companies.
The safeguard language matters just as much. A computer-using agent reads untrusted interfaces while holding the ability to act on them — the textbook prompt-injection setup. Confirmation gates and injection detection are basic product requirements for this category, and shipping them as first-party features (rather than leaving them to integrators) is the right default.
The fine print
Google’s performance claims cite its own OSWorld-Verified benchmark chart without independent verification, and the two enterprise safeguards are optional — a developer who doesn’t turn them on gets an agent that will happily click whatever the page tells it to. The adversarial training reduces prompt-injection risk; nobody, including Google, claims it eliminates it.
The agent can now use the same awkward internal applications as everyone else. Artificial intelligence has officially joined the workforce.