# Google Cloud Summit ANZ 2026
## Google Cloud Summit ANZ: opening keynote
The opening keynote at Google Cloud Summit ANZ ran through a dense set of product announcements, customer deployments, and partner integrations, all organised around one central claim: the shift from AI as a passive tool to AI as an autonomous agent operating on your behalf.
### Scale in numbers
Paul Migliorini (Vice President AuNZ) opened with usage figures intended to frame just how fast the transition is moving:
- Gemini processed 9.7 trillion tokens per month in May 2024
- One year later: 480 trillion per month
- Now: 3.2 quadrillion per month — a 326x increase since May 2024
### Gemini Enterprise Agent Platform
The platform covers the full agent lifecycle across four stages:
- **Build** : low-code Agent Studio lets non-developers go from idea to deployed agent in hours; Model Garden gives access to 200+ models including Gemini 2.5 Pro and Flash
- **Scale** : agent-to-agent orchestration with predictable, auditable execution paths running in real time, on schedule, or in batch
- **Govern** : each agent gets a unique cryptographic identity; zero trust verification at every interaction step; Model Armor protects models and sensitive data
- **Optimize** : built-in observability lets you trace why an agent made a decision in seconds and tune it over time without inflating compute costs
Antigravity 2.0 is now integrated into the platform, targeting development cycle compression from months to weeks.
A new **Canva Connector** (now in preview) lets users move from business reasoning inside Gemini Enterprise to on-brand design outputs without switching tools.
### Agentic Data Cloud
Good agents need clean, connected data. The Data Cloud announcements addressed two problems directly:
- **Knowledge Catalog** : a universal context engine that integrates natively with BigQuery, helping agents understand company-specific rules and return accurate answers
- **Borderless cross-cloud lakehouse** : built on the open Apache Iceberg standard, it provides direct low-latency connectivity to AWS and Azure with no egress fees, replacing the single-cloud data lake model
Macquarie Bank deployed a 24/7 autonomous AI assistant for retail customers and, by unifying data on BigQuery and Spanner, cut fraud losses and scans by 50%.
### Security: Google + Wiz
Attacks are moving faster. The keynote cited the time for a hacker to hand off control to a specialist group dropping from three hours to 22 seconds over three years.
The response is the Wiz integration, built around three autonomous agents:
- **Red agent** : continuously scans the perimeter, simulating attacks to find vulnerabilities before humans do
- **Green agent** : analyzes identified issues, assigns remediation to the correct code owner, and with one click hands the fix to a coding agent that rewrites and patches the vulnerability
- **Blue agent** : monitors live traffic and responds to active attacks in real time
Automated triage agents in Security Operations are turning 30-minute investigations into one-minute resolutions. Dark web intelligence now identifies external threats with 98% accuracy.
### Customer case studies
**Macquarie Bank** : 5,000 employees have built over 4,800 agents on Gemini Enterprise, recovering 130,000 productivity hours for higher-value work.
**Bunnings** : Launched Buddy, an agentic shopping assistant built on Gemini Enterprise CX, in just over six weeks. Buddy handles project-based queries (not just product search), accepts photo uploads to identify mystery parts or populate a cart from a handwritten list, and understands context without keyword prompting. Since April, Buddy has more than doubled online conversion rates, with basket size increasing particularly for users with multi-turn conversations.
**Transurban** : Operating 22 toll roads across Australia and the US, serving 2.6 million trips per day. Gemini Enterprise is deployed to over 60% of its workforce with 82% adoption. The company is building a personalised omni-channel customer experience using Google Maps, Gemini, and BigQuery — moving from transactional toll collection toward proactive journey guidance and a loyalty rewards ecosystem.
**Xero** : Using Gemini inside Google Workspace, employees are recovering 3.4 hours per week each, with 88% of that time redirected to strategic work.
**CitySky (Civi)** : A wealth management tool built on the Agent Platform in four months. The autonomous multi-agent system has already saved customers $700 million.
**Simple Outdoors demo** : Showed Gemini Enterprise agent studio generating enriched product pages (descriptions, 360 turntables, audio summaries) in minutes from a multi-agent pipeline (catalogue, legal, marketing agents). The customer-facing agent handled natural language, photo uploads, a YouTube video for trail conditions, and switched mid-conversation to Mandarin on request.
### Atlassian: Teamwork Graph
https://teamworkgraph.com
Atlassian's Sherif Mansour made the case that when intelligence is commoditised, competitive differentiation comes from context: your documents, conversations, code commits, and goals. The **Teamwork Graph** connects all of that into a single context layer:
- 350,000 customers already running it
- Over 100 connectors (Google Drive, Salesforce, Figma, Slack, GitHub, etc.)
- Google Workspace is the number one Teamwork Graph connector
- 5 million agent invocations in Atlassian Cloud last month alone
- Switching to Gemini Flash 3.5 as the default model for Rovo agents delivered 2x cost efficiency while maintaining or improving quality
Benchmark results for the Teamwork Graph CLI: 44% improved answer quality, 48% fewer tokens.
SpotOn is deflecting 55% of sales questions using a single Rovo agent grounded in Google Workspace knowledge. Mercedes-Benz eliminated half a week of manual reporting for 35,000 users. Intermate saved over 50 hours per month automating product launches via a Rovo agent in their Jira workflow.
### ReachOut: Ask ReachOut
The keynote closed with a session from swimmer Ian Thorpe as patron of ReachOut, Australia's 27-year-old digital mental health service for young people. 40% of young Australians experience a mental health challenge annually; over one million do not access traditional support each year.
**Ask ReachOut** : built on Google Cloud using the Gemini API, launched in early March 2025. It provides personalised responses drawn from a library of 600+ evidence-informed resources, then routes users to ReachOut's one-to-one human peer support service (PeerChat) when appropriate. Co-designed with 60+ young people. Since launch: approximately 160 inquiries per day, 16,000 people served.
### Platform position
Google's stated platform strategy for ANZ rests on four commitments: full-stack investment (infrastructure through application layer), openness and multi-cloud support without vendor lock-in, enterprise-grade reliability built on the same infrastructure as Google Search and YouTube, and deep local investment including subsea cable systems, K-12 skills programs, and the $1 billion Digital Futures Initiative.
---
## Building with agents: developer track recap
Three sessions from the developer and AI engineering track at Google Cloud Summit ANZ covered complementary ground: how to structure agentic software development, how to build and orchestrate multi-agent systems, and how to evaluate agents in production. Taken together, they sketch a reasonably complete picture of where agentic engineering practice stands right now.
### From vibe coding to structured agentic development
The recurring frustration named in the SDLC session — prompting the same thing repeatedly, losing track of a growing codebase, eventually scrapping it and starting over — comes down to skipping the front-loaded work that software development has always required. Vibe coding compressed the build and test phases dramatically but pushed planning and design out entirely.
The fix is to bring those phases back, but run them through agents. The proposed flow: a mission survey (the agent interrogates you to surface gaps in your intent), then design (requirements doc, technical architecture), then a plan, then execution. Each document feeds the next as a structured input rather than a raw prompt.
Antigravity 2.0, released at Google Next, is built around this workflow. Its CLI includes `/drillme` (questions to extract intent before any design begins), `/planning` (guided planning session producing implementation steps), and `/artifacts` (inline review of generated documents for approval or revision). The demo used a markdown intent file rather than a prompt, with pre-configured specialist agents — cloud architect, security architect, frontend and backend architects — each contributing to the relevant phase.
The underlying principle draws on NASA's [systems engineering handbook](https://www.nasa.gov/reference/systems-engineering-handbook/) from the 1960s: specifications as managed, engineered artifacts that agents can reason against and iterate on. Google published an [SDLC white paper](https://www.kaggle.com/whitepaper-the-new-SDLC-with-vibe-coding ) covering the full framework around the time of the session.
TradeMe's head of security, Kate Pearce, covered the production side. Their approach: sandbox the AI tightly so you can run it freely. Two environments, Hack Labs for non-engineering users, Dev Space for developers with production dependencies, both on GKE with namespace isolation, provisions in roughly 12 minutes. Credentials are swapped at the sandbox boundary so the AI never holds anything with meaningful blast radius. Inside that constraint, YOLO mode is safe.
Their AI code reviewer now handles most merge requests. Review time dropped from over a day to a couple of hours. Thousands of reviews per month at under a dollar each. Development speed up approximately 50-60%, built by two people over a few weeks. The implementation is a repository label that triggers the reviewer to drop comments directly into the pull request.
The closing argument: you don't necessarily need a better model. You need a better org chart: sandboxing, scoped permissions, and agents cross-checking agents. Errors that survive one agent check rarely survive three.
### Multi-agent architecture in practice
The multi-agent session went a level deeper into how these systems are structured, using a hyperlocal demo built in under two days with Antigravity: given a starting location (ICC Sydney) and a destination (Mordiale), plan the optimal route home, refuel, buy biryani ingredients, and find a matching wine.
Without a multi-agent system, that's five or six separate searches across different tools. With one, a central orchestrator receives the prompt, spins up a chef agent, wine agent, fuel agent, and shopping agent concurrently, aggregates their outputs, and presents three route options — fastest, cheapest, premium — in a single interface.
Four design patterns covered:
**Centralised orchestrator** : one agent analyses the prompt, determines which specialist agents to invoke and in what order, and delegates. The orchestrator reasons and plans; the specialist agents execute within their domain. This maps directly to how you'd staff a real project.
**Agentic skills** : rather than loading every possible capability into a single context, agents are given skills as needed. A skill is a markdown file: a front matter block describing what the agent does, plus optional scripts, references, and asset templates. Readable and writable without a software engineering background.
**Agent-to-agent protocol (A2A)** : how agents discover and communicate across organisational and technological boundaries. Each agent has an agent card (essentially a business card advertising its capabilities). The fuel agent in the demo used A2A to pull live fuel prices from Transport NSW's FuelCheck system.
**Model Context Protocol (MCP)** : rather than having agents directly call external APIs, databases, and enterprise systems, MCP servers handle those integrations. Keeps agent responsibilities clean (reasoning, planning, execution) and externalises data access to a reusable, maintainable layer.
Concurrency matters here. Sequential agent execution introduces latency proportional to the number of agents. Running the chef, wine, fuel, and shopping agents concurrently means total latency is roughly equal to the slowest single agent, not the sum of all four. Adding more specialist agents doesn't increase overall latency as long as they run in parallel.
The UI layer is still open. The demo presented route options in a web interface, handled voice input for a second query, and showed in-store aisle navigation generated from planogram data. The argument: input modality and output format should adapt to context rather than defaulting to a chat window.
### Evaluating agents: the quality flywheel
The evaluation session addressed what happens after you deploy — and why most agent quality problems go undetected until users complain.
Six metrics in Google's adaptive rubric framework:
- **Final response** : is the response relevant, appropriately styled, and truthful at the conversation level?
- **Tool use quality** : does the agent use the tools available to it accurately, with valid calls?
- **Trajectory quality** : not just whether tools were called, but whether the sequence of steps made sense for the user's query
- **Task success** : did the agent complete what the user asked?
- **Hallucination** : does the response contain speculated or fabricated information?
- **Safety** : does the response contain anything potentially harmful?
These are available as pre-built rubrics in the evals SDK, via API, and via the Agent Platform UI.
The demo used a travel agent (flight specialist and hotel specialist subagents) to walk through the full eval workflow:
1. **Case generation** : use `generate_conversation_scenario` to simulate the range of situations the agent will encounter. You can constrain this to specific scenario types (e.g. user tries to book a flight then changes destination mid-conversation) and set environment context (current date, user location).
2. **User simulation** : run those cases against the deployed agent to produce actual traces. Set a max turn limit to control token spend.
3. **Custom metrics** : register domain-specific metrics alongside the pre-built rubrics. The demo registered an efficiency metric (penalises extra steps and repeated tool calls with the same parameters) and a tone metric (LLM-judged check for appropriate professionalism and empathy against brand voice).
4. **Issue clusters** : rather than reviewing hundreds of individual traces, run `generate_issue_clusters` to surface failure patterns across the eval dataset. The demo surfaced two clusters under task success: insufficient tool output, and hallucination of missing information — both actionable starting points for fixing agent definitions or tool integrations.
Agent Observability (launched at Google Next) runs this continuously against live production traffic, scoring traces in near real time and alerting on quality degradation via email or Slack. Setup is described as one of the simpler things you can do on Agent Platform.
The flywheel: production failures become test cases. Cluster the failures, fix the agent architecture, validate against offline tests, ship, repeat. Each cycle compounds quality in the right direction. Alongside that loop, model routing (directing tasks to the most appropriate model), caching, and structured output discipline all reduce cost without sacrificing quality.
The closing line from the session: your agent does not have to be perfect. It only has to be improvable. Ship, monitor, improve, and start turning the flywheel.
---
## AI and enterprise security: threat landscape, foundations, and defence
Three sessions from the Google Cloud Summit ANZ security track covered the threat landscape, how to architect a secure AI foundation, and how AI is changing vulnerability exploitation. What follows is a consolidated summary.
### The threat landscape
Andrew Aston (Mandiant Threat Intelligence Services) and Davyn Baumann both gave overlapping but complementary reads on where attacks are heading. The through-line from both: AI is not fundamentally changing what threat actors want (_the TTPs, motivations, and intents are largely the same_) but it is dramatically changing their scale, speed, and sophistication.
**The timeline of attacker AI adoption:**
- 2022–2023: initial exploration : jailbreaking early models, underground forum activity, tools like WormGPT and FraudGPT
- 2024: social engineering at scale : deepfakes, voice cloning (vishing), more convincing phishing lures
- 2025: operationalisation : AI integrated across kill chains, AI-assisted malware creation and modification
- 2026: agentic AI era : automated reconnaissance to execution, vulnerability discovery and exploitation at machine speed
The three capabilities AI gives attackers:
- **Scale** : one operator can target hundreds of organisations simultaneously; SOCs are already saturated with indicators and warnings
- **Speed** : time to exploit a vulnerability has dropped from years to 1.6 days in 2026; some network exploration now happens in seconds
- **Sophistication** : low-capability actors (including hacktivist groups that previously ran basic DDoS attacks) can now impact OT networks and steal data using AI-assisted techniques
The barrier to entry for cybercrime is falling continuously. There are more ransomware groups active now than at any prior point, and roughly half of all organisations posted to ransomware data leak sites in the past year had fewer than 200 employees — organisations unlikely to have internal security teams, let alone vulnerability management programs.
**On vulnerability exploitation specifically:** record numbers of zero-days were exploited last year — approximately 45–50 — split between state actors and cybercriminals. One documented case involved a smaller criminal group using AI to create a zero-day in a web admin tool that bypassed two-factor authentication, with the documentation containing hallucinations that made AI involvement apparent. Threat actors are also ingesting leaked source code and playbooks (the Conti ransomware source code leak being a notable example) and using AI to complete or operationalise incomplete attack components.
**Identity security** is flagged as the domain most likely to converge with AI security over the next 12–24 months. Around 60% of incidents involve attackers logging in rather than breaking in, through stolen credentials, social engineering, or infostealers. As organisations deploy more AI agents, the non-human identity footprint expands — APIs, OAuth tokens, agent identities — and each becomes a potential target.
**The geopolitical dimension:** China has a legislative requirement that domestic IT organisations report discovered vulnerabilities to the state, giving it a sustained supply of zero-days. AI-assisted patching tools are expected to accelerate patch cycles, which is prompting stockpiled zero-days to be deployed now before that window closes. North Korea's regime recently published a five-year plan with AI weaponisation as a stated priority, in parallel with its active IT worker infiltration program. Australia is specifically exposed given AUKUS commitments (_nuclear submarines, advanced frigates from Japan, E-7 Wedgetail aircraft_) with the targeting footprint extending to catering, logistics, and services organisations that touch those programs.
**The recommended defence posture is dual-track:** maintain and strengthen fundamentals (_zero trust, behaviour monitoring, patching discipline_) and augment those with AI capabilities. The defenders who are intelligence-led (who understand attacker TTPs and motivations) will be better positioned to anticipate where AI gets integrated into attacks and prepare accordingly.
### Architecting a secure AI foundation
Stefan Avgoustakis (Google Cloud Security Practice Lead, ANZ) covered the infrastructure security layer, the controls that need to be in place before you start building AI applications.
The Google Secure AI Framework (SAIF), donated to the Open Source Foundation, organises the problem across six domains: expanding existing security foundations to cover AI infrastructure, extending detection and response to AI environments, leveraging AI to automate defences, and ensuring AI-specific controls integrate with the broader security ecosystem rather than sitting adjacent to it.
**Four infrastructure control areas:**
**1. AI inventory**
Most organisations cannot answer how many AI agents are running in their environment. The controls needed mirror what cloud teams already do for VMs, buckets, and Kubernetes deployments, but extended to cover:
- *Model registry* : centralised inventory of first- and third-party models, with versioning, lineage, aliasing (production vs staging), and cryptographic signing so only approved models are deployed
- *Skills registry* : versioned, signed inventory of agent skills; a signed skill provides assurance that its prompts were approved through the organisation's deployment pipeline
- *Agent registry* : centralised governance for agents, each with a unique cryptographically-attested identity; also provides a catalogue of MCP servers, creating a full audit trail across the AI estate
Security Command Center now pulls this inventory together, surfaces posture risks (e.g. a compromised service account touching an AI asset), and prioritises by exposure — whether the asset is externally reachable, for instance.
**2. Access controls**
Agent identity is the most significant addition here. Each agent gets a unique cryptographic identity (based on the SPIFFE standard) instantiated automatically by the platform, not something you configure manually in IAM. This identity is ephemeral and platform-bound, making stolen tokens useless outside the environment.
Two agent identity use cases:
- Agent-to-agent: the agent authenticates to internal services (e.g. BigQuery) using its SPIFFE-based identity
- Delegated authority: when an agent acts on a user's behalf against external systems (Jira, ServiceNow), it receives a delegated OAuth token, meaning the audit trail can distinguish between the agent acting autonomously and the agent acting under explicit user delegation
This distinction matters for security investigations: previously you could identify that an identity did something, but not whether a user authorised it.
**3. Data integrity**
Sensitive data protection applies at two points: redacting PII or other sensitive content from training data before it enters model training pipelines, and intercepting real-time chatbot interactions to redact sensitive data in transit.
Confidential compute addresses the regulated multi-party case: trusted execution environments where data is encrypted at rest, in transit, and in use, allowing multiple organisations (competing banks building shared fraud detection, universities sharing research outcomes) to contribute data without exposing it to any other party (including Google).
**4. Runtime protection**
Model Armor sits between AI applications (agents, chatbots) and models, intercepting communication and applying policies across four areas: content safety, sensitive data detection, jailbreak and prompt injection detection, and URL safety checking. It functions as a centralised firewall-equivalent across all models and applications rather than requiring per-model or per-application configuration.
Wiz adds a further layer at runtime: communication safety between application and model, workload context (e.g. the Kubernetes cluster running the model), and cloud control plane context, all fed into a security graph that provides unified visibility across the AI estate.
**The three questions every security team should be able to answer:** Do you know what AI applications are running in your environment? Do you know how users are interacting with them? Do you have runtime visibility across all AI workloads? Mandiant Consulting can assist where those answers are not clear.
### What ties these sessions together
The threat landscape sessions establish the attack surface and trajectory. The foundation session maps directly to it: agent identity addresses the non-human identity targeting problem; model and skills registries address supply chain integrity; Model Armor addresses prompt injection and jailbreaking; Security Command Center and Wiz address the runtime visibility gap that lets attacks go undetected.
The common framing across all three: defenders cannot use typewriters while attackers use current hardware. The fundamentals still matter — zero trust, patching, behaviour monitoring — but they need AI augmentation to operate at the speed and scale that the threat landscape now demands.
---
The day closed out with a DJ set by Discovery, a Daft Punk tribute band, during networking with food and drinks.
  
---
**Takeaway**: nothing new or surprising today. Google tries to position itself as a cheaper, faster, more secure alternative to AWS and Azure. There was a big push with Wiz (security platform) as an alternative (of sorts) to OpenAI Daybreak and Anthropic's Project Glasswing (very little mention of Mythos). Came away underwhelmed.