I recently returned from New York, where I was invited to speak on a panel about Safe AI and Business Guardrails. The discussion confirmed something we see more and more clearly in B2B projects: companies are no longer just asking "what can we do with AI?" but "how do we control AI when we connect it to real data, customers, and processes?"
The same shift is visible in the directions promoted by Google Cloud at Next '26 in April: moving from AI demos and pilots to agents integrated into core business. This guide explains what works now in agentic AI adoption and three directions already present in Google Cloud, which will establish themselves as the architecture for 2027.
What works now: customer service/support, marketing, and research/productivity
In 2024 and 2025, AI was discussed as "transformation", "productivity growth", "copilots", "automation", but when you got inside an organization, the same concrete questions would emerge:
- What data is AI allowed to access?
- Who verifies AI results?
- How do we stop a chatbot from saying nonsense to customers?
- How do we move from experiment to the trust needed for internal processes?
In 2026, according to the latest Google Cloud report, AI Agent Trends 2026, 52% of leaders in organizations using GenAI report they already have AI agents in production.
At the annual Google Cloud Next event (Las Vegas, April 22-24, 2026), the main theme was the end of the AI pilot era and the move to the agentic AI era.
Sundar Pichai, Google CEO, compared the common 2025 attitude "we can build an agent" with the 2026 one: "How do we now manage thousands of agents?"
The ranking of departments using these agents is interesting:
- 49% for customer service.
- 46% for marketing operations or cybersecurity (SecOps).
- 45% for technical support.
- 43% for product innovation, productivity, and research.
Why these areas? These departments operate on well-defined procedures and workflows, on a stable data foundation. For example, the organization communicates with customers for support based on technical documentation and written procedures. Even in marketing and cybersecurity, the organization draws on the best available information. In short, these are the areas where the organization acts as a unified whole. An AI agent properly integrated in these areas multiplies people's capacity, without creating new processes.
Moreover, in these areas you don't affect the internal organization (hierarchy, permissions), nor do you need to start from an abrupt organizational change. If support or marketing procedures need to change, a new strategy is defined and then the AI agents can be reconfigured.
But how will agentic AI be used across the entire organization?
Direction for the entire organization: Useful, safe, scalable
A chatbot answers, but an AI agent works within a process. Agents can only function properly where the company has a knowledge base about how it works and what the accepted limits are, which reduces inherent risks. To use agentic AI across the entire organization, including internally, the direction for 2027 is starting to emerge from recent Google Cloud launches, including at Google Cloud Next '26.
There are three complementary directions for creating a shared AI space within a company:
1. Intelligent data access - generalized BI
Integrating AI into data warehouses like BigQuery and into BI tools like Data Studio or Looker creates interfaces where the user no longer just looks for a dashboard but can query the data directly, with increased accuracy.
2. Model Armor - LLM Filtering
Model Armor, launched in Google Cloud, is an AI Firewall — a protection layer for AI applications that inspects prompts, responses, and agentic interactions, both at input (prompt, attachments) and at output (AI output). The organization can choose or create security, privacy, brand, and compliance rules on top of the LLM. Some rules are deterministic, for example detecting bank card patterns.
3. Agentic Data Cloud with Knowledge Catalog - Knowledge Infrastructure
Google Cloud products include Agentic Data Cloud with Knowledge Catalog, and the A2A (Agent2Agent) and MCP (Model Context Protocol) protocols are used. Data, metadata, business procedures, and policies are organized in a single space for AI agents, a space under the organization's control.
AI is useful when it has access to company data. It is safe for business when controlled with filters and rules. It becomes a scalable part of the organization when it has a shared knowledge catalog. We explore each below.
I. Intelligent Data Access for Reporting: The Evolution of BigQuery / AI / Data Studio
The greatest source of management frustration is the gap between owned data and decision-making, when you have the data but analyzing it forces you through the path: request to analyst ➛ SQL query ➛ export ➛ dashboard ➛ interpretation ➛ follow-up questions.
AI adoption in core business is slow for the same reason: how will an AI agent know to account for aspects the manager knows from experience, for data points that must be gathered without a clear procedure?
The 2027 Solution
A data architecture that combines:
- Central data warehouse: BigQuery
- Language models: Gemini
- Visualization and semantic governance layer: Data Studio / Looker.
The data agent transforms the question into a data operation (SQL): generates the query ➛ executes it ➛ verifies the result ➛ produces an explanation ➛ builds a visualization.
Before, the dashboard was like a shop window. You saw what had been prepared for you and had to request changes to the display. In the new model, the dashboard is an analysis desk. You ask, get an answer, verify the source, continue the conversation.
To reduce hallucinations, Google Cloud proposes an optional background coding feature where the AI agent actually executes code to obtain SQL queries and graphic reports instantly.
Dashboards remain very important for monitoring, management, meetings, alerts, and recurring reports. But alongside the dashboard, data conversation appears.
- The combination of BigQuery, Data Studio, and Gemini in Google Cloud is currently the best-suited option, even for relatively small data volumes: any manager can work with conversational AI at controllable costs. Data Studio also has a no-cost variant for individual analysis (Data Studio Pro is recommended starting at $9 per user x project / month).
- The Looker product (instead of Data Studio) remains ideal for enterprise-governed Business Intelligence, with semantic models and detailed business logic defined, where data sources must be declared for AI performance.
What would management want to know?
- Which products have competitors lowered prices on in the last 30 days?
- Which B2B customers have ordered less frequently this quarter compared to the previous one?
- Which orders are at risk of delay?
- Which campaigns generated quality leads, not just a high volume?
- Which products have good margin but weak conversion?
- What are the top 20 recurring tickets and what internal process generates them?
The right questions for your company are essential for data access control. The AI agent must know which tables it can access, where they come from (ERP / CRM / ecommerce, etc.), what the metrics mean, what data is sensitive, and which answers it should refuse.
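One way to enforce "which tables it can access" and "what data is sensitive" on agent-generated SQL is a deny-by-default check that runs before the query executes. The sketch below is an added example, not code from Google Cloud or OPTI Software: SQLite's authorizer hook stands in for the warehouse's own access controls, and the `ALLOWED` policy, table names and sample rows are constructed for illustration.

```python
import sqlite3

# Hypothetical policy: the only tables and columns the data agent may read.
ALLOWED = {
    "orders": {"order_id", "customer_id", "order_date", "total"},
    "customers": {"customer_id", "segment"},  # "email" is sensitive, so unlisted
}

def authorizer(action, arg1, arg2, db_name, source):
    """Called by SQLite while compiling a statement; deny by default."""
    if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:          # arg1 = table, arg2 = column
        columns = ALLOWED.get(arg1)
        # arg2 is empty when a table is referenced without reading a column,
        # as in SELECT COUNT(*) FROM t.
        if columns is not None and (not arg2 or arg2 in columns):
            return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY                 # writes, DDL, PRAGMA, ATTACH, ...

def build_demo_db():
    """Constructed sample data standing in for the warehouse."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (customer_id INTEGER, segment TEXT, email TEXT);
        CREATE TABLE orders (order_id INTEGER, customer_id INTEGER,
                             order_date TEXT, total REAL);
        INSERT INTO customers VALUES (1, 'wholesale', 'a@example.test'),
                                     (2, 'retail', 'b@example.test');
        INSERT INTO orders VALUES (10, 1, '2026-01-05', 1200.0),
                                  (11, 1, '2026-02-01', 300.0),
                                  (12, 2, '2026-02-03', 50.0);
    """)
    conn.set_authorizer(authorizer)            # enforce only after loading data
    return conn

def run_agent_sql(conn, sql):
    """Execute model-generated SQL; return (allowed, rows_or_reason)."""
    try:
        return True, conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return False, str(exc)
```

Because the check runs when the statement is compiled, `SELECT *` on `customers` is refused as well: the wildcard expands to include the unlisted `email` column.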
Where is intelligent access to company data ideal?
I. Commercial Analysis and Pricing
In the ecommerce and distribution space, data agents can help teams understand prices, inventory levels, competitor behavior, profitability, and seasonality. "Where are we losing competitiveness but can still protect margin?"
II. Sales Support
An agent connected to the CRM and order history can help the sales team prepare meetings, view customer history, spot drops in activity, or suggest the next step.
III. Operational Control for Cash Flow and Quality
In companies with many repetitive processes and high turnover, the AI agent can identify exceptions: stagnant inventory, blocked orders, unclosed invoices, unresolved tickets, out-of-stock products, customers without follow-up — including from data in CRMs like HubSpot, where specialized CRM agents exist.
Example from the Google Report: Suzano
Suzano is one of the world's largest pulp producers. The company worked with Google Cloud and Sauter to develop a Gemini Pro-based AI agent that translates natural language questions into SQL code to query SAP Materials data in BigQuery. The reported result: a 95% reduction in query time for the 50,000 employees who use the data.
This example is important because it shows very clearly where value appears: not in replacing the data team, but in making data access more efficient.
For success, don't forget to index your own data (ERP, CRM, ecommerce) and correlate it, define the questions management wants answered, and based on those, what AI has access to.
Continue exploring the other two areas for success in 2027: LLM filtering (Model Armor) and the company's AI knowledge base (Knowledge Catalog). Filtering reduces risk, while the knowledge catalog and its governance radically increase the consistency of AI agent actions.
II. Safety Filtering in AI Applications: Model Armor
If AI Agents access company data and customers (pillar 1), pillar 2 ensures that AI agents do not expose the company to catastrophic risks, by limiting their actions with explicit rules and filters.
The 2027 Solution
Model Armor is an Enterprise Firewall (security and compliance filter) developed by Google Cloud, placed between the user (or another application) and the actual LLM. It is the technical instantiation of what we call "Business Guardrails" in OPTI Guide 1.
The basic idea is simple. Security and compliance policies, built from predefined library rules (cybersecurity, data loss prevention, age verification) or from rules defined by the company administrator, are applied at two points:
- Before a prompt reaches the model
- After the model runs but before the response reaches the user or application
LLM risk appears throughout the conversation. An apparently normal prompt can try to manipulate the model; an apparently helpful response can contain sensitive data, content at the edge of legality, or phrasing that creates commercial problems.
Model Armor filters communications around the LLM (e.g., Gemini). Beyond actual traffic, it looks at content, intent, sensitive data, hacking techniques (prompt injection, jailbreak, malware, dangerous URLs), and content dangerous to the organization.
Note that Model Armor, like any IT product, is not a legal guarantee in the strict sense. Company compliance is achieved by the organization itself through the placement of rules (including deterministic ones) and controlled testing. But the product offers:
- the correct architecture (AI controlled by rules)
- transparency for the organization (the administrator knows what rules control the LLM and can supplement them).
Both characteristics are essential in the long term for adopting AI agents in core business.
What would the security team want to prevent?
Some risks for which predefined filters exist:
- Prompt injection: the user or a contaminated document tries to alter LLM behavior
- Jailbreaking: bypassing safety rules / LLM guardrails
- Sensitive data extraction: the model can return personal data, financial information, passwords, or company secrets (data loss prevention)
- Risky content: responses that harm the brand, the company, or users.
- Legal risk: unapproved commercial promises or risky interpretations.
- Malicious URLs or files produced by prompts or responses
- Using the agent outside company purposes: using tokens paid by the company for other purposes (e.g.: coding a website in an e-commerce chatbot)
Simplified, Model Armor works in two steps. First, prompt inspection. Depending on policy, the prompt is allowed, blocked, or forwarded with transformations (sanitization). Then, response inspection (also based on context and history). The same options apply based on policy.
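The two-step flow above, with one deterministic rule of the kind mentioned earlier (bank card patterns), can be sketched locally as follows. This is an added example and not Model Armor's API or code from the original page: the `Policy` shape, the `INTERNAL-ONLY` marker and the stand-in model functions are hypothetical, and the card number is a constructed test value.

```python
import re
from dataclasses import dataclass, field

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

@dataclass
class Policy:                      # hypothetical policy shape for this sketch
    card_action: str = "sanitize"  # "sanitize" or "block"
    blocked_markers: tuple = ()    # literal strings that must never pass

@dataclass
class Verdict:
    action: str                    # "allow", "sanitize" or "block"
    text: str
    reasons: list = field(default_factory=list)

def inspect_message(text, policy):
    """Apply the deterministic rules to one message (prompt or response)."""
    reasons = [f"marker:{m}" for m in policy.blocked_markers
               if m.lower() in text.lower()]
    if reasons:
        return Verdict("block", "", reasons)
    hits = 0
    def redact(match):
        nonlocal hits
        if luhn_ok(re.sub(r"\D", "", match.group())):
            hits += 1
            return "[REDACTED_CARD]"
        return match.group()       # card-shaped but fails Luhn: leave untouched
    cleaned = CARD_RE.sub(redact, text)
    if hits and policy.card_action == "block":
        return Verdict("block", "", ["card_number"])
    if hits:
        return Verdict("sanitize", cleaned, ["card_number"])
    return Verdict("allow", text)

def guarded_call(prompt, model, prompt_policy, response_policy):
    """Step 1: inspect the prompt. Step 2: inspect the model's response."""
    pre = inspect_message(prompt, prompt_policy)
    if pre.action == "block":      # the model is never called
        return {"prompt_action": "block", "response_action": None,
                "output": None, "reasons": pre.reasons}
    post = inspect_message(model(pre.text), response_policy)
    return {"prompt_action": pre.action, "response_action": post.action,
            "output": None if post.action == "block" else post.text,
            "reasons": pre.reasons + post.reasons}

# Constructed stand-ins for an LLM, so the sketch runs offline.
def echo_model(text):
    return "You said: " + text

def leaky_model(text):
    return "Per the INTERNAL-ONLY pricing sheet, the discount is 40%."
```

The same inspector serves both directions; only the policy differs, which is how one agent can sanitize card numbers on input while blocking internal material on output.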
Where is LLM interaction filtering ideal?
In practice, policies can differ by AI agent, but centralized control at the security team level is recommended:
- an HR agent has rules for personal data
- a customer support agent has rules for commercial promises, tone, and age verification
- a marketing agent has rules for brand safety
- a financial reporting agent has rules for sensitive data and compliance
1. Agents for regulated processes
In banking, insurance, medical software, or the public sector and education, AI agents cannot be informal experiments. Here Model Armor is more than a security feature.
2. Automated quoting or order-taking systems
AI agents can create and even propose complex quotes, including Bill of Materials. Model Armor can be supplemented by the company with deterministic rules from the application, for example to ensure the total margin never falls below X% or that the quote is reasonable compared to previous ones (according to company-defined policies).
3. Customer service agents
When the AI agent talks to the customer, it can share information about any data it has access to and can be tricked (into offering what it shouldn't) or exploited (into performing unrelated tasks that consume the company's tokens).
Model Armor helps through its library of predefined security rules: what the agent is not allowed to say, what personal data or company secrets it cannot expose, what tone/language must be blocked, and when to transfer the conversation to a human.
Google Cloud Example: Starling Bank
From the available case study, UK-based Starling Bank migrated data processing to BigQuery and adopted Vertex AI (today renamed by Google to Gemini Enterprise Agent Platform). They then built a tool called Scam Intelligence, through which customers can submit an image of a marketplace listing, and the system searches for fraud signals: price too low, seller pressure, other signs of deception.
Reported results include a 300% increase in the rate at which customers cancel suspicious marketplace payments, a 50% reduction in customer service calls, and 8,000 hours saved monthly.
For success, decide who centralizes security policies, what protections you need to define in Model Armor, and the blocking flow with human alerting or sanitization (cleaning) of LLM communications in each case.
A product like Model Armor is the future for companies moving from "we have a good AI model" to "we have an AI application with rules even at the LLM level".
III. Agentic Data Cloud and Knowledge Catalog: from isolated agents to an AI department
The third pillar best defines the 2027 horizon, according to Google Next trends. It marks the shift from "AI Assistants that access and recommend for the company" to "AI Agents that execute and negotiate among themselves for the benefit and under the control of the company." The challenge is organizational: within a company, data is often siloed by department:
- The CRM says one thing
- The ERP says something else
- The e-commerce platform has different product codes
- The marketing team and finance department use different metrics
Most importantly, when people work together for a long time, they compensate for these differences: they ask someone, check a spreadsheet, know that a column is no longer used, know that a report has exceptions. Knowledge Catalog in Google Cloud is the attempt to define this shared translation space also for AI agents, to create a real AI department in core business.
The 2027 Solution
Google introduced Knowledge Catalog in Dataplex. This is a catalog with deep AI integration for correct context and governance at the level of company data in the cloud, acting as a single source of truth. On top of this, open protocols such as A2A (Agent2Agent) and MCP (Model Context Protocol) operate, allowing AI agents from different companies or within a company to communicate autonomously.
Agentic Data Cloud with Knowledge Catalog includes:
- Preparing an organization's data for a world where not only people read it, but AI agents use it to work.
- Creating the correct organizational context, for all the purposes and departments where AI agents work. It aggregates metadata, definitions, relationships, governance rules, and prompts for AI.
- It will answer questions like: what the data means, what definitions are official, what relationships exist between entities, which sources are more trustworthy, what policies apply, what query examples are validated, who owns certain data.
What is revolutionary about how it works?
- Continuous Semantic Enrichment. It doesn't rely only on manual labels — Gemini extracts semantics and procedures from logs, schemas, and unstructured documents.
- Secure, Agentic Access. Through policies similar to Model Armor, it dynamically and continuously applies security separations. Each AI agent can have defined rules for data and process access and editing — rules centrally controlled and continuously applied within autonomous execution. Agents can run for days and checks must be performed continuously.
- Zero-Copy Federation. Knowledge Catalog operates in parallel with classic central systems (e.g.: ERP, CRM, ecommerce), with integrations controlled and, ideally, deterministic (the agent does not work directly in SAP).
If AI agents are given access to all data sources without a catalog, they will produce seemingly coherent but inconsistent answers over the medium and long term, because they don't understand what matters and what doesn't. Knowledge Catalog reduces ambiguity, creates relationships between data, aids source discovery, and gives agents the company's shared dictionary.
What does management want to know about how AI agents work?
For example, a company wants to transform manual procurement, stock verification, and invoice reconciliation processes into an ultra-fast agent-to-agent interaction that must be fully auditable. Two protocols, now popular in Google Cloud, will be used: A2A and MCP.
1. A2A (Agent2Agent)
This is the protocol through which agents built on different platforms can communicate and collaborate. No large company has all agents from a single vendor for all functions. There are internally built agents, agents provided by partners, agents from enterprise applications, industry-specialized agents, etc.
2. MCP (Model Context Protocol)
This is the standard through which AI agents can access company tools (including execution tools) and data sources in a structured way. If A2A is the language between agents, MCP is the bridge through which AI agents reach data and tools.
The future of AI in organizations will not be one big chatbot, but a network of specialized agents, with communication, access, audit, and governance rules.
Where is AI agent collaboration in a shared space ideal?
1. Knowledge management and multi-department operational processes
Large companies have thousands of documents: procedures, policies, contracts, manuals, presentations, technical specifications, reports, product documentation. A B2B order touches the areas of CRM, quoting, ERP, inventory, delivery, invoicing, and support.
An agent that must answer the question "why is this customer's order delayed?" must understand the relationships between systems, possibly with hallucination reduction through Knowledge Catalog.
2. Compliance and audit
In regulated industries like medical / pharma, agents can help monitor legislative changes, identify affected procedures, and propose modifications. Traceability is essential, hence the importance of protocols and auditable interaction logs so you know every step executed.
3. Production and operations
In production and distribution, policies and procedures differ from site to site. Documents can be numerous, non-uniform, and hard to compare. An AI agent can extract insights, compare procedures, identify inconsistencies, and reduce the risk of divergent information.
4. Partner ecosystems
AI agents won't only work inside the company. There will be scenarios where a company's agent collaborates with a supplier's agent, a logistics partner's agent, a CRM's, or a support platform's. Interoperability will be essential here.
Google Next also announced the partnership between Salesforce and Google Cloud: CRM agents (Salesforce) communicate natively with data agents (Google Cloud) via the A2A protocol. AI will be able to negotiate between commercial partners through other protocols as well, not just within an organization.
Google Cloud Example: Elanco
According to the Google Cloud case study cited in the report, Elanco (a leader in animal health) uses Gemini agents to automatically restructure and reconcile over 2,500 operational procedure documents per factory.
Agentic orchestration reduces the risk of compliance errors, saving up to $1.3 million.
For a company that wants to develop an AI department, the questions inevitably include:
- What are the official sources of truth for each domain, who owns each data set?
- Which documents are current and which are historical?
- What agents already exist or will be built, how are they registered, monitored, and retired?
- Which agents can communicate with each other and how are access rights applied?
- How are decisions audited and what remains mandatory for humans?
Through Agentic Data Cloud in Google Cloud, you can build a system where agents can be controlled, connected, and evaluated.
Useful AI is not the most spectacular, but the best connected
In 2027, the difference between demonstrative AI and business AI will come down to three simple things: data access, control rules, and organizational context.
- An agent without data is just a generic chatbot
- Any agent that takes actions without rules is a risk
- An agent without a shared catalog is an island isolated from the company
Google Cloud is trying to solve exactly these three problems through BigQuery/Data Studio/Looker and data agents, through Model Armor, and through Agentic Data Cloud with Knowledge Catalog.
Implementing these solutions requires approaching a hybrid architecture. As a Google Cloud partner, the OPTI Software team promotes the correct order:
- extracting your data from ERP
- cleaning and correlating the data
- exposing it in a controlled environment through solutions like Model Armor and Knowledge Catalog
- maintaining organizational control and monitoring benefits
What can you do now?
Answer 3 questions:
- What data do we want to make accessible through AI?
- What rules must AI follow?
- What minimum benefits are we targeting for the AI integration to be a success?
📖 Read our complete guide for AI in sales: Download for free the "AI în B2B 2026 - Guide #1: AI Recommendations, Upsell, and Rules" series to see code examples and hybrid architectures we are implementing today.
⚙️ Check your readiness level: Schedule a free audit with OPTI Software experts to assess whether your current infrastructure (ERP, databases) is ready for the Agentic Enterprise era.