Google held its annual I/O developer conference on May 19-20, and the announcements were wide-ranging enough to affect nearly every team that builds or operates software commercially. The headline model, Gemini 3.5 Flash, combines frontier reasoning with agentic task execution. It reportedly outperforms Gemini 3.1 Pro across coding, agentic, and multimodal benchmarks while running four times faster and at lower cost than comparable frontier models. For engineering teams, that changes the economics of embedding AI assistance into internal tooling and customer-facing products in a meaningful way.
The security story from I/O is arguably the most consequential for businesses that run their own software. Google DeepMind announced CodeMender, an AI agent designed for both reactive and proactive code security. Reactive mode patches newly discovered vulnerabilities as they are disclosed; proactive mode rewrites code to eliminate entire classes of flaws before they are ever exploited. CodeMender is available through Google’s Agent Platform, meaning third-party developers can deploy it against their own repositories. Alongside CodeMender, Google announced a dedicated AI Vulnerability Reward Program with bounties up to $30,000 and Secure AI Framework 2.0, an updated set of industry standards specifically aimed at securing autonomous AI agents.
On the privacy side, Google expanded SynthID digital watermarking alongside C2PA Content Credentials to make AI-generated media more identifiable and attributable. For organisations that publish digital content or operate platforms where user-generated media appears, this signals that provenance and authenticity tooling is moving from research to production infrastructure. Compliance with emerging AI content labelling requirements will not remain optional for long.
The broader theme running through I/O 2026 is that Google is treating AI agents as the default execution model, not a future concept. Universal Cart, the agentic commerce layer embedded across Search, Gemini, YouTube, and Gmail, is a concrete example of that shift. Businesses that rely on Google’s ecosystem for customer acquisition or marketing need to understand how agentic intermediaries change the way customers find and interact with their services, and how that affects paid and organic channel strategies.
If your team needs help evaluating which I/O announcements affect your architecture, security posture, or digital strategy, contact Excello Digital and we can help you cut through the noise.