Google Workspace AI control center: what changed this week for IT, security, and compliance

Google’s May 4, 2026 AI control center announcement is real, but the net-new governance change is narrower than the label suggests. The main admin surface is Admin console > Generative AI > Gemini for Workspace, where Google now groups three policy areas: Workspace Intelligence, Feature access, and Conversation history & deletion.^[6]^[1]^[2]^[3]

What was actually new in the last 7 days falls into two buckets. First, Google made the new control-center framing explicit in Workspace Updates.^[6] Second, Google’s newly explicit conversation-history retention and deletion controls for Gemini in Workspace appear to be the clearest new policy capability in this window.^[3]^[5]

By contrast, centralized Gemini administration itself did not begin this week. Google had already logged Streamlining admin controls for Gemini Enterprise in the Google Workspace Admin console on April 13, 2026.^[4] The service-level Feature access controls are best read as a cleaner, more legible centralized panel, not a wholly new enforcement model.^[4]^[2]

The practical before-vs-after shift is that Google now separates three governance questions that were easier to blur together before: can users invoke Gemini in a service, can Gemini actively search a Workspace source for grounding, and how long Gemini in Workspace conversation history is retained or user-deletable.^[1]^[2]^[3] That separation is the real governance improvement.^[1]^[2]^[3]

1) What was announced in the last 7 days

AI control center announcement. On May 4, Google publicly framed a centralized AI control center for managing AI and agent access to Workspace data. The announcement says the control center will, to start, show usage for Gmail, Drive, Docs, Sheets, Slides, Meet, Calendar, Chat, and the Gemini app.^[6]

Conversation history policy controls. Google’s admin help for Conversation history & deletion, last updated May 4 UTC, documents two policy settings for Gemini in Workspace: whether users may manually delete their own conversations, and whether inactive conversations are auto-deleted after 90, 540, or 1080 days, never, or according to user choice.^[3]

Feature access was newly explicit, but not truly first-time. Google’s Feature access page was updated May 1 and documents service-by-service Gemini feature controls under the same Gemini for Workspace area.^[2] Before vs. after: before this 7-day window, Google had already begun consolidating Gemini administration in the Admin console on April 13; after this window, the same controls are easier to find and explain from one Gemini for Workspace landing area.^[4]^[2]

Workspace Intelligence is the key governance primitive from the recent baseline. Google’s April 20 release introduced Workspace Intelligence with admin controls, which is the source-selection layer for cross-app grounding across Gmail, Drive and Docs, Calendar, and Chat.^[4]^[1] Before vs. after: before April 20, admins had older service-level settings, smart-feature dependencies, and permission/DLP controls; after April 20 and now reinforced by the control-center packaging, they have a distinct cross-app source toggle workflow.^[1]^[8]

Adjacent developer/agent announcement. Google separately published agent tools and security updates for Workspace developers, including a gradual rollout of the Workspace MCP server starting May 1, 2026. Based on the available Google documentation, that is adjacent to the AI control center, not a control-center panel itself.^[7]^[1]^[2]^[3]

2) What actually changed for IT, security, and compliance teams

IT admins now have cleaner separation of rollout decisions. Before, the practical controls were easier to conflate: turning Gemini on in an app, relying on existing permissions, and managing whatever history existed were not presented as one clean control family.^[4]^[1]^[2]^[3] After, Google gives admins three distinct levers: Feature access for product exposure, Workspace Intelligence for cross-app source search, and Conversation history & deletion for retention and end-user deletion behavior.^[1]^[2]^[3]

Security teams now get a real source-selection control, but not a hard isolation boundary. Before, Google exposed service-level settings and existing permission, smart-feature, and DLP layers, but did not give an equally clear single workflow for deciding which Workspace services Gemini could actively search for cross-app grounding.^[1]^[8] After, a super admin can selectively turn Gmail, Drive and Docs, Calendar, and Chat on or off as Workspace Intelligence sources, with all four defaulting to on and changes taking up to 48 hours to fully apply.^[1] This is a cleaner governance step than before, but Google explicitly says disabled sources stop only active search; they do not block grounding on specifically referenced items or currently open content.^[1]

Compliance teams now have a visible retention-style control for Gemini in Workspace history. Before this week, Google’s documentation did not present an equally explicit admin-side retention and manual-deletion policy for Gemini in Workspace conversations.^[3]^[5] After, admins can set deletion windows and decide whether users may manually delete their own Gemini in Workspace conversations.^[3] That gives compliance and records teams an interim policy lever they did not have as cleanly before, even though the eDiscovery story is still unresolved.^[3]^[11]^[12]

Security operations and IT reporting improve, but policy monitoring remains thin. Google provides Gemini usage reports with org- and user-level views, spreadsheet export, a 2–3 day reporting lag, and up to 72 hours for org-structure changes to appear.^[9] For actual activity telemetry, Google documents gemini_in_workspace_apps events in the Reporting API with up to 180 days of history.^[10] Before vs. after: after this announcement cluster, there is better visibility into usage and a clearer control taxonomy, but the reviewed Google docs still do not document policy-change alerts or a policy-management API for the new control-center settings.^[9]^[10]^[1]^[2]^[3]

3) Affected products and admin workflows

Workspace Intelligence applies to Gemini in Workspace and lets admins control whether Gemini can actively search Gmail, Drive and Docs, Calendar, and Chat as grounding sources.^[1] Admin workflow: Generative AI > Gemini for Workspace > Workspace Intelligence, then scope by organizational unit or configuration group.^[1] Before vs. after: before this control, admins could rely on permissions, smart features, and DLP to constrain access; after it, they can also decide whether Gemini should actively search those sources at all.^[1]^[8]

Feature access is the service-level enablement layer for Gemini features in Gmail; Drive, Docs, Sheets, Slides, Forms, Drawings, and Vids; Meet; Chat; and Google Workspace Studio.^[2] Admin workflow: Generative AI > Gemini for Workspace > Feature access, again scoped by organizational unit or configuration group.^[2] The limitation is explicit: if Gemini is turned off in one service, users can still ask Gemini in another service about content from the disabled service.^[2] Before vs. after: before, service exposure controls existed in less consolidated form; after, Google exposes them from one obvious landing area but without turning them into a strict data-boundary control.^[4]^[2]

Conversation history & deletion applies to Gemini in Workspace conversation history. Admin workflow: Generative AI > Gemini for Workspace > Conversation history & deletion.^[3] Before vs. after: before, user-facing history behavior existed, but older side-panel interactions were not included; after, admins get an org-level policy surface for deletion rights and retention windows.^[5]^[3]

Gemini app remains a separate product boundary from Gemini in Workspace. Google’s privilege definitions say admins with the broader Gemini privilege can control who uses the Gemini app and turn the Gemini app on or off.^[14] That matters because the new Gemini for Workspace controls do not unify policy across every Google AI surface. Google explicitly says Workspace Intelligence does not govern those sources for the Gemini app, Gemini for Education, or NotebookLM.^[1]

Workspace Studio is only partly inside this story. It appears in the Gemini for Workspace Feature access list, but Google also maintains a separate Studio admin surface under Apps > Google Workspace > Workspace Studio for steps, starters, webhooks, add-ons, integrations, and service-specific steps.^[2]^[13] For service-specific Studio steps, Google documents API-controls-based trust or block actions for apps such as Gemini for Workspace Studio, Drive for Workspace Studio, Gmail for Workspace Studio, Google Calendar for Workspace Studio, and Google Chat for Workspace Studio.^[13]

4) Rollout timing and prerequisites

Rollout timing is staggered across the announcement cluster. The AI control center announcement landed on May 4.^[6] The related Feature access help page shows a May 1 update date.^[2] The Conversation history & deletion help page shows a May 4 update date.^[3] The adjacent developer announcement says Workspace MCP server rollout starts May 1 and is gradual.^[7]

Propagation timing matters operationally. Workspace Intelligence changes can take up to 48 hours to fully apply.^[1] Gemini usage reports can lag by 2–3 days, and org-structure changes can take up to 72 hours to appear in those reports.^[9] For deployment teams, that means a same-day policy change and a same-day reporting check may not line up cleanly.^[1]^[9]

Edition support is uneven across the three control areas. Workspace Intelligence is broadly documented across Business Starter, Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Plus, Frontline Plus, Enterprise Essentials, Enterprise Essentials Plus, Nonprofits, and the AI Expanded Access, AI Ultra Access, Google AI Pro for Education, and Teaching and Learning add-ons.^[1] Feature access is narrower, documented only for Enterprise Standard, Enterprise Plus, Teaching and Learning add-on, Education Plus, Google AI Pro for Education, and AI Ultra Access.^[2] Conversation history settings use a different eligibility list again: Business Starter, Business Standard, Business Plus, Enterprise Starter, Enterprise Standard, Enterprise Plus, Education Plus, Teaching and Learning add-on, Google AI Pro for Education add-on, Google AI Pro, Google AI Ultra, and Frontline Plus.^[3]

Privilege prerequisites are also uneven. Workspace Intelligence and Feature access require a super administrator.^[1]^[2] Conversation history & deletion instead requires the narrower Gemini Settings administrator privilege.^[3] Before vs. after: delegated administration improved for history settings, but the two most consequential controls for grounding and service exposure remain concentrated at the highest admin tier.^[1]^[2]^[3]

One naming ambiguity remains. Google’s admin-facing licensing text uses AI Expanded Access and AI Ultra Access on some pages, while the conversation-history page also refers to Google AI Pro and Google AI Ultra.^[1]^[2]^[3] The safe enterprise reading is to preserve Google’s exact product names page by page rather than assume one fully reconciled SKU taxonomy from this source set.^[1]^[2]^[3]

5) Enterprise use cases

Authoring-first rollout with retrieval minimization. A common enterprise pattern is to enable Gemini features in authoring surfaces such as Docs, Gmail, Meet, or Chat for a pilot OU while turning off Gmail and Chat as Workspace Intelligence sources.^[1]^[2] Before vs. after: before, the cleanest option was often broader enablement or broader disablement by service; after, admins can let users draft and summarize in-place while reducing broad cross-app search over mailboxes and chats.^[1]^[2] Likely owners: IT admin, privacy office, records/compliance, and legal.^[1]^[2]^[3]

Records-sensitive deployment with deletion locked down. Compliance and legal teams can set conversation history to 540 or 1080 days and disable manual deletion while they decide whether Gemini in Workspace history should be treated as a business record.^[3] Before vs. after: before, there was no comparably explicit admin-side history-retention knob in this source set; after, admins can at least stop user self-deletion during policy review.^[3]^[5]

Security-led deployment using existing controls as the hard boundary. In stricter environments, security architecture teams may treat the AI control center as a convenience layer and keep DLP, data regions, API controls, and Context-Aware Access as the real enforcement boundaries.^[1]^[15]^[13] Before vs. after: the control center improves usability, but it does not replace these older security rails.^[1]^[15]^[13]

Adoption monitoring versus forensic review. IT can use Gemini reports for adoption tracking, while security operations can use Reporting API activity events for actual usage telemetry.^[9]^[10] Before vs. after: before this clustering of controls and docs, those workflows were easier to muddle together; after, Google’s documentation makes the difference between adoption reporting and activity logging easier to operationalize.^[9]^[10]^[1]

6) Limitations and unanswered questions

Data residency is still governed largely outside the AI control center. Google’s advanced data regions settings let admins disable nonregionalized features on a per-service basis, and the affected-features guidance explicitly includes multiple Gemini and Gemini-in-Workspace capabilities.^[15] Before vs. after: the AI control center improves app-level governance, but it does not resolve residency-sensitive processing questions by itself.^[15]^[1]^[2]^[3]

Vault, legal hold, and eDiscovery for Gemini in Workspace history remain unresolved. Google now documents retention-style controls for Gemini in Workspace conversation history, but the reviewed Vault supported-services matrix documents search and export only for the Gemini app and explicitly says Gemini app search is not applicable to Gemini for Google Workspace because prompts or responses are not retained for those interactions in that older Vault context.^[3]^[11] The reviewed Google docs still do not establish that Gemini in Workspace conversation history is discoverable in Vault, can be placed on legal hold, or can be exported through a dedicated eDiscovery workflow.^[3]^[12]^[11]

DLP coverage is acknowledged, but evaluation order is undocumented here. Google says access to Workspace Intelligence data sources is also controlled by the organization’s DLP rules.^[1] The reviewed docs do not explain precedence when DLP, Workspace Intelligence source settings, service-level feature access, user smart-feature settings, and content-owner restrictions disagree.^[1]^[8]

Scope granularity is useful, but not complete. Feature access and Workspace Intelligence can be scoped by organizational unit or configuration group, but disabling a service or source does not fully block specifically referenced or currently open content from being used.^[2]^[1]

Delegated administration remains partial. Conversation history settings can be delegated through the Gemini Settings administrator privilege, but Workspace Intelligence and Feature access still require super admin.^[3]^[1]^[2] Before vs. after: this is better than an all-super-admin model, but it still keeps the two most consequential controls at the highest privilege tier.^[3]^[1]^[2]

API availability and alerting are still thin on the control plane. Google’s administrator privilege definitions say admins can perform corresponding actions in the Admin API, but the reviewed Gemini for Workspace control pages do not publish API endpoints for setting Workspace Intelligence sources, Feature access, or Conversation history policies.^[14]^[1]^[2]^[3] The clearest documented API surface in this set is activity retrieval through the Reports API, not policy management.^[10]^[1]^[2]^[3] Google also documents usage reporting and investigation access to Gemini events, but the reviewed material does not document policy-change alerts or a dedicated investigation workflow for control-center setting changes.^[4]^[9]^[10]^[1]^[2]^[3]

Practitioner skepticism remains plausible. Older r/gsuite discussions described confusion around Gemini visibility, plan gating, and whether disablement had fully taken effect. Those threads predate the current control center and are not authoritative on current behavior, but they are a fair reminder that rollout UX can lag documentation.^[16]^[17]

7) Concise comparison to Microsoft 365 and Slack/Atlassian where useful

Microsoft 365 Copilot: Google’s improvement is in governance separation. It now distinguishes service exposure, cross-app grounding sources, and conversation-history behavior more clearly than before.^[1]^[2]^[3] Microsoft is still ahead on documented retention and eDiscovery maturity: Purview documents dedicated Copilot and AI-app retention locations, storage behavior, hold interaction, and searchability.^[23] For Google buyers, the point is narrow: Google has improved administrative usability, but its documentation is still weaker where legal and records teams need explicit preservation and discovery paths.^[1]^[2]^[3]^[23]

Slack: Slack is stronger on direct assignment granularity for AI feature access. Enterprise admins can target no one, specific people and groups, everyone except specific people and groups, or everyone.^[20] Google’s model is workable through organizational units and configuration groups, but some of its most consequential controls still require super admin and are not expressed as the same kind of direct people/group assignment model.^[1]^[2]^[20]

Atlassian: Atlassian is the simpler contrast. Its reviewed AI materials emphasize inherited permissions, organization-level preferences, and connector/privacy guidance rather than a Google-like split between source toggles, feature exposure, and conversation-history behavior.^[21]^[22]^[1]^[2]^[3] Google now sits between Slack and Atlassian: more nuanced than Atlassian’s reviewed model, less directly targetable than Slack Enterprise, and still less mature than Microsoft on retention documentation.^[20]^[21]^[22]^[23]^[1]^[2]^[3]

Implementation color from enterprise IT coverage. TechCrunch’s April 22 framing of Workspace Intelligence as drawing on Gmail, Calendar, Chat, and Drive captures the tradeoff many buyers will recognize: more data access yields more capable assistance.^[19]^[1] Computerworld’s adjacent coverage of Google’s broader agent-platform push also helps explain why admins may conflate Workspace AI governance with Google’s larger agent story; the current evidence says they should keep those boundaries separate.^[18]^[1]^[2]^[3]

Made with Webhound · Ask questions about this research, build on it, or start your own