Google’s newest AI product doesn’t wait for you to open an app and type a prompt. Called Gemini Spark, it runs continuously in the cloud, connects to Gmail, Calendar, Drive, and a handful of other Google services, and keeps working even after you lock your phone or close your laptop. It can draft replies, organize files, and coordinate tasks across your digital life without you hovering over it.
The catch: Spark is available only to subscribers of Google AI Ultra, which costs $99.99 per month. That puts the most capable version of Google’s always-on AI assistant behind a paywall of roughly $1,200 a year, a price that exceeds what most people spend on any single software subscription. A higher tier at $199.99 per month also exists, though Google has not clarified what additional capabilities it unlocks beyond what Ultra already includes.
As of June 2026, the rollout is limited to U.S. users and English only. No free or lower-cost Google plan includes Spark, and Google has not announced a timeline for broader availability.
What Spark actually does
According to Google’s product page, Spark is powered by Gemini 3.5 Flash and an internal system Google calls Antigravity (a name the company has not explained in any public technical documentation). The agent can connect natively to Gmail, Calendar, Drive, Docs, Sheets, Slides, YouTube, and Maps. Every one of those connections ships turned off by default; users must opt in before Spark can touch any service.
Because Spark is cloud-based, it does not depend on a single device staying awake. Associated Press reporting from Google I/O confirmed that the agent continues executing tasks after a user walks away. Google designed Spark to request explicit permission before performing high-stakes actions like sending emails or completing purchases, and its official blog described the agent as helping “around the clock.”
In practice, that could look like this: you tell Spark on Monday morning to find every email from a specific client over the past month, pull the relevant attachments from Drive, summarize them in a Doc, and block time on your Calendar for a review. Spark works through those steps in sequence, checking back with you before doing anything irreversible. The appeal is obvious. So are the risks.
The security questions no one has answered yet
Google says Spark asks permission before high-stakes actions, but no independent audit or technical log has been published showing how those permission prompts actually work, how often they fire, or what qualifies as “high-stakes” versus routine. That boundary has not been publicly defined, leaving open whether certain sensitive operations could slip through without explicit confirmation.
Separately, a research preprint titled “Whispers of Wealth” tested adversarial prompt-injection attacks against a shopping agent built on Google’s Agent Payments Protocol (AP2), which uses the same underlying Gemini technology. The researchers found that malicious instructions embedded in product descriptions or external web content could steer the agent toward unauthorized purchases or payment redirections.
That study targeted an AP2 shopping prototype, not the shipping Spark product, so the specific vulnerabilities it uncovered may not apply directly. But the underlying risk mechanism matters: when an AI agent reasons across multiple data sources and then acts on your behalf, injected prompts can hijack its intent. No published study has measured prompt-injection success rates against Spark specifically, and Google has not released red-team results or formal security guarantees for the agent’s financial or account-level actions.
The preprint has not completed formal peer review, which is worth noting. But it is hosted on arXiv, a well-established open research platform run by a consortium of academic institutions, and it represents the only adversarial security research publicly available on Gemini-powered agent payment flows.
Data retention and third-party apps remain murky
Google has said Spark can maintain context over time to carry out multi-step tasks, but has not specified how long that contextual memory persists, whether users can systematically review or delete it, or how it is separated from broader model training data. Without a detailed retention policy tied to Spark, users cannot easily assess what traces of their activity the agent stores.
The company’s marketing materials describe connections exclusively within its own ecosystem. Any expansion to non-Google apps, and the data-sharing terms that would accompany it, remains unconfirmed. Google has not said whether future integrations would rely on APIs, email parsing, or other mechanisms, or how much granular control users would have over what Spark can access outside the eight native services.
How Spark stacks up against the competition
Google is not the only company building always-on AI agents, and the $99.99 price tag looks steep in context. OpenAI’s ChatGPT Pro subscription costs $200 per month but targets power users and researchers with access to the most capable reasoning models. Microsoft’s Copilot is bundled into Microsoft 365 plans that many enterprise users already pay for. Apple has been integrating its own on-device intelligence features into iOS and macOS at no additional subscription cost, though Apple’s approach is narrower in scope and does not offer the same cross-app reasoning Spark promises.
For most consumers, the question is not whether an always-on AI agent sounds useful. It is whether the specific set of Google app integrations Spark offers today, limited to Gmail, Calendar, Drive, Docs, Sheets, Slides, YouTube, and Maps, covers enough of their daily workflow to justify a subscription that costs more per year than many people spend on all their streaming services combined.
What subscribers are really betting on
The tension at the center of this launch is not complicated. Google has built an agent that can reason across your email, documents, and calendar without you being present. It asks before acting, and its connections default to off. Those are meaningful safety choices that separate Spark from a less constrained automation tool.
But the security research on Gemini-based agent payment flows shows that adversarial prompt injection is not hypothetical; it is a demonstrated risk for agents that handle money and sensitive operations. And the permission-prompt design that is supposed to protect users has not been independently tested. Overly vague confirmations could lead people to approve actions they do not fully understand. Overly detailed ones could create “consent fatigue” that pushes users to click through warnings without reading them.
Until independent audits or peer-reviewed studies examine Spark directly, subscribers are balancing Google’s assurances against a broader pattern of vulnerabilities that researchers keep finding in agentic AI systems. Two things are clear right now: the most capable version of Gemini Spark sits behind a steep paywall, and its real-world safety depends on how well those permission guardrails hold up when someone creative and persistent tries to break them.
*This article was researched with the help of AI, with human editors creating the final content.