>
    Strata Copilot
    Onboard Gemini Enterprise to SaaS Agent Security
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Agent Security
    3. Onboard AI Agent Platforms to SaaS Agent Security
    4. Onboard Gemini Enterprise to SaaS Agent Security
    Download PDF
    SaaS Agent Security

    Onboard Gemini Enterprise to SaaS Agent Security

    Table of Contents

    Onboard Gemini Enterprise to SaaS Agent Security

    Onboard Gemini Enterprise to SaaS Agent Security to gain deep visibility and security for your Gemini Enterprise AI platform and apps.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • SaaS Agent Security license
    Or any of the following licenses that include the SaaS Agent Security license:
    • CASB-X
    • CASB-PA
    • SaaS Security Posture Management license
    Gemini Enterprise is a new AI platform from Google designed for businesses that integrates its most advanced models into a single conversational interface for employees. It allows employees to use pre-built agents or create their own custom agents to perform tasks, analyze data, and automate workflows by securely connecting to company data and applications like Google Workspace and Salesforce. The platform aims to shift employees from tedious tasks to high-impact work while providing central governance and security.
    Onboard Gemini Enterprise to gain deep visibility and security for your Gemini Enterprise platform and apps.
    To access your Gemini Enterprise instance, SaaS Agent Security requires the following information, which you will specify during the onboarding process.
    ItemDescription
    Service Account EmailA service account email in Gemini Enterprise is a special non-human account. Applications and virtual machines use this account to authenticate and access Google Cloud resources securely. It provides a secure identity for programmatic access to the Gemini for Google Cloud API and related services.
    Project IDA Project ID in Gemini Enterprise is a unique identifier for a Google Cloud project. Gemini Enterprise uses the Google Cloud platform, so its services and resources are organized within the same project structure. A Project ID is needed for authentication, billing, and access control when working with Gemini models and related services.
    Location
    In Google Cloud's Gemini Enterprise, a "location" is a specific geographic area for creating, processing, and storing data. Location selection allows enterprises to control data residency. This control is important for data privacy, compliance, and meeting requirements in different regions.
    The types of locations available for data storage in Gemini Enterprise and the wider Google Cloud infrastructure include:
    • global
    • eu
    • us
    New locations created by Gemini Enterprise will be added by SaaS Agent Security in a phased manner.
    1. Go to your project home page (where you developed your agent) in the Google Cloud console.
    2. Copy your project ID and project number and keep it handy for onboarding later.
    3. Enable Discover Engine API
      1. From Google Cloud console, select MenuAPIs & ServicesEnabled APIs & Services+Enable APIs and services.
      2. Search for Discovery Engine API and enable it.
    4. To create a new service account, select MenuIAM & AdminService Accounts+Create service account.
    5. Specify a service account name, account ID, and description and click Create and continue.
    6. In the Permissions section drop-down, choose Service Account Token Creator, Discovery Engine Viewer roles and click Save.
    7. In the list of service accounts, click on the service account that you just created.
      The service account details are displayed.
    8. Copy the service account email address and keep it handy for onboarding later.
    9. Select Principals with accessView by principalsGrant access.
    10. In the Add principals section, specify the name of the principal.
      Your service account email has the following template: agentspace-agent-scan-connecto@<region-name>.iam.gserviceaccount.com. The following are the region names for different regions.
      • US: agentspace-agent-scan-connecto@sspm-identity-us-west2.iam.gserviceaccount.com
      • EU: agentspace-agent-scan-connecto@sspm-identity-europe-west3.iam.gserviceaccount.com
      • UK: agentspace-agent-scan-connecto@sspm-identity-europe-west2.iam.gserviceaccount.com
      • AUSTRALIA: agentspace-agent-scan-connecto@sspm-australia-southeast1.iam.gserviceaccount.com
      • INDIA: agentspace-agent-scan-connecto@sspm-asia-south1.iam.gserviceaccount.com
      • JAPAN: agentspace-agent-scan-connecto@sspm-asia-northeast1.iam.gserviceaccount.com
      • SINGAPORE: agentspace-agent-scan-connecto@sspm-identity-asia-southeast1.iam.gserviceaccount.com
    11. In the Assign roles section, select the Service Account Token Creator role and Save.
    12. To start onboarding Gemini Enterprise to SaaS Agent Security, log in to Strata Cloud Manager.
    13. Select AI SecuritySaaS AgentsAgent Platform OnboardingOnboard Agent PlatformGemini Enterprise.
    14. Ensure you have completed all the three steps mentioned in the following onboarding wizard and then Get Started.
    15. On the Authorization Method Selection page, the API authentication method is selected by default. Click Next.
    16. On the Onboard Agent Platform page, enter the following information (that you gathered in STEP 2 and STEP 7) and Complete.
      • Service Account Email
      • Project ID: You can use either the project ID or the project number.
      SaaS Agent Security establishes the API connection and validates the credentials and permissions. After the validation is successful, you will see the following confirmation message.
    17. SaaS Agent Security immediately begins to scan your onboarded agentic platform after a successful validation.
      The amount of time SaaS Agent Security takes to scan varies based on the amount of data it is required to scan. At a minimum, it takes at least one hour to scan and display data in the SaaS Agent Security dashboard.

    © 2026 Palo Alto Networks, Inc. All rights reserved.