Deployment guidance for Gemini for Government

Last reviewed 2026-04-23 UTC

This document provides technical guidance for US Federal agencies and DoD departments on deploying and using Gemini for Government in compliance with FedRAMP High and DoD Impact Level 4 (IL4) requirements. This document describes which services and features are included in the authorization boundaries and the steps to help you meet your compliance obligations.

Gemini for Government uses Assured Workloads to help with compliance requirements. You must deploy all Gemini for Government resources within an Assured Workloads folder that's configured for your specific compliance regime (FedRAMP High or IL4).

Core product dependencies

Gemini for Government relies on several Google Cloud services. The following table lists the compliance status for each service.

Google Cloud service                                                                      FedRAMP High status   IL4 status
Gemini Enterprise                                                                         Authorized            Authorized
Generative AI on Gemini Enterprise Agent Platform (formerly Generative AI on Vertex AI)   Authorized            Authorized
BigQuery                                                                                  Authorized            Authorized
Cloud Storage                                                                             Authorized            Authorized
Looker (Google Cloud core)                                                                Authorized            Submitted

Authorized services and features

The following table lists the services and features that you can use within Gemini for Government for FedRAMP High and IL4 deployments.

Feature                                                      FedRAMP High   IL4
The following models:                                        Authorized     Authorized
Autocomplete                                                 Authorized     Authorized
Serving controls                                             Authorized     Authorized
Authorized data stores such as Cloud Storage and BigQuery    Authorized     Authorized
Web Grounding for Enterprise                                 Authorized     Authorized
Uploading documents from local machines                      Authorized     Authorized
Ability for end users to select models                       Authorized     Authorized
Deep Research agent                                          Authorized     Submitted
No-code agent creation using Agent Designer                  Authorized     Submitted
Agent Gallery                                                Authorized     Submitted
Image generation using Nano Banana                           Authorized     Submitted
Model Armor                                                  Authorized     3PAO

Unauthorized features that you should disable manually

The following services and features aren't authorized for FedRAMP High or IL4. However, they aren't blocked by the Assured Workloads control packages and are available in your project. As part of your risk assessment, you might need to evaluate service usage relative to sensitive data and any mitigating controls available to you. You may need to manually disable the features on this list in your Gemini Enterprise app configuration based on your assessment.

Agents and galleries
Grounding
Generative features
User, session, and UI features
Other features

For more information about implicit context caching, see Gemini Enterprise Agent Platform and zero data retention.

Unauthorized features that you can't disable

The following services and features are available in the Assured Workloads control package. You can't disable them. If you use these features, we recommend that you conduct a proper risk assessment prior to granting your authorization to make sure service usage is appropriate for your FedRAMP High or IL4 deployment. For example, you can assess service usage relative to data sensitivity. You can also evaluate if any mitigating controls based on data encryption are available to you to establish sole control over data access.

Agents and galleries

To remove availability for this agent, contact our sales team or your Google Cloud representative.

Analytics and dependent features
Data connectors and stores
User, session, and UI features
Other features

Deploy your environment

Follow these steps to deploy an environment that meets your compliance obligations:

  1. Deploy Assured Workloads:
    1. Create an Assured Workloads folder that uses Data Boundary for FedRAMP High or Data Boundary for IL4.
    2. Create your Google Cloud project inside this folder.
    3. Verify that all users and service accounts have the required Identity and Access Management (IAM) permissions.
  2. Configure your FedRAMP High or IL4 network. For more information, see Configure network for FedRAMP and DoD on Google Cloud.
  3. Create a Gemini Enterprise app. Select US Multi-region as the location. The Assured Workloads data residency policy enforces this option.
  4. Connect to a Google data source that's located within your Assured Workloads folder. The authorized data stores for FedRAMP High and IL4 are Cloud Storage buckets and BigQuery datasets.
  5. Configure authorized compliance features.
  6. Turn off the unauthorized features that are described in Unauthorized features that you should disable manually.
  7. Train your personnel not to use the unauthorized features that you can't disable.

Turn off unauthorized features

Complete the tasks in this section to turn off unauthorized features that you can disable manually.

Complete this task for each app that you deploy in Gemini Enterprise.

Ensure that you have one of the following roles:

  • Discovery Engine Admin (roles/discoveryengine.admin)
  • Gemini Enterprise Admin (roles/discoveryengine.agentspaceAdmin)
  • A custom role with the discoveryengine.engines.update permission

Console

  1. In the Google Cloud console, go to the Gemini Enterprise apps page.

  2. Select the app.

  3. In the navigation menu, click Configurations and then select the Feature Management tab.

  4. Turn off Enable prompt gallery.

  5. Click Save.

REST

To update the feature control map of your app, use the engines.patch method on the discoveryengine.googleapis.com API endpoint.

Set the prompt-gallery key to FEATURE_STATE_OFF in your engine's features configuration.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the ID of your project
  • APP_ID: the ID of your app

HTTP method and URL:

PATCH https://discoveryengine.googleapis.com/v1/projects/PROJECT_ID/locations/global/collections/default_collection/engines/APP_ID?updateMask=features

Request JSON body:

{
  "features": {
    "prompt-gallery": "FEATURE_STATE_OFF"
  }
}

You should receive a JSON response similar to the following:

{
  "name": "projects/PROJECT_ID/locations/global/collections/default_collection/engines/APP_ID",
  "features": {
    "prompt-gallery": "FEATURE_STATE_OFF"
  }
}

Turn off grounding with Google Maps Platform

To turn off grounding with Google Maps Platform for all requests, you can disable the Maps Grounding API (mapsgrounding.googleapis.com) using one of the following methods:

  • In the APIs & Services page on the console, locate the Maps Grounding API (mapsgrounding.googleapis.com), and select Disable API. For more information, see Enable and disable services.

  • In the Google Cloud CLI, run:

    gcloud services disable mapsgrounding.googleapis.com

To turn off grounding with Google Search for all requests, set the constraints/vertexai.disableGenAIGoogleSearchGrounding organization policy boolean constraint to true at the Assured Workloads folder level. For more information, see Updating policies with boolean rules.

Turn off grounding using Google Drive uploads

Grounding with Google Drive is only enabled when you connect a Google Drive data store to your app. To disable grounding with Google Drive uploads, complete the following:

  • Ensure that no Google Drive data stores are configured in your Gemini Enterprise apps. If an app is already connected to a Google Drive data store, remove it from the app's settings in the console, or delete the data store using the dataStores.delete method in the Discovery Engine API.

  • Disable Workspace data-sharing capabilities in the Google Admin console, or disable Smart features and personalization in Google Workspace to block the connector from accessing user documents in Google Drive.

Turn off grounding using Microsoft OneDrive uploads

Grounding with Microsoft OneDrive is only enabled when you connect a Microsoft OneDrive data store to your app. To disable grounding with Microsoft OneDrive uploads, complete the following:

  • Ensure that no Microsoft OneDrive data stores are configured in your Gemini Enterprise apps. If an app is already connected to a Microsoft OneDrive data store, remove it from the app's settings in the console, or delete the data store using the dataStores.delete method in the Discovery Engine API.
  • To block the connector's access, revoke the credentials, or delete the registered OAuth 2.0 application client ID and credentials in Microsoft Entra ID (Azure AD) that are used for Microsoft OneDrive connectivity.

Turn off Imagen and Veo

To turn off image generation using Imagen and video generation using Veo, complete the following:

  • Set the constraints/vertexai.allowedModels or constraints/vertexai.allowedGenAIModels organization policy list constraint at the folder or organization level to deny the imagen and veo models (for example, publishers/google/models/imagen-4.0-ultra-generate-001) or to permit only approved models. For more information, see Control access to Model Garden models.
  • To restrict prediction access on Imagen or Veo models, configure an IAM deny policy that denies the aiplatform.endpoints.predict IAM permission on the resource path for the model. The model resource path is projects/PROJECT_ID/locations/LOCATION/publishers/google/models/MODEL_NAME.

    Replace the following:

    • PROJECT_ID: the ID of your project
    • LOCATION: the location of the app
    • MODEL_NAME: the name of the model to allow or deny

Turn off user events for Gemini Enterprise apps

User events are sent by client-side event trackers or imported in bulk. To disable user event collection, complete one of the following:

  • When configuring the search widget for your application, disable event logging by setting the disableUserEventsCollection property to true inside the uiSettings configuration namespace. For example:

    "uiSettings": {
      "disableUserEventsCollection": true
    }

  • Don't call the event injection endpoints (specifically the userEvents.collect method and the userEvents.write method) and ensure that search pixel scripts (such as v1beta_event.js) are not active on your client pages.

  • Update the setting at the application level, as follows:

    1. In the Google Cloud console, go to the Gemini Enterprise apps page.

    2. Select the app.

    3. In the navigation menu, click Configurations.

    4. Turn off Enable user event collection.

    5. Click Save.

Turn off personalization and memory in Gemini Enterprise

Complete this task for each app that you deploy in Gemini Enterprise.

Ensure that you have one of the following roles:

  • Discovery Engine Admin (roles/discoveryengine.admin)
  • Gemini Enterprise Admin (roles/discoveryengine.agentspaceAdmin)
  • A custom role with the discoveryengine.engines.update permission

Console

For instructions, see Turn off personalization and memory.

REST

To update the feature control map of your app, use the engines.patch method on the discoveryengine.googleapis.com API endpoint.

Set the personalization-memory and personalization-suggested-highlights keys to FEATURE_STATE_OFF in your engine's features configuration.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the ID of your project
  • APP_ID: the ID of your app

HTTP method and URL:

PATCH https://discoveryengine.googleapis.com/v1/projects/PROJECT_ID/locations/global/collections/default_collection/engines/APP_ID?updateMask=features

Request JSON body:

{
  "features": {
    "personalization-memory": "FEATURE_STATE_OFF",
    "personalization-suggested-highlights": "FEATURE_STATE_OFF"
  }
}

You should receive a JSON response similar to the following:

{
  "name": "projects/PROJECT_ID/locations/global/collections/default_collection/engines/APP_ID",
  "features": {
    "prompt-gallery": "FEATURE_STATE_OFF",
    "personalization-memory": "FEATURE_STATE_OFF",
    "personalization-suggested-highlights": "FEATURE_STATE_OFF"
  }
}

Turn off Private Knowledge Graph

To turn off the Private Knowledge Graph, you can use the console or the API.

Ensure that you have one of the following roles:

  • Discovery Engine Admin (roles/discoveryengine.admin)
  • Gemini Enterprise Admin (roles/discoveryengine.agentspaceAdmin)
  • A custom role with the discoveryengine.engines.update permission

Console

For instructions, see Manage Knowledge Graph configuration.

REST

To update your app configuration, use the engines.patch method on the discoveryengine.googleapis.com API endpoint.

Set enablePrivateKnowledgeGraph and enableCloudKnowledgeGraph to false inside the knowledgeGraphConfig parameter.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the ID of your project
  • APP_ID: the ID of your app

HTTP method and URL:

PATCH https://discoveryengine.googleapis.com/v1/projects/PROJECT_ID/locations/global/collections/default_collection/engines/APP_ID?updateMask=knowledgeGraphConfig

Request JSON body:

{
  "knowledgeGraphConfig": {
    "enableCloudKnowledgeGraph": false,
    "enablePrivateKnowledgeGraph": false
  }
}

You should receive a JSON response similar to the following:

{
  "name": "projects/PROJECT_ID/locations/global/collections/default_collection/engines/APP_ID",
  "knowledgeGraphConfig": {
    "enableCloudKnowledgeGraph": false,
    "enablePrivateKnowledgeGraph": false
  }
}

Turn off Model Armor

To turn off Model Armor, remove its templates from your apps and then disable the API.

To remove the templates, see Remove the Model Armor templates from a Gemini Enterprise app.

To disable the Model Armor API (modelarmor.googleapis.com), use one of the following methods:

  • In the APIs & Services page on the console, locate Model Armor API (modelarmor.googleapis.com), and select Disable API. For more information, see Enable and disable services.

  • In the Google Cloud CLI, run:

    gcloud services disable modelarmor.googleapis.com

Turn off NotebookLM Enterprise

Complete this task for each app that you deploy in Gemini Enterprise.

Ensure that you have one of the following roles:

  • Discovery Engine Admin (roles/discoveryengine.admin)
  • Gemini Enterprise Admin (roles/discoveryengine.agentspaceAdmin)
  • A custom role with the discoveryengine.engines.update permission

Console

  1. In the Google Cloud console, go to the Gemini Enterprise apps page.

  2. Select the app.

  3. In the navigation menu, click Configurations and then select the Feature Management tab.

  4. Turn off NotebookLM.

  5. Click Save.

REST

To update the feature control map of your app, use the engines.patch method on the discoveryengine.googleapis.com API endpoint. Set the notebook-lm key to FEATURE_STATE_OFF in your engine's features configuration.

Before using any of the request data, make the following replacements:

  • PROJECT_ID: the ID of your project
  • APP_ID: the ID of your app

HTTP method and URL:

PATCH https://discoveryengine.googleapis.com/v1/projects/PROJECT_ID/locations/global/collections/default_collection/engines/APP_ID?updateMask=features

Request JSON body:

{
  "features": {
    "notebook-lm": "FEATURE_STATE_OFF"
  }
}

You should receive a JSON response similar to the following:

{
  "name": "projects/PROJECT_ID/locations/global/collections/default_collection/engines/APP_ID",
  "features": {
    "prompt-gallery": "FEATURE_STATE_OFF",
    "notebook-lm": "FEATURE_STATE_OFF"
  }
}
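The following Python is an added example, not code from this page or from Google's own tooling. It audits an engine resource offline against the settings that the prompt gallery, personalization and memory, Private Knowledge Graph and NotebookLM sections above turn off, and builds the engines.patch bodies that would remediate any finding. It assumes the engine JSON has the same shape as the responses shown in those sections; the sample engine is constructed.

```python
"""Offline compliance check of a Gemini Enterprise engine resource (added example, constructed).
Verifies the settings this page turns off manually: the listed feature-control keys must be
FEATURE_STATE_OFF and both knowledgeGraphConfig flags must be false. Input is the engine JSON
that engines.get or engines.patch returns; SAMPLE_ENGINE is constructed, not real output."""
from typing import Dict, List, Tuple

REQUIRED_OFF_FEATURES = ("prompt-gallery", "personalization-memory",
                         "personalization-suggested-highlights", "notebook-lm")
REQUIRED_FALSE_KG_FLAGS = ("enableCloudKnowledgeGraph", "enablePrivateKnowledgeGraph")

# Constructed sample: one key missing, one still on, one knowledge-graph flag still true.
SAMPLE_ENGINE = {
    "name": "projects/PROJECT_ID/locations/global/collections/default_collection/engines/APP_ID",
    "features": {
        "prompt-gallery": "FEATURE_STATE_OFF",
        "personalization-suggested-highlights": "FEATURE_STATE_OFF",
        "notebook-lm": "FEATURE_STATE_ON",
    },
    "knowledgeGraphConfig": {"enableCloudKnowledgeGraph": True,
                             "enablePrivateKnowledgeGraph": False},
}

def audit_engine(engine: Dict) -> List[str]:
    """Return one finding per non-compliant setting; an empty list means compliant.
    An absent key is a finding too: absent is not the same as FEATURE_STATE_OFF."""
    findings: List[str] = []
    features = engine.get("features", {})
    for key in REQUIRED_OFF_FEATURES:
        state = features.get(key)
        if state != "FEATURE_STATE_OFF":
            findings.append(f"features.{key}={state!r}, expected 'FEATURE_STATE_OFF'")
    kg = engine.get("knowledgeGraphConfig", {})
    for flag in REQUIRED_FALSE_KG_FLAGS:
        if kg.get(flag) is not False:
            findings.append(f"knowledgeGraphConfig.{flag}={kg.get(flag)!r}, expected False")
    return findings

def remediation_patches(engine: Dict) -> List[Tuple[str, Dict]]:
    """Build (updateMask, body) pairs for engines.patch that clear the findings, using
    the same two masks the page uses: 'features' and 'knowledgeGraphConfig'."""
    findings = audit_engine(engine)
    patches: List[Tuple[str, Dict]] = []
    if any(f.startswith("features.") for f in findings):
        patches.append(("features",
                        {"features": {k: "FEATURE_STATE_OFF" for k in REQUIRED_OFF_FEATURES}}))
    if any(f.startswith("knowledgeGraphConfig.") for f in findings):
        patches.append(("knowledgeGraphConfig",
                        {"knowledgeGraphConfig": {f: False for f in REQUIRED_FALSE_KG_FLAGS}}))
    return patches
```

Run audit_engine on the output of engines.get for each app after deployment and again on a schedule, so that a feature re-enabled in the console is caught rather than assumed off.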

Turn off implicit context caching

To turn off implicit context caching, see Enabling and disabling data caching.