Gemini Managed Agents Can Now Finish the Job After You Disconnect

Gemini Managed Agents now run in the background, connect to remote tools, call your functions, and refresh credentials without losing their workspace.

Friday, July 10, 2026Omid Saffari
Gemini Managed Agents Can Now Finish the Job After You Disconnect

You can now give a Gemini agent a multi-step job, disconnect, and let the work continue on Google's server while its code, files, installed packages, and remote tool connections stay in place. The July 2026 Managed Agents update adds the four pieces that make this practical: background execution, direct remote MCP connections, custom function calls, and credential refresh without rebuilding the workspace.

That changes the useful mental model. This is less like keeping a chatbot tab open and more like handing a job ticket to a cloud worker, then checking the result when it is ready.

What Gemini Managed Agents actually are

Gemini Managed Agents are temporary cloud workers with their own Linux workspace. One call through Google's Interactions API can provision the workspace, let the agent reason through a task, run Bash, Python, or Node.js, install packages, manage files, search the web, and repeat those steps until it reaches an outcome.

The default worker is Google's Antigravity agent, currently identified as antigravity-preview-05-2026 and powered by Gemini 3.5 Flash. The Interactions API itself became generally available in June 2026, but Managed Agents and their environments remain in public preview.

Two IDs carry two different kinds of memory:

  • previous_interaction_id is the job folder. It preserves the conversation, reasoning path, and tool history.
  • environment_id is the workshop key. It reopens the same filesystem, installed packages, and repository state.

You can keep one without the other. Reuse the environment ID alone for a fresh conversation inside the same workspace, or pass both IDs to continue the same job in the same place. Automatic context compaction begins around 135,000 tokens so a long session can shed old detail without immediately hitting its context ceiling.

The result sits between the consumer AI agents most teams know and infrastructure you would normally assemble yourself. Google operates the model loop and sandbox. You still own the product logic, permissions, approval rules, monitoring, and user experience.

How the workflow works, minus the jargon

The new flow has six moving parts:

  1. Start or reopen a workspace. Use environment: "remote" for a fresh sandbox, pass an environment ID to reuse one, or provide a full environment configuration with source repositories and network rules.
  2. Give it only the tools it needs. The agent has code execution, Google Search, URL reading, and filesystem access in its environment. A remote MCP server is a standard connector that exposes outside tools. It needs a lowercase name, a URL, and Streamable HTTP transport. You can also limit which of that server's tools the agent may call.
  3. Send the job into the background. Set background: true. The API returns an interaction ID immediately instead of forcing one fragile HTTP connection to survive the whole task. Background jobs require store: true, which is the default.
  4. Watch without holding the connection open. Poll the interaction or stream its events. If a stream drops, reconnect with the last event_id and continue from there. A job can be in progress, waiting for action, completed, failed, or cancelled.
  5. Handle sensitive business actions in your application. Built-in sandbox tools run on Google's side. A custom function pauses the interaction at requires_action, allowing your application to validate the request, ask for human approval, execute local business logic, and send the result back.
  6. Continue after completion. A follow-up can use the completed interaction ID plus its environment ID. If an access token expires, send that same environment ID with a new network configuration. The new rules replace the old ones, while the files, packages, and cloned repositories remain.

The workspace is durable, not permanent. It stops and snapshots after 15 idle minutes, stays resumable for seven days from its last activity, and is then deleted. Each environment currently provides four CPU cores and 16 GB of memory.

The seven use cases with the clearest payoff

These are ranked by how directly the new capabilities remove an expensive operational bottleneck.

1. Software teams reviewing AI-generated pull requests

A product team receiving a constant stream of machine-written code could start one background job for each pull request. The agent could open the repository, inspect the diff, install the project, run tests, trace a failure across files, and prepare a review with logs and a proposed patch. A GitHub or GitLab connection can arrive through remote MCP, while the final comment or code change can remain behind a custom approval function.

The payoff is not another generic review comment. It is a first pass backed by runtime evidence, ready before a senior engineer opens the pull request. That matters as async coding becomes a normal work pattern, a shift already visible in mobile and background coding agents.

2. Finance and data teams producing recurring operating reports

An operations analyst could launch a worker when the latest CSV exports land, connect it to a warehouse through MCP, and let it clean data, run Python analysis, create charts, and save the working files in one environment. If a short-lived warehouse token expires, the application can provide a fresh one without making the agent reinstall its stack or recreate intermediate files.

The payoff is continuity. The analyst reviews one assembled report and its supporting files instead of repeatedly moving data among a notebook, spreadsheet, charting tool, and chat window.

3. Reliability teams investigating incidents

An on-call engineer could give the agent access to an observability MCP server and a source-control connector, then ask it to correlate a latency spike with deployments, logs, and recent commits. The analysis can continue in the background while the engineer handles the live incident. The agent can produce a timeline, candidate causes, and diagnostic scripts in its workspace.

The payoff is faster evidence gathering under pressure. Production remediation should still sit behind an explicit human gate. A worker that can call tools is useful during an incident, but an unsupervised worker with broad production credentials is a new incident waiting to happen.

4. Security teams assembling audit evidence

A compliance lead preparing an access review could restrict the sandbox to approved domains, inject read-only credentials through Google's egress proxy, and let an agent collect policy records, repository settings, and change histories. Because credentials are added at the network boundary, they are not placed in sandbox files or environment variables.

The payoff is a repeatable evidence package rather than a week of screenshots and copy-paste. The application still needs its own audit trail and sign-off process because Managed Agents do not provide a finished compliance product.

5. Investors and procurement teams running diligence

A small investment team could assign a background worker a bounded research brief: map a market, compare vendor claims, inspect a repository, run calculations, and assemble a source-linked memo. Files and scripts remain available for follow-up questions, so the second pass can challenge assumptions rather than rebuild the research setup.

The payoff is depth without blocking an analyst's browser session. The limitation matters too: Antigravity currently accepts text and image inputs, not audio, video, or document inputs, so document-heavy workflows need an external extraction step.

6. Agencies running repeatable client audits

An analytics or development agency could create a separate environment for each client audit, connect only that client's approved systems, and queue lengthy checks independently. One workspace might hold a cloned site and performance scripts. Another might hold a campaign export and reporting code.

The payoff is isolation and repeatability. Teams can preserve the exact working state for a follow-up during the seven-day window without mixing one client's files or credentials with another's.

7. Back-office teams resolving complex cases

An insurance, logistics, or support operation could use a managed worker to gather the history of a case from several systems, check policy rules, calculate options, and prepare the next action. Remote MCP tools provide read access, while custom functions reserve refunds, account changes, or claim decisions for validated application logic and human approval.

The payoff is one continuous case workspace across many systems. This is especially useful when a case takes minutes to research and cannot be reduced to a simple trigger-and-action automation.

Three products worth building

The raw capability is broad. The sellable products are narrow, measurable, and wrapped in trust controls.

1. The strongest bet: a repository caretaker that proves every finding

Build a GitHub or GitLab app for teams that need more than diff commentary. For each pull request, it runs the project in an isolated workspace, reproduces suspected issues, attaches logs, drafts a fix, and waits for a human before changing code.

The demand is concrete. DataForSEO estimates about 1,300 US searches a month for “AI code review”, with a $46.65 CPC. “AI code review tools” adds about 590 monthly searches and shows an 85% yearly rise in the current keyword dataset. Buyers already pay: CodeRabbit lists plans from $24 to $48 per user per month when billed annually, while Greptile lists $30 per seat per month.

The smallest sellable version needs one source-control integration, one repository instruction file, a background test runner, a result page with raw evidence, and one approval action for posting a review or opening a patch. Do not start by supporting every language. Pick one ecosystem where tests are common and runtime setup is predictable.

The catch is a crowded market and a trust problem. The live search questions include “How does AI code review work?” and “Is the AI code safe?” Your defensibility will not be access to Gemini. It will be a growing evaluation set, repository-specific rules, low false-positive rates, and evidence that makes every finding inspectable.

2. A recurring data-close agent for one operating team

Build a worker that turns one company's weekly or monthly source data into a reconciled report, with the analysis code and intermediate files kept beside the output. Operations, revenue, and finance teams pay because the job repeats and errors are visible.

DataForSEO estimates 3,600 US searches a month for “AI for data analysis”, a commercial query with a $41.92 CPC. The narrower “AI agent for data analysis” gets about 320 monthly searches and has keyword difficulty 2 in the current dataset, which suggests an open acquisition wedge even though the broader market is competitive.

The MVP is an external scheduler or file-arrival trigger, one warehouse connector, one spreadsheet destination, a fixed report template, a run ledger, and a reconciliation screen. The honest catch is output reliability. Antigravity does not support structured outputs, so important tables and totals need deterministic validation before delivery.

3. A vertical workflow runner with real approval gates

Build for one case type, such as vendor onboarding, claims triage, or security evidence collection. The product pulls context through two or three MCP connections, does the long analysis in the background, and uses custom functions for the few actions that must be validated or approved.

DataForSEO estimates 1,000 US searches a month for “AI workflow automation”, with commercial intent and a $49.51 CPC. “AI workflow automation platform” adds about 260 monthly searches and shows a 320% yearly rise in the current keyword set. People are explicitly asking, “How can I automate my workflows using AI?”

The MVP is one queue, one tightly defined workflow, two integrations, an approval inbox, and a complete run record. The catch is the horizontal-platform trap. If the first version promises to automate any workflow, connector work and edge cases will swallow the product. Win one expensive process first.

What this does not solve

Managed execution removes infrastructure work, but it does not remove product or operational risk.

LimitWhat it means in practice
Public previewAgent behavior and schemas can change. Keep the integration replaceable and pin the preview agent version.
Seven-day workspace lifeThis is a resumable job environment, not permanent storage. Export outputs and durable records elsewhere.
Variable agent loopsOne interaction typically consumes 100,000 to 3 million tokens. Google estimates common tasks at roughly $0.25 to $3.25, while complex runs can reach about $5. Set termination rules and cost caps in your product.
No structured outputUse validators for fields, totals, and state transitions. Do not treat prose as an API contract.
Tool and input gapsFile Search, computer use, Google Maps, audio, video, and document inputs are not supported by Antigravity today.
Open networking by defaultAdd an allowlist. If allowed_tools is omitted from an MCP connection, every tool exposed by that server is available to the agent.
Stored background jobsBackground mode requires stored interactions. Teams with strict data policies need to review that requirement before adoption.

Credential refresh also needs a precise reading. Google preserves the environment when your application supplies new network rules and a fresh token. The agent does not mint or rotate that token for you.

My take: use this for bounded jobs with clear completion criteria, inspectable artifacts, narrow permissions, and approval gates. Do not use a preview agent as an open-ended production administrator. Google's own guidance is to review generated code, data transformations, configuration changes, and external actions before relying on them.

What is AI powered workflow automation?

It is a workflow in which a model interprets context and decides among tools instead of following only a fixed sequence of triggers. Gemini Managed Agents add a hosted workspace and background runtime, but your application still defines permissions, triggers, validation, and approvals.

How can I automate my workflows using AI?

Start with one bounded job that has a clear input, a verifiable output, and no more than a few tool connections. Run the analysis in the background, keep read access narrow, and place every irreversible action behind a custom function or human approval.

What is an example of an AI automation workflow?

A pull-request caretaker is a strong example: receive a new pull request, open the repository in a sandbox, install dependencies, run tests, inspect failures, draft a review, then wait for approval before posting or changing code.

How does AI code review work?

The reviewer reads a code change with repository context, looks for defects or policy violations, and proposes findings. A managed agent can go further by running the project and attaching logs or test results, but a human should still judge whether the finding fits the product's real intent.

Is the AI code safe?

Not by default. A sandbox limits where code runs, but safety also depends on the code, tool permissions, network rules, credentials, tests, and human review. Treat agent output as an untrusted contribution until your normal checks pass.

If you want one of these workers designed around your systems, permissions, and approval rules, see AI agent development.

Last Updated

Jul 10, 2026

CategoryAI
Newsletter

One letter, every Sunday. Working systems, not hot takes.

Build logs, working systems, and field notes from running a portfolio of AI ventures.

Weekly. No spam. Unsubscribe anytime.