Google’s Gemini Spark is moving from chat into the systems where work gets done: files, apps, and connected services.
The June 30 update adds third-party integrations, Model Context Protocol support, macOS automation, and real-time topic tracking. The concern for IT teams is whether a personal AI agent that can connect to external apps, local files, and custom MCP servers can be governed with the visibility, access controls, and audit trails companies expect.
Spark moves into apps, files, and MCP servers
In its June 30 update, Google said Spark now works with Google Keep and Google Tasks, along with Canva, Dropbox, Instacart, OpenTable, and Zillow Rentals. Those integrations can turn Keep notes into tasks, create flyers, share files, reserve tables, order groceries, and reserve apartment tours.
The connected apps are rolling out on Spark for web and mobile, with macOS support expected in the coming weeks. Spark for macOS is available in beta to Google AI Ultra subscribers age 18 and older, starting in the U.S.
The macOS beta brings Spark closer to endpoint-level automation. Google says Spark can sort PDFs into folders, build a budget from local invoices, and connect desktop files with Google Workspace.
Remote Mac task execution is still pending. Google says the feature is “coming soon” and will let users assign a multi-step task from a phone and have Spark run it on a Mac while they are away. Spark can also track blogs, news, social media, finance, shopping, weather, sports, and email.
Enterprise controls lag behind the integrations
Custom MCP support is the main IT risk. Google’s help documentation says users can connect a custom app by entering its MCP server URL in Gemini’s Connected Apps settings, allowing Spark to work with apps beyond Google’s named partners.
That makes MCP configuration part of the AI agent security review, especially as researchers and vendors flag MCP tool descriptions as a hidden attack path. Custom Connected Apps require a personal Google Account, are not available for work or school accounts, require Keep Activity to be on, and are limited to English in Spark on web and mobile.
Google’s documentation warns that the company does not control, monitor, or secure third-party MCP servers. It also says custom apps may request more data than needed and Gemini may share information from chats and other available sources, including Connected Apps, Personal Intelligence, skills, tasks, and logged-in websites.
Custom MCP connections fit into a broader enterprise security gap around AI agent permissions, especially when agents act across tools built for human users. If employees use personal Gemini accounts on work devices or company files, admins may have limited visibility into which servers are connected, what data is shared, or whether those connections follow internal rules.
A June 1 hands-on review from The Verge illustrates the permissions concern. The reviewer declined a contacts-access request, but Spark still found family members’ email addresses from other available context and placed them in a draft email. Google has described Spark as operating under user direction and designed to ask before high-stakes actions such as sending emails or spending money.
For now, Spark’s custom app support is consumer-facing, not a managed enterprise feature. It adds another access-control question as AI-driven identity risks grow across business systems. Until Google publishes enterprise admin controls, logs, and data-access limits, custom MCP connections and local file access belong on the watch list, not the rollout plan.
Read more about how agentic browsing can create new credential risks when AI browsers leak sensitive data.