GEMINI ENTERPRISE AGENT PLATFORM // TRACK 1 / 3
Admin & Governance for Gemini Enterprise
COMING SOON
The operations track. Provision tenants, configure connectors for Microsoft 365 + ServiceNow + Google data, wire up Workforce Identity Federation, harden the security posture, and stand up adoption analytics: the playbook for 85% activation in 90 days.
One Cohort. Ten Modules. A Production-Ready Admin Playbook.
Grounded in Google Cloud's first-party documentation (configure-identity-provider, connectors/*, security-overview), Google Skills #1191, and Skills #1674 (AI Boost Bootcamp) for the Day 0 Foundation Sprint. Built for the IT and platform team that has to roll out the Gemini Enterprise Agent Platform across an enterprise and stand up the operational scaffolding for the long term. Closes with a group-project capstone: design a governance policy and rollout plan for your own org.
What You'll Configure
- 🚀 Day 0 Foundation Sprint: GE vs Workspace vs GEAP, terminology, security primer.
- 🏢 Tenant Provisioning & Licensing: Stand up a Gemini Enterprise tenant and assign licences at scale.
- 🔑 Workforce Identity Federation: Configure Entra ID, Okta, AD FS via OIDC and SAML.
- 🔗 Data Connectors: SharePoint, OneDrive, Outlook, ServiceNow, and Google data.
- 🔐 Fine-Grained Access Control: Group ACLs, document-level permissions, role isolation.
- 🧰 Curated Agent Gallery: Enable pre-built Google agents for your workforce.
- 🔒 Network Security Hardening: VPC-SC, Private Service Connect, Model Armor, CMEK.
- 📈 Adoption Analytics: Licence activation, agent count, token usage, budget alerts.
- 🎧 Helpdesk Runbooks: Common tickets, escalation paths, day-2 operations.
- 🥇 Capstone Project: Design a governance policy and 90-day rollout plan for your org.
THE CURRICULUM
What You Will Configure
Day 0 Foundation Sprint + 4 days of hands-on labs tied to Google Cloud's first-party admin docs, capped by a governance-policy capstone.
DAY 0: FOUNDATION SPRINT (PRE-WORK, SELF-PACED)
2 to 3 HRS · SELF-PACED · Mandatory primer bundled with every track. Sourced from Google Skills #1674 (AI Boost Bootcamp) + #1401. Covers what Gemini Enterprise is (vs Gemini for Workspace vs the Gemini Enterprise Agent Platform, the platform formerly known as Vertex AI); GCP basics for non-technical tracks; the agentic lifecycle (Build → Scale → Govern → Optimize); and terminology alignment (agents, RAG, grounding, ADK, GEAR). Completion check before Day 1.
TENANT PROVISIONING & LICENSING
45 MIN · Google Cloud project setup; enabling Discovery Engine, Gemini Enterprise Agent Platform, Cloud Storage, and IAM APIs. License assignment via Workforce Identity (lowercase email mapping). Group-based rollout: pilot → expand → GA. Single-email identifier requirement; alias handling. Quotas: 3,000 readers per document.
IDENTITY: WORKFORCE IDENTITY FEDERATION
60 MIN · Identity provider choice: Google Identity vs 3rd-party (Entra ID, Okta, AD FS) via OIDC / SAML 2.0. Workforce Pool creation. Attribute mapping (google.subject = assertion.email.lowerAscii()). License assignment via google.subject. IAM roles. Caveats: one IdP per location; provider type changes require data-store recreation.
DATA SOURCE CONNECTORS
75 MIN · Hands-on configuration for SharePoint, OneDrive, Outlook, ServiceNow (and 14 more: Jira Cloud, Confluence Cloud, Dropbox, Drive, Calendar, GCS, BigQuery, Looker, GitHub, Salesforce, HubSpot, SAP, Adobe AEM, EntraID). Indexed vs federated sync. Gemini Enterprise Assist for guided setup. Structured vs unstructured data, one type per source.
AGENT GALLERY & STANDARD AGENT CONFIGURATION
45 MIN · Agent Gallery vs Agent Garden vs Agent Finder. Enable pre-built Google agents (Deep Research, Idea Generation, NotebookLM Enterprise, Data Insights). Agent Garden templates (code modernisation, financial analysis, invoice processing). Org-default agents. Discovering 3rd-party partner agents.
FINE-GRAINED USER ACCESS CONTROLS
60 MIN · Group-based ACLs and document-level permissions preserved from source systems (SharePoint, OneDrive, Drive). Per-data-store visibility scoping. Role isolation patterns for multi-faculty / multi-department tenants. Service-account vs human-identity separation. Per-app data-store membership. Quota math for the 3,000-readers-per-document limit. Audit the access surface before go-live.
NETWORK SECURITY & COMPLIANCE HARDENING
60 MIN · VPC Service Controls perimeters. Private Service Connect for hybrid / on-prem. Firewall egress controls. Model Armor for prompt + response screening. CMEK in Cloud KMS. Compliance posture (HIPAA, FedRAMP High, SOC 2). Agent Anomaly + Threat Detection (Security Command Center). Audit logging strategy.
ADOPTION ANALYTICS & OPERATIONAL OWNERSHIP
45 MIN · License activation tracking: target 85% within 3 months. Agent creation analytics. Token / API usage tracking (millions to billions scale). Per-team cost attribution + budget allocation. Alert thresholds (80% / 100%). Real-time dashboards. Discovery Workshops as an adoption driver (4 to 10 sessions per persona).
HELPDESK & SUPPORT OPERATIONS
30 MIN · Common admin ticket patterns and runbooks. The IT Resolution Hub example uses ServiceNow + Jira + technical docs as 3 data stores in one App. User permission troubleshooting (esp. for Microsoft data via Entra ID groups). Data-store sync failure diagnosis. Decommissioning behaviour.
GEMINI ENTERPRISE FOR CUSTOMER EXPERIENCE (ELECTIVE)
180 MIN · ELECTIVE · Optional Day 4 module for CX-facing orgs. Conversational Agents + Agent Assist + CX Agent Studio + CX Insights + Search for CX, all configured under the same Gemini Enterprise Agent Platform admin plane. Virtual-agent workflows, real-time knowledge surfacing for human agents, post-call analytics. Skip if your org has no customer-contact-centre footprint.
CAPSTONE: GOVERNANCE POLICY & ROLLOUT PLAN
240 MIN · GROUP PROJECT · Synthesis. Working in small groups, produce two deliverables for your own org: (1) a Gemini Enterprise governance policy covering identity, ACLs, network controls, model-armor rules, audit logging, and decommissioning; and (2) a 90-day rollout plan with discovery workshops, champion programme, activation targets, and budget guardrails. Peer review + instructor critique. Take it back to your CISO and CIO the same week.
OPS TOOLKIT: ENTERPRISE ARCHITECTURE & ROLLOUT BLUEPRINT
60 MIN · Reference architecture for rolling out Gemini Enterprise across the org: tenant topology, connector mesh (M365 + ServiceNow + Google data), Workforce Identity Federation, agent runtime surfaces, and consumption endpoints. Phased rollout patterns (pilot → department → enterprise), environment promotion (dev → stage → prod), DR + multi-region posture, and the decision tree for landing-zone choices. Walk away with an architecture diagram you can hand to a CIO.
OPS TOOLKIT: LOGGING
45 MIN · Cloud Logging for the Gemini Enterprise stack. Admin Activity logs, Data Access logs, System Event logs, and Policy Denied logs: what each captures, retention defaults, and how to enable the noisy ones safely. Log sinks to BigQuery + GCS for long-term audit. Log-based metrics for alerting on access anomalies. PII-aware log scrubbing. The exact log queries SREs and security reviewers will ask you for.
OPS TOOLKIT: DEBUGGING & TRACING
60 MIN · Cloud Trace + OpenTelemetry for end-to-end request tracing across connectors, identity, retrieval, and agent calls. Reproducing a failed user query from trace ID to root cause. Common failure modes: ACL propagation delay, connector throttling, identity assertion mismatch, grounding miss. Live debugging walkthrough using real (sanitised) production traces. When to escalate to Google support and what to attach.
OPS TOOLKIT: COST OPTIMIZATION
60 MIN · FinOps for Gemini Enterprise. Pricing model breakdown (per-seat + per-call + storage + connector sync). Cost-attribution patterns by department / project / use case using labels and folders. Budget alerts and auto-actions. Quota strategy: protective quotas vs growth quotas. Caching, model routing, and prompt-size discipline as the three biggest cost levers. The 5 reports every FinOps lead wants monthly.
OPS TOOLKIT: LLM OPS USING GEMINI ENTERPRISE
75 MIN · End-to-end LLM Ops lifecycle on the platform you administer. Prompt versioning and A/B rollout via Prompt Management. Eval pipelines with Agent Evaluation (autoraters, golden datasets, regression gates). Shadow traffic + canary releases for new model versions or system-prompt changes. Drift detection on inputs, outputs, and tool-call patterns. Governance hooks: who can promote a prompt to prod, audit trail of model-version changes, rollback path. The platform-side controls that make agent CI/CD safe.
OPS TOOLKIT: COMMON ISSUES & FIXES
60 MIN · The Day-2 playbook. Top 20 production failures we see across engagements, each with symptom, root cause, and the exact fix: connector sync stuck, ACL drift, identity federation 401s, data-store recreation traps, model-armor false positives, quota exhaustion under bursty load, audit-log gaps, decommissioning leftovers. Reference card you'll keep open during the first 90 days of rollout.
Your Instructors
Prem Kumar
AI Architecture Expert
"Anyone can build an AI demo. I teach you how to build the architecture behind systems that scale, because the gap between prototype and production is where most teams get stuck."
What You Need Before Day 1
Required
- Laptop with internet access (macOS, Windows, or Linux)
- Day 0 Foundation Sprint (bundled, 2 to 3 hours self-paced before Day 1)
- Working admin experience with a SaaS or Cloud platform
Not Required
- Prior Google Cloud admin experience
- Programming experience
If you already administer a Microsoft 365 or Google Workspace tenant, you have the right baseline. The Day 0 sprint closes any remaining gap on Gemini Enterprise Agent Platform terminology.