
Everyone is navigating AI security in real time — even Google

I recently had the chance to sit backstage with Francis de Souza, COO of Google Cloud, at an event in Los Angeles. Amid the noise around us, De Souza, who speaks in the calm, measured manner of a college professor, offered helpful advice to companies navigating the AI security moment we’re all living through, noting that “there will be a transition period, and then I think we’ll end up in this better place.”

He wasn’t talking about Google at the time, but it’s clear that even Google is still figuring things out.

De Souza’s core message was one that security professionals have been trying to internalize for years, and which has now been made urgent by AI: security should not be an afterthought. “As companies embark on this AI journey, they must take a platform approach,” he said. “Security is not something you can put in place later, and it is not something you can leave to your employees.” He specifically warned about “shadow AI” – employees reaching for consumer tools without organizational oversight – and argued that companies must demand security, governance and auditability of their platforms from the start. “There is no such thing as an AI strategy without a data strategy and a security strategy. They have to go hand in hand.”

Worth noting: he wasn’t pitching Google Cloud alone. When I remarked that his advice sounded like a Google ad, he pushed back. Google, he said, is committed to a multi-cloud approach, and he argued that companies that think they’re operating on a single cloud almost certainly aren’t. “Even if they choose a single cloud, they rely on SaaS applications. There are business partners who may use different clouds,” he said. “It’s important that companies have a security posture that is consistent across all clouds and across all models.”


He also stated that the threat landscape has changed so fundamentally that old defensive models are too slow. He noted that the average time between an initial breach and the handoff to the next phase of an attack has dropped from eight hours to 22 seconds, and the attack surface has expanded far beyond the traditional network perimeter. “In addition to your usual assets, you now have models. You have data pipelines that are used to train the models. You have agents, you have leads. All of this needs to be protected.”

One threat De Souza identified isn’t getting enough attention: agents moving through a company’s internal systems can unearth forgotten data repositories that no one has thought of in years. “Many organizations have old SharePoint servers [and access controls] that haven’t really been updated, but that didn’t matter because no one really knew where they were. But agents wandering through your enterprise will find those data assets and expose the data on them.”

The answer, he believes, is meeting machine speed with machine speed. “We are now seeing the emergence of an AI-native, fully agentic defense where organizations can control agents that drive their defenses,” he said. “Instead of a human-led defense or even a human in the loop, you can now have people overseeing a fully agentic defense.” He added that this has become a leadership issue, not just a technology issue. “This is a board-level issue and a management team issue. It’s not just a security team issue.”

But even as AI takes on a larger share of the defensive workload, there is a shortage of people qualified to oversee it – and the vulnerabilities that AI itself introduces are multiplying faster than security teams can address them. “We need people to tackle the bugpocalypse,” Lea Kissner, LinkedIn’s Chief Information Security Officer, told the New York Times this week, adding that she doesn’t expect the industry to understand AI security in a sustainable way for years to come.


That brings us back to the platform providers themselves. The Register has published a series of reports in recent weeks documenting a wave of Google Cloud developers hit with five-figure bills after unauthorized API calls to Gemini models – services many of them had never used or deliberately enabled. The cases followed a familiar pattern: API keys originally deployed for Google Maps and posted publicly according to Google’s own instructions had quietly become able to access Gemini after Google expanded their scope without clearly disclosing the change.

Rod Danan, CEO of interview preparation platform Prentus, said his bill hit $10,138 in about 30 minutes after attackers exploited his compromised API key. Isuru Fonseka, a Sydney-based developer whose account was similarly compromised, woke up to charges of around AUD$17,000, despite believing he had set a spending limit of $250. What neither knew was that Google’s automated systems had upgraded their billing tiers based on account history, raising their effective caps to as much as $100,000 without explicit permission.

Google refunded both after The Register published its initial report. Still, Google told The Register that it has no plans to change its automatic tier upgrade policy, saying it prioritizes preventing service outages over enforcing users’ stated budget preferences.

In the meantime, there’s the separate question of what happens when a developer tries to shut things down. The Register reported this week that research from security firm Aikido shows that even developers who catch a compromised key and immediately delete it may not be safe. According to Aikido’s findings, attackers can apparently continue using that key for up to 23 minutes as Google’s revocation gradually spreads through the infrastructure. Aikido researcher Joseph Leon told The Register that during that period, success rates are unpredictable — within minutes, more than 90% of requests are still verified — and attackers can use the time to exfiltrate files and cached call data from Gemini.
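The practical lesson of the propagation delay Leon describes is that "I deleted the key" is not the same as "the key no longer works", and an incident should not be marked contained on the strength of one rejected request. The following Python is an added example, not code from the article, Aikido or Google: it builds a constructed model of a backend that learns about a deletion replica by replica (an assumption for illustration, not a description of Google's infrastructure, with the 23-minute figure from the report used only as a parameter), and beside it a containment check that requires an unbroken run of rejections long enough to cover the whole window before declaring the key dead.

```python
import random


class EventuallyConsistentRevocation:
    """Constructed model of a backend where a deleted key stops being honoured
    replica by replica. This is an assumption for illustration only, not a
    description of how Google propagates API key revocations."""

    def __init__(self, propagation_seconds: float, replicas: int = 50, seed: int = 7):
        self.propagation_seconds = propagation_seconds
        rng = random.Random(seed)
        # Each replica learns of the deletion at its own moment inside the window.
        self.revoked_at = [rng.uniform(0.0, propagation_seconds) for _ in range(replicas)]
        self._router = random.Random(seed + 1)

    def accepts(self, elapsed: float) -> bool:
        """Simulate one request made with the deleted key `elapsed` seconds
        after deletion; the request lands on a random replica."""
        replica = self._router.randrange(len(self.revoked_at))
        return elapsed < self.revoked_at[replica]

    def fraction_still_accepting(self, elapsed: float) -> float:
        """Share of replicas that would still honour the key at `elapsed`."""
        return sum(1 for t in self.revoked_at if elapsed < t) / len(self.revoked_at)


def confirm_revoked(probe, poll_interval: float, required_consecutive: int,
                    max_wait: float):
    """Poll `probe(elapsed)` (True means the key was still accepted) and return
    the elapsed time at which `required_consecutive` rejections in a row were
    seen, or None if that never happened within `max_wait` seconds.

    A single rejection only proves that one replica has caught up; a streak
    of rejections spanning the propagation window is a far stronger signal.
    """
    elapsed = 0.0
    streak = 0
    while elapsed <= max_wait:
        if probe(elapsed):
            streak = 0  # any acceptance resets the evidence gathered so far
        else:
            streak += 1
            if streak >= required_consecutive:
                return elapsed
        elapsed += poll_interval
    return None


def containment_report(propagation_seconds: float = 23 * 60) -> dict:
    """Compare a naive 'first rejection means revoked' check with a strict
    one that demands rejections covering the whole propagation window."""
    poll = 10.0
    naive_backend = EventuallyConsistentRevocation(propagation_seconds)
    naive = confirm_revoked(naive_backend.accepts, poll_interval=poll,
                            required_consecutive=1,
                            max_wait=2 * propagation_seconds)
    # Fresh backend with identical seed so both checks see the same responses.
    strict_backend = EventuallyConsistentRevocation(propagation_seconds)
    strict = confirm_revoked(strict_backend.accepts, poll_interval=poll,
                             required_consecutive=int(propagation_seconds / poll),
                             max_wait=3 * propagation_seconds)
    return {
        "naive_confirmed_after_s": naive,
        "strict_confirmed_after_s": strict,
        "fraction_accepting_at_60s": strict_backend.fraction_still_accepting(60.0),
    }


if __name__ == "__main__":
    print(containment_report())
```

In a real response the probe would be a harmless request made with the old credential against the real endpoint, the poll interval and required streak would be set from the provider's documented propagation time plus a margin, and the elapsed time returned by the strict check is what goes into the incident timeline as the moment the credential was actually unusable.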


Leon also noted that Google’s newer credentials don’t seem to have the same problem: API credentials for service accounts are revoked in about five seconds, and Gemini’s newer AQ prefix key format takes about a minute. “Both run at Google scale,” he wrote in Aikido’s related article. “Both suggest this is technically solvable for Google API keys as well.” In short, according to Leon, the 23-minute period is not a technical limitation, but a matter of priorities for the company.

That’s worth considering when reading De Souza’s advice, which is sound and should be taken seriously. He’s not wrong, but there is currently a gap between what the platform providers prescribe and the speed at which they themselves adapt. That gap is worth being aware of, too.
