I recently had the opportunity to sit down with Francis de Souza, COO of Google Cloud, backstage at a event in Los Angeles. Amid the noise around us, de Souza, who speaks with the calm and restraint of a university professor, offered helpful advice for companies navigating the AI security moment we’re all experiencing, noting that “there will be a transition period, and then I think we’ll get to this place better.”
I wasn’t talking about Google at the time, but it’s clear that even Google is still figuring things out.
De Souza’s central message was one that security professionals have been trying to get executives to internalize for years, and that now AI has become urgent: security cannot be an afterthought. “As companies embark on this journey towards AI, they must take a platform approach,” he said. “Security is not something you can implement later, and it is not something you can leave employees to do on their own.” He specifically warned about “shadow AI” (employees seeking consumer tools without organizational oversight) and argued that companies should require security, governance and auditability of their platforms from the beginning. “There is no AI strategy without a data strategy and a security strategy. They must go hand in hand.”
It’s worth noting: I wasn’t launching Google Cloud alone. When I noted that his advice sounded like a Google ad, he backed off. Google, he said, is committed to a multi-cloud approach, and argued that companies that think they are operating on a single cloud almost certainly are not. “Even if they choose a single cloud and rely on SaaS applications, there are business partners who may be using different clouds,” he said. “It is important for enterprises to have a security posture that is consistent across all clouds and across all models.”
He also argued that the threat landscape has changed so fundamentally that old defensive models are too slow. He noted that the average time between an initial breach and moving on to the next stage of an attack has been reduced from eight hours to 22 seconds, and that the attack surface has expanded far beyond the traditional network perimeter. “In addition to your usual assets, you now have models. You have data pipelines that are used to train the models. You have agents, you have prompts. All of this needs to be protected.”
One threat de Souza pointed out that doesn’t get enough attention: Agents moving through a company’s internal systems can uncover forgotten data repositories that no one has thought about in years. “Many organizations have old SharePoint servers (and access controls) that they haven’t really updated, but it didn’t matter because no one really knew where they were. But agents wandering around your company will find those data assets and expose them.”
The answer, in his opinion, is to match the speed of the machine with the speed of the machine. “We are now seeing the emergence of a fully agentic, AI-native defense, where organizations can run agents that drive their defense,” he said. “Instead of having a human-led defense or even a human in the know, you can now have humans overseeing a fully agentic defense.” He added that this has become a leadership issue, not just a technological one. “This is a board and executive team issue. It’s not just a security team issue.”
But even as AI takes on a greater defensive workload, people qualified to oversee it are scarce, and the vulnerabilities that AI itself is introducing are multiplying faster than security teams can address them. “We’re going to need people to deal with the bug apocalypse,” said Lea Kissner, LinkedIn’s chief information security officer. told the New York Times this week, adding that he doesn’t expect the industry to understand AI safety in a long-term, sustainable way for at least several years.
Which brings us back to the platform providers themselves. The Register has published a series of reports over the past few weeks documenting a wave of Google Cloud developers hit with five-figure bills following unauthorized API calls to Gemini models, services many of them had never used or intentionally enabled. The cases followed a familiar pattern: API keys originally implemented for Google Maps, placed publicly under Google’s own instructions, quietly became capable of accessing Gemini after Google expanded its reach without clearly disclosing the change.
Rod Danan, CEO of interview preparation platform Prentus, said his bill came $10,138 in approximately 30 minutes after attackers exploited its compromised API key. Isuru Fonseka, a Sydney-based developer whose account was similarly compromised, found himself facing charges of approximately A$17,000 despite believing he had a spending limit of $250. What neither of them knew was that Google’s automated systems had increased their billing levels based on account history, raising their effective limits up to $100,000 without explicit consent.
Google refunded both after The Register published its initial report. Still, Google told The Register that it has no plans to change its automatic tier upgrade policy, saying it prioritizes preventing service disruptions over enforcing users’ stated budget preferences.
Meanwhile, there’s the separate question of what happens when a developer tries to shut things down. The Registry reported this week According to research by security firm Aikido, it was found that even developers who detect a compromised key and delete it immediately may not be safe. According to Aikido’s findings, attackers can apparently continue using that key for up to 23 minutes because Google’s revocation gradually spreads through its infrastructure. Aikido researcher Joseph Leon told The Register that during that window, success rates are unpredictable (in some minutes, more than 90% of requests are still authenticated) and attackers can take advantage of that time to extract cached files and conversation data from Gemini.
Leon also noted that Google’s newer credential formats don’t seem to have the same problem: Service account API credentials are revoked in about five seconds, and Gemini’s new AQ prefix key format takes about a minute. “Both work at Google scale,” he wrote in an Aikido-related article. “Both suggest that this can also be technically solved for Google API keys.” In summary, according to León, the 23-minute window is not an engineering limitation but a matter of priorities for the company.
It is worth considering when reading De Souza’s advice, which is sensible and should be taken very seriously. You’re not wrong, but there is currently a gap between the platforms they prescribe and how quickly they adapt, and it’s good to be aware of this too.
When you purchase through links in our articles, we may earn a small commission. This does not affect our editorial independence.
