During a recent event in Los Angeles, I had the opportunity to speak with Francis de Souza, COO of Google Cloud. With the calm and measured demeanor of a university professor, de Souza offered valuable insights for companies navigating the current landscape of AI security. He remarked, “there’ll be a transition period, and then I think we get to this better place.”
While his comments were not specifically about Google at that moment, it is evident that even major players like Google are actively working through these evolving challenges.
De Souza's central message, now amplified by the urgency of AI, echoed a long-standing plea from security professionals: security cannot be an afterthought. He emphasized, “As companies embark on this AI journey, they need to take a platform approach.” He clarified that “Security is not something you can bolt on later, and it’s not something you can leave up to employees to do on their own.” He specifically cautioned against “shadow AI,” where employees use consumer tools without organizational oversight, advocating that companies must demand security, governance, and auditability from their platforms from the outset. De Souza firmly stated, “There’s no such thing as an AI strategy without a data strategy and a security strategy. They need to go hand in hand.”
Notably, de Souza was not exclusively promoting Google Cloud. When I suggested his advice sounded like a Google advertisement, he quickly countered, asserting Google's commitment to a multicloud approach. He argued that companies believing they operate on a single cloud are almost certainly mistaken. He explained, “Even if they pick a single cloud, they’re relying on SaaS applications, there are business partners that may be using different clouds.” Therefore, he concluded, “It’s important for companies to have a security posture that is consistent across clouds, across models.”
He further elaborated that the threat landscape has undergone such fundamental shifts that traditional defensive strategies are now too slow. De Souza highlighted that the average time between an initial breach and the subsequent stage of an attack has dramatically shrunk from eight hours to a mere 22 seconds. Moreover, the attack surface has expanded significantly beyond the conventional network perimeter. He warned, “In addition to your usual estate, you have models now. You have data pipelines used to train the models. You have agents, you have prompts. All of this needs to be protected.”
One particular threat de Souza identified as receiving insufficient attention involves autonomous agents navigating a company's internal systems. These agents can unearth forgotten data repositories that have been overlooked for years. He explained, “A lot of organizations have old SharePoint servers [and access controls] they haven’t really updated, but it didn’t matter because nobody really knew where they were. But agents roaming your enterprise will find those data assets and will expose the data on them.”
In his view, the appropriate response is to counter machine speed with machine speed. “We’re now seeing the emergence of an AI-native, fully agentic defense where organizations can run agents driving their defense,” he stated. This paradigm shift means that “Instead of having a human-led defense or even a human in the loop, you can now have humans overseeing a fully agentic defense.” He stressed that this is no longer solely a technological concern but a leadership imperative, emphasizing, “This is a board-level issue and an executive team issue. It’s not just a security team’s issue.”
However, even as AI increasingly handles defensive workloads, the availability of qualified personnel to oversee it remains scarce. Concurrently, the vulnerabilities introduced by AI itself are multiplying faster than security teams can manage. Lea Kissner, LinkedIn’s chief information security officer, recently told The New York Times, “We’re going to need people to deal with the bug-pocalypse,” expressing her expectation that the industry will not achieve a sustainable, long-term understanding of AI security for several more years.
This brings the focus back to the platform providers themselves. The Register has recently published a series of reports detailing instances where Google Cloud developers faced five-figure bills due to unauthorized API calls to Gemini models—services many had never used or intentionally enabled. These cases frequently followed a pattern: API keys originally deployed for Google Maps, publicly placed according to Google's own guidelines, silently gained access capabilities to Gemini after Google expanded their scope without clear disclosure.
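The pattern described above, a key provisioned for one service that later becomes usable for another, is easiest to catch by treating API-key restrictions as configuration to be audited and diffed. The following Python is an added example written for this article, not Google tooling; the record layout (`key_id`, `intended_services`, `api_restrictions`, `exposure`), the service labels (`maps`, `llm-api`) and both snapshots are constructed for illustration. It flags keys with no API restriction or with restrictions wider than their intended use, and reports scope that appears between two snapshots.

```python
"""Audit API-key restrictions for over-broad scope and silent drift.

Added example, not the article's or Google's code. Field names and the
sample records are constructed. An empty api_restrictions set models
"no API restriction": the key may call any service enabled on the project.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiKeyRecord:
    key_id: str
    intended_services: frozenset   # what the key was provisioned for
    api_restrictions: frozenset    # services the key may actually call; empty = unrestricted
    exposure: str                  # "public" (shipped in client-side code) or "server"


def audit_key(rec: ApiKeyRecord) -> list[tuple[str, str]]:
    """Return (severity, message) findings for one key."""
    severity = "high" if rec.exposure == "public" else "medium"
    findings = []
    if not rec.api_restrictions:
        findings.append((severity, "no API restriction: key can call any service enabled on the project"))
    else:
        extra = rec.api_restrictions - rec.intended_services
        if extra:
            findings.append((severity, "allowed beyond intended use: " + ", ".join(sorted(extra))))
    return findings


def audit_keys(records: list[ApiKeyRecord]) -> dict[str, list[tuple[str, str]]]:
    """Audit every record; only keys with findings appear in the result."""
    result = {}
    for rec in records:
        findings = audit_key(rec)
        if findings:
            result[rec.key_id] = findings
    return result


def detect_scope_drift(previous: dict[str, ApiKeyRecord],
                       current: dict[str, ApiKeyRecord]) -> dict[str, list[str]]:
    """Services a key can newly call compared with an earlier snapshot.

    A key that was already unrestricted cannot gain scope, so only
    narrowing is possible for it and nothing is reported.
    """
    drift = {}
    for key_id, cur in current.items():
        prev = previous.get(key_id)
        if prev is None or not prev.api_restrictions:
            continue
        if not cur.api_restrictions:
            drift[key_id] = ["<any service>"]
        else:
            gained = cur.api_restrictions - prev.api_restrictions
            if gained:
                drift[key_id] = sorted(gained)
    return drift


# Constructed snapshots: a public web key that was restricted to the maps
# service last month and is now also allowed to call an LLM API.
PREVIOUS = {
    "maps-web-key": ApiKeyRecord("maps-web-key", frozenset({"maps"}), frozenset({"maps"}), "public"),
    "batch-key": ApiKeyRecord("batch-key", frozenset({"storage"}), frozenset({"storage"}), "server"),
}
CURRENT = {
    "maps-web-key": ApiKeyRecord("maps-web-key", frozenset({"maps"}), frozenset({"maps", "llm-api"}), "public"),
    "batch-key": ApiKeyRecord("batch-key", frozenset({"storage"}), frozenset(), "server"),
}


def run_sample() -> tuple[dict, dict]:
    return audit_keys(list(CURRENT.values())), detect_scope_drift(PREVIOUS, CURRENT)


if __name__ == "__main__":
    findings, drift = run_sample()
    for key_id, items in findings.items():
        for severity, msg in items:
            print(f"[{severity}] {key_id}: {msg}")
    for key_id, gained in drift.items():
        print(f"[drift] {key_id} newly allowed: {', '.join(gained)}")
```

Run this against a periodic export of your key inventory rather than a one-off listing; the drift check is the part that catches scope that appears without a change on your side, and a public key that shows drift should be rotated rather than merely re-restricted, since anything embedded in client-side code has to be assumed copied.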
Rod Danan, CEO of the interview-prep platform Prentus, reported a bill of $10,138 accumulated in approximately 30 minutes. Similarly, Sydney-based developer Isuru Fonseka awoke to charges of approximately AUD $17,000, despite believing he had a $250 spending cap. Both were unaware that Google’s automated systems had upgraded their billing tiers based on account history, silently raising their effective spending limits to as high as $100,000 without explicit consent.
Google refunded both developers after The Register published its initial report. Nevertheless, Google informed The Register that it has no plans to alter its automatic tier-upgrade policy, citing a priority on preventing service outages over enforcing users’ stated budget preferences.
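Since the platform treats a stated budget as advisory, the spending limit has to be enforced on the caller's side, before a request leaves the process. The Python below is an added example, not code from Google or from either developer in the story; the price table, the token counts and the stub `send` function are constructed. The guard reserves the estimated cost of a call before sending it, refuses calls to models it has no price for (which is how a service you never meant to use gets blocked), and is safe under concurrent callers, so a burst of requests cannot overshoot the cap the way the bills above did.

```python
"""Client-side hard spending cap for metered model calls.

Added example, not the platform's own budget feature. Prices, token
counts and the stub transport are constructed for illustration.
"""
import threading
from dataclasses import dataclass, field
from typing import Callable

# Constructed price table: USD per 1,000 tokens. Absent models are refused.
PRICE_PER_1K_TOKENS = {"model-small": 0.002, "model-large": 0.03}


class BudgetExceeded(Exception):
    """Raised when a call would push cumulative spend past the hard cap."""


class UnpricedModel(Exception):
    """Raised for any model the caller has not explicitly budgeted for."""


@dataclass
class SpendGuard:
    hard_cap_usd: float
    spent_usd: float = 0.0
    _lock: threading.Lock = field(default_factory=threading.Lock, repr=False)

    def estimate(self, model: str, tokens: int) -> float:
        if model not in PRICE_PER_1K_TOKENS:
            raise UnpricedModel(f"refusing call to unbudgeted model {model!r}")
        return tokens / 1000 * PRICE_PER_1K_TOKENS[model]

    def reserve(self, model: str, tokens: int) -> float:
        """Atomically charge the estimate up front; reject if it would exceed the cap."""
        cost = self.estimate(model, tokens)
        with self._lock:
            if self.spent_usd + cost > self.hard_cap_usd:
                raise BudgetExceeded(
                    f"{model}: estimated ${cost:.4f} would exceed cap ${self.hard_cap_usd:.2f} "
                    f"(spent ${self.spent_usd:.4f})")
            self.spent_usd += cost
        return cost

    def settle(self, reserved: float, actual: float) -> None:
        """Replace the reservation with the metered cost once the response is known."""
        with self._lock:
            self.spent_usd += actual - reserved


def guarded_call(guard: SpendGuard, model: str, prompt_tokens: int,
                 max_output_tokens: int, send: Callable[[str, int], tuple[str, int]]) -> str:
    """Send one request only if its worst-case cost fits under the cap.

    `send` is the transport (stubbed below); it returns (text, tokens_actually_billed).
    """
    reserved = guard.reserve(model, prompt_tokens + max_output_tokens)
    try:
        text, billed_tokens = send(model, prompt_tokens)
    except Exception:
        guard.settle(reserved, 0.0)   # nothing was billed; release the reservation
        raise
    guard.settle(reserved, guard.estimate(model, billed_tokens))
    return text


def stub_send(model: str, prompt_tokens: int) -> tuple[str, int]:
    # Constructed transport: bills the prompt plus a fixed 200 output tokens.
    return f"{model} reply", prompt_tokens + 200


def run_sample() -> tuple[int, float, str]:
    """Fire a burst of expensive calls at a $1.00 cap; return (calls that went through, spend, reason stopped)."""
    guard = SpendGuard(hard_cap_usd=1.00)
    completed, reason = 0, ""
    for _ in range(10):
        try:
            guarded_call(guard, "model-large", 9_800, 200, stub_send)  # worst case $0.30 each
            completed += 1
        except BudgetExceeded as exc:
            reason = str(exc)
            break
    return completed, round(guard.spent_usd, 6), reason


if __name__ == "__main__":
    print(run_sample())
```

The guard charges the worst case (prompt plus the output ceiling) before sending, then corrects to the metered amount; reserving after the response would let several in-flight requests each pass the check. Unknown models are refused outright rather than priced at zero, which is the property that would have stopped calls to a service nobody on the team had enabled.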
Separately, there's the question of what happens when a developer attempts to deactivate compromised credentials. The Register recently reported on research by security firm Aikido, which revealed that even developers who quickly identify and delete a compromised key may not be safe. Aikido's findings indicate that attackers can potentially continue using such a key for up to 23 minutes, as Google's revocation process propagates gradually across its vast infrastructure. Aikido researcher Joseph Leon informed The Register that during this window, success rates are unpredictable, with some minutes showing over 90% of requests still authenticating, allowing attackers to exfiltrate files and cached conversation data from Gemini.
Leon further pointed out that Google’s newer credential formats do not exhibit this problem: service account API credentials revoke in about five seconds, and Gemini’s newer AQ-prefixed key format takes approximately a minute. He noted in Aikido’s corresponding paper, “Both run at Google scale,” and “Both suggest this is technically solvable for Google API keys, too.” In essence, Leon concluded that the 23-minute window is not an engineering constraint but rather a reflection of the company's priorities.
This context is crucial when considering de Souza’s advice, which is undeniably sound and warrants serious attention. While his observations are accurate, there currently exists a discernible gap between the security prescriptions offered by platforms and the speed at which these same platforms are adapting their own practices. Remaining aware of this disparity is essential.
The Editorial Staff at AIChief is a team of professional content writers with extensive experience in AI and marketing. Founded in 2025, AIChief has quickly grown into the largest free AI resource hub in the industry.
