I recently had the opportunity to sit down with Francis de Souza, COO of Google Cloud, backstage at an event in Los Angeles. Speaking in the calm, measured tone of a university professor despite the din, de Souza offered some useful advice for companies trying to navigate the AI security era we are all living through. “There’s going to be a transition period, but I think we’ll be in a better place after that,” he said.
He wasn’t talking about Google at the time, but it’s clear that even Google is still figuring things out.
De Souza’s central message was one that security experts have been urging executives to internalize for years, and one now made more urgent by AI: “Security can’t be an afterthought.” “As companies embark on this AI journey, they need to take a platform approach,” he said. “Security is not something that can be added as an afterthought, and it cannot be left to employees to do whatever they want.” He specifically warned about “shadow AI” (employees using consumer AI tools without organizational oversight) and argued that companies need to demand security, governance, and auditability from their platforms from the start. “There is no such thing as an AI strategy without a data strategy and a security strategy. They need to work together.”
It’s worth noting that he wasn’t promoting Google Cloud alone. When he realized that his advice was starting to sound like a Google ad, he pushed back on that framing himself. He said Google is committed to a multi-cloud approach, and argued that companies that think they operate on a single cloud almost certainly don’t. “Even if they choose a single cloud, they rely on SaaS applications and may have business partners who use different clouds,” he said. “It is important for enterprises to have a consistent security posture across clouds and models.”
He also argued that the old defense model is too slow because the threat landscape has fundamentally changed. He cited a drop in the average time from initial compromise to the next stage of an attack from 8 hours to 22 seconds, and an attack surface that has expanded far beyond traditional network boundaries. “In addition to the usual assets, there is a model. There is a data pipeline that is used to train the model. There are agents. There are prompts. All of this needs to be secured.”
One threat de Souza warned about is not getting enough attention: agents moving through a company’s internal systems can surface forgotten data repositories that no one has thought about in years. “A lot of organizations have old SharePoint servers (and access controls) that haven’t really been updated, which wasn’t a problem because no one really knew where the servers were. But agents walking around the enterprise would find those data assets and expose the data that was there.” In other words, security through obscurity that held up only because nothing was systematically looking stops holding the moment something is.
In his mind, the answer is to fight machine speed with machine speed. “We are now seeing the emergence of AI-native, complete agent defense where organizations can run agents that drive defense,” he said. “Instead of having a human-led defense, or having a human involved, humans can now oversee a fully agent-based defense.” He added that this is no longer just a technology issue, but a leadership issue: “This is a board-level issue and a management issue. It’s not just a security team issue.”
But while AI is taking on more of the defensive workload, there is a shortage of qualified talent to oversee it. And the vulnerabilities that AI itself introduces are proliferating faster than security teams can address them. “We’re going to need people to deal with bug catastrophes,” Lee Kisner, LinkedIn’s chief information security officer, told the New York Times this week, adding that he doesn’t expect the industry to understand AI security in a sustainable, long-term way for at least a few years.
Now back to the platform provider itself. Over the past few weeks, The Register has published a series of reports documenting how a number of Google Cloud developers were hit with five-figure bills for fraudulent API calls against Gemini models. Many of them had never used that service or intentionally enabled it. The incident followed a familiar pattern: API keys originally created for Google Maps, and exposed publicly as Google’s own guidance directs, quietly became valid for Gemini after Google expanded their scope without explicitly disclosing the change. An API key that is meant to sit in public is only as safe as the list of APIs it is restricted to, and that list had grown behind the developers’ backs.
Rod Dunnan, CEO of interview preparation platform Prentus, said his bill reached $10,138 in about 30 minutes once the attackers started using the compromised API key. Isuru Fonseka, a Sydney-based developer whose account was also compromised, noticed a charge of approximately AU$17,000, despite believing there was a spending limit of $250. What neither of them knew was that Google’s automated systems had upgraded their billing tiers based on account history, raising the effective limit to $100,000 without their explicit consent.
Google refunded both after The Register published its initial report. Still, Google told The Register that it has no plans to change its automatic tier upgrade policy, preferring to avoid service interruptions over enforcing user-specified budget settings. (A Cloud Billing budget is an alert threshold, not a hard cap; spending continues past it unless something acts on the alert.)
In the meantime, another question is what happens when developers try to shut things down. The Register reported this week that an investigation by security firm Aikido found that even developers who discover and quickly remove a compromised key may not be safe. According to Aikido’s findings, Google’s revocation propagates gradually through its infrastructure, so an attacker can keep using a revoked key for up to 23 minutes. The success rate during that window is unpredictable, with more than 90% of requests still authenticating within minutes of revocation, and attackers could use that time to steal files and cached conversation data from Gemini, Aikido researcher Joseph Leong told The Register.
Leong also pointed out that Google’s own newer credential formats don’t seem to have the same issue. Service account API credentials are revoked in approximately 5 seconds, while Gemini’s new AQ-prefixed key format takes approximately 1 minute. “Both are being executed at Google scale,” he writes in a related Aikido paper. “Both suggest that this is technically solvable with a Google API key as well.” So, according to Leong, the 23-minute window is a matter of company priorities, not engineering constraints.
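The practical lesson from Aikido’s finding is that “delete the key” is not a complete incident response step until you know how long deletion takes to become effective on the provider you use. The script below, added here as an illustration and not Aikido’s tooling or Google code, shows how to measure that: revoke, then keep polling with the dead credential and record when it stops working. The backend it polls is a constructed stand-in for an eventually-consistent API front end, in which the revocation spreads across nodes linearly over an assumed 23 minutes; the probe picks nodes with a golden-ratio sequence so the run is deterministic but still spread across the fleet. To run it against a real service, replace `auth` with a function that makes one request using the revoked key and returns whether it was accepted, and pass `time.sleep` as `sleep`.

```python
"""Measure how long a revoked credential keeps authenticating.

Added example, not Aikido's tooling and not Google code. `SimulatedBackend`
is a constructed stand-in for an eventually-consistent API front end: the
revocation reaches its nodes progressively over PROPAGATION_SECONDS, and
each probe request lands on a node chosen by a low-discrepancy sequence so
the samples are deterministic but spread across the fleet. Swap `auth` for
a real request with the revoked key (True on 200, False on 401/403) and
`sleep` for time.sleep to run it against a live service.
"""
from typing import Callable, Dict, List, Optional, Tuple

PROPAGATION_SECONDS = 23 * 60  # worst case reported on the page; the linear spread is an assumption
GOLDEN = 0.6180339887498949    # golden-ratio sequence: evenly spread node ids in [0, 1)


class SimulatedBackend:
    """Nodes are identified by a float in [0, 1) and learn of the revocation in
    id order: t seconds after revocation, every node with id < t/propagation
    rejects the key and the rest still accept it."""

    def __init__(self, propagation: float = PROPAGATION_SECONDS) -> None:
        self.propagation = propagation
        self.revoked_at: Optional[float] = None
        self.requests = 0

    def revoke(self, now: float) -> None:
        self.revoked_at = now

    def auth(self, now: float) -> bool:
        node_id = (self.requests * GOLDEN) % 1.0  # which front-end node served this request
        self.requests += 1
        if self.revoked_at is None:
            return True
        revoked_fraction = min(1.0, (now - self.revoked_at) / self.propagation)
        return node_id >= revoked_fraction


def probe_revocation(
    auth: Callable[[float], bool],
    interval: float = 5.0,
    quiet_period: float = 120.0,
    max_wait: float = 3600.0,
    sleep: Callable[[float], None] = lambda s: None,
) -> List[Tuple[float, bool]]:
    """Poll `auth(t)` every `interval` seconds starting at the moment of
    revocation (t = 0). Stop once the key has been rejected continuously for
    `quiet_period` seconds, or at `max_wait`. Returns [(t, accepted), ...]."""
    samples: List[Tuple[float, bool]] = []
    t = 0.0
    last_accept: Optional[float] = None
    while t <= max_wait:
        accepted = auth(t)
        samples.append((t, accepted))
        if accepted:
            last_accept = t
        elif t - (last_accept if last_accept is not None else 0.0) >= quiet_period:
            break
        sleep(interval)
        t += interval
    return samples


def summarize(samples: List[Tuple[float, bool]], bucket: float = 60.0):
    """Acceptance rate per `bucket` seconds, plus the last time the key worked.
    Returns (last_accept_time_or_None, {bucket_index: rate})."""
    counts: Dict[int, List[int]] = {}
    for t, ok in samples:
        n_ok = counts.setdefault(int(t // bucket), [0, 0])
        n_ok[0] += 1
        n_ok[1] += int(ok)
    rates = {b: ok / n for b, (n, ok) in sorted(counts.items())}
    last_accept = max((t for t, ok in samples if ok), default=None)
    return last_accept, rates


def run_simulation():
    """Revoke at t = 0 against the constructed backend and report the window."""
    backend = SimulatedBackend()
    backend.revoke(now=0.0)
    return summarize(probe_revocation(backend.auth))


if __name__ == "__main__":
    last, rates = run_simulation()
    print(f"key last accepted {last:.0f}s after revocation")
    for minute, rate in rates.items():
        print(f"minute {minute:2d}: {rate:5.0%} of requests accepted")
```

Against the simulated backend the key is still accepted for every request in the first minute and for 11 of 12 in the second, and the last successful request lands 1,270 seconds after revocation, which is the shape of the window Aikido describes. On a real provider the number you care about is `last_accept`; until that much time has passed after revoking a leaked key, treat it as live, and restrict what a key can reach (APIs, referrers, quotas) before it leaks rather than after.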
It is worth keeping all of this in mind when reading de Souza’s advice, which is sound and should be taken seriously. He’s not wrong, but there is a gap between what the platforms prescribe for their customers and how quickly the platforms themselves adapt, and that gap is worth recognizing too.
