Everyone is figuring out AI security in real time, Google included.

I recently had the opportunity to sit down with Francis de Souza, COO of Google Cloud, backstage at an event in Los Angeles. De Souza, who speaks with the calm, measured manner of a college professor despite the noise around us, offered useful advice to companies navigating the AI security moment we are all living through, noting that “there will be a transition and then we will get to a better situation.”

He didn’t mention Google at the time, but it’s clear that even Google is still figuring things out.

De Souza’s key message, which security professionals have been trying to get executives to internalize for years and now becomes urgent due to AI, is that security cannot be an afterthought. “As companies begin their AI journey, they need to take a platform approach,” he said. “Security is not something you can add on later, nor is it something you can leave to employees to do themselves.” He specifically warned against “shadow AI,” where employees access consumer tools without organizational oversight, and argued that companies should require security, governance and auditability from their platforms from the beginning. “There is no such thing as an AI strategy without a data strategy and a security strategy. These strategies must go hand in hand.”

What’s notable is that he didn’t simply pitch Google Cloud. He caught himself, acknowledging that his advice sounded like a Google ad, and argued that Google is committed to a multicloud approach because almost no business is actually operating in a single cloud. “Even if you choose a single cloud, you are relying on SaaS applications and may have business partners who use different clouds,” he said. “It is important for enterprises to have a consistent security posture across clouds and models.”

He also argued that the threat landscape has changed so fundamentally that existing defense models are too slow. He noted that the average time from initial compromise to transition to the next stage of an attack has decreased from 8 hours to 22 seconds, and the attack surface has expanded far beyond traditional network boundaries. “In addition to the usual assets, we now have a model. We have a data pipeline that is used to train the model. We have agents and prompts. All of this needs to be secured.”

One threat de Souza raised that doesn’t get enough attention is that agents moving through a company’s internal systems could surface forgotten repositories of data that no one has thought about for years. “A lot of organizations have old SharePoint servers (and access controls) that haven’t really been updated, but that doesn’t matter because no one really knows where it is. But agents roaming the enterprise will find those data assets and expose the data that’s there.”

In his view, the answer is to match machine speed to machine speed. “Now we are seeing the emergence of AI-based, full-agent defense where organizations can run agents that drive their defense,” he said. “Rather than having human-led defenses or people in the loop, we can now have humans overseeing full agent defenses.” He added that this has become a leadership issue rather than just a technology issue. “It’s a board-level issue, a management issue. It’s not just a security team issue.”

But even as AI takes on more defensive tasks, there are fewer qualified personnel to oversee them, and the vulnerabilities created by AI itself are growing faster than security teams can address them. “We need people to deal with the bug apocalypse,” Lea Kissner, LinkedIn’s chief information security officer, told the New York Times this week, adding that she doesn’t expect the industry to understand AI security in a sustainable long-term way for at least a few years.

Back to the platform providers themselves. The Register has published a series of reports over the past few weeks documenting many Google Cloud developers being hit with five-figure bills due to unauthorized API calls to Gemini models. Many of the charges were for services the developers had never used or intentionally enabled. The cases followed a familiar pattern: API keys originally issued for Google Maps and placed publicly, in line with Google’s own guidance, quietly became usable against Gemini after Google expanded the keys’ scope without clearly disclosing the change.

Rod Danan, CEO of interview preparation platform Prentus, said the bill reached $10,138 in about 30 minutes after attackers exploited the compromised API key. Similarly, Sydney-based developer Isuru Fonseka, whose account was compromised, discovered charges of approximately $17,000 AUD, despite believing his spending limit was $250. Neither of them knew that Google’s automated system had upgraded their billing tiers based on their account history, raising the effective limit up to $100,000 without their explicit consent.

Google refunded both after The Register published its initial report. Nonetheless, Google said it has no plans to change its automatic tier upgrade policy and prioritizes preventing service disruptions over enforcing users’ stated budget preferences.
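The common thread in these cases is a publicly placed key whose API scope is broader than the one purpose it was issued for. The following audit script is an added example, not code from Google, The Register or any of the developers quoted; it assumes key records shaped like the API Keys API v2 `keys.list` response (`restrictions.apiTargets`, `browserKeyRestrictions`, `serverKeyRestrictions`), and the sample records are constructed inline so it runs offline. It flags keys that have no API restriction at all (and so follow whatever services the platform makes available to them), client-side keys that can reach the generative language service, and keys with no application restriction.

```python
"""Audit Google Cloud API keys for scope that is broader than their purpose.

Added example. The record shape below mimics the API Keys API v2
``keys.list`` response as an assumption; in practice the records would
come from that API. All sample keys are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed service name for the Gemini API surface.
GEMINI_SERVICE = "generativelanguage.googleapis.com"
# Restriction kinds that mark a key as intended for client-side (public) use.
CLIENT_RESTRICTION_KINDS = (
    "browserKeyRestrictions",
    "androidKeyRestrictions",
    "iosKeyRestrictions",
)


@dataclass
class Finding:
    key: str
    severity: str  # "high" or "medium"
    reason: str


def audit_key(key: dict) -> list[Finding]:
    """Return findings for one key record; an empty list means no issue."""
    name = key.get("displayName") or key.get("name", "<unnamed>")
    restrictions = key.get("restrictions") or {}
    targets = [t.get("service", "") for t in restrictions.get("apiTargets", [])]
    is_client_key = any(k in restrictions for k in CLIENT_RESTRICTION_KINDS)
    findings: list[Finding] = []

    if not targets:
        # No API restriction: the key works against every API the project
        # enables, including services added after the key was issued.
        findings.append(Finding(name, "high",
            "no API restriction: usable against every enabled API, Gemini included"))
    elif GEMINI_SERVICE in targets and is_client_key:
        # A key shipped in a web page or app cannot stay secret, so it should
        # never be allowed to call a metered model endpoint.
        findings.append(Finding(name, "high",
            f"client-side key may call {GEMINI_SERVICE}"))

    if not is_client_key and "serverKeyRestrictions" not in restrictions:
        findings.append(Finding(name, "medium",
            "no application restriction: key works from any origin or IP"))
    return findings


def summarize(keys: list[dict]) -> dict[str, list[str]]:
    """Map each key's display name to the severities raised against it."""
    return {
        (k.get("displayName") or k.get("name", "<unnamed>")):
            [f.severity for f in audit_key(k)]
        for k in keys
    }


# Constructed sample records (not real keys or projects).
SAMPLE_KEYS = [
    {   # Maps key on a website, restricted to the Maps backend: no finding.
        "name": "projects/example/locations/global/keys/k1",
        "displayName": "maps-web",
        "restrictions": {
            "browserKeyRestrictions": {"allowedReferrers": ["https://example.test/*"]},
            "apiTargets": [{"service": "maps-backend.googleapis.com"}],
        },
    },
    {   # Older website key with a referrer restriction but no API restriction:
        # this is the pattern behind the surprise Gemini bills.
        "name": "projects/example/locations/global/keys/k2",
        "displayName": "legacy-web",
        "restrictions": {
            "browserKeyRestrictions": {"allowedReferrers": ["https://example.test/*"]},
        },
    },
    {   # Server-side key pinned to known IPs and only the Gemini service: no finding.
        "name": "projects/example/locations/global/keys/k3",
        "displayName": "backend-gemini",
        "restrictions": {
            "serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]},
            "apiTargets": [{"service": GEMINI_SERVICE}],
        },
    },
    {   # Key created with the defaults and never restricted at all.
        "name": "projects/example/locations/global/keys/k4",
        "displayName": "unrestricted",
    },
]


if __name__ == "__main__":
    for key in SAMPLE_KEYS:
        for f in audit_key(key):
            print(f"[{f.severity}] {f.key}: {f.reason}")
```

Run against real records, the script turns the story above into a routine check: any key in the `high` bucket is one whose exposure turns a free Maps call into a metered model call, and is the one to re-issue with an explicit `apiTargets` list before it is published anywhere.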

In the meantime, there’s a separate question about what happens when a developer tries to revoke a compromised key. The Register reported this week on an investigation by security firm Aikido that found that even developers who discover compromised keys and immediately delete them may not be safe. Aikido’s findings suggest that attackers could continue to use the keys for up to 23 minutes as Google’s revocation propagates gradually throughout the infrastructure. Aikido researcher Joseph Leon told The Register that the success rate during that period is unpredictable (more than 90% of requests are authenticated within a few minutes) and that attackers could use that time to extract files and cached conversation data from Gemini.

Leon also pointed out that Google’s newer credential formats don’t seem to have the same problem. Service account API credentials are revoked in about 5 seconds, and Gemini’s latest AQ-prefix key format takes about 1 minute. “Both run at Google scale,” he wrote in a write-up for Aikido. “I suggest that both are technically solvable for Google API keys as well.” Simply put, according to Leon, the 23-minute window is a matter of company priorities, not an engineering constraint.

This is worth keeping in mind when reading de Souza’s advice. The advice is sound and should be taken very seriously; he’s not wrong. But there is a gap between what the platforms prescribe and how quickly they themselves adapt, and it’s good to be aware of that as well.
