I recently had the opportunity to sit down with Francis de Souza, COO of Google Cloud, backstage at an event in Los Angeles. Amidst the noise around us, de Souza, who speaks in the calm, measured manner of a university professor, offered helpful advice for companies navigating the AI security moment we’re all living in, noting that “there’s going to be a transition period and then I think we’ll get to that best place.”
He wasn’t talking about Google at the time, but it’s clear that even Google is still figuring things out.
De Souza’s key message was that security professionals have been trying to get executives to internalize for years, something now made urgent by AI: security cannot be an afterthought. “As companies embark on this AI journey, they need to take a platform approach,” he said. “Safety is not something you can put in later and it’s not something you can leave employees to do on their own.” He specifically warned about “shadow AI” – workers accessing consumer tools without organizational oversight – and argued that companies should require security, governance and controllability from their platforms from the start. “There is no AI strategy without a data strategy and a security strategy. They have to keep up.”
It’s worth noting: he wasn’t pitching Google Cloud himself. When I noticed that his advice sounded like a Google ad, he pushed back. Google, he said, is committed to a multicloud approach, and argued that companies that think they’re running on a single cloud almost certainly aren’t. “Even if they choose a single cloud, they rely on SaaS applications, there are business partners who may be using different clouds,” he said. “It’s important for companies to have a security posture that is consistent across clouds, across models.”
He also argued that the threat landscape has changed so fundamentally that the old defense models are too late. He noted that the average time between an initial breach and the transition to the next stage of an attack has decreased from eight hours to 22 seconds, and that the attack surface has expanded far beyond the traditional network perimeter. “In addition to your usual property, you have models now. You have data pipelines that are used to train the models. You have agents, you have prompts. All of that needs to be protected.”
One threat de Souza highlighted that doesn’t get enough attention: agents moving through a company’s internal systems can turn up forgotten repositories of data that no one has thought about in years. “Many organizations have legacy SharePoint servers [and access controls] they haven’t really been informed, but it didn’t matter because no one really knew where they were. However, agents roaming your business will find these data items and expose the data to them.”
The answer, in his view, is to meet machine speed with machine speed. “We’re now seeing the emergence of a native AI, fully representative defense, where organizations can direct agents that drive their defenses,” he said. “Instead of having a human-centric defense or even a human in the loop, you can now have people overseeing a fully representative defense.” He added that this has become a leadership issue, not just a technology one. “This is a board-level issue and an executive team issue. It’s not just a security team issue.”
But even as AI takes over more of the defense workload, people qualified to oversee it are in short supply – and vulnerabilities introduced by AI itself are multiplying faster than security teams can deal with. “We’re going to need people to deal with the bug-pocalypse,” LinkedIn chief information security officer Lea Kissner. he told the New York Times this week, adding that he doesn’t expect the industry to understand AI security in any sustainable long-term way for at least several years.
Which brings us back to the platform providers themselves. The Register has published a series of reports in recent weeks documenting a wave of Google Cloud developers who were hit with five-figure bills after making unauthorized API calls to Gemini models — services many of them had never used or intentionally enabled. The cases followed a familiar pattern: API keys originally developed for Google Maps, placed publicly under Google’s instructions, were quietly made accessible to Gemini after Google expanded their scope without clearly disclosing the change.
Rod Danan, CEO of interview preparation platform Prentis, said his bill dropped $10,138 in about 30 minutes after attackers exploited its compromised API key. Isuru Fonseka, a Sydney-based developer whose account was similarly hacked, woke up to around AUD$17,000 in charges despite believing he had a $250 spending limit. What no one knew was that Google’s automated systems had upgraded billing levels based on account history, raising the effective caps by as much as $100,000 without express consent.
Google returned both monies after The Register’s original report was published. However, Google told The Register that it has no plans to change its automatic tier upgrade policy, saying it prioritizes preventing service outages over enforcing users’ stated budget preferences.
Meanwhile, there’s the separate question of what happens when a developer tries to shut things down. The Registry reported this week about security firm Aikido’s research that found that even developers who catch a compromised key and immediately delete it may not be safe. According to Aikido’s findings, attackers can apparently continue to use this key for up to 23 minutes because Google’s revocation is gradually spreading throughout its infrastructure. Aikido researcher Joseph Leon told The Register that during this window, success rates are unpredictable—in a few minutes more than 90% of requests are still validated—and attackers can use the time to extract files and saved chat data from Gemini.
Leon also noted that Google’s newer credential formats don’t seem to have the same problem: service account API credentials are revoked in about five seconds, and Gemini’s newer AQ-prefixed key format takes about a minute. “Both run on Google scale,” he wrote in the relevant Aikido Journal. “Both suggest that this is technically solvable for Google API keys as well.” In short, according to Leon, the 23-minute window is not a mechanical limitation, but a matter of priorities for the company.
This is worth bearing in mind when reading de Souza’s advice, which is sound and should be taken very seriously. He’s not wrong, but there’s currently a gap between the platforms they prescribe and how quickly they adapt themselves, and it’s good to know that too.
When you purchase through links in our articles, we may earn a small commission. This does not affect our editorial independence.
