Everyone is navigating real-time AI security — even Google

I recently had the opportunity to sit down with Francis de Souza, COO of Google Cloud, backstage at an event in Los Angeles. Amidst the chaos around us, de Souza, who speaks with the calm, measured manner of a university professor, offered some helpful advice for companies navigating the AI security era we’re all living in, noting that “there will be a transition period, and then I think we’ll get to this better place.”
He wasn’t talking about Google at the time, but it’s clear that Google is still working things out.
De Souza’s main message was one security experts have been trying to get managers to take on board for years, now made more urgent by AI: security cannot be taken for granted. “As companies embark on this AI journey, they need to take a platform approach,” he said. “Safety is not something you can turn off later, and it’s not something you can leave to the employees to do themselves.” He specifically warned against “shadow AI” – employees using consumer AI tools on their own devices without organizational oversight – and argued that companies need to build security, governance, and auditability into their platforms from the start. “There is no such thing as an AI strategy without a data strategy and a security strategy. They must go hand in hand.”
To be clear, he wasn’t pitching Google Cloud alone. When I remarked that his advice sounded like a Google ad, he demurred. Google, he said, is committed to multicloud operations, and he made the case that companies that think they’re working on a single cloud probably aren’t. “Even if they choose one cloud, they rely on SaaS applications, and there are business partners who may be using different clouds,” he said. “It’s important for companies to have a consistent security posture across clouds, across all models.”
He also made the case that the threat landscape has changed so much that old defense models are too slow. He noted that the average time between an initial breach and progression to the next stage of the attack has dropped from eight hours to 22 seconds, and that the attack surface has expanded well beyond the conventional network. “In addition to your common heritage, you have models now. You have data pipelines used to train models. You have agents, you have data. All of this needs to be protected.”
One threat de Souza flagged doesn’t get enough attention: agents crawling through a company’s internal systems can surface troves of forgotten data that no one has thought about in years. “Many organizations have old SharePoint servers [and access controls] they haven’t really updated, but it didn’t matter because no one really knew where they were. But agents roaming around your business will find those data assets and will expose the data in them.”
The answer, in his view, is to meet machine speed with machine speed. “Now we’re seeing the emergence of AI-native, fully self-defense where organizations can use agents that drive defense,” he said. “Instead of having a defense led by a person or even a person in the loop, now you can have people overseeing the entire defense.” He went on to say that this is a leadership issue, not just a technical one. “This is a board and executive level issue. It’s not just a security team issue.”
But as AI takes over more of the defense work, people qualified to oversee it are in short supply — and the risks posed by AI itself are growing faster than security teams can handle. “We’re going to need people to deal with the bug-pocalypse,” LinkedIn chief security officer Lea Kissner told the New York Times this week, adding that she doesn’t expect the industry to understand AI security in any sustainable way for at least several years.
Which brings us back to the platform providers themselves. The Register has published a series of reports over the past few weeks documenting a wave of Google Cloud developers racking up five-figure bills following unauthorized API calls to Gemini models – services most of them had never used or intentionally enabled. The cases followed a common pattern: API keys originally created for Google Maps, and exposed publicly in keeping with Google’s own guidance, gained access to Gemini after Google expanded the keys’ scope without publicly disclosing the change.
Rod Danan, CEO of interview preparation platform Prentus, said his bill hit $10,138 in about 30 minutes after attackers used his compromised API key. Isuru Fonseka, a Sydney-based developer whose account was similarly compromised, was charged nearly AUD$17,000 despite believing he had a $250 spending cap. What neither of them knew was that Google’s automated systems had adjusted their billing tiers based on account history, raising their effective spending ceiling to $100,000 without express permission.
Google reversed both bills after the Register published its initial report. However, Google told the Register that it has no plans to change its automatic tier-upgrade policy, saying it prioritizes preventing service outages over enforcing user-specified budget preferences.
Meanwhile, there is a separate question of what happens when a developer tries to shut things down. The Register reported this week that research by security firm Aikido found that even developers who catch an exposed key and quickly delete it may not be safe. According to Aikido’s findings, attackers can apparently continue to use that key for up to 23 minutes because Google’s revocation propagates slowly through its infrastructure. Aikido researcher Joseph Leon told the Register that during that window the success rate is unpredictable – in some minutes more than 90% of requests are still accepted – and attackers can use the time to extract files and cached chat data from Gemini.
Leon also noted that Google’s newer authentication formats don’t seem to have the same problem: API credentials for a service account are revoked in about five seconds, and Gemini’s new AQ-prefixed key format takes about a minute. “Both run on Google’s scale,” he wrote in an Aikido write-up. “Both suggest that this is technically solvable with Google API keys.” In short, according to Leon, the 23-minute window is not an engineering hurdle but a matter of company priorities.
That’s worth keeping in mind when reading de Souza’s advice, which is sound and should be taken very seriously. He is not wrong, but at the moment there is a gap between the fundamentals the platform providers prescribe and how quickly they themselves adapt, and it is good to be aware of that, too.