I recently had the opportunity to sit backstage with Google Cloud CEO Francis de Souza at an event in Los Angeles. Amid the noise around us, speaking in the calm, measured manner of a university professor, de Souza offered some helpful advice for companies navigating the AI security moment we’re all living in, noting that “there will be a transition period and then I think we’ll get to a better place.”
He wasn’t talking about Google at the time, but it’s clear that even Google is still working things out.
De Souza’s main message was what security experts have been trying to get executives to internalize for years, and what AI is now making urgent: security cannot be an afterthought. “As companies embark on this AI journey, they need to require a platform approach,” he said. “Safety isn’t something you can lock in later, and it’s not something you can leave to employees alone.” He specifically warned about “shadow AI” — employees tapping into consumer tools without organizational oversight — and argued that companies should require security, governance and auditability from their platforms from the start. “There is no such thing as an AI strategy without a data strategy and a security strategy. They have to go hand in hand.”
It’s worth noting that he wasn’t just promoting Google Cloud. He backed off when he noticed that his advice sounded like a Google ad. Google is committed to a multi-cloud approach, he said, adding that companies that think they’re running on a single cloud almost certainly aren’t. “Even if they choose one cloud, they rely on SaaS applications, they have business partners that can use different clouds,” he said. “It’s important for companies to have a security posture that’s consistent across clouds, across models.”
He also argued that the threat landscape has changed so radically that old defense models are too slow. He noted that the average time between an initial breach and handover to the next stage of an attack has dropped from eight hours to 22 seconds, and the attack surface has expanded far beyond the traditional network perimeter. “In addition to your regular property, you now have models. You have data belts used to train the models. You have agents, you have instructions. All of that needs to be protected.”
De Souza pointed out a danger that doesn’t get enough attention: agents navigating a company’s internal systems can uncover troves of forgotten information that no one has thought about for years. “Many organizations have legacy SharePoint servers (and access controls) that they haven’t really updated, but it didn’t matter because no one knew where they were. But agents roaming your enterprise will find those data assets and expose the information they contain.”
The answer, he says, is to meet machine speed with machine speed. “Now we’re seeing the emergence of AI-native, fully agent defense, where organizations can control the agents that run their defenses,” he said. “Instead of having a human-driven defense or even a human being in the loop, you can now have people control full agent defense.” He added that it has become a matter of leadership, not just technology. “It’s a board-level issue and it’s an executive team issue. It’s not just a security team issue.”
But while AI is taking over more of the defense workload, there are fewer people qualified to oversee it — and the vulnerabilities introduced by AI itself are growing faster than security teams can address them. Lea Kissner, chief information security officer at LinkedIn, told the New York Times this week that they don’t expect the industry to understand AI security in any sustainable, long-term way for at least several years.
This brings us back to the platform providers themselves. The Register has published a series of reports over the past few weeks documenting that Google Cloud developers have been hit with five-figure bills after unauthorized API calls were made to Gemini models, services many of them never used or intentionally enabled. The cases followed a familiar pattern: API keys for Google Maps that were originally deployed publicly under Google’s own guidelines quietly became able to access Gemini after Google expanded their scope without clearly disclosing the change.
In an interview, Rod Danan, CEO of the Prentus platform, said the bill reached $10,138 in about 30 minutes after attackers used Prentus’s compromised API key. Isuru Fonseka, a Sydney-based developer whose account was similarly compromised, woke up to a charge of around AUD 17,000 despite believing he had a $250 spending limit. What neither knew was that Google’s automated systems had upgraded their billing tiers based on account history, raising their effective ceiling to $100,000 without explicit consent.
Google reversed both charges after The Register published its initial report. Still, Google told The Register that it has no plans to change its automatic tier upgrade policy, saying it prioritizes preventing service outages over users’ stated budget choices.
Meanwhile, there’s a separate question about what happens when a developer tries to lock things down. The Register reported this week that even developers who catch a stolen key and immediately delete it may not be safe, according to a study by security firm Aikido. According to Aikido’s findings, attackers can continue to use the deleted key for up to 23 minutes while the revocation gradually propagates across Google’s infrastructure. Aikido researcher Joseph Leon told The Register that success rates during this window are unpredictable — more than 90% of requests are still approved within minutes — and attackers can use this time to extract files and cached chat data from Gemini.
Leon also noted that Google’s own newer credential formats don’t have the same problem: service account API credentials are invalidated in about five seconds, and Gemini’s newer AQ-prefixed key format takes about a minute. “Both work on a Google scale,” he said in a related Aikido article. “Both suggest this is technically solvable for Google API keys.” In short, according to Leon, the 23-minute window is not an engineering limitation but a matter of the company’s priorities.
It’s worth keeping this in mind when reading de Souza’s sound advice, which should be taken very seriously. He’s not wrong, but there’s a gap between the platforms he’s currently targeting and how fast they’re adapting themselves, and that’s good to know.