AI Security Headaches: Even Google Navigates Real-Time Challenges

Uche Emeka

In a recent interview, Google Cloud COO Francis de Souza offered critical insights into navigating the complex landscape of AI security, stressing that security cannot be an afterthought for companies embarking on their AI journey. De Souza advocated for a comprehensive, platform-based approach to security, asserting that it is not something to be bolted on later or left to individual employees. He specifically warned against “shadow AI,” where employees utilize consumer tools without proper organizational oversight, and emphasized the necessity for platforms to provide security, governance, and auditability from the outset. De Souza underscored that a robust AI strategy is inseparable from a sound data strategy and a stringent security strategy, all of which must be integrated.

De Souza clarified that his advice was not a mere Google advertisement, highlighting Google’s commitment to a multicloud approach. He posited that most companies, even those believing they operate on a single cloud, are inherently multicloud due to reliance on SaaS applications and business partners using different cloud environments. Consequently, he argued for a consistent security posture across all clouds and models.

The threat landscape, according to de Souza, has fundamentally shifted, rendering traditional defensive models too slow. He noted a drastic reduction in the average time between an initial breach and the subsequent stage of an attack, plummeting from eight hours to a mere 22 seconds. Furthermore, the attack surface has expanded significantly beyond conventional network perimeters to include models, data pipelines used for training, agents, and prompts, all of which require protection. A particularly overlooked threat he flagged is the potential for agents traversing internal company systems to uncover forgotten data repositories, such as old SharePoint servers with outdated access controls, which could expose sensitive data.

To combat these advanced threats, de Souza proposed meeting machine speed with machine speed through an AI-native, fully agentic defense. In this model, organizations can deploy agents to drive their defense, with humans overseeing the automated system rather than being directly involved in every defensive action. He also elevated AI security to a board-level and executive team issue, moving it beyond the sole purview of security teams.

Despite the promise of AI-driven defense, challenges remain. The industry faces a shortage of qualified personnel to oversee these advanced systems, and AI itself introduces vulnerabilities at a rate faster than security teams can address them, leading some experts to anticipate a “bug-pocalypse.”

This backdrop provides a crucial context for recent incidents involving Google Cloud developers, who have faced substantial bills due to unauthorized API calls to Gemini models. Reports from The Register documented cases where API keys, initially deployed for Google Maps and publicly placed according to Google’s instructions, silently gained the ability to access Gemini after Google expanded their scope without clear disclosure. For instance, Rod Danan, CEO of Prentus, incurred a $10,138 bill in approximately 30 minutes, while Sydney-based developer Isuru Fonseka woke up to charges of around AUD $17,000, despite believing he had a $250 spending cap. Google’s automated systems had upgraded their billing tiers, raising effective ceilings to as high as $100,000 without explicit user consent. While Google refunded these developers after The Register’s initial report, the company stated it has no plans to alter its automatic tier-upgrade policy, prioritizing service uptime over user budget preferences.

Further compounding these concerns, research by security firm Aikido revealed that deleting a compromised API key on Google Cloud may not immediately secure systems. Attackers can reportedly continue using a revoked key for up to 23 minutes due to gradual propagation across Google’s infrastructure. Aikido researcher Joseph Leon noted that during this window, requests could still authenticate at success rates above 90% during some minutes, allowing attackers to exfiltrate files and cached data. Leon pointed out that newer Google credential formats, such as service account API credentials and Gemini’s AQ-prefixed keys, revoke significantly faster (around five seconds and one minute, respectively), suggesting the 23-minute delay for older API keys is a matter of company priorities rather than a technical constraint. This highlights a significant gap between the security prescriptions offered by platform providers like Google Cloud and the speed at which their own platforms adapt to critical security needs.
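As an added illustration (not code from the article, Google, or Aikido), the review below runs over constructed API-key usage records and flags the two failure modes described above: a key intended for one API being accepted by another, and a key still authenticating after its revocation time. The log format, key ids, intended-API table and revocation times are all assumed for the example.

```python
"""Post-hoc review of API-key usage: flags successful calls outside a key's
intended API set and successful calls made after the key was revoked."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records (not a real Google Cloud audit-log format):
# timestamp, key id, API host called, HTTP status.
SAMPLE_LOG = """\
2025-01-10T09:00:00Z key-maps-1 maps.googleapis.com 200
2025-01-10T09:05:00Z key-maps-1 generativelanguage.googleapis.com 200
2025-01-10T09:31:00Z key-maps-1 generativelanguage.googleapis.com 200
2025-01-10T09:52:00Z key-maps-1 generativelanguage.googleapis.com 200
2025-01-10T09:55:00Z key-maps-1 generativelanguage.googleapis.com 403
2025-01-10T09:01:00Z key-gem-2 generativelanguage.googleapis.com 200
2025-01-10T09:10:30Z key-gem-2 generativelanguage.googleapis.com 403
"""

# Assumed policy: the APIs each key was created for, and when it was revoked.
INTENDED = {"key-maps-1": {"maps.googleapis.com"},
            "key-gem-2": {"generativelanguage.googleapis.com"}}
REVOKED_AT = {"key-maps-1": datetime(2025, 1, 10, 9, 30),
              "key-gem-2": datetime(2025, 1, 10, 9, 10)}

@dataclass
class Finding:
    key: str
    kind: str        # "scope_creep" or "post_revocation"
    when: datetime
    api: str

def parse(line):
    ts, key, api, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), key, api, int(status)

def review(log_text, intended, revoked_at):
    """Return (findings, window): window maps each key to the longest
    interval after revocation in which a call still succeeded."""
    findings, window = [], {}
    for line in log_text.strip().splitlines():
        ts, key, api, status = parse(line)
        if status != 200:
            continue  # rejected calls are the expected outcome; skip them
        if api not in intended.get(key, set()):
            findings.append(Finding(key, "scope_creep", ts, api))
        rev = revoked_at.get(key)
        if rev is not None and ts >= rev:
            findings.append(Finding(key, "post_revocation", ts, api))
            window[key] = max(window.get(key, timedelta()), ts - rev)
    return findings, window
```

Run against the sample data, the Maps key shows three successful Gemini calls it was never meant to make and a 22-minute post-revocation window, while the Gemini key stops authenticating within a minute of revocation.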
