
Everyone Is Navigating AI Security in Real Time — Even Google

2026/05/25 05:55

BitcoinWorld


In a candid conversation backstage at an event in Los Angeles, Francis de Souza, COO of Google Cloud, offered a sobering assessment of the current state of AI security. Speaking with the measured tone of a university professor, de Souza acknowledged that the industry is in a transition period, noting that “there’ll be a transition period, and then I think we get to this better place.” His remarks come at a time when even Google itself is grappling with security gaps exposed by its own AI products.

The Platform Approach to Security

De Souza’s core message was one security professionals have been urging executives to adopt for years, now made urgent by AI: security cannot be an afterthought. “As companies embark on this AI journey, they need to take a platform approach,” he said. “Security is not something you can bolt on later, and it’s not something you can leave up to employees to do on their own.” He specifically warned about “shadow AI” — employees using consumer AI tools without organizational oversight — and argued that companies must demand security, governance, and auditability from their platforms from the start. “There’s no such thing as an AI strategy without a data strategy and a security strategy. They need to go hand in hand,” he added.

Multicloud Reality and the Expanding Attack Surface

When asked whether his advice amounted to a sales pitch for Google Cloud, de Souza pushed back, emphasizing Google’s commitment to a multicloud approach. “Even if they pick a single cloud, they’re relying on SaaS applications, there are business partners that may be using different clouds,” he said. “It’s important for companies to have a security posture that is consistent across clouds, across models.” He also highlighted how fundamentally the threat landscape has changed. The average time between an initial breach and the handoff to the next stage of an attack has dropped from eight hours to 22 seconds, he noted, while the attack surface has expanded beyond the traditional network perimeter. “In addition to your usual estate, you have models now. You have data pipelines used to train the models. You have agents, you have prompts. All of this needs to be protected.”

The Hidden Danger of AI Agents

One threat de Souza flagged that often goes unnoticed: AI agents moving through a company’s internal systems can surface forgotten data repositories. “A lot of organizations have old SharePoint servers [and access controls] they haven’t really updated, but it didn’t matter because nobody really knew where they were. But agents roaming your enterprise will find those data assets and will expose the data on them.” His recommended solution is to meet machine speed with machine speed. “We’re now seeing the emergence of an AI-native, fully agentic defense where organizations can run agents driving their defense,” he said. “Instead of having a human-led defense or even a human in the loop, you can now have humans overseeing a fully agentic defense.” He stressed that this is a board-level and executive team issue, not just a security team’s concern.

Google’s Own Security Gaps

While de Souza’s advice is sound, recent reports reveal a gap between what Google Cloud prescribes and how quickly it adapts. The Register has documented a wave of Google Cloud developers hit with five-figure bills after unauthorized API calls to Gemini models — services many had never used or intentionally enabled. The pattern: API keys originally deployed for Google Maps, placed publicly per Google’s own instructions, had quietly become capable of accessing Gemini after Google expanded their scope without clearly disclosing the change. Rod Danan, CEO of interview-prep platform Prentus, reported a $10,138 bill in roughly 30 minutes after attackers exploited his compromised API key. Isuru Fonseka, a Sydney-based developer, woke up to charges of roughly AUD $17,000 despite believing he had a $250 spending cap in place. Google refunded both after The Register published its initial report, but told the publication it has no plans to change its automatic tier-upgrade policy, prioritizing preventing service outages over enforcing users’ stated budget preferences.
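A defender-side check for the exposure described above, added here as an example and not taken from the article, Google or Aikido: it audits a project's API keys for ones that are not limited to specific APIs and so could be billed for Gemini calls. It assumes the input is the JSON printed by `gcloud services api-keys list --format=json`; the sample keys and the finding labels are constructed for illustration.

```python
import json

# Constructed sample in the shape of `gcloud services api-keys list --format=json`
# output (API Keys API v2 Key resources). Display names are placeholders.
SAMPLE_KEYS_JSON = """[
 {"displayName": "maps-web-legacy",
  "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://example.test/*"]}}},
 {"displayName": "maps-web-scoped",
  "restrictions": {"browserKeyRestrictions": {"allowedReferrers": ["https://example.test/*"]},
                   "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
 {"displayName": "never-restricted"},
 {"displayName": "backend-genai",
  "restrictions": {"serverKeyRestrictions": {"allowedIps": ["203.0.113.10"]},
                   "apiTargets": [{"service": "generativelanguage.googleapis.com"}]}}
]"""

GEMINI_SERVICE = "generativelanguage.googleapis.com"
CLIENT_SIDE = ("browserKeyRestrictions", "androidKeyRestrictions", "iosKeyRestrictions")
APP_RESTRICTIONS = CLIENT_SIDE + ("serverKeyRestrictions",)


def audit_keys(keys):
    """Map displayName -> findings for keys that can reach Gemini unintentionally."""
    report = {}
    for key in keys:
        restrictions = key.get("restrictions") or {}
        targets = {t.get("service") for t in restrictions.get("apiTargets") or []}
        findings = []
        if not targets:
            # Assumption: a key with no API restriction works for every API
            # enabled on its project, including Gemini once that is enabled.
            findings.append("no-api-restriction")
        elif GEMINI_SERVICE in targets and any(r in restrictions for r in CLIENT_SIDE):
            # A key embedded in a page or app is public; it should not carry Gemini.
            findings.append("gemini-on-client-key")
        if not any(r in restrictions for r in APP_RESTRICTIONS):
            findings.append("no-application-restriction")
        if findings:
            report[key.get("displayName", key.get("name", "?"))] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_keys(json.loads(SAMPLE_KEYS_JSON)).items():
        print(f"{name}: {', '.join(findings)}")
```

Keys reported with `no-api-restriction` are the ones to scope to the specific services they were issued for, such as the Maps service only.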

The 23-Minute Revocation Window

Further complicating matters, security firm Aikido found that even developers who catch a compromised key and immediately delete it may not be safe. Attackers can apparently continue using that key for up to 23 minutes because Google’s revocation propagates gradually across its infrastructure. Aikido researcher Joseph Leon told The Register that during that window, success rates are unpredictable — in some minutes over 90% of requests still authenticated — and attackers can use the time to exfiltrate files and cached conversation data from Gemini. Leon noted that Google’s own newer credential formats don’t have the same problem: service account API credentials revoke in about five seconds, and Gemini’s newer AQ-prefixed key format takes about a minute. “Both run at Google scale,” he wrote in Aikido’s related paper. “Both suggest this is technically solvable for Google API keys, too.” In short, the 23-minute window isn’t an engineering constraint but a matter of priorities.

Conclusion

De Souza’s advice — that security must be foundational, not bolted on — is sound and should be taken seriously by every organization deploying AI. However, the recent incidents at Google Cloud itself highlight that even the platforms prescribing best practices are still adapting. As the industry moves toward AI-native defenses and agentic security, the gap between prescription and practice remains a critical concern for boards, executives, and security teams alike.

FAQs

Q1: What is “shadow AI” and why is it a security risk?
Shadow AI refers to employees using consumer AI tools without organizational oversight. This creates risks because such tools may not have enterprise-grade security, governance, or auditability, potentially exposing sensitive data.

Q2: How quickly can attackers exploit a compromised API key on Google Cloud?
According to recent research, even after a key is deleted, attackers can continue using it for up to 23 minutes due to gradual revocation propagation. Google’s newer credential formats revoke much faster, in seconds to a minute.

Q3: What is an “agentic defense” in AI security?
An agentic defense uses AI-driven agents to automatically detect and respond to threats at machine speed, with humans overseeing the process rather than being directly in the loop. This approach is designed to counter the speed of modern AI-powered attacks.

This post Everyone Is Navigating AI Security in Real Time — Even Google first appeared on BitcoinWorld.
