Google security still playing catch-up with AI

Google Cloud’s COO Francis de Souza tells companies to treat AI security as a platform problem from day one. But recent reports of five-figure Gemini bills after compromised API keys—and delays in key revocation—show how quickly reality is moving, even for the
Backstage in Los Angeles, Francis de Souza spoke in a calm, measured tone as the event noise swirled around him. The message he delivered wasn’t about marketing. It sounded like a warning meant for executives who still think security can be handled later—especially as companies rush into AI.
“There’ll be a transition period, and then I think we get to this better place,” de Souza said. He framed that “better place” as something organizations reach only if security stops being treated as an afterthought.
“As companies embark on this AI journey, they need to take a platform approach,” de Souza said. “Security is not something you can bolt on later, and it’s not something you can leave up to employees to do on their own.” He cautioned against what he called “shadow AI”—employees reaching for consumer tools without organizational oversight—and argued that companies should demand security, governance, and auditability from their platforms from the start.
He tied AI strategy directly to data and security strategy. “There’s no such thing as an AI strategy without a data strategy and a security strategy. They need to go hand in hand.”
When the guidance began to sound like a Google Cloud pitch, de Souza pushed back. Google, he said, is committed to a multicloud approach. Companies that think they’re operating on a single cloud, he argued, almost certainly aren’t—because even if they choose a single cloud, they still rely on SaaS applications and partners that may be operating elsewhere. “It’s important for companies to have a security posture that is consistent across clouds, across models.”
He also described why the old pace of defense no longer fits the AI era. The time between an initial breach and the handoff to the next stage of an attack has dropped from eight hours to 22 seconds, he said. And with AI, the threat surface expands beyond the traditional network perimeter. “In addition to your usual estate, you have models now. You have data pipelines used to train the models. You have agents, you have prompts. All of this needs to be protected.”
One risk he flagged is especially unnerving: agents moving through internal systems can stumble into forgotten data repositories. “A lot of organizations have old SharePoint servers [and access controls] they haven’t really updated, but it didn’t matter because nobody really knew where they were. But agents roaming your enterprise will find those data assets and will expose the data on them.”
De Souza’s answer leaned toward the future of defense itself. “We’re now seeing the emergence of an AI-native, fully agentic defense where organizations can run agents driving their defense,” he said. In that model, defense doesn’t necessarily wait for a human to respond in the moment. “Instead of having a human-led defense or even a human in the loop, you can now have humans overseeing a fully agentic defense.”
He made it clear that he thinks this is not only a technology shift. “This is a board-level issue and an executive team issue. It’s not just a security team’s issue.”
But even as AI takes on more defensive work, the people needed to oversee it may not be keeping up. “We’re going to need people to deal with the bug-pocalypse,” Lea Kissner, LinkedIn’s chief information security officer, said in an interview published this week. Kissner added that she doesn’t expect the industry to understand AI security in any sustainable long-term way for at least several years.
That gap—between what platforms recommend and how quickly they themselves adapt—became harder to ignore as new reporting surfaced.
Over the past several weeks, The Register published a series of reports documenting a wave of Google Cloud developers hit with five-figure bills after unauthorized API calls to Gemini models—services some of them had never used or intentionally enabled. The pattern described is familiar, even if the scale is jarring: API keys originally deployed for Google Maps had been publicly placed per Google’s own instructions, and they had quietly become capable of accessing Gemini after Google expanded their scope without clearly disclosing the change.
Rod Danan, CEO of interview-prep platform Prentus, said his bill hit $10,138 in roughly 30 minutes after attackers exploited his compromised API key. Isuru Fonseka, a Sydney-based developer, said he woke up to charges of roughly AUD $17,000 despite believing he had a $250 spending cap in place. Neither Danan nor Fonseka knew that Google’s automated systems could upgrade their billing tiers based on account history, raising effective ceilings to as high as $100,000 without explicit consent.
Google refunded both after The Register published its initial report. Google also told The Register it has no plans to change its automatic tier-upgrade policy, saying it prioritizes preventing service outages over enforcing users’ stated budget preferences.
The billing story didn’t end with key compromise—another report raised questions about what happens after developers try to stop an incident. The Register reported research by security firm Aikido finding that even developers who catch a compromised key and immediately delete it may not be safe. According to Aikido’s findings, attackers can continue using that key for up to 23 minutes because Google’s revocation propagates gradually across its infrastructure.
Aikido researcher Joseph Leon told The Register that during that window, success rates are unpredictable: in some minutes over 90% of requests still authenticated. Leon said attackers can use that time to exfiltrate files and cached conversation data from Gemini.
Leon also pointed out differences in newer credentials. Google’s newer service account API credentials revoke in about five seconds, while Gemini’s newer AQ-prefixed key format takes about a minute. “Both run at Google scale,” Leon wrote in Aikido’s related paper. “Both suggest this is technically solvable for Google API keys, too.” In his view, the 23-minute window isn’t an engineering limitation—it’s a matter of priorities for the company.
Put together, the facts land uncomfortably close to de Souza’s own message: security can’t wait, and platform design determines outcomes. His advice is meant for companies navigating AI in the real world. And the reports show the world is still moving faster than even the platform providers can fully close the loop.
So basically they’re admitting it’s a mess.
I don’t get how Gemini bills are “security” if it’s just AI stuff. Like who even pays those bills? If they leaked API keys then yeah that’s bad but also… isn’t that what cloud companies are for?
Backstage LA?? lmao. sounds like a conference where everyone pretends it’s fine until someone clicks the wrong thing. “transition period” is always code for “it’ll be broken for a while.”
This reads like Google is late to the party like usual. If employees are using random consumer AI tools then stop them? But also don’t they already have security teams for this? I saw something about revocation delays and I immediately thought it was like identity theft paperwork not turning off fast enough, not keys… so yeah, I’m confused. Either way, I don’t trust “we’ll get to better place” talk.