Google Cloud’s top executive is warning companies to treat AI security as a foundation, not an afterthought. But a wave of billing incidents at Google itself shows that even industry leaders are still catching up.
Google Cloud COO Francis de Souza delivered a pointed message at a recent event in Los Angeles: companies embracing AI cannot afford to treat security as something to figure out later.Speaking in measured, direct terms, de Souza argued that organizations embarking on an AI journey need to take what he called a platform approach — one where security, governance, and accountability are built in from the start, not patched on after problems emerge.
“Security is not something you can bolt on later,” he said, “and it’s not something you can leave up to employees to do on their own.”
The Shadow AI Problem
One of de Souza’s sharpest warnings was about shadow AI — employees reaching for consumer AI tools on their own, without company oversight or approval. While it may seem harmless, the practice creates serious blind spots around what data is being shared, with whom, and under what terms.
His position was clear: an AI strategy that does not include a data strategy and a security strategy is not a real strategy at all. The three must be built together.
Notably, de Souza was not simply making a case for Google’s own products. He pushed back on that framing directly, arguing that most companies are already operating across multiple clouds whether they realize it or not — through SaaS applications, third-party business partners, and integrated services. Security posture, he said, needs to be consistent across all of them.
Attacks Are Moving Faster Than Defenses
The urgency behind de Souza’s message becomes clearer when the numbers are laid out. The average time between an initial breach and the next stage of an attack has dropped from eight hours to just 22 seconds.
At the same time, the attack surface has expanded well beyond traditional networks. AI models, the data pipelines used to train them, autonomous agents, and even the prompts users type into systems — all of it now needs to be protected.
De Souza also flagged a threat that rarely gets attention: AI agents moving through a company’s internal systems will inevitably surface old, forgotten data repositories that nobody has actively managed in years. Old SharePoint servers with outdated access controls, for example, were never a visible risk because nobody knew where they were. An AI agent will find them — and so will an attacker.
Defending at Machine Speed
The solution, in de Souza’s view, is to match the speed of attacks with the speed of defense. He pointed to the emergence of what he described as fully agentic defense — AI-driven security systems that can respond in real time, with human teams overseeing operations rather than manually reacting to every threat.
He was equally clear that this is no longer just a technology problem. “This is a board-level issue and an executive team issue,” he said. “It’s not just a security team’s issue.”
The Talent Gap Is Real
Even as AI takes on more of the defensive workload, the people qualified to oversee it remain in short supply. LinkedIn’s Chief Information Security Officer, Lea Kissner, this week described the coming wave of AI-related vulnerabilities as a “bug-pocalypse” — and said she does not expect the industry to have a sustainable grasp on AI security for at least several more years.
Google’s Own Security Gap
De Souza’s advice carries weight. But recent reporting on Google Cloud itself highlights the gap between what platforms prescribe and how quickly they adapt.
Over the past several weeks, a number of Google Cloud developers have been hit with unexpected five-figure bills following unauthorized access to Gemini AI models — services many of them had never used or knowingly enabled.
The pattern was consistent across cases. API keys originally set up for Google Maps — placed publicly according to Google’s own instructions — had quietly been granted access to Gemini after Google expanded their permissions without clearly communicating the change to developers.
Rod Danan, CEO of interview preparation platform Prentus, received a bill of $10,138 in approximately 30 minutes after attackers exploited his compromised key. Isuru Fonseka, a developer based in Sydney, woke up to charges of roughly $17,000 AUD — despite believing a $250 spending cap was in place.
What neither developer knew was that Google’s automated systems had upgraded their billing tiers based on account history, raising effective spending ceilings to as high as $100,000 — without their explicit consent.
Google refunded both developers after the incidents were reported publicly. However, the company stated it has no plans to change its automatic tier-upgrade policy, explaining that it prioritizes preventing service disruptions over enforcing the spending limits users believe they have set.
Deleting a Key Does Not Immediately Stop the Damage
A separate investigation by security firm Aikido added another layer to the concern. Researchers found that developers who catch a compromised API key and delete it immediately are not necessarily safe.
According to Aikido’s findings, attackers can continue using a deleted key for up to 23 minutes while Google’s revocation process propagates gradually across its infrastructure. During that window, success rates were unpredictable — in some minutes, over 90% of requests using the deleted key still authenticated successfully. That is enough time to exfiltrate files and cached conversation data from Gemini.
Aikido researcher Joseph Leon noted that the problem does not appear to be a technical limitation. Google’s own newer credential formats revoke in seconds — service account credentials in about five seconds, and Gemini’s newer key format in roughly one minute.
“Both run at Google scale,” Leon wrote. “Both suggest this is technically solvable for Google API keys, too.”
In other words, the 23-minute window exists not because it cannot be fixed, but because it has not yet been made a priority.
The Honest Picture
De Souza’s advice is sound and worth taking seriously by any organization building with AI. Security must be foundational. Threats are moving faster than traditional defenses can handle. Leadership — not just IT — must own the problem.
But the incidents at Google Cloud are a useful reminder that no platform, however large, has fully solved what it is asking its customers to solve. The reality is that the entire industry — enterprises, developers, and cloud providers alike — is working through the AI security challenge in real time.
The organizations that will fare best are those that treat security as urgent today, even as the rules are still being written.
