
AI Security Is a Work in Progress — Even for Tech Giants Like Google
As companies race to adopt AI, even industry leaders are still figuring out security. Here's what that means for everyone navigating this critical transition.
Nobody Has AI Security Fully Figured Out — Not Even Google
We are all operating in uncharted territory when it comes to artificial intelligence security. That includes the biggest technology companies on the planet.
During a recent backstage conversation at a Los Angeles event, Francis de Souza, Chief Operating Officer of Google Cloud, offered a grounded perspective on the AI security challenges facing organizations today. Speaking with the calm, deliberate clarity of an academic, de Souza acknowledged that businesses are currently in the middle of a difficult transition — but expressed confidence that things will improve. "There'll be a transition period, and then I think we get to this better place," he said.
While his remarks weren't specifically directed at Google's own situation, recent events make it clear that even Google itself is still working through significant security challenges.
Security Must Be Built In From the Start
The central point de Souza pressed was one that cybersecurity professionals have long been urging business leaders to take seriously — and that AI has now made impossible to ignore: security cannot be treated as an optional add-on.
"As companies embark on this AI journey, they need to take a platform approach," he said. "Security is not something you can bolt on later, and it's not something you can leave up to employees to do on their own."
One specific concern he raised was the rise of so-called shadow AI — employees independently turning to consumer-grade AI tools without any oversight or approval from their organizations. De Souza argued that businesses must demand security, governance, and accountability from their AI platforms right from day one. "There's no such thing as an AI strategy without a data strategy and a security strategy. They need to go hand in hand."
The Threat Landscape Has Fundamentally Changed
Beyond internal governance, de Souza painted a stark picture of just how dramatically the external threat environment has evolved. The average time between an initial security breach and the escalation to the next phase of an attack has collapsed — dropping from eight hours down to just 22 seconds. Meanwhile, the attack surface companies must defend has expanded well beyond traditional network boundaries.
"In addition to your usual estate, you have models now. You have data pipelines used to train the models. You have agents, you have prompts. All of this needs to be protected," he noted.
The Hidden Danger of AI Agents Inside Your Organization
One underappreciated risk de Souza highlighted involves AI agents operating within a company's internal systems. These agents can inadvertently expose long-forgotten data repositories that haven't received a security review in years.
"A lot of organizations have old SharePoint servers and access controls they haven't really updated, but it didn't matter because nobody really knew where they were," he explained. "But agents roaming your enterprise will find those data assets and will expose the data on them."
This is a particularly subtle threat — not a sophisticated external hack, but the unintended consequence of deploying powerful tools inside environments that were never fully secured to begin with.
Fighting Machine-Speed Attacks With Machine-Speed Defenses
De Souza's prescription for dealing with these accelerated threats is to match them with equally fast, AI-powered defenses. He described the emergence of fully agentic security systems — where AI agents drive the defensive response autonomously, with human professionals overseeing rather than directly executing every action.
"Instead of having a human-led defense or even a human in the loop, you can now have humans overseeing a fully agentic defense," he said.
He also made clear that this is no longer purely a technical matter. "This is a board-level issue and an executive team issue. It's not just a security team's issue."
The Talent Gap Is Real — And Growing
Even as AI takes on a greater share of defensive responsibilities, the human expertise needed to manage and oversee these systems remains scarce. At the same time, AI is introducing new vulnerabilities faster than security teams can realistically address them.
LinkedIn's Chief Information Security Officer, Lea Kissner, captured the scale of the challenge bluntly in comments to The New York Times, warning that the industry should brace for a "bug-pocalypse" and suggesting that a sustainable, long-term understanding of AI security is still several years away.
Google's Own Security Gaps Come Into Focus
The gap between the advice being offered by platform providers and their own current practices is worth examining closely — and Google provides an instructive case study.
Investigative reporting by The Register revealed a troubling pattern affecting Google Cloud developers over recent weeks. A number of developers found themselves hit with unexpected bills in the tens of thousands of dollars following unauthorized API calls to Google's Gemini AI models — services many had never intentionally activated.
The root cause traced back to API keys that developers had originally set up for Google Maps — deployed publicly, as Google's own documentation instructs. Without clear disclosure, Google had quietly expanded the scope of those keys to include access to Gemini services.
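As an added illustration (not code from the article, The Register, or Google), the script below audits a project's API keys for the class of exposure described here. It assumes the JSON field names of the API Keys API v2 `Key` resource as printed by `gcloud services api-keys list --format=json`, and runs over a constructed three-key sample embedded in the file. A key with no `apiTargets` restriction is accepted by every API enabled on the project, now or in the future, which is how an exposed Maps key can end up authorizing calls to a service its owner never meant to use. The article does not say whether the affected keys carried API restrictions, so this is a general check rather than a reconstruction of those incidents.

```python
"""Audit Google Cloud API keys for missing API and application restrictions.

Added example, not the article's or Google's code. Input is the JSON that
`gcloud services api-keys list --format=json` prints (field names assumed
to follow the API Keys API v2 `Key` resource).
"""
import json

# Constructed sample of three keys, not real output from any project.
SAMPLE_KEYS_JSON = """
[
  {
    "name": "projects/example-project/locations/global/keys/a1b2c3",
    "displayName": "Maps JS key (website)",
    "createTime": "2021-03-04T10:00:00Z",
    "restrictions": {
      "browserKeyRestrictions": {"allowedReferrers": ["https://www.example.com/*"]}
    }
  },
  {
    "name": "projects/example-project/locations/global/keys/d4e5f6",
    "displayName": "Maps JS key (pinned to Maps)",
    "createTime": "2023-01-10T10:00:00Z",
    "restrictions": {
      "browserKeyRestrictions": {"allowedReferrers": ["https://www.example.com/*"]},
      "apiTargets": [{"service": "maps-backend.googleapis.com"}]
    }
  },
  {
    "name": "projects/example-project/locations/global/keys/g7h8i9",
    "displayName": "legacy key",
    "createTime": "2019-06-01T10:00:00Z"
  }
]
"""

# Application-restriction kinds a `Restrictions` object can carry.
APP_RESTRICTION_FIELDS = (
    "browserKeyRestrictions",
    "serverKeyRestrictions",
    "androidKeyRestrictions",
    "iosKeyRestrictions",
)


def key_id(key: dict) -> str:
    """Last path segment of projects/P/locations/global/keys/ID."""
    return key["name"].rsplit("/", 1)[-1]


def audit_key(key: dict) -> list[str]:
    """Return a list of finding codes for one key (empty means acceptable)."""
    findings = []
    restrictions = key.get("restrictions", {})
    targets = restrictions.get("apiTargets", [])
    app_kinds = [f for f in APP_RESTRICTION_FIELDS if f in restrictions]
    if not targets:
        findings.append("UNSCOPED_API: no apiTargets, so the key is accepted by "
                        "every API enabled on the project, including ones enabled later")
    if not app_kinds:
        findings.append("NO_APP_RESTRICTION: any caller from anywhere can use the key")
    elif app_kinds == ["browserKeyRestrictions"] and not targets:
        # Referrer checks depend on a caller-supplied header; a script that
        # spoofs the Referer header bypasses them for non-Maps APIs.
        findings.append("REFERRER_ONLY: referrer checks do not stop server-side "
                        "abuse of an unscoped key")
    return findings


def audit(keys_json: str) -> dict[str, list[str]]:
    """Map each key's resource name to its findings."""
    return {key["name"]: audit_key(key) for key in json.loads(keys_json)}


def restrict_command(key: dict, services: list[str]) -> str:
    """gcloud command that pins the key to the given services.

    Flag syntax as documented for `gcloud services api-keys update`; verify
    against your installed gcloud version before running.
    """
    targets = " ".join(f"--api-target=service={s}" for s in services)
    return f"gcloud services api-keys update {key_id(key)} {targets}"


if __name__ == "__main__":
    for key in json.loads(SAMPLE_KEYS_JSON):
        findings = audit_key(key)
        print(key["displayName"], "->", findings or "OK")
        if any(f.startswith("UNSCOPED_API") for f in findings):
            print("   fix:", restrict_command(key, ["maps-backend.googleapis.com"]))
```

In practice you would pipe the real `gcloud` output into `audit` and treat every `UNSCOPED_API` finding on a key that ships in client-side code as urgent, since that is exactly the combination (public by design, valid for any enabled API) the reporting describes.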
Real Developers, Real Financial Damage
The human cost was significant. Rod Danan, CEO of the interview preparation platform Prentus, saw his account generate a bill of over $10,000 in approximately 30 minutes after attackers exploited a compromised API key. Isuru Fonseka, a developer based in Sydney, woke to charges of roughly AUD 17,000, despite believing a $250 spending cap was protecting him.
What neither developer had been clearly informed of was that Google's automated systems had upgraded their billing tiers based on account history, quietly raising their effective spending ceilings to as high as $100,000 without obtaining their explicit consent.
Google refunded both developers after The Register published its initial coverage. However, the company stated it has no intention of changing its automatic tier-upgrade policy, indicating that preventing service interruptions takes priority over enforcing users' stated budget limits.
Deleting a Compromised Key May Not Be Enough
A separate investigation added another layer of concern. Research conducted by security firm Aikido found that even developers who act quickly to delete a compromised API key may still be at risk. According to Aikido's findings, attackers can continue using a revoked key for up to 23 minutes, because Google's revocation process propagates gradually across its infrastructure rather than taking effect immediately.
Aikido researcher Joseph Leon reported that during this window, attack success rates are highly variable — in some instances, over 90% of requests using the supposedly revoked key still authenticated successfully. During that time, bad actors can exfiltrate files and cached conversation data from Gemini.
Leon also pointed out that this delay does not appear to be an unavoidable engineering limitation. Two of Google's newer credential types already do better: service account credentials revoke in approximately five seconds, and the AQ-prefixed API key format takes about one minute. "Both run at Google scale," Leon wrote. "Both suggest this is technically solvable for Google API keys, too." On that reading, the 23-minute revocation window is a matter of prioritization rather than a hard technical limit.
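The practical consequence of a gradual revocation rollout is that deleting a key does not, by itself, close the incident: the responder has to confirm that the old key is actually being rejected. The following added example (not code from the article or from Aikido) polls a read-only, key-authenticated endpoint with the deleted key and only reports revocation as confirmed after a run of consecutive rejections, because a single rejection during a partial rollout proves nothing. It assumes the Gemini API's `v1beta/models` listing endpoint accepts a `key` query parameter and answers 400 or 403 for an invalid key; the `run_scripted` helper and its probe pattern are constructed for offline demonstration and stand in for the live endpoint.

```python
"""Confirm that a deleted Google API key has stopped authenticating.

Added example, not from the article or Aikido. The probe and clock are
injectable so the polling logic can be exercised offline.
"""
import sys
import time
import urllib.error
import urllib.request
from typing import Callable

# Read-only endpoint that authenticates with an API key (assumed stable).
MODELS_URL = "https://generativelanguage.googleapis.com/v1beta/models?key={key}"


def gemini_key_is_accepted(api_key: str, timeout: float = 10.0) -> bool:
    """True if the key still authenticates, False on 400/401/403.

    5xx and 429 are inconclusive and are re-raised for the caller to handle.
    """
    req = urllib.request.Request(MODELS_URL.format(key=api_key))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except urllib.error.HTTPError as exc:
        if exc.code in (400, 401, 403):
            return False
        raise


def wait_for_revocation(
    probe: Callable[[], bool],
    interval_s: float = 5.0,
    max_wait_s: float = 1800.0,
    stable_rejections: int = 6,
    sleep: Callable[[float], None] = time.sleep,
    clock: Callable[[], float] = time.monotonic,
) -> dict:
    """Poll `probe` until it is rejected `stable_rejections` times in a row.

    Returns whether revocation was confirmed, how many probes were made,
    the elapsed seconds at the last accepted probe, and the fraction of
    probes that were still accepted during the window.
    """
    start = clock()
    results = []  # (elapsed_seconds, accepted)
    streak = 0
    last_accepted_at = None
    while True:
        elapsed = clock() - start
        accepted = probe()
        results.append((elapsed, accepted))
        if accepted:
            streak = 0
            last_accepted_at = elapsed
        else:
            streak += 1
            if streak >= stable_rejections:
                break
        if elapsed >= max_wait_s:
            break
        sleep(interval_s)
    accepted_count = sum(1 for _, ok in results if ok)
    return {
        "confirmed": streak >= stable_rejections,
        "probes": len(results),
        "last_accepted_at_s": last_accepted_at,
        "accepted_fraction": accepted_count / len(results),
    }


# Constructed probe outcomes standing in for a live endpoint: the key is
# accepted, then intermittently rejected, then rejected for good.
SCRIPTED_PATTERN = [True, True, True, False, True, False, True] + [False] * 6


def run_scripted(pattern, interval_s=5.0, max_wait_s=1800.0, stable=6) -> dict:
    """Drive wait_for_revocation with a scripted probe and a fake clock."""
    now = {"t": 0.0}
    outcomes = iter(pattern)
    return wait_for_revocation(
        probe=lambda: next(outcomes),
        interval_s=interval_s,
        max_wait_s=max_wait_s,
        stable_rejections=stable,
        sleep=lambda s: now.__setitem__("t", now["t"] + s),
        clock=lambda: now["t"],
    )


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python revoke_check.py <deleted-key>
        print(wait_for_revocation(lambda: gemini_key_is_accepted(sys.argv[1])))
    else:
        print(run_scripted(SCRIPTED_PATTERN))
```

With a real key, `last_accepted_at_s` is the figure to record in the incident timeline: it is the point up to which an attacker holding the key could still have been pulling data, regardless of when the deletion was issued.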
The Bottom Line: Sound Advice, But Mind the Gap
De Souza's guidance on AI security strategy is both thoughtful and timely. The principles he outlined — treating security as foundational, adopting a platform-wide approach, matching AI-powered threats with AI-powered defenses, and elevating security to the boardroom — represent exactly the kind of strategic thinking organizations need right now.
But the situation at Google itself serves as a useful reminder that even the most sophisticated players in the industry are still catching up. There is currently a meaningful gap between what platform providers are recommending and how quickly they are adapting their own systems and policies. For any organization navigating the AI security landscape today, that context is just as important to keep in mind as the advice itself.
