Even Google Navigates AI Security Challenges in Real Time
Google Cloud COO Francis de Souza advises companies to adopt a proactive, platform-centric approach to AI security, emphasizing integration from the start and defense at machine speed. However, Google itself has recently faced significant security challenges, including developers incurring five-figure bills from unauthorized Gemini API usage due to silent key scope expansions and delayed key revocation times.

The burgeoning field of AI security presents a complex, evolving landscape that even tech giants like Google are navigating in real time. While Google Cloud COO Francis de Souza emphasizes the critical need for a proactive, integrated security approach, recent reports highlight significant vulnerabilities and billing issues impacting Google Cloud developers utilizing AI services.
De Souza, speaking backstage at a Los Angeles event, stressed that security must be an inherent part of a company's AI journey, not an afterthought. He advocated for a "platform approach" where security, governance, and auditability are foundational, warning against "shadow AI" – employees using consumer tools without organizational oversight. According to de Souza, an AI strategy is incomplete without a robust data and security strategy to match.
He underscored that the modern threat landscape has fundamentally shifted. The average time from initial breach to the next stage of an attack has plummeted to just 22 seconds, and the attack surface now includes AI models, data pipelines, agents, and prompts, far beyond traditional network perimeters. De Souza also pointed to the often-overlooked danger of AI agents surfacing forgotten, insecure data repositories within enterprise systems, exposing old data assets.
To counter machine-speed attacks, de Souza proposed an "AI-native, fully agentic defense" where AI agents manage most defensive operations, overseen by humans. He positioned this not merely as a technology issue but a crucial board-level and executive team responsibility, asserting, "This is a board-level issue and an executive team issue. It’s not just a security team’s issue."
Despite this forward-looking advice from a Google executive, the company itself has faced scrutiny over its AI security practices. The Register recently documented multiple instances of Google Cloud developers hit with five-figure bills due to unauthorized API calls to Gemini models. These attacks exploited API keys originally deployed for Google Maps that had quietly gained access to Gemini after Google expanded their scope without clear disclosure.
Developers like Rod Danan and Isuru Fonseka incurred substantial charges – over $10,000 in minutes for Danan, and around AUD $17,000 for Fonseka – despite believing they had spending caps. Google’s automated systems had reportedly upgraded their billing tiers to as high as $100,000 based on account history, without explicit user consent. While Google refunded these developers after The Register's reports, the company stated it has no plans to alter its automatic tier-upgrade policy, prioritizing service outage prevention over enforcing user budget preferences.
Further compounding these concerns, security firm Aikido's research, also reported by The Register, found that even after developers delete a compromised API key, attackers can continue using it for up to 23 minutes. This delay occurs because Google's revocation process propagates gradually across its infrastructure, allowing attackers a window to exfiltrate files and cached conversation data from Gemini. Aikido researcher Joseph Leon noted that newer Google credential formats, such as service account API credentials and Gemini's AQ-prefixed keys, revoke significantly faster (around five seconds and one minute, respectively), suggesting the 23-minute delay for older API keys is a matter of company priority rather than a technical constraint.
This discrepancy highlights a critical gap: while platform providers like Google offer essential advice for securing AI, their own adaptation to these evolving threats may not be keeping pace. LinkedIn's chief information security officer, Lea Kissner, echoed the industry's struggle, telling The New York Times that she anticipates a "bug-pocalypse" and believes it will take several years for the industry to achieve a sustainable understanding of AI security.
The current environment underscores that every organization, from startups to global tech leaders like Google, is navigating this complex AI security terrain in real time, with an ongoing need for both internal vigilance and rapid platform adaptation.
FAQ
Q: What is "shadow AI" and why is it a security concern?
A: "Shadow AI" refers to employees using consumer-grade AI tools without their organization's knowledge or oversight. This poses a security risk because these tools may not meet corporate security standards, potentially exposing sensitive company data or creating unmanaged vulnerabilities.
Q: What specific security issues did Google Cloud developers face?
A: Developers encountered unexpected five-figure bills due to unauthorized API calls to Google's Gemini models. This was caused by older API keys (e.g., for Google Maps) being silently updated to also grant Gemini access. Additionally, Google's automatic billing tier upgrades, made without explicit user consent, allowed these unauthorized charges to escalate significantly.
Q: What is the problem with Google's API key revocation process?
A: Research found that even after developers delete a compromised API key, attackers can continue using it for up to 23 minutes. This delay allows attackers to potentially exfiltrate data, contrasting sharply with much faster revocation times for Google's newer credential formats, suggesting it's a priority issue rather than a technical limitation.
Related articles
DeepMind CEO calls for independent body to regulate frontier AI
DeepMind CEO Demis Hassabis has proposed an independent standards body, modeled after FINRA, to regulate frontier AI models. The body would test advanced AI systems and develop best practices for their release, initially on a voluntary basis before potentially becoming mandatory. This initiative aims to provide technically focused, adaptable oversight to the rapidly evolving field of AI.
Unpacking the 'No Spanish Reading Crisis': Lessons for Developers
The Perceived Crisis of Attention in the Digital Age As software developers, we operate in an ecosystem defined by constant information flow and rapid technological shifts. We're acutely aware of the challenges posed by
Google Maps 3D Immersive View: A Game-Changer for Android Auto
Google Maps 3D Immersive View: A Game-Changer for Android Auto Navigation Verdict: Google Maps' new 3D Immersive View on Android Auto isn't just a visual upgrade; it's a transformative leap in navigation that genuinely
OnePlus is reportedly bailing on the US: Oppo — Key Details
OnePlus, and parent company Oppo, are reportedly exiting the US and European markets, with an announcement due shortly. This follows months of rumors and signals a major shift in the Western smartphone landscape.
startups: The web is now mostly bots. Cloudflare is rebuilding its
Cloudflare has launched Precursor, a new defense system, in response to bots now generating over 57% of all web traffic. Precursor monitors entire user sessions to distinguish humans from sophisticated bots, moving beyond traditional single-check methods. This initiative is part of a broader strategy to classify and manage AI agents, control content reuse, and rebuild the web's foundational infrastructure for a machine-dominated internet.
OpenClaw Machines: Scaling Enterprise AI Agents with Bare Metal
OpenClaw Machines offers an open-source, self-hosted platform for running AI agents with enterprise-grade security and cost efficiency. It utilizes Firecracker microVMs for hardware isolation on your own Linux servers, providing full data sovereignty and predictable costs, especially at scale. The platform includes a control plane for orchestration, a Cloudflare data plane for secure access, and integrated LLM proxying.





