Everyone is navigating AI security in real time — even Google

I recently had the opportunity to sit down with Francis D’Souza, COO of Google Cloud, backstage at an event in Los Angeles. Amidst the commotion around us, D’Souza, who speaks with the calm manner of a university professor, offered helpful advice for companies exploring the AI security moment we’re all living through, noting that “there will be a transition period, and then I think we’ll get to a better place.”

He wasn’t talking about Google at the time, but it’s clear that Google is still figuring things out, too.

D’Souza’s core message was the one security professionals have spent years trying to get executives to internalize, now made concrete by AI: security can’t be an afterthought. “When companies embark on this AI journey, they need to take a platform approach,” he said. “Security is not something you can put off until later, and it’s not something you can leave to employees to do on their own.” He specifically warned about “shadow AI,” employees using consumer AI tools without organizational oversight, and argued that companies need to demand security, governance, and auditability from their platforms from the start. “There is no such thing as an AI strategy without a data strategy and a security strategy. They need to go hand in hand.”

Worth noting: he wasn’t pitching Google Cloud alone. When I remarked that his advice sounded like a Google ad, he pushed back. Google, he said, is committed to a multi-cloud approach, and he made the case that companies that think they’re operating on a single cloud almost certainly aren’t. “If they choose a single cloud, they’re relying on SaaS applications, and there are business partners that are using different clouds,” he said. “It’s important for companies to have a security currency that’s consistent across clouds, across models.”

He also made the case that the threat landscape has changed so fundamentally that old defense models are too slow. He noted that the average time between the initial breach and the handoff to the next stage of the attack has decreased from eight hours to 22 seconds, and that the attack surface has moved beyond the traditional network perimeter. “In addition to your usual real estate, you now have models. You have data pipelines that are used to train the models. You have agents, you have prompts. All of that needs to be stored.”

One risk D’Souza flags that doesn’t get enough attention: agents traversing a company’s internal systems can uncover troves of forgotten data that no one has thought about in years. “Many organizations have old SharePoint servers [and access controls] they haven’t really updated, but it didn’t matter because no one knew where they were. But agents roaming your enterprise will find these data assets and expose the data on them.”

The answer, as he sees it, is to meet machine speed with machine speed. “We are now seeing the emergence of an AI-native, fully agentic defense where organizations can deploy agents to defend themselves,” he said. “Instead of having a human-led defense or even having a human in the loop, you can now have humans oversee a fully agentic defense.” He added that it has become a leadership issue and not just a technology issue. “This is a board-level issue and an executive team issue. It’s not just a security team issue.”

But even as AI takes on more and more of the defense workload, qualified people to oversee it are in short supply, and the vulnerabilities AI itself is introducing are growing faster than security teams can handle. “We’re going to need people to deal with the Big Pocalypse,” Leah Kisner, LinkedIn’s chief information security officer, told the New York Times this week, adding that she doesn’t expect the industry to understand AI security in any sustainable, long-term way for at least several years.

Which brings us back to the platform providers themselves. The Register has published a series of reports over the past several weeks documenting a wave of Google Cloud developers running up five-figure bills after unauthorized API calls were made with their keys to Gemini models, models many of them had never used or intentionally enabled. The cases followed a familiar pattern: API keys originally deployed for Google Maps, and held publicly in line with Google’s own guidelines for such keys, were quietly able to call Gemini after Google expanded their scope without explicitly disclosing the change.

Rod Dennon, CEO of interview prep platform Prints, said he was hit with a bill of $10,138 in about 30 minutes after attackers exploited his compromised API key. Isuru Fonseka, a Sydney-based developer whose account was similarly compromised, woke up to around AUD 17,000 in charges despite believing he had a $250 spending limit. What most didn’t know was that Google’s automated systems had upgraded their billing tiers based on account history, effectively pushing their limits up to $100,000 without express consent.

Google reversed both charges after The Register published its initial report. Still, Google told The Register that it has no plans to change its automatic tier-upgrade policy, saying it prefers preventing service outages over enforcing users’ stated budget preferences.

Meanwhile, what happens when a developer tries to lock things down is a separate question. The Register reported this week on research by security firm Aikido showing that even developers who spot a compromised key and delete it quickly aren’t in the clear. According to Aikido’s findings, attackers can continue using the key for up to 23 minutes while Google’s revocation slowly propagates through its infrastructure. During this window the success rate is unpredictable, with more than 90% of requests still authenticating a few minutes in, and attackers can use the time to extract files and cached conversation data from Gemini, Aikido researcher Joseph Levin told The Register.

Levin also noted that Google’s other credential formats don’t seem to have the same problem: Service Account credentials are revoked in about five seconds, and Gemini’s new AQ-prefixed key format takes about a minute. “Both run at Google’s scale,” he wrote in a related Aikido post. “Both suggest it’s technically solvable for Google API keys as well.” In short, according to Levin, the 23-minute window is not an engineering constraint but a matter of the company’s priorities.
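Two checks a developer could run on their own side of the incidents above, as an added example that is not code from The Register, Aikido or Google: flagging calls where a key is used against a service it was never scoped for (the Maps-key-calls-Gemini pattern), enforcing the developer's own per-key budget regardless of the billing tier the platform assigns, and measuring from a series of probes how long a revoked key keeps authenticating. The key IDs, usage-record format, costs and probe results are all constructed for the demo; nothing here reproduces Aikido's actual methodology or a real Google log format.

```python
"""Added example (not code from The Register, Aikido or Google): checks a
developer can run on their own side of the Gemini key incidents. Key IDs,
the usage-record format and the probe results are constructed for the demo;
they are not real Google credentials, log formats or measurements."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Intended scope per key. A key embedded in a web page for Maps should never
# be able to bill against generativelanguage (Gemini). Placeholder IDs only.
KEY_SCOPE = {
    "key-maps-frontend": {"maps-backend.googleapis.com", "places-backend.googleapis.com"},
    "key-gemini-backend": {"generativelanguage.googleapis.com"},
}


@dataclass
class UsageRecord:
    ts: datetime
    key_id: str
    service: str
    cost_usd: float


def parse_usage(lines):
    """Parse constructed 'ts|key_id|service|cost_usd' records (a simplified
    stand-in for whatever usage export the platform actually provides)."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, key_id, service, cost = line.split("|")
        records.append(UsageRecord(datetime.fromisoformat(ts), key_id, service, float(cost)))
    return records


def out_of_scope_calls(records, scope=KEY_SCOPE):
    """Records where a key hit a service outside its allowlist. A key we do
    not know about has an empty allowlist, so every call it makes is flagged."""
    return [r for r in records if r.service not in scope.get(r.key_id, set())]


def spend_breaches(records, budgets):
    """Enforce the developer's own per-key budget, independent of whatever
    billing tier the platform assigns. Returns (key_id, total, first_breach_ts)."""
    totals, first_breach = {}, {}
    for r in sorted(records, key=lambda rec: rec.ts):
        totals[r.key_id] = totals.get(r.key_id, 0.0) + r.cost_usd
        cap = budgets.get(r.key_id)
        if cap is not None and totals[r.key_id] > cap and r.key_id not in first_breach:
            first_breach[r.key_id] = r.ts
    return [(k, round(totals[k], 2), ts) for k, ts in first_breach.items()]


def revocation_window(revoked_at, probes):
    """Given (timestamp, authenticated) probes issued after a key was revoked,
    return (seconds until the last successful auth, success rate in the first
    five minutes). This measures the window; closing it is on the provider."""
    after = [(ts, ok) for ts, ok in probes if ts >= revoked_at]
    successes = [ts for ts, ok in after if ok]
    last_ok = max(successes) if successes else revoked_at
    early = [ok for ts, ok in after if ts - revoked_at <= timedelta(minutes=5)]
    rate = sum(early) / len(early) if early else 0.0
    return (last_ok - revoked_at).total_seconds(), rate


# Constructed sample: a Maps key that suddenly starts billing Gemini calls.
SAMPLE_USAGE = """
# ts|key_id|service|cost_usd  (constructed)
2025-11-01T09:00:00|key-maps-frontend|maps-backend.googleapis.com|0.02
2025-11-01T09:00:05|key-maps-frontend|generativelanguage.googleapis.com|180.00
2025-11-01T09:00:10|key-maps-frontend|generativelanguage.googleapis.com|220.00
2025-11-01T09:01:00|key-gemini-backend|generativelanguage.googleapis.com|3.50
""".splitlines()
BUDGETS = {"key-maps-frontend": 250.0}  # the limit the developer believes is in force

# Constructed probes: 30-second polling after a revocation at 10:00:00.
REVOKED_AT = datetime(2025, 11, 1, 10, 0, 0)
SAMPLE_PROBES = [(REVOKED_AT + timedelta(seconds=s), ok) for s, ok in [
    (30, True), (60, True), (90, True), (120, True), (150, True),
    (180, True), (210, True), (240, True), (270, False), (300, True),
    (600, False), (1380, True), (1500, False),
]]


def demo():
    records = parse_usage(SAMPLE_USAGE)
    window, early_rate = revocation_window(REVOKED_AT, SAMPLE_PROBES)
    return {
        "out_of_scope": [(r.key_id, r.service) for r in out_of_scope_calls(records)],
        "breaches": spend_breaches(records, BUDGETS),
        "window_seconds": window,
        "early_success_rate": early_rate,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The scope check is the one that would have caught the Maps-key incidents early: a key that has only ever called Maps suddenly billing against a Gemini endpoint is a loud signal whether or not the platform disclosed the scope change. The budget check deliberately ignores the platform's tier, since the tier is what the automatic upgrades moved. The probe loop is the shape of measurement behind a "23-minute window" claim: poll the revoked key on a fixed interval and record the last time it still authenticated.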

That is worth keeping in mind when reading D’Souza’s advice, which is sound and should be taken seriously. He’s not wrong, but there’s a gap between what platforms are currently advising and how quickly they are adapting themselves, and it’s good to be aware of it.
