Google Cloud is telling companies to secure AI from the start while recent reports show Google itself is still tightening the machinery underneath that advice.
That tension is the useful part of the story. Francis de Souza, COO of Google Cloud, told TechCrunch that companies are living through a transition period in AI security, and his prescription was blunt: AI strategy, data strategy, and security strategy now move as one. The harder lesson is that even the platform companies selling the control plane are learning in public.
“There’s no such thing as an AI strategy without a data strategy and a security strategy. They need to go hand in hand.”
AI security has moved from policy document to live-fire exercise
The old enterprise pattern was simple enough: business teams adopted a tool, security teams reviewed it, IT wrapped controls around it, and executives asked for a dashboard. Generative AI breaks that rhythm because the tool does not just store, process, or transmit information. It can retrieve it, summarize it, transform it, expose it, and act on it through agents and APIs.
De Souza’s core warning was aimed at that sequencing problem. Companies cannot treat AI security as a cleanup project after deployment.
“As companies embark on this AI journey, they need to take a platform approach,” he said. “Security is not something you can bolt on later, and it’s not something you can leave up to employees to do on their own.”
The phrase that matters is “shadow AI.” De Souza used it to describe employees reaching for consumer tools without organizational oversight. MLXIO analysis: that makes AI risk less like a single procurement decision and more like a live inventory problem. A company may think it has approved one model or one vendor, while employees are feeding sensitive work into tools the security team cannot see.
This is why adjacent enterprise security failures still matter. AI does not erase phishing, credential abuse, or misconfigured access; it adds new paths on top. For related MLXIO coverage on how trusted infrastructure can be abused, see Scammers Abuse Real Microsoft Address to Push Phishing.
The new attack surface now includes prompts, agents, models, and forgotten data
De Souza framed the AI attack surface as something much wider than the traditional network perimeter. His list was specific: models, data pipelines used to train models, agents, and prompts.
“In addition to your usual estate, you have models now. You have data pipelines used to train the models. You have agents, you have prompts. All of this needs to be protected.”
That is not a cosmetic expansion. A prompt can become an input channel. A model can become a decision layer. A data pipeline can become a route into sensitive training or retrieval material. An agent can move through systems that were never designed for autonomous software behavior.
The most revealing example in the TechCrunch interview was not futuristic. It was stale SharePoint data.
“A lot of organizations have old SharePoint servers [and access controls] they haven’t really updated, but it didn’t matter because nobody really knew where they were. But agents roaming your enterprise will find those data assets and will expose the data on them.”
MLXIO analysis: that is the central enterprise AI risk in one sentence. AI does not only create new data. It changes the discoverability of old data. Repositories that were functionally buried can become visible again when agents start searching, summarizing, and connecting internal systems.
The security implication is uncomfortable. Access controls that were “good enough” because nobody used the system may fail once software starts exploring it at scale.
The speed gap is now measured in seconds, not response meetings
The strongest data point in the source is the compression of attack timing. De Souza said the average time between an initial breach and the handoff to the next stage of an attack has dropped from eight hours to 22 seconds.
That number supports his argument for machine-speed defense.
“We’re now seeing the emergence of an AI-native, fully agentic defense where organizations can run agents driving their defense,” he said. “Instead of having a human-led defense or even a human in the loop, you can now have humans overseeing a fully agentic defense.”
Here is the trade-off:
| Security model | Human role | Source-supported problem |
|---|---|---|
| Human-led defense | Analyst investigates and responds | Too slow if attack handoff happens in 22 seconds |
| Human in the loop | Analyst approves key steps | Still may lag machine-speed attacks |
| Fully agentic defense | Humans oversee defensive agents | Requires trust, governance, and auditability |
De Souza also pushed the accountability point upward.
“This is a board-level issue and an executive team issue. It’s not just a security team’s issue.”
That matters because AI security decisions now touch budget limits, vendor architecture, data governance, employee behavior, and incident response. A CISO cannot fix those alone after deployment. The board has to decide what level of automated action is acceptable, what data agents can reach, and what evidence executives need before scaling AI into core workflows.
Google’s own API billing cases show the platform gap
The sharpest counterweight to Google Cloud’s message comes from reports cited by TechCrunch. The Register documented Google Cloud developers hit with five-figure bills after unauthorized API calls to Gemini models. According to the source, the cases involved API keys originally deployed for Google Maps, placed publicly per Google’s own instructions, that later became capable of accessing Gemini after Google expanded their scope without clearly disclosing the change.
Two cases stand out:
- Rod Danan, CEO of interview-prep platform Prentus, said his bill hit $10,138 in roughly 30 minutes after attackers exploited a compromised API key.
- Isuru Fonseka, a Sydney-based developer, woke up to charges of roughly AUD $17,000 despite believing he had a $250 spending cap.
TechCrunch reports that Google’s automated systems had upgraded their billing tiers based on account history, raising effective ceilings to as high as $100,000 without explicit consent. Google refunded both after The Register’s initial report.
But the policy issue remains. Google told The Register it has no plans to change its automatic tier-upgrade policy, saying it prioritizes preventing service outages over enforcing users’ stated budget preferences.
MLXIO analysis: this is the gap enterprises should study. Platform providers are telling customers to demand governance, auditability, and control. Yet the same platform layer can make invisible changes to scope, billing exposure, or credential behavior. That does not make de Souza’s advice wrong. It makes the execution standard higher.
Revoked keys that still work turn minutes into exposure
The second technical issue is more direct. TechCrunch cites research by security firm Aikido finding that developers who delete a compromised key may still face risk because Google’s revocation propagates gradually across its infrastructure.
According to Aikido’s findings, attackers can apparently keep using that key for up to 23 minutes. Aikido researcher Joseph Leon told The Register that success rates during that window are unpredictable; in some minutes, over 90% of requests still authenticated. Attackers could use that period to exfiltrate files and cached conversation data from Gemini, according to the cited report.
Leon also compared older Google API keys with newer credential formats. Service account API credentials revoke in about five seconds, and Gemini’s newer AQ-prefixed key format takes about a minute.
“Both run at Google scale,” he wrote in Aikido’s related paper. “Both suggest this is technically solvable for Google API keys, too.”
That quote is the crux. If similar systems can revoke faster, then slow revocation is not just a physics problem. It becomes a product-priority question.
This is where AI security starts to resemble other high-stakes technology transitions: real-world testing exposes gaps that planning documents miss. MLXIO has seen the same broad principle in non-AI coverage, where staged validation matters before scale, including €35K Audi A2 e-tron Hits Snow as Cheap EV Bet Gets Real. The sector differs, but the lesson is familiar: promises become meaningful only when the system behaves under pressure.
Talent shortages make “agentic defense” harder to supervise
The source also adds a human constraint. LinkedIn’s chief information security officer Lea Kissner told the New York Times, “We’re going to need people to deal with the bug-pocalypse,” and said she does not expect the industry to understand AI security in any sustainable long-term way for at least several years.
That complicates the shift toward automated defense. If organizations move from human-led response to humans overseeing defensive agents, they still need people who can judge whether those agents are behaving correctly. Oversight is not passive. It requires model understanding, security judgment, and authority to stop unsafe automation.
The near-term prescription is therefore practical, not glamorous:
- Inventory: Know which AI tools, models, agents, APIs, and keys exist.
- Access: Limit what agents and models can reach, especially stale repositories.
- Logging: Preserve enough prompt, output, API, and access records to investigate incidents.
- Budgets: Treat billing ceilings and usage alerts as security controls, not finance-only settings.
- Revocation: Test how fast credentials actually die across infrastructure.
- Governance: Make AI deployment a board and executive issue before it becomes an incident report.
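Three of those items (inventory, budgets, revocation) can be checked against plain API usage logs. The following is an added example, not code from the article, Google or Aikido: it works on a constructed log of one key issued for Maps that starts hitting Gemini (as in the billing cases above), flags the scope drift and the budget breach, and measures how long the key kept authenticating after a revocation timestamp (the check Aikido's findings call for). The key name, the inventory in `BASELINE`, the window, the limit and the log format are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample usage records (not real data): timestamp key api http_status cost_usd
SAMPLE_LOG = """\
2026-03-01T09:05:00Z key-A maps 200 0.005
2026-03-01T09:10:00Z key-A gemini 200 1.50
2026-03-01T09:10:20Z key-A gemini 200 1.50
2026-03-01T09:10:40Z key-A gemini 200 1.50
2026-03-01T09:11:00Z key-A gemini 200 1.50
2026-03-01T09:11:20Z key-A gemini 401 0
"""
BASELINE = {"key-A": {"maps"}}  # hypothetical inventory: key-A was issued for Maps only

def parse(log):
    rows = []
    for line in log.splitlines():
        t, key, api, status, cost = line.split()
        rows.append((datetime.fromisoformat(t.replace("Z", "+00:00")), key, api, int(status), float(cost)))
    return rows

def scope_drift(rows, baseline):
    """Keys that successfully called an API outside the set they were issued for."""
    drift = defaultdict(set)
    for _, key, api, status, _ in rows:
        if status == 200 and api not in baseline.get(key, set()):
            drift[key].add(api)
    return {k: sorted(v) for k, v in drift.items()}

def spend_alerts(rows, window=timedelta(minutes=5), limit_usd=5.0):
    """First moment each key's spend inside a sliding window exceeds the budget limit."""
    by_key, alerts = defaultdict(list), []
    for t, key, _, status, cost in sorted(rows):
        if status == 200:
            by_key[key].append((t, cost))
    for key, events in by_key.items():
        start, running = 0, 0.0
        for t, cost in events:
            running += cost
            while t - events[start][0] > window:  # drop events older than the window
                running -= events[start][1]
                start += 1
            if running > limit_usd:
                alerts.append((key, t.isoformat(), round(running, 2)))
                break
    return alerts

def revocation_tail(rows, key, revoked_at):
    """Seconds a revoked key kept authenticating, and how many calls still got through."""
    late = [t for t, k, _, status, _ in rows if k == key and status == 200 and t > revoked_at]
    return ((max(late) - revoked_at).total_seconds(), len(late)) if late else (0.0, 0)
```

Run `revocation_tail` on real gateway logs with the timestamp at which you deleted a key to get your own number for the propagation window, rather than relying on a vendor's figure.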
The next phase depends on defaults that fail safer
The companies that handle this transition best will not be the ones with the longest AI policy. They will be the ones whose defaults reduce blast radius when employees, agents, APIs, and vendors behave unexpectedly.
Evidence that would strengthen de Souza’s thesis: faster credential revocation, clearer API scope changes, enforceable spending limits, multicloud security controls that work across models, and audit trails that executives can actually use. Evidence that would weaken it: more cases where platform defaults expand exposure faster than customers can detect it.
The watch item is not whether AI security becomes important. Google Cloud’s own COO is already saying it belongs at board level. The real test is whether platform providers and their customers can make security controls move at the same speed as the AI systems they are now deploying.
Impact Analysis
- AI security is becoming a core part of enterprise strategy rather than a post-deployment IT task.
- Shadow AI can expose sensitive company data through tools security teams cannot monitor.
- Even major cloud providers are still adapting their own AI security controls in real time.