Google Cloud COO urges embedding AI security amid rising API key risks

by Helga Moritz
Google Cloud COO urges urgent AI security overhaul as API key and billing flaws expose customers

Google Cloud COO Francis de Souza calls for a platform-first AI security strategy, warning that security must be built in from the start to protect data, models and infrastructure.

Opening summary

Francis de Souza, chief operating officer of Google Cloud, told reporters backstage at a Los Angeles event that AI security must be treated as a platform-level priority rather than an afterthought. He warned that companies face an expanded attack surface — from models and data pipelines to agents and prompts — and urged organizations to adopt consistent governance, auditability and security across clouds. The remarks coincided with reports of developers hit by large unauthorized charges after API keys were abused to access generative AI services.

Google Cloud COO calls for platform approach to AI security

De Souza argued that organizations embarking on AI deployments need to think in terms of platforms, not isolated tools, and that security should be integrated from project inception. He said leaving protection to individual employees or retrofitting controls later creates dangerous gaps, especially as AI workflows proliferate across SaaS and partner systems.

He emphasized that the rise of multicloud and third-party services means a single-cloud assumption is often wrong, and security postures must be consistent across environments. That consistency, he said, should include governance, logging and mechanisms that make AI actions auditable to reduce the risk of uncontrolled or shadow AI activity.

Executives face board-level responsibilities for AI security

De Souza framed AI security as a leadership challenge, telling executives that defenses now require board- and C-suite attention rather than being delegated solely to security teams. He predicted a transition toward defenses driven by agents and automation, where humans oversee machine-speed responses instead of manually conducting every investigation or mitigation.

Industry observers echoed the leadership concern, warning of a talent gap that will complicate adoption. LinkedIn’s chief information security officer has predicted an uptick in specialized security work to address AI-introduced vulnerabilities, and company leaders will need to rethink hiring and governance to keep pace.

API key abuse and surprise bills hit individual developers

Recent reports detailed cases in which compromised API keys were used to call large language models, producing five-figure bills for developers who had not intentionally enabled those services. One platform CEO faced more than $10,000 in charges in roughly 30 minutes after attackers leveraged a compromised key, while another developer in Australia woke to bills far exceeding an assumed spending cap.

Both account holders later received refunds after public reporting, but the incidents underscored practical harms when credentials are exposed and billing tiers are adjusted automatically. The pattern highlights how seemingly routine keys issued for mapping or other services can acquire broader scopes as platforms evolve.

Delayed credential revocation widens window for attackers

Security research by an outside firm found that API keys deleted by developers could remain usable for minutes, in some cases up to about 23 minutes, while revocation propagates across a provider’s global infrastructure. During that window, attackers were able to continue authenticated requests and access cached model conversation data in certain scenarios.

The researchers noted that newer credential formats and service-account keys appeared to revoke far faster, suggesting the longer propagation time for older API keys is an architectural or policy choice rather than a technical impossibility. That disparity raises questions about provider priorities when balancing service continuity against rapid compromise mitigation.
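The two failure modes described above (keys that keep working after deletion, and keys that run up a large bill in minutes) can both be caught from a usage log. The following is an added example, not code from Google Cloud or the research firm cited here: it reads constructed, assumed-format usage records and reports keys accepted after their recorded revocation time as well as keys whose accepted spend in a 30-minute sliding window exceeds a cap.

```python
# Added example (assumed log format): review API-key usage for post-revocation
# acceptance and for spend spikes inside a sliding window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: timestamp, key id, cost in USD, outcome
SAMPLE_LOG = """\
2024-05-01T10:00:05Z key-A 0.40 ok
2024-05-01T10:00:10Z key-B 12.00 ok
2024-05-01T10:00:20Z key-B 95.00 ok
2024-05-01T10:00:40Z key-B 310.00 ok
2024-05-01T10:01:00Z key-A 0.40 ok
2024-05-01T10:05:00Z key-B 450.00 ok
2024-05-01T10:19:30Z key-B 5.00 ok
2024-05-01T10:21:00Z key-B 0.00 denied
"""
# Constructed revocation record: the owner deleted key-B at 10:01:00Z
REVOKED_AT = {"key-B": datetime(2024, 5, 1, 10, 1, 0)}

def parse(log):
    """Turn log text into (timestamp, key, cost, outcome) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, key, cost, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), key, float(cost), outcome))
    return events

def post_revocation_use(events, revoked_at):
    """Return {key: seconds between revocation and its last accepted request}."""
    lag = {}
    for ts, key, _cost, outcome in events:
        cutoff = revoked_at.get(key)
        if cutoff and outcome == "ok" and ts > cutoff:
            lag[key] = max(lag.get(key, 0.0), (ts - cutoff).total_seconds())
    return lag

def spend_over_cap(events, cap_usd, window=timedelta(minutes=30)):
    """Return {key: peak accepted spend} for keys exceeding cap_usd in any window."""
    by_key = defaultdict(list)
    for ts, key, cost, outcome in sorted(events):
        if outcome == "ok":
            by_key[key].append((ts, cost))
    flagged = {}
    for key, items in by_key.items():
        start, total = 0, 0.0
        for ts, cost in items:
            total += cost
            while ts - items[start][0] > window:  # drop requests older than the window
                total -= items[start][1]
                start += 1
            if total > cap_usd:
                flagged[key] = max(flagged.get(key, 0.0), total)
    return flagged
```

The revocation lag reported for key-B (1110 s) is the figure to compare against the provider's stated propagation time; a non-zero value after the advertised window is the signal worth alerting on.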

Agents, forgotten repositories and an enlarged attack surface

De Souza warned that autonomous agents and other AI components can traverse internal systems and surface data repositories long neglected by IT teams. He cited examples of legacy SharePoint servers and stale access controls that went unnoticed because people stopped using or indexing them, but which automated agents can rediscover and expose.

That dynamic transforms what was once a contained discovery problem into an active threat vector, because agents operating at machine speed can find and exploit data stores before teams react. Organizations that do not inventory and remediate dormant assets risk accidental leaks or model poisoning incidents stemming from overlooked content.

AI-native defenses are emerging but platform gaps remain

In response to faster attacker tactics, De Souza advocated matching machine speed with machine defenses: agentic, AI-native systems that operate under human oversight to detect, respond and remediate threats. He positioned such defenses as complementary to human analysts and as necessary to counter the rapid handoffs attackers now use.

Yet he acknowledged a tension between that prescription and current platform behavior, citing recent cases where automatic billing tier changes and credential propagation delays undermined customer protections. The contrast suggests a need for platform providers to align operational practices with the security posture they promote to customers.

Companies must plan for technical fixes and governance changes to close that gap, including clearer credential life-cycle management, stronger defaults on API scopes, and more transparent communication when service capabilities are altered. Without those measures, enterprises risk adopting AI systems whose operational realities do not match advertised safeguards.

The combination of widened attack surfaces, credential management weaknesses and resource constraints means organizations should prioritize an integrated AI security strategy now, not later. Leaders should inventory data assets, enforce consistent controls across clouds, upgrade credential practices, and invest in human and automated defenses to protect models, pipelines and the people who oversee them.

The Berlin Herald
Germany's voice to the World