Insights from Francis de Souza on Navigating AI Security
I recently had the opportunity to sit with Francis de Souza, COO of Google Cloud, backstage at an event in Los Angeles. Amid the noise around us, de Souza, who speaks with the calm, measured manner of a university professor, offered useful advice for companies navigating the AI security situation we are all living through, noting: “There will be a transition period, and then I think we’ll get to a better place.”
A Comprehensive Approach to AI Security
De Souza’s core message was that security experts have been trying to make it clear to executives for years what is now made urgent by AI: Security cannot be an afterthought. “As companies embark on this AI journey, they need to take a platform approach,” he said. “Security isn’t something you can take on as an afterthought, and you can’t leave it up to your employees to deal with it.” He particularly warned against “shadow AI” – employees using consumer tools without organizational oversight – and argued that companies must require security, governance and auditability from their platforms from the start. “There is no AI strategy without a data strategy and a security strategy. They have to go hand in hand.”
Beyond a Single Cloud
Remarkable: He didn’t just introduce Google Cloud. When I realized his advice sounded like a Google ad, he declined. Google is committed to a multi-cloud approach, he said, and he argued that companies that think they’re operating on a single cloud almost certainly aren’t. “Even if they choose a single cloud, they rely on SaaS applications, there are business partners who may use different clouds,” he said. “It is important for companies to have a consistent security posture across all clouds and models.”
Adapting to New Threats
He also argued that the threat landscape has changed so fundamentally that old defense models are too slow. He found that the average time between an initial breach and transition to the next phase of an attack has dropped from eight hours to 22 seconds, and that the attack surface has expanded far beyond the traditional network perimeter. “In addition to your usual inventory, you now have models. You have data pipelines that train the models. You have agents, you have prompts. All of this needs to be protected.”
Machine Speed Defense
In his view, the answer is to meet machine speed with machine speed. “We are now seeing the emergence of AI-native, fully agent-based defense, where organizations can deploy agents to power their defense,” he said. “Instead of having a human-led defense, or even a human in the loop, you can now have people overseeing a completely agent-based defense.” He added that this has become a leadership issue, not just a technology issue. “This is a board-level issue and a leadership team issue. It’s not just a security team issue.”
Challenges in AI Security
But even as AI takes on more of the defensive workload, the people qualified to monitor it are in short supply—and the vulnerabilities that AI itself introduces are multiplying faster than security teams can fix them. “We’re going to need people to deal with the bugpocalypse,” Lea Kissner, LinkedIn’s chief information security officer, told The New York Times this week, adding that she doesn’t expect the industry to have a sustained understanding of AI security for the next few years.
The Role of Platform Providers
Which brings us back to the platform providers themselves. The Register has published a series of reports in recent weeks documenting a wave of Google Cloud developers being hit with five-figure bills after making unauthorized API calls to Gemini models – services that many of them had never used or intentionally enabled. The cases followed a familiar pattern: API keys originally provided to Google Maps and made publicly available according to Google’s own instructions were quietly accessible to Gemini after Google expanded their scope without clearly disclosing the change.
Rod Danan, CEO of interview prep platform Prentus, said his bill reached $10,138 in about 30 minutes after attackers exploited his compromised API key. Isuru Fonseka, a Sydney-based developer whose account was also compromised, was hit with around A$17,000 in charges despite believing he had a $250 spending cap. What no one knew was that Google’s automated systems had been updating their billing tiers based on account history, raising their effective caps up to $100,000 without explicit consent.
Google filed both charges after The Register published its initial report. Still, Google told The Register that it has no plans to change its automatic tier upgrade policy, saying that preventing service outages takes priority over enforcing user-specified budget preferences.
Mitigating Risks with API Keys
In the meantime, the question is what happens when a developer tries to shut things down? The Register reported this week on an investigation by security firm Aikido that found that even developers who intercept a compromised key and immediately delete it may not be safe. According to Aikido’s findings, attackers can apparently continue to use this key for up to 23 minutes as Google’s revocation gradually spreads throughout the infrastructure. Aikido researcher Joseph Leon told The Register that success rates during this window are unpredictable – in some minutes over 90% of requests are still authenticated – and attackers could use the time to exfiltrate files and cached conversation data from Gemini.
Leon also noted that Google’s own newer credential formats don’t appear to have the same problem: API credentials for service accounts are revoked in about five seconds, and Gemini’s newer AQ-prefixed key format takes about a minute. “Both are running at Google scale,” he wrote in a related essay on Aikido. “Both suggest that this is also technically solvable for Google API keys.” In short, according to Leon, the 23-minute window is not a technical limitation, but a matter of the company’s priorities.
This is worth considering when reading de Souza’s advice, which is sound and should be taken very seriously. He’s not wrong, but there is currently a gap between the platforms they dictate and the speed at which they adapt themselves, and it’s good to be aware of that too.
“`
