Google Cloud’s own COO admits the AI security playbook is being written in real time, and his company isn’t immune to the same growing pains it’s warning customers about. In a backstage conversation with TechCrunch AI, Francis de Souza laid out what enterprises need to fix before AI agents start roaming their networks. The timing is awkward: while he was preaching platform-level security, Google was refunding developers hit with five-figure surprise bills from compromised API keys.
The 22-second problem
De Souza’s headline stat should make every CISO sit up. The average time between an initial breach and the next stage of attack has collapsed from eight hours to 22 seconds. Human-in-the-loop defense isn’t slow, it’s obsolete at that speed.
His prescription, per TechCrunch AI: meet machine speed with machine speed. “We’re now seeing the emergence of an AI-native, fully agentic defense where organizations can run agents driving their defense,” he said. Humans oversee. Agents act.
That’s a real shift. For two decades, the security industry sold “human in the loop” as the gold standard. De Souza is arguing the loop itself is the bottleneck.
What’s actually new on the attack surface
De Souza named the pieces most security teams haven’t fully mapped yet:
- Models themselves
- Data pipelines used to train them
- Agents operating inside the enterprise
- Prompts flowing through every workflow
The sleeper threat he flagged: agents will find data nobody remembers exists. “A lot of organizations have old SharePoint servers they haven’t really updated, but it didn’t matter because nobody really knew where they were. But agents roaming your enterprise will find those data assets and will expose the data on them.”
That’s a quiet revolution in how breaches will unfold. Obscurity stops being a defense the moment a competent agent has read access.
Google’s own mess
Here’s where the analysis turns uncomfortable for Mountain View. TechCrunch AI cites The Register’s reporting on Google Cloud developers hit with massive bills after unauthorized Gemini API calls.
The pattern repeats:
- Rod Danan of Prentus: $10,138 in 30 minutes
- Isuru Fonseka in Sydney: roughly AUD $17,000, despite a stated $250 cap
- API keys originally scoped for Google Maps silently gained Gemini access after Google expanded their scope
- Google’s automated systems quietly raised billing ceilings as high as $100,000 without explicit consent
Google refunded both developers after The Register reported the cases. The company told The Register it has no plans to change the automatic tier-upgrade policy, citing service continuity over user-set budgets.
And revocation isn’t instant. Security firm Aikido found that compromised keys can keep working for up to 23 minutes after deletion because Google’s revocation propagates gradually. In some windows, over 90% of requests still authenticated. Plenty of time to exfiltrate cached Gemini conversations.
Why this matters now
LinkedIn CISO Lea Kissner told the New York Times this week she doesn’t expect the industry to understand AI security in any durable way for at least several years. “We’re going to need people to deal with the bug-pocalypse,” she said.
Translation: the vulnerabilities AI introduces are multiplying faster than defenders can catalog them. Even hyperscalers are improvising.
Practical takeaways
If you’re running AI in production, three moves matter this quarter:
- Audit shadow AI. Employees pasting company data into consumer chatbots is the new shadow IT. Build the approved alternative before banning the workaround.
- Treat API keys as live ammunition. Assume any key in a public repo or client-side bundle is already compromised. Scope tightly. Set hard billing caps and verify your provider actually honors them.
- Inventory your forgotten data. Before you deploy internal agents, run access-control audits on every legacy SharePoint, S3 bucket, and shared drive. Agents will find what humans forgot.
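One way to act on the "scope tightly" advice, as an added example that is not from TechCrunch, The Register or Google: a Python check that flags keys with no API allow-list, keys that can reach services they were never meant for (the Maps-key-with-Gemini-access pattern described above), and keys with no client restriction. It assumes key records exported as JSON in the shape of the Google API Keys API Key resource; the key names and the INTENDED map are constructed placeholders.

```python
import json

# Assumption: records follow the Google API Keys API Key resource layout.
CLIENT_RESTRICTIONS = ("browserKeyRestrictions", "serverKeyRestrictions",
                       "androidKeyRestrictions", "iosKeyRestrictions")

# Constructed sample inventory and intended-service map; names are placeholders.
SAMPLE_KEYS = json.loads("""[
  {"displayName": "maps-web-legacy", "restrictions": {}},
  {"displayName": "maps-web", "restrictions": {
      "browserKeyRestrictions": {"allowedReferrers": ["https://example.com/*"]},
      "apiTargets": [{"service": "maps-backend.googleapis.com"}]}},
  {"displayName": "maps-mobile", "restrictions": {
      "apiTargets": [{"service": "maps-backend.googleapis.com"},
                     {"service": "generativelanguage.googleapis.com"}]}}
]""")
INTENDED = {name: {"maps-backend.googleapis.com"}
            for name in ("maps-web-legacy", "maps-web", "maps-mobile")}


def audit_key(key, intended_services):
    """Return the list of findings for one key record."""
    r = key.get("restrictions") or {}
    targets = {t.get("service") for t in r.get("apiTargets", [])}
    findings = []
    if not targets:
        # No allow-list: works for any key-accepting API enabled in the project.
        findings.append("no API restriction")
    unexpected = targets - set(intended_services)
    if unexpected:
        findings.append("unexpected services: " + ", ".join(sorted(unexpected)))
    if not any(r.get(name) for name in CLIENT_RESTRICTIONS):
        findings.append("no client restriction")
    return findings


def audit(keys, intended):
    """Map key name -> findings, omitting keys that pass every check."""
    report = {}
    for key in keys:
        name = key.get("displayName", "<unnamed>")
        findings = audit_key(key, intended.get(name, ()))
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_KEYS, INTENDED).items():
        print(f"{name}: {'; '.join(findings)}")
```

Rerun the check whenever a new API is enabled in a project, since a key with no allow-list picks up that API without any change to the key itself.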
De Souza’s broader point holds: there’s no AI strategy without a data strategy and a security strategy. The catch is that nobody, not even the platforms selling you the AI, has fully figured out what that looks like yet.
Full details at the original TechCrunch AI report.