Google Cloud chief urges AI security integration as billing and API delays spark scrutiny
As Google Cloud executives call for security to be embedded in AI strategies from the outset, independent research highlights a 23-minute window for data exfiltration following key compromise, coinciding with developer complaints over unexpected billing spikes.
Francis de Souza, chief operating officer of Google Cloud, has urged enterprises to embed security protocols within their artificial intelligence strategies from the initial design phase. Speaking at an event in Los Angeles, de Souza cautioned against treating security as an afterthought or leaving it to individual employees, warning specifically against "shadow AI"—the unauthorised use of consumer AI tools by staff. He argued that security, data governance, and auditability must be integrated into platform strategies from the start, advocating for a multicloud security posture that remains consistent across different models and environments.
The guidance comes as reports highlight significant billing issues for Google Cloud developers, including unauthorised API usage resulting in thousands of dollars in charges. The Register has documented cases where API keys, originally deployed for Google Maps, were quietly expanded to access Gemini models, leading to unexpected costs. Rod Danan, CEO of Prentus, reported a bill of $10,138 in roughly 30 minutes, while Sydney-based developer Isuru Fonseka faced charges of approximately AUD $17,000. Both incidents occurred despite developers believing they had spending caps in place, as Google’s automated systems had raised their effective ceilings based on account history without explicit consent.
Compounding these financial concerns is research from security firm Aikido indicating a 23-minute delay in revoking compromised Google API keys. This latency allows attackers to continue using the keys to exfiltrate data even after a developer attempts to delete them. Aikido researcher Joseph Leon noted that during this window, success rates for authentication requests can exceed 90 per cent in some minutes. Leon stated that the delay is attributed to operational prioritisation rather than technical constraints, pointing out that newer credential formats used by Google revoke in seconds or minutes, suggesting the issue is solvable.
De Souza acknowledged that the threat landscape has shifted dramatically, with the average time between an initial breach and the next stage of an attack dropping from eight hours to 22 seconds. He warned that AI agents can surface forgotten data repositories, such as outdated SharePoint servers, which traditional security models might miss. To counter this, he suggested the emergence of AI-native, fully agentic defence systems where machines drive the response under human oversight, rather than relying solely on human-led security teams.
Despite the executive advice, the gap between prescribed security practices and platform implementation remains a point of contention. While Google has refunded the developers affected by the billing controversies, the company has stated it has no plans to change its automatic tier-upgrade policy, prioritising service continuity over enforcing stated budget preferences. As the industry navigates this transition, the combination of rapid attack vectors, billing ambiguities, and revocation delays underscores the complexity of securing AI infrastructure in real time.
