The COO of Google Cloud spent part of last week telling executives that security cannot be bolted onto AI strategies after the fact. The same week, security researchers published findings showing that deleted Google API keys remain usable by attackers for up to 23 minutes, and Google Cloud developers continued seeking refunds for five-figure bills triggered by API calls they never authorized. The gap between the advice and the practice is the story.
The prescription
Francis de Souza, Google Cloud’s COO, shared at a recent Los Angeles event that companies need to demand security, governance, and auditability from their platforms from the start, and warned specifically about “shadow AI” — employees reaching for consumer tools without organisational oversight. His framing: “There’s no such thing as an AI strategy without a data strategy and a security strategy. They need to go hand in hand.”
The framing of the threat landscape is equally striking. Google’s own Mandiant M-Trends 2026 report, presented at RSAC, found that adversary coordination has driven the time between initial access and hand-off to a follow-on attacker down to 22 seconds. The implication: human-led defence is structurally too slow. Google Cloud’s proposed answer, articulated at Cloud Next 2026, is a shift from human-in-the-loop to AI-led defence, with humans overseeing rather than operating in the loop.
The practice
While that case was being made, The Register was documenting a different story about the same platform. Prentus CEO Rod Danan watched his Google Cloud bill hit $10,138 in about 30 minutes after attackers used a compromised API key. Sydney-based developer Isuru Fonseka woke up to charges of roughly AUD $17,000 despite believing he had a $250 spending cap in place. Google later reimbursed both after the reporting appeared but said it would not change the underlying policy.
The mechanism is worth pausing on. A February analysis by Truffle Security researcher Joe Leon documented that API keys originally deployed for Google Maps — keys Google’s own documentation told developers to paste publicly into HTML — quietly became capable of accessing Gemini models after Google expanded their scope. Truffle’s scan of public web sources turned up 2,863 live Google API keys exposed to this vector. Separately, Google’s automated systems upgraded users’ billing tiers based on account history, raising effective ceilings as high as $100,000 without explicit consent. Google has indicated it will continue that automatic tier-upgrade policy, citing a preference for preventing service outages over enforcing user-stated budget caps.
The 23-minute window
The credential-revocation issue is the more revealing of the two. Researchers at Aikido Security, led by Joe Leon, found that even developers who catch a compromised key and immediately delete it may not be safe. Across ten controlled trials, the revocation window ranged from about eight minutes to nearly 23, with a median around 16. During that window, success rates are unpredictable — in some minutes, over 90% of requests still authenticated; in others, fewer than 1%. Attackers can use the time to exfiltrate files and cached Gemini conversation data.
Aikido’s analysis indicates that Google’s newer credential formats don’t have the same problem: service account API credentials revoke in about five seconds, and Gemini’s AQ-prefixed key format takes about a minute. Both run at Google scale, suggesting this is technically solvable for standard Google API keys too. Google told Aikido it has no plans to address the gap, closing the report as “Won’t Fix (Infeasible)” and describing the propagation delay as working as intended. The 23-minute window, in other words, is a question of priorities rather than engineering constraint.
Why this matters structurally
The standard reading of incidents like these is that they reflect implementation gaps a large platform will eventually close. The institutional reading is harder. Cloud platforms are simultaneously selling AI infrastructure, AI security tooling, and the analytical frameworks customers use to think about AI risk. The same company that prescribes the standard also defines what counts as meeting it, and operates with internal incentives — uptime, billing continuity, default expansion of API scope — that don’t always align with the customer’s stated security posture.
De Souza himself has been candid that the industry is still figuring this out, telling TechCrunch that everyone is “navigating AI security in real time” and that a sustainable long-term understanding of AI security remains several years away. That is a candid assessment from someone whose job is to have answers.
Silicon Canals has previously examined how the AI industry’s confidence in its own architecture is being quietly walked back in private even as it’s marketed in public. The security layer is following a similar pattern. The advice from platform leaders is sound. The practice on the same platforms is several steps behind the advice. Both things are true, and customers are being asked to act on the prescription while absorbing the cost of the gap.
