AIToday

Google Cloud executives acknowledge AI security gaps even as the company faces developer billing and API key revocation issues

TechCrunch AI · May 24, 2026 · 2 min read
3 Key Points

  1. Francis de Souza, COO of Google Cloud, advised companies that security must be built into AI strategies from the start, not added later, and warned specifically about 'shadow AI'—employees using consumer tools without organizational oversight. He emphasized that 'There's no such thing as an AI strategy without a data strategy and a security strategy.'

  2. Google Cloud developers were hit with unexpected five-figure bills after attackers exploited compromised API keys to access Gemini models. Rod Danan's bill reached $10,138 in roughly 30 minutes; Isuru Fonseka woke to charges of roughly AUD $17,000 despite believing he had a $250 spending cap. Google had automatically upgraded their billing tiers to ceilings as high as $100,000 without explicit consent, and the company said it has no plans to change this automatic tier-upgrade policy.

  3. Security research by Aikido found that deleted API keys may remain functional for up to 23 minutes because Google's revocation propagates gradually across its infrastructure, allowing attackers to exfiltrate files and cached conversation data from Gemini. Researcher Joseph Leon noted that Google's service account credentials revoke in about five seconds and Gemini's newer AQ-prefixed keys take about a minute, suggesting the delay is 'a matter of priorities for the company' rather than an engineering constraint.
