Google Cloud leaders warn AI security must be built in from the start

In short: Companies are rushing to use AI, and security leaders say the safest approach is to plan for protection upfront, even as real-world gaps keep showing up.

What's going on

Francis de Souza, the COO of Google Cloud, said companies cannot treat security as something to add later when they adopt AI tools. He warned about “shadow AI,” which is when employees use consumer AI tools at work without company approval or oversight.

De Souza also said most companies are not truly on one cloud provider. Even if they pick one main provider, they still rely on other online software services and partners. That makes it important to have consistent security rules across different systems and AI models.

He argued that attacks are moving faster than before. He cited a drop in the average time between an initial break-in and the next stage of an attack, from eight hours to 22 seconds. He also said the “attack surface” is bigger now, meaning there are more places attackers can target, including AI models, the data used to train them, and AI “agents” (software helpers that can move through systems like a fast intern with access).

What to watch

Recent reports suggest the platforms themselves are still adjusting. The Register described cases where Google Cloud developers received large bills after attackers used exposed API keys, which are like passwords for software access. Some developers said their Google billing limits were automatically raised, and a security firm, Aikido, reported that deleted Google API keys could keep working for up to 23 minutes in some cases. Google reportedly issued refunds in some cases, but said it would keep its automatic tier upgrade policy.

Source: TechCrunch AI