Monday, Jun 1, 2026

Google’s Security Advice Is Sound. Its Own API Keys Tell a Different Story

Anderson Liam

Francis de Souza, COO of Google Cloud, offered a calm and genuinely useful message at a tech event in Los Angeles this week: security cannot be bolted on after the fact. Companies adopting AI need a platform approach from day one, with governance and auditability built into the architecture. He warned about ‘shadow AI’ – employees reaching for consumer tools outside organizational oversight – and put the threat landscape in sharp terms: the average time between an initial breach and its escalation has dropped from eight hours to 22 seconds. The advice is sound. The platform delivering it is, at the same moment, under scrutiny for a billing scandal that tests almost every principle de Souza articulated.

Security firm Aikido published research this week finding that even developers who catch a compromised API key and delete it immediately may not be safe. According to Aikido researcher Joseph Leon, attackers can continue using deleted Google Cloud API keys for up to 23 minutes because Google’s revocation system propagates gradually across its infrastructure. During that window, success rates are unpredictable. In some minutes, over 90% of requests still authenticate. Attackers can use the time to exfiltrate files and cached conversation data from Gemini. Leon noted that Google’s newer service account credentials revoke in about five seconds, and its AQ-prefixed Gemini key format revokes in about a minute. Both run at Google scale – meaning the 23-minute window is, in Leon’s framing, a matter of priorities. This is precisely the kind of gap NewsTrackerToday followed closely as de Souza’s interview circulated.
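For a team that has just deleted a leaked key, the practical consequence is that the incident does not end at the moment of deletion. The following is an added example, not code from the article or from Aikido's research: it audits request logs for calls that still authenticated with the deleted key. The 23-minute window is the figure reported above; the log layout, key labels and timestamps are constructed for illustration and are not a Google Cloud log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Propagation window the article reports for deleted Google Cloud API keys.
REVOCATION_WINDOW = timedelta(minutes=23)

# Constructed sample: (timestamp, key label, HTTP status). Hypothetical layout.
DELETED_AT = datetime(2026, 5, 28, 10, 0, 0)
SAMPLE_LOG = [
    ("2026-05-28T09:58:10", "key-A", 200),  # before deletion: ignored
    ("2026-05-28T10:00:30", "key-A", 200),
    ("2026-05-28T10:00:45", "key-A", 403),
    ("2026-05-28T10:05:00", "key-B", 200),  # different key: ignored
    ("2026-05-28T10:07:12", "key-A", 200),
    ("2026-05-28T10:07:40", "key-A", 200),
    ("2026-05-28T10:19:03", "key-A", 200),
    ("2026-05-28T10:19:30", "key-A", 403),
    ("2026-05-28T10:24:00", "key-A", 403),
]

def post_deletion_usage(records, key, deleted_at):
    """Summarise requests made with `key` at or after its deletion time."""
    per_minute = defaultdict(lambda: [0, 0])  # minute offset -> [accepted, total]
    last_accepted = None
    for ts, k, status in records:
        when = datetime.fromisoformat(ts)
        if k != key or when < deleted_at:
            continue
        minute = int((when - deleted_at).total_seconds() // 60)
        per_minute[minute][1] += 1
        if 200 <= status < 300:  # request still authenticated
            per_minute[minute][0] += 1
            if last_accepted is None or when > last_accepted:
                last_accepted = when
    exposure = (last_accepted - deleted_at) if last_accepted else timedelta(0)
    return {
        "accepted_after_deletion": sum(ok for ok, _ in per_minute.values()),
        "success_rate_by_minute": {m: ok / total
                                   for m, (ok, total) in sorted(per_minute.items())},
        "observed_exposure": exposure,
        # Keep reviewing activity for this key at least until this time.
        "review_until": deleted_at + REVOCATION_WINDOW,
        # True means the key outlived even the reported window: escalate.
        "beyond_reported_window": exposure > REVOCATION_WINDOW,
    }

if __name__ == "__main__":
    for name, value in post_deletion_usage(SAMPLE_LOG, "key-A", DELETED_AT).items():
        print(f"{name}: {value}")
```

Any accepted request after the deletion time should be treated as potential data access and reviewed, not dismissed because the key was already gone.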

Sophie Leclerc, who covers the technology sector, draws a sharp line through the corporate logic here: “De Souza’s security-first message is consistent with what Google Cloud needs enterprise clients to believe about the platform. And honestly, the substance of what he’s saying about agentic threats and shadow AI is correct and important. But the API key billing cases represent a specific failure mode where Google’s own policies – automatic tier upgrades without explicit user consent, slow key revocation – created the vulnerability. You can’t build a security pitch on one hand and expand attack surface on the other without at least acknowledging the tension.”

Rod Danan, CEO of interview-prep platform Prentus, received a bill of roughly $10,138 in about 30 minutes after attackers exploited a compromised API key. Isuru Fonseka, a Sydney-based developer, woke to charges of approximately AUD $17,000 despite believing he had a $250 spending cap. What neither knew: Google’s automated systems had upgraded their billing tiers based on account history, raising effective ceilings to as high as $100,000 without explicit consent. Google refunded both after security researchers published findings, but confirmed it has no plans to change its automatic tier-upgrade policy, saying it prioritizes service continuity over users’ stated budget preferences. That decision and its justification are what NewsTrackerToday set against de Souza’s platform-trust argument.

Liam Anderson reads the investor angle without editorializing: “Google Cloud revenue is the growth story at Alphabet right now. Any policy that keeps enterprise clients on higher billing tiers without friction serves that story. Refunding a few developers is cheap. Changing the auto-upgrade policy costs recurring revenue. They made a choice.” De Souza himself raised the threat of AI agents surfacing forgotten data repositories inside enterprise systems – ‘old SharePoint servers nobody really knew where they were.’ His proposed solution was fully agentic defense at machine speed. Whether enterprises can implement that is a question that NewsTrackerToday pressed on: the companies most in need of AI-native security are also the ones least likely to have the architecture to run it.

De Souza described AI security as a board-level issue. That framing is right. But boards reading his advice this week also have access to the Aikido research and the billing case documentation. The uncomfortable conclusion NewsTrackerToday turned over is simply this: the company most vocally prescribing AI security discipline is currently operating a 23-minute revocation gap in its own infrastructure while defending an automatic billing escalation policy that affected customers describe as a trap. That is not hypocrisy. It is, as de Souza said himself, a transition period. The question nobody answered is: transition toward what, and on whose timeline?
