Thursday, Jul 16, 2026
Newstrackertoday
  • News
  • About us
  • Team
  • Contact
Reading: Google’s Security Advice Is Sound. Its Own API Keys Tell a Different Story
Share
NewstrackertodayNewstrackertoday
Font ResizerAa
  • News
Search
Follow US
© 2022 Foxiz News Network. Ruby Design Company. All Rights Reserved.
News

Google’s Security Advice Is Sound. Its Own API Keys Tell a Different Story

Anderson Liam
SHARE

Francis de Souza, COO of Google Cloud, offered a calm and genuinely useful message at a tech event in Los Angeles this week: security cannot be bolted on after the fact. Companies adopting AI need a platform approach from day one, with governance and auditability built into the architecture. He warned about ‘shadow AI’ – employees reaching for consumer tools outside organizational oversight – and put the threat landscape in sharp terms: the average time between an initial breach and its escalation has dropped from eight hours to 22 seconds. The advice is sound. The platform delivering it is, at the same moment, under scrutiny for a billing scandal that tests almost every principle de Souza articulated.

Security firm Aikido published research this week finding that even developers who catch a compromised API key and delete it immediately may not be safe. According to Aikido researcher Joseph Leon, attackers can continue using deleted Google Cloud API keys for up to 23 minutes because Google’s revocation system propagates gradually across its infrastructure. During that window, success rates are unpredictable. In some minutes, over 90% of requests still authenticate. Attackers can use the time to exfiltrate files and cached conversation data from Gemini. Leon noted that Google’s newer service account credentials revoke in about five seconds, and its AQ-prefixed Gemini key format revokes in about a minute. Both run at Google scale – meaning the 23-minute window is, in Leon’s framing, a matter of priorities. This is precisely the kind of gap NewsTrackerToday followed closely as de Souza’s interview circulated.

Sophie Leclerc, who covers the technology sector, draws a sharp line through the corporate logic here: “De Souza’s security-first message is consistent with what Google Cloud needs enterprise clients to believe about the platform. And honestly, the substance of what he’s saying about agentic threats and shadow AI is correct and important. But the API key billing cases represent a specific failure mode where Google’s own policies – automatic tier upgrades without explicit user consent, slow key revocation – created the vulnerability. You can’t build a security pitch on one hand and expand attack surface on the other without at least acknowledging the tension.”

Rod Danan, CEO of interview-prep platform Prentus, received a bill of roughly $10,138 in about 30 minutes after attackers exploited a compromised API key. Isuru Fonseka, a Sydney-based developer, woke to charges of approximately AUD $17,000 despite believing he had a $250 spending cap. What neither knew: Google’s automated systems had upgraded their billing tiers based on account history, raising effective ceilings to as high as $100,000 without explicit consent. Google refunded both after security researchers published findings, but confirmed it has no plans to change its automatic tier-upgrade policy, saying it prioritizes service continuity over users’ stated budget preferences. That decision and its justification is what NewsTrackerToday set against de Souza’s platform-trust argument.

Liam Anderson reads the investor angle without editorializing: “Google Cloud revenue is the growth story at Alphabet right now. Any policy that keeps enterprise clients on higher billing tiers without friction serves that story. Refunding a few developers is cheap. Changing the auto-upgrade policy costs recurring revenue. They made a choice.” De Souza himself raised the threat of AI agents surfacing forgotten data repositories inside enterprise systems – ‘old SharePoint servers nobody really knew where they were.’ His proposed solution was fully agentic defense at machine speed. Whether enterprises can implement that is a question that NewsTrackerToday pressed on: the companies most in need of AI-native security are also the ones least likely to have the architecture to run it.

De Souza described AI security as a board-level issue. That framing is right. But boards reading his advice this week also have access to the Aikido research and the billing case documentation. The uncomfortable conclusion News Tracker Today turned over is simply this: the company most vocally prescribing AI security discipline is currently operating a 23-minute revocation gap in its own infrastructure while defending an automatic billing escalation policy that affected customers describe as a trap. That is not hypocrisy. It is, as de Souza said himself, a transition period. The question nobody answered is: transition toward what, and on whose timeline.

Share This Article
Email Copy Link Print
Previous Article Samsung’s Near-Strike and the Question Seoul Can No Longer Avoid
Next Article Jardine Matheson Buys Into Radiology – and the AI Bet Hidden Inside the Deal

Opinion

Conagra Just Halved Its Dividend and Took a $2 Billion Writedown. Store Brands Are the Reason Why

Conagra Brands issued fiscal 2027 guidance Wednesday projecting adjusted earnings…

15.07.2026

ASML Just Blew Past Its Own Guidance. The AI Chip Boom Isn’t Slowing Down Yet.

ASML, the sole global supplier of…

15.07.2026

Anthropic’s New Ad Shows a Graveyard and Asks If AI Can Be Trusted. People Are Not Loving It.

Anthropic released a new ad this…

15.07.2026

OpenAI’s Newest Model Keeps Deleting Files. The Company Warned About This Two Weeks Before Launch

Users of OpenAI's new coding-focused flagship…

15.07.2026

An OpenAI Researcher Is Leaving to Chase Drug Discovery. Investors Already Value It at $2 Billion

Miles Wang, an OpenAI researcher whose…

15.07.2026

You Might Also Like

News

AI That Builds Reality: Why Autodesk’s Bold Bet Could Reshape the Future of Engineering

Autodesk is moving beyond incremental AI features and positioning itself at the center of a broader shift toward spatially aware…

4 Min Read
News

Consumer-Goods Earthquake: Kimberly-Clark Swallows Kenvue in Mega Deal

At NewsTrackerToday, we note that in the global consumer goods arena, transformative deals that reshape market power for an entire…

5 Min Read
News

Truecaller’s Growth Cracks – Can It Survive The Platform Takeover?

Truecaller, once one of the fastest-growing communication utilities globally, is entering a more complex phase as user expansion slows and…

5 Min Read
News

India Blocked Telegram for Six Days. The Real Issue Is Structural, Not Temporary

India’s Ministry of Electronics and Information Technology issued a direction under Section 69A of the Information Technology Act on Monday,…

7 Min Read
Newstrackertoday
Yzfalu.com reviewsYzfalu.com отзывы
  • News
  • About us
  • Team
  • Contact
Reading: Google’s Security Advice Is Sound. Its Own API Keys Tell a Different Story
Share

© newstrackertoday.com

Welcome Back!

Sign in to your account

Username or Email Address
Password

Lost your password?