
Even Google Is Still Learning How To Secure Generative AI

  • Writer: Andrej Botka
  • 12 hours ago
  • 3 min read

Google’s cloud leaders say businesses must build security into AI systems from the start, even as platform makers work to close gaps in billing, credential revocation and oversight.


On the sidelines of a Los Angeles technology event, Google Cloud’s chief operating officer laid out a blunt message for companies adopting generative AI: security and data planning must be paired with any AI rollout, not tacked on later. He cautioned that employees will reach for consumer-grade AI tools unless firms put controls in place, and that organizations should demand governance, audit trails and built-in protections from the platforms they choose to run on.


He also tried to steer the conversation away from vendor marketing. The executive argued that most organizations already operate across multiple cloud providers whether they realize it or not, because they rely on software-as-a-service offerings and external partners. That reality, he said, makes it essential for companies to adopt a security stance that works the same way across different clouds and environments. Independent security advisers echoed that view, saying firms need a consistent policy that covers corporate apps, third-party services and developer tools.


The threat picture has shifted fast, the COO added, and older defensive approaches are proving too slow. In recent attacks the time between initial compromise and an attacker’s next move has shrunk from hours to seconds, and the assets at risk now include machine-learning models, the pipelines that feed them, automated agents and the prompts used to steer them. Those elements multiply the places where data can hide: automated processes can discover forgotten file stores and outdated collaboration servers that nobody currently monitors, then surface sensitive material that had previously been effectively invisible.


To keep pace, Google is experimenting with defensive systems that run at machine tempo: automated agents that hunt and respond, supervised, rather than driven, by humans. That changes the job description for security leaders and elevates the issue to boards and executive teams, the company representative said. Independent observers warn, though, that the industry lacks enough people who can oversee these systems, and that vulnerabilities introduced by AI are multiplying faster than most security teams can patch them. One longtime security executive said the sector will need a sustained surge of expertise to manage what she described as an impending torrent of AI-related bugs.


Platform behavior has also raised alarms. Recent reporting documented multiple developers who received unexpectedly large charges after unauthorized calls to an advanced chatbot model. In many of those cases, API keys originally issued for mapping services and exposed publicly were suddenly able to invoke the chatbot after the provider broadened the keys’ permissions; a key that had only ever been used for one service began billing for a far more expensive one, without any action by the key’s owner. Small companies and independent developers reported billing hits that reached into five-figure ranges within a short span of time, and a few people woke to sums far above the user-configured limits because their accounts had been automatically moved into higher billing tiers based on usage history. The cloud provider later issued refunds in several cases, but said it had no intention of abandoning the automatic tier increases it uses to avoid service interruptions.
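The failure mode above is a key quietly gaining a new capability, which a budget alert on its own catches only after the money is gone. The detection a practitioner would want is on the usage side: flag any key that calls a service it never called during a baseline period, and flag spend and burst rate per key against a cap you control. The following is an added example written for this article, not code from the provider or from any of the affected developers; the log format (`timestamp key_id api status cost_usd`), the key and API names, and the sample lines are all constructed for illustration.

```python
"""Detect API-key scope drift and runaway spend from usage-log lines.

Added example. The log format and every key/API name below are
constructed assumptions, not any provider's real export format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample usage log: "timestamp key_id api status cost_usd".
# key_maps1 only ever called mapping APIs until it suddenly starts calling
# a chat model; key_web2 keeps doing what it always did.
SAMPLE_LOG = """\
2026-03-01T08:00:00Z key_maps1 maps.geocode 200 0.005
2026-03-01T08:05:00Z key_maps1 maps.geocode 200 0.005
2026-03-02T09:00:00Z key_maps1 maps.directions 200 0.010
2026-03-03T10:00:00Z key_maps1 maps.geocode 200 0.005
2026-03-05T02:11:00Z key_maps1 chat.generate 200 4.20
2026-03-05T02:11:05Z key_maps1 chat.generate 200 4.20
2026-03-05T02:11:09Z key_maps1 chat.generate 200 4.20
2026-03-05T02:11:12Z key_maps1 chat.generate 429 0.00
2026-03-05T02:12:00Z key_maps1 chat.generate 200 4.20
2026-03-01T08:00:00Z key_web2 maps.geocode 200 0.005
2026-03-05T03:00:00Z key_web2 maps.geocode 200 0.005
"""


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text):
    """Parse log lines into dicts, sorted by timestamp (input may be unordered)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, key, api, status, cost = line.split()
        records.append({"ts": parse_ts(ts), "key": key, "api": api,
                        "status": int(status), "cost": float(cost)})
    return sorted(records, key=lambda r: r["ts"])


def baseline_apis(records, baseline_end):
    """Map each key to the set of APIs it called before baseline_end."""
    seen = defaultdict(set)
    for r in records:
        if r["ts"] < baseline_end:
            seen[r["key"]].add(r["api"])
    return seen


def find_scope_drift(records, baseline_end):
    """Return {(key, api): first_ts} for every API a key calls after the
    baseline that it never called during the baseline."""
    seen = baseline_apis(records, baseline_end)
    drift = {}
    for r in records:
        if r["ts"] >= baseline_end and r["api"] not in seen[r["key"]]:
            drift.setdefault((r["key"], r["api"]), r["ts"])
    return drift


def spend_by_key(records, since=None):
    """Total billed cost per key, optionally only from `since` onward."""
    spend = defaultdict(float)
    for r in records:
        if since is None or r["ts"] >= since:
            spend[r["key"]] += r["cost"]
    return dict(spend)


def keys_over_cap(records, cap_usd, since=None):
    """Keys whose spend exceeds a cap you enforce yourself, independent of
    whatever billing tier the provider has moved the account into."""
    return {k: v for k, v in spend_by_key(records, since).items() if v > cap_usd}


def burst_rate(records, key, api, window_seconds):
    """Largest number of successful (key, api) calls inside any sliding window."""
    window = timedelta(seconds=window_seconds)
    times = [r["ts"] for r in records
             if r["key"] == key and r["api"] == api and r["status"] == 200]
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    cutoff = parse_ts("2026-03-04T00:00:00Z")   # end of the baseline period
    for (key, api), ts in find_scope_drift(recs, cutoff).items():
        print(f"scope drift: {key} first called {api} at {ts.isoformat()}Z "
              f"(burst: {burst_rate(recs, key, api, 30)} calls / 30 s)")
    for key, usd in keys_over_cap(recs, cap_usd=10.0).items():
        print(f"over cap: {key} spent ${usd:.2f}")
```

Run against a real usage export, the baseline window should be long enough to cover every legitimate service a key touches, and a drift hit should trigger key rotation rather than just an e-mail, since the tier escalation described above means the provider's own limits may not stop the spend.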


There’s also the question of how quickly a compromised credential can be stopped. Security researchers testing the provider’s older API key format found attackers could keep using a revoked key for as long as about 23 minutes while the revocation propagated across the service. During that window, more than nine out of 10 requests in some minutes still authenticated, the researchers reported, leaving time to pull files and cached conversation data from the chatbot. Newer credential types revoke much faster, service account keys in a few seconds and a newer model-specific key in roughly a minute, which suggests the delay is a product-priority choice rather than a technical necessity. The practical consequence for anyone responding to a leaked key is that revocation alone is not containment: the key's remaining lifetime has to be measured, not assumed, and any data reachable with it should be treated as exposed until requests are actually being rejected.
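The measurement the researchers describe is simple to reproduce for your own provider: revoke a test key, then keep probing with it and record, per minute, how many requests are still accepted and when the last acceptance occurs. The block below is an added example written for this article, not the researchers' tooling or any provider's code. `measure_revocation` is the generic measurement loop; `SimulatedAuthCache` is a constructed stand-in for an eventually consistent authorization cache, with per-node propagation delays chosen to produce a tail of the same shape as the one reported (acceptance above 90% in the first minute, full rejection only at 23 minutes). In real use you would pass a `probe` that makes one HTTP request with the revoked key and returns whether it was accepted, `time.monotonic` based `now`, and `time.sleep`.

```python
"""Measure how long a revoked credential keeps authenticating.

Added example. SimulatedAuthCache and LEARN_TIMES_S are constructed stand-ins
for an eventually consistent auth backend; revocation happens at t=0.
"""
from dataclasses import dataclass

# Constructed: seconds after revocation at which each of 10 edge nodes learns
# that the key is gone. Two nodes learn within the first minute; the slowest
# learn at 1380 s (23 minutes), so the key works somewhere until then.
LEARN_TIMES_S = [30, 45, 600, 660, 900, 1080, 1200, 1320, 1380, 1380]


@dataclass
class SimClock:
    """Fake clock so the simulation runs instantly and deterministically."""
    now_s: int = 0

    def now(self):
        return self.now_s

    def sleep(self, seconds):
        self.now_s += seconds


@dataclass
class SimulatedAuthCache:
    """Round-robin over edge nodes, each of which still accepts the revoked
    key until its own learn time has passed (the cache-propagation lag)."""
    node_learn_times_s: list
    clock: SimClock
    calls: int = 0

    def probe(self):
        node = self.calls % len(self.node_learn_times_s)
        self.calls += 1
        return self.clock.now() < self.node_learn_times_s[node]  # True = accepted


def measure_revocation(probe, now, sleep, interval_s=1, max_s=1800):
    """Probe every interval_s seconds from now()==0 (revocation time) to max_s.

    Returns first_reject_s (first rejected probe), full_reject_s (first probe
    time after which nothing was accepted again, None if acceptance was still
    seen at the end), and the per-minute acceptance ratio.
    """
    per_min = {}            # minute index -> [accepted, total]
    first_reject_s = None
    last_accept_s = None
    t = now()
    while t <= max_s:
        accepted = probe()
        bucket = per_min.setdefault(t // 60, [0, 0])
        bucket[1] += 1
        if accepted:
            bucket[0] += 1
            last_accept_s = t
        elif first_reject_s is None:
            first_reject_s = t
        sleep(interval_s)
        t = now()
    ratios = {m: a / n for m, (a, n) in per_min.items()}
    full_reject_s = None
    if last_accept_s is not None and last_accept_s + interval_s <= max_s:
        full_reject_s = last_accept_s + interval_s
    elif last_accept_s is None:
        full_reject_s = 0          # never accepted: revocation was immediate
    return {"first_reject_s": first_reject_s,
            "full_reject_s": full_reject_s,
            "accept_ratio_by_minute": ratios}


def run_simulation(learn_times=LEARN_TIMES_S, max_s=1500):
    """Run the measurement loop against the constructed backend."""
    clock = SimClock()
    cache = SimulatedAuthCache(list(learn_times), clock)
    return measure_revocation(cache.probe, clock.now, clock.sleep, 1, max_s)


if __name__ == "__main__":
    result = run_simulation()
    print(f"first rejection after {result['first_reject_s']} s, "
          f"fully rejected after {result['full_reject_s']} s")
    for minute, ratio in sorted(result["accept_ratio_by_minute"].items()):
        if ratio > 0:
            print(f"minute {minute:2d}: {ratio:5.1%} of probes still accepted")
```

The number that matters for incident response is `full_reject_s`, not `first_reject_s`: the first failed request tells you propagation has started, but a key that is still accepted by one in five requests twenty minutes later is still a working credential for an attacker who simply retries.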


That gap between the protections platform vendors prescribe and the speed with which they themselves move to harden systems is a key takeaway, security professionals say. The guidance from cloud executives is practical and necessary, yet companies should audit their providers’ billing rules, credential lifecycles and disclosure practices as they build AI projects. Boards, executives and small business owners alike will need to treat AI security as part of product design, procurement and budget oversight, because until the platforms fully align their own practices with their recommendations, organizations must assume some risk and plan accordingly.


© 2026 by The StartupsCentral. 
