Introduction: The Core Shift

Google Cloud's COO Francis de Souza recently advised enterprises that security must be foundational to AI strategy, not bolted on later. He's right. But a series of reports from The Register reveals that Google itself is still grappling with AI security gaps—most notably, a 23-minute window during which compromised API keys remain valid after deletion. This disconnect between prescription and practice is a strategic risk for any enterprise relying on Google Cloud for AI workloads.

Analysis: Strategic Consequences

The 23-Minute Vulnerability

According to security firm Aikido, Google's API key revocation can take up to 23 minutes to propagate, during which attackers can exfiltrate data and cached conversations from Gemini. Google's newer credential formats revoke in seconds, suggesting the delay is a matter of prioritization, not engineering. For enterprises, this means that even with best practices, a window of exposure exists—and in AI, that window can be catastrophic.
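
An added example, not from the original article or from Google or Aikido: one way an incident responder could scope the exposure described above, by listing requests that a deleted key still authenticated. The log schema, key ids, IP addresses and timestamps are constructed for illustration and are not a real Google log format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Propagation window reported on this page (up to 23 minutes after deletion).
REPORTED_WINDOW = timedelta(minutes=23)

# Constructed sample in a hypothetical schema, not a real Google log format:
# timestamp, key id, source IP, operation, HTTP status
SAMPLE_LOG = """\
2025-01-10T09:58:12Z key-A 198.51.100.7 generate 200
2025-01-10T10:03:40Z key-A 203.0.113.9 generate 200
2025-01-10T10:11:05Z key-A 203.0.113.9 read_cache 200
2025-01-10T10:19:59Z key-A 203.0.113.9 generate 200
2025-01-10T10:24:30Z key-A 203.0.113.9 generate 200
2025-01-10T10:40:00Z key-A 203.0.113.9 generate 403
2025-01-10T10:05:00Z key-B 198.51.100.7 generate 200
"""
SAMPLE_DELETIONS = {"key-A": datetime(2025, 1, 10, 10, 0, 0)}  # constructed


def parse(line):
    ts, key, ip, op, status = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), key, ip, op, int(status)


def scope_post_deletion_use(log_text, deletions, window=REPORTED_WINDOW):
    """Per deleted key, list requests that were still accepted after deletion."""
    records = [parse(l) for l in log_text.splitlines() if l.strip()]
    report = {}
    for key, deleted_at in deletions.items():
        accepted = [(ts, ip, op) for ts, k, ip, op, status in records
                    if k == key and ts > deleted_at and 200 <= status < 300]
        last = max((ts for ts, _, _ in accepted), default=deleted_at)
        report[key] = {
            # Accepted inside the reported window: treat as possible exposure.
            "in_window": [r for r in accepted if r[0] - deleted_at <= window],
            # Accepted later than reported: recheck the deletion time and key id.
            "beyond_window": [r for r in accepted if r[0] - deleted_at > window],
            "sources": Counter(ip for _, ip, _ in accepted),
            # Lower bound on how long the key stayed usable after deletion.
            "observed_validity": last - deleted_at,
        }
    return report


if __name__ == "__main__":
    for key, r in scope_post_deletion_use(SAMPLE_LOG, SAMPLE_DELETIONS).items():
        print(key, len(r["in_window"]), len(r["beyond_window"]), r["observed_validity"])
```

Requests made before deletion, rejected requests, and keys that were not deleted are excluded, so the output covers only traffic the deleted key still authorized.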

Multicloud Reality

De Souza emphasized that no enterprise operates on a single cloud. This is a strategic insight: security posture must be consistent across clouds and models. Yet Google's own security gaps highlight the challenge of achieving that consistency. Enterprises that assume a single-vendor approach simplifies security are mistaken; the attack surface now includes models, data pipelines, agents, and prompts across multiple environments.

Agentic Defense and the Talent Gap

De Souza advocates for AI-native, agentic defense—machines defending at machine speed. But the talent to oversee such systems is scarce. LinkedIn's CISO Lea Kissner warns of a 'bug-pocalypse' and expects it will take years to sustainably understand AI security. Enterprises must invest in both technology and human capital now, or risk being outpaced by threats.

Bottom Line: Impact for Executives

The gap between Google's advice and its own practices is a warning: no vendor is fully ready. Executives must demand transparency on security SLAs, enforce consistent policies across clouds, and prepare for a long transition period. The cost of inaction is not just financial—it's strategic obsolescence.




Source: TechCrunch AI

Intelligence FAQ

Aikido Security found that Google API keys can remain valid for up to 23 minutes after deletion, allowing attackers to exfiltrate data. Newer credential formats revoke in seconds, indicating the delay is a prioritization issue.

Demand transparency on security SLAs, enforce multicloud security consistency, and invest in agentic defense oversight. Treat all cloud vendors as learning in real time.