Google Cloud COO Francis deSouza admits what the entire AI industry is discovering: nobody has AI security figured out yet. In a backstage interview at a Los Angeles event, deSouza said the industry is in a transition period — all of it — and that even Google is learning as it goes. His core message: security cannot be an afterthought. Companies that bolt it on later or leave it to employees will pay the price.
Shadow AI Is the Biggest Threat
DeSouza's most urgent warning was about shadow AI — employees using unauthorized AI tools without their employer's knowledge. Workers are connecting personal ChatGPT accounts to corporate data. They are feeding sensitive documents into AI assistants that their IT teams do not control. And they are granting OAuth permissions to AI apps that create security vulnerabilities their companies cannot monitor.
The Vercel breach earlier this year started exactly this way. An employee connected a consumer AI app to their corporate Google account. Hackers who had compromised the AI app used that connection to access Vercel's internal systems and steal customer data including API keys and source code.
DeSouza said companies need a platform approach to AI security. That means providing approved AI tools, monitoring which tools employees actually use, and ensuring that every AI connection to corporate data passes through managed infrastructure.
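The monitoring step described above can start with an audit of OAuth grants. The following is an added example, not code from the interview or from any vendor: it flags grants to apps outside an approved list that hold mail, file or directory scopes. The record layout, client IDs and app names are constructed assumptions.

```python
# Added example: flag OAuth grants to unapproved apps that hold sensitive scopes.
# Record layout, client IDs and app names are constructed for illustration;
# map them from your identity provider's OAuth grant audit export.
from collections import defaultdict

APPROVED_CLIENT_IDS = {"approved-ai-client-001"}  # hypothetical allowlist

# Scope prefixes exposing mail, files or directory data. Prefix matching is
# deliberately conservative: narrower variants of a scope are flagged too.
SENSITIVE_SCOPE_PREFIXES = (
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory",
)

SAMPLE_GRANTS = [  # constructed sample events
    {"user": "alice@example.com", "app": "Approved Assistant",
     "client_id": "approved-ai-client-001",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"user": "bob@example.com", "app": "Consumer AI App",
     "client_id": "consumer-ai-client-777",
     "scopes": ["openid", "email",
                "https://www.googleapis.com/auth/drive.readonly",
                "https://www.googleapis.com/auth/gmail.readonly"]},
    {"user": "carol@example.com", "app": "Notes Login",
     "client_id": "notes-client-314", "scopes": ["openid", "profile"]},
    {"user": "dave@example.com", "app": "Consumer AI App",
     "client_id": "consumer-ai-client-777",
     "scopes": ["https://mail.google.com/"]},
]

def find_shadow_grants(grants, approved=APPROVED_CLIENT_IDS):
    """Group risky grants by client ID so one revocation covers all users."""
    users, scopes, names = defaultdict(set), defaultdict(set), {}
    for g in grants:
        cid = g["client_id"]
        if cid in approved:
            continue  # sanctioned tool, handled by the managed platform
        hits = [s for s in g.get("scopes", [])
                if s.startswith(SENSITIVE_SCOPE_PREFIXES)]
        if not hits:
            continue  # identity-only scopes, out of scope for this check
        names[cid] = g["app"]
        users[cid].add(g["user"])
        scopes[cid].update(hits)
    return {cid: {"app": names[cid], "users": sorted(users[cid]),
                  "scopes": sorted(scopes[cid])} for cid in names}
```

Grouping by client ID means one review decision covers every employee who authorized the same app.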
The Attack Surface Has Exploded
The traditional security perimeter — protect the network, secure the endpoints — no longer works. DeSouza noted that the average time between an initial breach and the next stage of an attack has dropped from eight hours to 22 seconds. Defenders who take hours to respond are already too late.
The attack surface now includes AI models, data pipelines used to train those models, AI agents that act autonomously, and prompts that can be manipulated to extract sensitive information. Every new AI capability creates new vectors for attack. The Vulnpocalypse — the growing imbalance between AI-powered attacks and traditional defenses — is accelerating.
Compounding the problem, security firm Aikido found that even developers who catch a compromised Google API key and immediately delete it may not be safe. Attackers can continue using the revoked key for up to 23 minutes because Google's revocation propagates gradually across its infrastructure. In some minutes of that window, over 90 percent of requests still authenticate.
Agentic AI Makes Everything Harder
The rise of agentic AI — autonomous systems that take actions on behalf of users — creates security challenges that the industry has barely begun to address. An AI agent that can browse the web, execute code, and interact with enterprise systems on your behalf can also be hijacked to do the same things for an attacker.
Red Hat's Tank OS addresses agent security by running OpenClaw inside rootless containers. SAP blocked all unauthorized agents from its platform. And OpenAI added hardware security keys to ChatGPT accounts. But these are individual solutions to a systemic problem.
DeSouza's prescription is agentic defense — using AI-driven agents to automatically detect and respond to threats at machine speed. Humans oversee the process rather than being directly in the loop. When attacks happen in 22 seconds, human response times are not fast enough.
Google Is Not Immune
The interview was notable for its honesty. DeSouza was not just offering advice to others. He was acknowledging that Google — a company that operates one of the world's largest cloud platforms and has deployed Gemini across billions of devices — is still figuring out how to secure its own AI systems.
Google has created dedicated AI security teams. It is developing adversarial training techniques. It is building monitoring systems to detect unusual model behavior. But these efforts are experimental. There are no established best practices yet. The regulatory landscape — the EU's AI Act, proposed US legislation — is chasing a moving target.
The admission connects to a broader industry reality. Anthropic's Mythos was accessed by an unauthorized group through a vendor breach. OpenAI's developer ecosystem was hit by supply chain attacks. And Cloudflare, one of the internet's largest security companies, is itself using AI to replace security roles while simultaneously defending against AI-powered attacks.
What It Means
DeSouza's message is the most important one a security executive has delivered this year. The AI revolution is not waiting for security to catch up. Companies are deploying AI at scale. Employees are using AI without permission. Attackers are using AI to probe defenses at machine speed. And even Google — with all its resources — does not have the answers yet.
The transition period deSouza described is real. Everyone is in it. And the companies that treat AI security as a priority rather than an afterthought will be the ones standing when it ends.







