Google Cloud COO on AI Security: 'We're All Navigating This in Real Time'

In a recent interview backstage at an event in Los Angeles, Francis de Souza, COO of Google Cloud, offered valuable advice for companies navigating the complex landscape of AI security. With his calm and measured demeanor, de Souza emphasized that security cannot be an afterthought, particularly in the age of AI. "There'll be a transition period, and then I think we get to this better place," he noted, highlighting the importance of integrating security into AI strategies from the outset.

De Souza stressed that companies need to adopt a platform approach to security, warning against "shadow AI" - employees using consumer tools without organizational oversight. "Security is not something you can bolt on later, and it's not something you can leave up to employees to do on their own," he said. "There's no such thing as an AI strategy without a data strategy and a security strategy.

They need to go hand in hand." He also advocated for a multicloud approach, arguing that companies need a consistent security posture across clouds and models. The threat landscape has undergone a significant shift, de Souza noted, with the average time between an initial breach and the next stage of an attack dropping from eight hours to 22 seconds. The attack surface has expanded beyond traditional network perimeters, encompassing models, data pipelines, agents, and prompts.

One often-overlooked threat is that of agents surfacing forgotten data repositories, potentially exposing sensitive information. De Souza believes that the solution lies in meeting machine speed with machine speed, citing the emergence of AI-native, fully agentic defense. "We're now seeing the emergence of an AI-native, fully agentic defense where organizations can run agents driving their defense," he said.

However, he acknowledged that this is a leadership issue, not just a technology one, and that the industry is still grappling with the challenges of AI security. The urgency of the issue was highlighted by a recent series of reports on Google Cloud developers facing five-figure bills due to unauthorized API calls to Gemini models. The cases exposed a gap between the platform providers' advice and their own adaptation to the rapidly evolving threat landscape.

As the industry continues to navigate this complex landscape, de Souza's advice serves as a timely reminder of the need for a proactive and integrated approach to AI security.