Google Cloud COO says AI security belongs in the boardroom, not just the server room

Google Cloud COO Francis de Souza is urging companies to build security into their AI strategy from day one. "There's no such thing as an AI strategy without a data strategy and a security strategy," he said at an event in Los Angeles. According to TechCrunch, he also warned about "shadow "AI"—employees using AI tools without company oversight—and about AI agents that dig up forgotten data sources like old SharePoint servers buried inside organizations.

The attack surface has grown well beyond the traditional network perimeter. "In addition to your usual estate, you have models now. You have data pipelines used to train the models. You have agents, you have prompts. All of this needs to be protected." The time between an initial breach and the next stage of an attack has dropped from eight hours to 22 seconds. De Souza is pushing for agent-based defense: "Instead of having a human-led defense or even a human in the loop, you can now have humans overseeing a fully agentic defense." AI security is a boardroom issue, he argued, not just an IT department problem.

"Security is not something you can bolt on later, and it's not something you can leave up to employees to do on their own," de Souza said. According to him, companies need a unified security strategy across all clouds and models, even if they think they're only using one provider. SaaS apps and business partners almost always bring multiple clouds into the mix.