kalinga.ai

AI Security Risks Are Everyone’s Problem Now — Even Google’s

As AI adoption accelerates, enterprises face growing AI security risks from shadow AI, autonomous agents, and exposed APIs.

Every enterprise leader thinks they’ve delegated AI security risks to the right team. The hard truth is that no one — not even the companies building the platforms — has it fully figured out yet.

That’s not a pessimistic take. It’s the honest starting point for any organization serious about protecting itself in an era where AI is accelerating everything, including the threats. When Google Cloud’s own COO Francis de Souza recently told TechCrunch that “there’ll be a transition period, and then I think we get to this better place,” he was describing a reality every enterprise security team is already living through. The question is how to navigate it without becoming a cautionary tale.


What “AI Security Risks” Actually Means in 2026

AI security risks refer to the vulnerabilities, attack vectors, and governance failures that emerge when organizations deploy artificial intelligence systems — including the risks introduced by AI tools themselves, not just risks to them.

This definition matters because most legacy security frameworks were built for a different era. They protected networks, endpoints, and databases. Today’s threat landscape includes AI models, the data pipelines used to train them, autonomous agents, API integrations, and the prompts that drive them. Every one of these components expands the attack surface.

The Expanded Attack Surface

Traditional cybersecurity drew a fairly clear perimeter: protect the network edge, secure the endpoints, monitor for intrusions. That model assumed a relatively stable set of assets to defend.

AI fundamentally breaks that assumption. As de Souza explained, organizations now have to protect:

  • AI models themselves (including their weights and outputs)
  • Training data pipelines
  • Autonomous AI agents operating inside enterprise systems
  • Prompt inputs and conversation histories
  • API keys and credentials connecting AI services to broader infrastructure
  • Third-party integrations and SaaS tools that may operate on different clouds

Each of these represents a distinct class of AI security risks that many organizations are only beginning to map, let alone defend.

The Speed Problem: 8 Hours to 22 Seconds

One of the most important data points for understanding the current moment: the average time between an initial breach and the handoff to the next stage of an attack has dropped from eight hours to just 22 seconds. That figure, cited by de Souza, is not an anomaly. It reflects a structural shift in how attackers operate: increasingly automated, increasingly fast, and increasingly targeting the gaps that AI itself creates.

Human-led response processes are simply not built for this cadence. A threat that escalates in under half a minute cannot be contained by a team waiting for an analyst to triage an alert.



Shadow AI — The Threat Already Inside Your Organization

Shadow AI is the use of consumer-grade or unsanctioned AI tools by employees without organizational oversight, governance, or security review.

It is, at this moment, one of the most underestimated AI security risks in enterprise environments.

The dynamic is familiar. Employees encounter a capable tool — a generative AI assistant, a code helper, an AI-powered research platform — and start using it to do their jobs better. From their perspective, it’s productivity. From a security perspective, it’s an uncontrolled data egress point with no audit trail and no accountability structure.

De Souza was direct on this point: security “is not something you can bolt on later, and it’s not something you can leave up to employees to do on their own.” Organizations need to demand security, governance, and auditability from their AI platforms from the very beginning of deployment.

The phrase “there’s no such thing as an AI strategy without a data strategy and a security strategy” captures the core principle. They are not separate workstreams. They are the same workstream.

Why shadow AI is particularly dangerous:

  • Sensitive internal data may be submitted to models with unclear data retention policies
  • Employees have no mechanism to know when a tool’s terms of service change
  • Organizations cannot audit what was shared, with whom, or when
  • Shadow AI usage creates liability exposure that may not surface until after a breach

The fix is not to ban AI — it is to create a sanctioned, governed path that is easier than the unsanctioned alternative.
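A sanctioned path only works if you can also see the unsanctioned one. The following is an added example, not code from the article or from Google: it runs shadow-AI detection over forward-proxy log lines to show the "uncontrolled data egress point" concretely, attributing bytes sent to unsanctioned AI hosts per user and flagging large uploads. The log layout, the host names, the user names and the sanctioned/known host lists are all constructed for illustration; in practice they come from your proxy and your AI tool inventory, and the path heuristic is a starting point, not a complete classifier.

```python
"""Added example (not from the original article): flag shadow-AI egress in
forward-proxy logs. Log format, hosts, users and host lists are constructed."""
import re
from collections import defaultdict

# Constructed sample lines: "timestamp user method url status bytes_sent".
SAMPLE_LOG = """\
1717000001 alice POST https://assistant.sanctioned-ai.example/v1/chat 200 842
1717000002 bob POST https://chat.unsanctioned-ai.example/api/complete 200 20488
1717000003 bob POST https://chat.unsanctioned-ai.example/api/upload 200 5242880
1717000004 carol GET https://intranet.example.corp/wiki 200 120
1717000005 alice POST https://codehelper.unknown-ai.example/v1/suggest 200 3100
1717000006 dave POST https://assistant.sanctioned-ai.example/v1/chat 200 1500
"""

# Constructed inventories: the governed platform, and AI services known but not approved.
SANCTIONED_AI_HOSTS = {"assistant.sanctioned-ai.example"}
KNOWN_AI_HOSTS = {"chat.unsanctioned-ai.example"}

# Heuristic for AI endpoints not yet in any inventory: path fragments typical of LLM APIs.
AI_PATH_HINT = re.compile(r"/(chat|complete|completions|suggest|generate|embeddings)\b")

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<sent>\d+)$"
)
HOST_RE = re.compile(r"^https?://([^/:]+)")


def classify(url, method):
    """Return (verdict, host): 'sanctioned', 'shadow', 'suspected' or None."""
    m = HOST_RE.match(url)
    host = m.group(1) if m else ""
    if host in SANCTIONED_AI_HOSTS:
        return "sanctioned", host
    if host in KNOWN_AI_HOSTS:
        return "shadow", host
    if method == "POST" and AI_PATH_HINT.search(url):
        return "suspected", host
    return None, host


def analyze(log_text, upload_threshold=1_000_000):
    """Per-user summary of traffic to shadow or suspected AI hosts.

    Traffic to the sanctioned platform is ignored; everything else that looks like
    an AI API call is attributed to the user so the egress is auditable."""
    findings = defaultdict(lambda: {"hosts": set(), "bytes_sent": 0, "large_uploads": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        verdict, host = classify(m["url"], m["method"])
        if verdict in ("shadow", "suspected"):
            rec = findings[m["user"]]
            rec["hosts"].add(host)
            sent = int(m["sent"])
            rec["bytes_sent"] += sent
            if sent >= upload_threshold:
                rec["large_uploads"].append((host, sent))
    return dict(findings)


if __name__ == "__main__":
    for user, rec in sorted(analyze(SAMPLE_LOG).items()):
        print(user, sorted(rec["hosts"]), rec["bytes_sent"], rec["large_uploads"])
```

The output is the audit trail the article says shadow AI lacks: who sent what volume to which unsanctioned service. The 5 MB POST by bob is the kind of event that should trigger a conversation about the sanctioned alternative, not just a block.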


Agents Are Roaming Your Enterprise Right Now

AI agents represent a qualitatively different kind of AI security risk than passive AI tools. They don’t just respond to queries — they traverse systems, access resources, and take actions.

One specific threat flagged by de Souza deserves more attention than it typically receives: agents moving through internal enterprise systems will surface forgotten data repositories that nobody has thought about in years.

Consider what this means in practice. Many organizations have legacy SharePoint environments, file servers, internal wikis, or collaboration spaces where access controls were set up years ago and never updated. Under normal operations, these repositories are effectively invisible — nobody goes looking for them, so the stale permissions don’t matter.

An AI agent with broad access permissions will find those assets. It doesn’t know they were supposed to be forgotten. It will surface the data they contain, potentially exposing confidential records, personnel files, old contracts, or proprietary technical documentation.

This is an AI security risk that doesn’t require a malicious actor. It can emerge entirely from well-intentioned AI deployment and insufficiently maintained legacy infrastructure.

Practical implication: Before deploying AI agents at enterprise scale, organizations should audit their data estate with the assumption that an agent will eventually touch everything it has permission to access.
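The audit the previous paragraph calls for can be done mechanically: take the agent's identity, expand its group memberships (including nested groups, which is where stale permissions usually hide), and list every repository those principals can read, marking the ones nobody has touched in years. The following is an added example and not code from the article or from any vendor; the group directory, the repository inventory, the ACL format and the service-account name are constructed, and in practice they would be fed from your directory and ACL exports.

```python
"""Added example (not from the original article): estimate what an AI agent's
identity can reach before deployment. Directory, inventory and names are constructed."""
from datetime import date

# Constructed nested group directory: group -> members (users, service accounts, or groups).
GROUPS = {
    "Everyone": ["Domain Users", "svc-ai-agent"],
    "Domain Users": ["alice", "bob", "svc-ai-agent"],
    "Finance": ["alice", "Finance-Leads"],
    "Finance-Leads": ["carol"],
    "HR": ["dave"],
}

# Constructed inventory: repository -> (last modified, [(principal, access)]).
REPOS = {
    r"\\files\hr\personnel-2014": (date(2014, 6, 1), [("HR", "read"), ("Everyone", "read")]),
    r"\\files\finance\contracts-old": (date(2016, 2, 10), [("Finance", "read")]),
    "sharepoint://legacy-wiki": (date(2015, 9, 3), [("Domain Users", "read")]),
    "sharepoint://eng-designs": (date(2025, 11, 20), [("Engineering", "read")]),
    r"\\files\exec\board-minutes": (date(2024, 1, 5), [("Exec", "read")]),
}

# Grants through these principals are effectively "anyone", including a new agent.
BROAD_PRINCIPALS = {"Everyone", "Domain Users", "Authenticated Users"}


def expand_principals(identity, groups=GROUPS):
    """Return the identity plus every group it belongs to, following nested membership."""
    result = {identity}
    changed = True
    while changed:
        changed = False
        for group, members in groups.items():
            if group not in result and any(m in result for m in members):
                result.add(group)
                changed = True
    return result


def agent_reach(identity, stale_before_year, repos=REPOS, groups=GROUPS):
    """Every repository the identity can read, with how it got there and whether it is stale."""
    principals = expand_principals(identity, groups)
    findings = []
    for repo, (modified, acl) in repos.items():
        grants = [p for p, access in acl if p in principals and access in ("read", "write")]
        if not grants:
            continue
        findings.append({
            "repo": repo,
            "via": sorted(grants),
            "broad_grant": any(p in BROAD_PRINCIPALS for p in grants),
            "stale": modified < date(stale_before_year, 1, 1),
        })
    return findings


def stale_and_reachable(identity, stale_before_year):
    """The repositories to fix before the agent is switched on."""
    return sorted(f["repo"] for f in agent_reach(identity, stale_before_year) if f["stale"])


if __name__ == "__main__":
    for f in agent_reach("svc-ai-agent", 2020):
        print(f)
```

Run against a real estate, the interesting rows are the ones where `broad_grant` and `stale` are both true: the agent reaches them only because a permission granted to everyone years ago was never revisited, which is exactly the failure mode described above.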


The Google API Incident: A Platform-Level Warning

Even the platforms advising enterprises on AI security strategy are themselves navigating these AI security risks in real time. The recent series of incidents involving Google Cloud API keys is instructive.

What Happened

A wave of Google Cloud developers received five-figure bills after unauthorized API calls to Gemini models — services many of them had never intentionally enabled. The pattern was consistent: API keys originally deployed for Google Maps, placed publicly according to Google’s own documentation, had quietly become capable of accessing Gemini after Google expanded their scope without clearly communicating the change.

One CEO saw his account bill reach over $10,000 in approximately 30 minutes after attackers exploited a compromised key. A developer in Sydney woke up to charges exceeding AUD $17,000 despite believing a $250 spending cap was in place. What neither knew was that Google’s automated systems had upgraded their billing tiers based on account history — raising their effective ceiling to as high as $100,000 without explicit consent.

Google refunded both after the incidents were reported publicly. However, the company stated it has no plans to change its automatic tier-upgrade policy, indicating that it prioritizes preventing service outages over enforcing users’ stated budget preferences.


The 23-Minute Revocation Window

The second finding from this cluster of incidents is arguably more concerning from a security architecture perspective. Research by security firm Aikido found that even developers who immediately delete a compromised API key may not be safe. According to Aikido’s findings, attackers can continue using that key for up to 23 minutes because Google’s revocation propagates gradually across its infrastructure.

During that window, success rates for continued authentication are unpredictable — in some minutes, over 90% of requests still authenticate. Attackers can use this window to exfiltrate files and cached conversation data from Gemini.

The notable detail: Google’s own newer credential formats do not have this problem. Service account API credentials revoke in roughly five seconds. The newer AQ-prefixed key format takes about a minute. Aikido researcher Joseph Leon noted that both operate at Google scale, which suggests the 23-minute window is not an engineering constraint — it is a matter of prioritization.

The takeaway for enterprise security teams is not that Google’s platforms are uniquely flawed. It is that even the best-resourced platforms are still closing gaps in real time, and organizations cannot assume that platform defaults provide adequate protection.



AI Security vs. Traditional Security: A Side-by-Side Comparison

Understanding where AI security risks diverge from traditional security priorities helps organizations allocate resources and attention more precisely.

Dimension                | Traditional Security                     | AI Security
Primary threat surface   | Network perimeter, endpoints, databases  | Models, agents, prompts, pipelines, API keys
Attack escalation speed  | Hours to days                            | Seconds to minutes
Data exposure vectors    | Unauthorized access, exfiltration        | Shadow AI usage, agent traversal, prompt injection
Governance model         | IT-owned policy enforcement              | Cross-functional: IT, legal, business units
Credential risk          | Static credentials and passwords         | Dynamic API keys with inconsistent revocation
Defense posture          | Reactive detection and response          | Increasingly requires proactive, agentic defense
Board visibility         | CISO-level reporting                     | Executive team and board-level engagement
Talent availability      | Established professional pipeline        | Severe shortage; skills still being defined

This table is not meant to suggest that traditional security becomes irrelevant — it doesn’t. AI security risks layer on top of existing attack surfaces rather than replacing them. Organizations that haven’t addressed foundational security hygiene will find that AI deployment makes their existing exposures worse, not better.


The Agentic Defense Model — Fighting Machine Speed with Machine Speed

If the attack side is running at machine speed, the defense must do the same. This is the core argument for what de Souza called “AI-native, fully agentic defense.”

What is agentic defense?

Agentic defense is a security model in which AI agents drive the detection, triage, and response processes — with humans overseeing the system rather than managing each decision within it. Instead of a human analyst reviewing alerts and authorizing responses, the agents act and humans govern the system that acts.

This is a meaningful shift in how security operations are structured. The traditional model places humans in the loop for most decisions. The agentic model places humans above the loop — responsible for the policies and oversight frameworks, not the real-time execution.

This approach is becoming necessary because the volume and speed of AI-era threats exceed human-paced response capacity. An organization running human-led incident response against automated, 22-second escalation attacks is structurally disadvantaged.


What agentic defense requires:

  • Clear policy frameworks that agents can execute against reliably
  • Human oversight systems capable of identifying when agent behavior deviates from intent
  • Regular auditing of agent decisions, not just outcomes
  • Integration across security tooling so agents have visibility into the full environment

Critically, de Souza framed this as a leadership issue, not just a technology one. The decisions about how agentic defense systems are authorized to act, and what they’re permitted to do autonomously, are not engineering decisions. They are governance decisions that belong at the executive and board level.
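"Humans above the loop" has a concrete shape in code: a policy gate sits between what a response agent proposes and what gets executed, decides autonomy per action type, and records every decision with its reason so the decisions themselves can be audited, not just the outcomes. The following is an added example, not code from the article or from Google Cloud; the action names, confidence thresholds, autonomous limits and tiers are constructed policy choices that, as the text argues, belong to the organization's leadership rather than to the engineer writing the gate.

```python
"""Added example (not from the original article): a policy gate between a response
agent's proposals and execution. Actions, tiers, thresholds and limits are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Proposal:
    action: str          # e.g. "isolate_host", "revoke_key", "delete_mailbox"
    target: str
    confidence: float    # the agent's own confidence in its verdict, 0..1
    evidence: list       # alert ids, indicators, etc., kept for the audit record


@dataclass
class Rule:
    tier: str                          # "auto" | "approve" | "deny"
    min_confidence: float = 0.0        # below this, even "auto" actions escalate
    auto_limit: Optional[int] = None   # max autonomous executions per review window


# Constructed policy: what the agent may do on its own, what needs a human, what it may never do.
POLICY = {
    "isolate_host": Rule("auto", min_confidence=0.9, auto_limit=3),
    "revoke_key": Rule("auto", min_confidence=0.8, auto_limit=10),
    "disable_user": Rule("approve"),
    "delete_mailbox": Rule("deny"),
}


@dataclass
class Gate:
    policy: dict = field(default_factory=lambda: dict(POLICY))
    audit: list = field(default_factory=list)
    auto_counts: dict = field(default_factory=dict)

    def decide(self, p: Proposal) -> str:
        """Return 'execute', 'escalate' or 'deny', and log the decision with its reason."""
        rule = self.policy.get(p.action)
        if rule is None:
            # An action the policy never mentions is a deviation from declared intent.
            disposition, reason = "escalate", "action outside the agent's declared scope"
        elif rule.tier == "deny":
            disposition, reason = "deny", "policy forbids this action for agents"
        elif rule.tier == "approve":
            disposition, reason = "escalate", "policy requires human approval"
        elif p.confidence < rule.min_confidence:
            disposition, reason = "escalate", f"confidence {p.confidence:.2f} below {rule.min_confidence:.2f}"
        elif rule.auto_limit is not None and self.auto_counts.get(p.action, 0) >= rule.auto_limit:
            # Blast-radius control: a mass-isolation after the limit needs a human.
            disposition, reason = "escalate", f"autonomous limit {rule.auto_limit} reached"
        else:
            disposition, reason = "execute", "within autonomous policy"
            self.auto_counts[p.action] = self.auto_counts.get(p.action, 0) + 1
        self.audit.append({
            "action": p.action, "target": p.target, "confidence": p.confidence,
            "evidence": list(p.evidence), "disposition": disposition, "reason": reason,
        })
        return disposition


if __name__ == "__main__":
    gate = Gate()
    for host in ("h1", "h2", "h3", "h4"):
        print(host, gate.decide(Proposal("isolate_host", host, 0.95, ["alert-42"])))
    print(gate.decide(Proposal("delete_mailbox", "ceo", 0.99, ["alert-43"])))
```

The audit list is the artifact the oversight function reviews: every proposal, including the ones that were denied or escalated, with the rule that decided it. Reviewing only executed actions would hide exactly the behaviour (repeated out-of-scope proposals, confidence drifting down) that signals an agent deviating from intent.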


How to Build an AI Security Strategy That Actually Works

The core principle: AI security strategy is not a subset of your IT security strategy. It is a peer workstream that must be developed alongside your AI strategy and your data strategy from the beginning.

Here is a practical framework for organizations at any stage of AI deployment:

1. Inventory your AI exposure

Before you can secure your AI environment, you need to know what’s in it. This means cataloguing:

  • All sanctioned AI tools and platforms in use across the organization
  • All API keys and credentials with AI service access
  • All AI agents deployed, their permissions, and the systems they can access
  • All third-party integrations that may include AI components

2. Govern shadow AI proactively

Prohibition rarely works. Instead, create a sanctioned path for AI tool adoption that is faster and easier than the unsanctioned alternative. This means:

  • Establishing an AI tool review and approval process with defined timelines
  • Providing employees with approved tools that meet their needs
  • Creating clear policy on what data categories may and may not be submitted to AI systems
  • Building audit mechanisms into sanctioned platforms

3. Audit your data estate before deploying agents

As noted above, AI agents will surface forgotten data repositories. Conduct a data estate audit with the explicit goal of finding what an agent with broad permissions would find. Update access controls before deployment, not after.

4. Adopt a multicloud security posture

De Souza made a point that applies broadly: even organizations that believe they operate on a single cloud are almost certainly relying on SaaS applications and business partners using different cloud environments. A security posture must be consistent across clouds and across models.

5. Treat API key management as a first-class security concern

The Google incidents illustrate that API key exposure is one of the highest-impact AI security risks in current deployments. Implement:

  • Automatic rotation schedules for all API credentials
  • Spend alerts and hard caps at the platform level, not just account defaults
  • Regular audits of which keys have access to which services
  • Immediate revocation workflows — and verification that revocation has propagated before declaring a key inactive
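The last item above is where the 23-minute finding from the Aikido research bites: deleting a key is not the same as the key being dead, and during propagation a single rejected request proves nothing because the next one may still authenticate. The following is an added example, not code from the article, from Aikido or from Google: it treats a revoked key as live until a probe has been rejected a configurable number of times in a row, and records when the old key last succeeded. The probe, the fake clock and the linear propagation model are constructed for illustration; in practice the probe is a cheap authenticated request made with the deleted key against the service it used to reach.

```python
"""Added example (not from the original article): keep treating a deleted key as live
until probes with it fail consistently. Probe, clock and propagation model are constructed."""
import random


def confirm_revoked(probe, clock, sleep, interval_s=10, max_wait_s=1800, required_consecutive=6):
    """Poll `probe` until `required_consecutive` successive rejections or the budget runs out.

    `probe()` returns True if the old key still authenticated. A run of failures, not a
    single one, is required because success rates during propagation are unpredictable.
    `clock()` returns seconds; `sleep(s)` waits. Both are injectable so tests run offline."""
    start = clock()
    consecutive = 0
    last_success_at = None
    samples = 0
    while clock() - start <= max_wait_s:
        samples += 1
        if probe():
            consecutive = 0
            last_success_at = clock() - start   # the key was still usable at this point
        else:
            consecutive += 1
            if consecutive >= required_consecutive:
                return {"confirmed": True, "last_success_at": last_success_at,
                        "elapsed_s": clock() - start, "samples": samples}
        sleep(interval_s)
    # Budget exhausted without a stable run of failures: do NOT declare the key inactive.
    return {"confirmed": False, "last_success_at": last_success_at,
            "elapsed_s": clock() - start, "samples": samples}


class FakeClock:
    """Constructed clock so the example runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def propagation_probe(clock, full_revoke_at_s, seed=7):
    """Constructed model of gradual revocation: the chance that the old key still
    authenticates falls linearly from 1.0 at t=0 to 0.0 at `full_revoke_at_s`."""
    rng = random.Random(seed)

    def probe():
        frac = min(1.0, clock.now() / full_revoke_at_s)
        return rng.random() < (1.0 - frac)
    return probe


def scripted_probe(outcomes):
    """Replay a fixed sequence of probe results (False once the sequence is exhausted)."""
    it = iter(outcomes)
    return lambda: next(it, False)


if __name__ == "__main__":
    clock = FakeClock()
    report = confirm_revoked(propagation_probe(clock, full_revoke_at_s=23 * 60),
                             clock.now, clock.sleep, interval_s=30, max_wait_s=3600)
    print(report)
```

Against the constructed 23-minute model the report's `last_success_at` lands well past the moment the key was deleted, which is the number the incident record should carry: the key was usable until then, whatever the console said. If `confirmed` comes back False the budget was too short for the platform's propagation time, and the right response is to extend it, not to close the ticket.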

6. Elevate this to board level

If AI security risks are being managed exclusively by a security team without executive visibility, the governance structure is misaligned. These risks carry financial, legal, reputational, and operational consequences that require board-level accountability.


The “Bug-Pocalypse” and the Talent Gap

LinkedIn’s chief information security officer Lea Kissner put it plainly: organizations will need people to deal with what she called the “bug-pocalypse” — the accelerating volume of AI-introduced vulnerabilities — and she does not expect the industry to understand AI security in any sustainable long-term way for at least several years.

This is a structural problem, not a temporary hiring shortage. The skills required to defend AI systems — understanding model behavior, prompt injection, agent permissions, pipeline integrity — are not widely distributed in the existing security workforce. They are being defined in real time, often by the same people experiencing the incidents.

What this means for organizations:

  • Don’t wait for the talent to exist before building the strategy. Embed AI security thinking into your existing security team now through training, partnerships, and cross-functional collaboration with AI development teams.
  • Prioritize platform governance over individual expertise. In a talent-scarce environment, the highest leverage is in building governance systems that structure decisions correctly, rather than relying on heroic individual judgment.
  • Budget for security from the start of AI projects. The cost of retrofitting security into AI systems after deployment is significantly higher than building it in from the beginning — and the risk exposure in the interim is substantial.

The transition period that de Souza described is real. Everyone — enterprises, platform providers, regulators, and security professionals — is navigating AI security risks in real time. The organizations that will come out ahead are not those that achieve perfect security posture immediately. They are those that build the governance structures, the cross-functional accountability, and the technical foundations to learn and adapt faster than the threat landscape evolves.


Key Takeaways

  • AI security risks in 2026 extend far beyond traditional network threats — they include models, agents, pipelines, prompts, and API credentials.
  • Shadow AI is already inside most organizations and represents one of the highest-risk, lowest-visibility exposures.
  • AI agents will surface forgotten data repositories; audit your data estate before deploying them at scale.
  • Even major platform providers are still closing security gaps in real time — do not rely on platform defaults as a security posture.
  • Agentic defense — AI-driven, human-governed security operations — is becoming a practical necessity as attack speeds outpace human response capacity.
  • There is no AI strategy without a data strategy and a security strategy. They must be built together.
  • This is a board-level issue, not only a security team issue.
