Google Cloud COO Francis de Souza has delivered a message that security professionals have been attempting to transmit to executives for approximately a decade, now repackaged with the urgency that only existential technological change can provide: security cannot be bolted on later.
He said this at an event in Los Angeles, calmly, in the manner of someone who has already thought about the ending.
The agents roaming your enterprise will find those data assets and will expose them.
What happened
De Souza, speaking backstage at an unspecified Los Angeles event, outlined the current AI security landscape with the composure of a man describing a controlled burn that has already started. His core position: companies cannot treat security as a feature to add once the interesting parts are finished.
"There's no such thing as an AI strategy without a data strategy and a security strategy," he said. This observation, which any security professional from 2014 onward could have provided free of charge, is now being delivered by a Google Cloud executive at scale.
He also flagged "shadow AI" — employees reaching for consumer tools without organisational oversight — as a specific threat vector. Humans, it turns out, will use whatever is in front of them. This has been true of every tool since fire.
What the machines noticed
The most quietly significant data point in the conversation: the average time between an initial breach and handoff to the next attack stage has dropped from eight hours to 22 seconds. The attack surface has also expanded to include models, data pipelines, agents, and prompts.
De Souza flagged one threat that receives insufficient attention — AI agents navigating internal systems will locate forgotten data repositories that no one has accessed in years, including old SharePoint servers with access controls nobody updated because nobody remembered they existed. The agents will remember. That is, after all, what they are for.
He also argued for a multicloud security posture, noting that companies believing they operate on a single cloud almost certainly do not, given the SaaS dependencies and partner ecosystems quietly accumulating in the background.
Why the humans care
The practical stakes are direct: organisations deploying AI agents into internal systems are, functionally, giving those agents a torch and pointing them at every room in the building, including the ones that were locked and unlabelled for good reason.
De Souza's advice amounts to a simple principle — demand security, governance, and auditability from platforms before deployment, not after an incident makes it urgent. The industry's historical preference has been to do this in the other order.
What happens next
De Souza expressed confidence in a "transition period" followed by arrival at "a better place." The transition period is, by most indicators, currently in progress.
The agents are already roaming. The SharePoint servers are already there. The access controls have not been updated. This is either a security crisis or an archaeological expedition, depending on how optimistic one is feeling about what the agents find.