Francis de Souza, chief operating officer of Google Cloud, warned at an event in Los Angeles on May 26, 2026, that boards and executives must treat AI security as a core business responsibility rather than an IT-only concern. "There's no such thing as an AI strategy without a data strategy and a security strategy," he said, urging companies to bake protection into AI planning from day one.
De Souza spotlighted the rise of "shadow AI," where employees use AI tools without oversight, and described AI agents that can resurface forgotten data sources — citing old SharePoint servers as an example. He argued these trends widen the attack surface and demand that organizations protect not only traditional infrastructure but also models, training data pipelines, agents and prompts.
Noting a sharp acceleration in attacker timelines, de Souza said the gap between an initial breach and the next stage of an attack has fallen from eight hours to 22 seconds. To meet that pace, he proposed agent-based defenses in which humans oversee fully agentic systems, and stressed that security controls must be unified across clouds and models because SaaS apps and partners often introduce multiple cloud environments.
De Souza emphasized that security cannot be bolted on later or left to individual employees, and called for a single, unified security strategy even for companies that believe they operate with a single provider. His remarks frame AI security as both a governance and operational issue for boards and executives, with implications for how organizations structure data, model and cloud controls going forward.