In one heavily cited case, a Google Cloud customer's account saw an automatic capacity upgrade trigger $17,000 in charges within minutes . The Register detailed multiple customers whose leaked API keys led to five-figure bills for expensive AI inferencing workloads, noting that Google reimbursed victims only after the publication made inquiries
. One developer told The Register they were "blindsided" by Google's policy of automatically upgrading billing tiers without explicit consent
.
The scale of the problem extended well beyond a few anecdotes. Reports described accounts that previously generated small monthly charges suddenly hit with rapid spikes tied to high-cost AI models, with automated systems increasing spending limits to as much as $100,000 and allowing unauthorized usage to continue despite pre-set budget caps .
If an API key is compromised, the standard security response is to revoke it immediately. But security firm Aikido published research in May 2026 showing that even after a developer deletes a compromised Google API key, attackers can continue using it for up to 23 minutes . The researchers confirmed that authentication succeeded for that entire window after the deletion was initiated, with a median active time of approximately 16 minutes and a maximum observed window of 23 minutes
.
This gap exists because key deletion is not reflected across all of Google's infrastructure simultaneously but propagates in stages . For an automated attacker burning through paid API calls, 23 minutes is more than enough time to generate substantial financial damage. The finding directly contradicts the principle of security controls that work immediately when triggered—a basic expectation for any platform that processes billing events.
Perhaps the most structural issue is how Google's Gemini API billing tiers are designed. The system operates on usage tiers that escalate automatically based on payment history: Tier 1 caps at $250 per month, Tier 2 at $2,000, and Tier 3 ranges from $20,000 to over $100,000 . Users can be upgraded automatically as their cumulative spend and account age grow, with lower qualification thresholds introduced in 2026
.
Critically, The Register reported that even after reimbursing several high-profile victims, Google stated it would hold fast on its policy of automatically expanding users' spending limits . This means a user who signed up expecting a $250 cap could find themselves exposed to charges an order of magnitude higher without explicit consent or adequate warning.
Google did introduce Project Spend Caps in March 2026, a direct response to the public outcry. This feature lets developers set monthly dollar limits on Gemini API spending per project inside AI Studio . However, the fix comes with a significant caveat: a roughly 10-minute enforcement delay, during which users remain financially responsible for any charges incurred
. For applications processing thousands of API calls per minute, 10 minutes of uncapped billing represents material financial exposure.
The disconnect between de Souza's guidance and Google's own platform performance illustrates a broader challenge in enterprise AI. The executive's advice—embed security and governance from the start, avoid shadow AI, demand auditability—is sound and necessary. But as TechCrunch noted in its coverage of this exact contradiction, "Everyone is navigating AI security in real time—even Google" .
For organizations building on AI platforms, the Gemini API incidents offer several practical lessons. First, API key management and credential hygiene remain foundational: keys embedded in client-side code, auto-provisioned by services like Firebase without proper restrictions, or left unrestricted on projects will be found and exploited. Second, billing governance must be treated as a security function. A spending cap with a 10-minute enforcement delay or automatic upgrades that override user intent is not a real control. Third, auditability requires more than logging—it requires that security actions like credential revocation take effect instantly and universally across the provider's infrastructure.
De Souza's warning that the average time between an initial breach and the next stage of an attack has dropped to 22 seconds underscores the urgency . When the attack surface expands to include models, data pipelines, and agents, the margin for error shrinks. A 23-minute key revocation gap or an automatic tier upgrade that kicks in during an active compromise is not a marginal inconvenience—it is a security failure that directly enables financial harm.