AI Security in Crypto Under Fire: Google Warns of Gaps as ConsenSys Deploys Agentic Defense


Key takeaways:

  • Record DeFi exploits highlight the urgent need for AI-driven, continuous security to restore investor confidence.
  • RWA tokenization platforms adopting agentic auditing may attract institutional capital seeking safer digital assets.
  • The shift from static to continuous AI audits could structurally favor security-first DeFi protocols and tokens.

Two parallel developments this week are shining a harsh light on the state of AI security — one from a tech giant acknowledging its own shortcomings, the other from a blockchain security firm racing to defend DeFi against increasingly automated attacks.

Google’s Candid Confession

Speaking backstage at a Los Angeles event, Google Cloud COO Francis de Souza delivered a sobering message: the industry is in a transitional period where AI security is still being figured out in real time. “There’ll be a transition period, and then I think we get to this better place,” he said, urging companies to adopt a platform approach where security is foundational, not bolted on. He specifically warned about “shadow AI” — employees using consumer AI tools without oversight — and stressed that “there’s no such thing as an AI strategy without a data strategy and a security strategy.”

The urgency is underscored by a Register investigation revealing that Google Cloud developers were hit with five-figure bills after attackers exploited compromised API keys. These keys, originally scoped for Google Maps, had silently gained access to Gemini models when Google expanded their capabilities without clear disclosure. Worse, security firm Aikido found that even after a key is deleted, it can remain active for up to 23 minutes due to gradual revocation — a window in which attackers can drain resources and exfiltrate data. Google has no plans to change its automatic tier-upgrade policy, prioritizing uptime over user budgets.
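The two failure modes in this paragraph (a Maps-issued key calling Gemini, and a deleted key still being accepted during the revocation lag) can be checked for in usage records. The sketch below is an added example, not code from the article, Google, or Aikido; the key IDs, service labels, timestamps, costs, and record layout are constructed and do not represent a Google Cloud log schema. Only the 23-minute window comes from the text.

```python
from datetime import datetime, timedelta

# Revocation lag reported in the article (Aikido): up to 23 minutes.
REVOCATION_WINDOW = timedelta(minutes=23)

# Constructed inventory: what each key was issued for, and when it was deleted.
KEYS = {
    "key-maps-01": {"intended": {"maps"}, "deleted_at": datetime(2026, 5, 1, 12, 0)},
    "key-maps-02": {"intended": {"maps"}, "deleted_at": None},
}

# Constructed usage records: (timestamp, key id, service label, billed cost in USD).
USAGE = [
    (datetime(2026, 5, 1, 11, 50), "key-maps-01", "maps", 0.02),
    (datetime(2026, 5, 1, 11, 55), "key-maps-01", "gemini", 41.00),
    (datetime(2026, 5, 1, 12, 10), "key-maps-01", "gemini", 63.50),
    (datetime(2026, 5, 1, 12, 40), "key-maps-01", "gemini", 12.00),
    (datetime(2026, 5, 1, 12, 5), "key-maps-02", "maps", 0.01),
]

def classify(ts, key_id, service):
    """Return the list of findings for one usage record."""
    key = KEYS.get(key_id)
    if key is None:
        return ["unknown-key"]
    findings = []
    # A key issued for one product being used against another one.
    if service not in key["intended"]:
        findings.append("out-of-scope-service")
    deleted = key["deleted_at"]
    if deleted is not None and ts >= deleted:
        if ts - deleted <= REVOCATION_WINDOW:
            findings.append("used-during-revocation-lag")
        else:
            # Past the reported lag: the deletion did not take effect at all.
            findings.append("used-after-revocation-window")
    return findings

def audit(usage):
    """Collect flagged records and total the cost attributable to them."""
    flagged = [(ts, k, s, c, f) for ts, k, s, c in usage if (f := classify(ts, k, s))]
    exposure = sum(c for _, _, _, c, _ in flagged)
    return flagged, exposure

if __name__ == "__main__":
    flagged, exposure = audit(USAGE)
    for ts, key_id, service, cost, findings in flagged:
        print(ts.isoformat(), key_id, service, f"${cost:.2f}", ",".join(findings))
    print(f"flagged spend: ${exposure:.2f}")
```

Because deletion is not immediate, the flagged spend during the lag is cost the key owner still carries, which is why a budget alert or quota cap is needed alongside key deletion.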

DeFi’s $635 Million Wake-Up Call

The AI security crisis extends far beyond cloud platforms. April 2026 saw a record 28 DeFi exploits totaling $635 million stolen — roughly four times the entire Q1 loss. AI tools have made finding smart contract vulnerabilities 100x cheaper, while writing secure code remains expensive. Even long-tenured contracts are no longer safe: KelpDAO lost $293 million through a forged cross-chain message, and Drift Protocol lost $285 million after a months-long social engineering campaign.

In response, ConsenSys Diligence has built Chonky, a continuous, AI-powered smart contract auditing agent. Deployed on STRATO — a real-world-asset platform built around tokenized gold and silver — Chonky performs ongoing audits that evolve with the codebase, scanning repositories and learning from human security engineers. “Each scan feeds the next,” said lead researcher Sergii Kravchenko. “Instead of starting fresh every audit, the context compounds.” STRATO reports that successive passes have surfaced higher-impact issues with fewer false positives.

Ready (formerly Argent), whose smart contract wallet is integrated into the Starknet flows of Binance, Kraken, and OKX, is also testing the agent. The company has maintained a zero-hack record since 2017. “Static audits made sense when DeFi was experimental and code rarely changed,” said STRATO CEO Kieren James-Lubin. “The market has moved on. Code ships faster, attackers move faster, and defenders need AI in the loop.”

As Google grapples with its own API key vulnerabilities and ConsenSys pushes toward agentic defense, the broader message is clear: security in the age of AI requires continuous, automated vigilance — or DeFi risks stalling under the weight of underwriting costs and eroding trust.
