Aikido Security says Google API keys can continue authenticating after deletion, creating a short but meaningful gap for teams responding to leaked credentials in AI projects.

The company published research showing successful authentications for as long as 23 minutes after a Google API key was deleted, with a median window of about 16 minutes across its tests. Aikido framed the issue as especially relevant when a Google Cloud project has Gemini access enabled, because an exposed key can be used for billable model calls and, depending on the project setup, may expose uploaded files or cached conversation context.

The finding landed as Google Cloud executives are urging companies to treat AI security as a platform-level concern rather than something added after deployment. TechCrunch tied the research to a broader discussion with Google Cloud COO Francis de Souza, who warned that enterprises now need to protect models, prompts, data pipelines, and agents, not just conventional network assets.

The practical takeaway is narrower than a full Google Cloud breach: deleting a compromised key may not be an instant kill switch. Security teams using Google API keys around Gemini or other services should treat revocation as a process with a delay, watch logs after deletion, rotate affected credentials, and prefer credential patterns with tighter scope where possible.
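
One way to act on "watch logs after deletion", as an added example that is not from Aikido or Google: it scans request records for a deleted key and reports whether the key was still accepted and whether it has been quiet long enough to call dead. The log format, key IDs, timestamps and the 30-minute quiet period are constructed assumptions, not a real Google Cloud log schema.

```python
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical normalized format:
# "<UTC timestamp> <key id> <HTTP status>". Not a real Google Cloud schema.
SAMPLE_LOG = """\
2025-01-10T09:58:12Z key-A 200
2025-01-10T10:00:40Z key-A 200
2025-01-10T10:07:05Z key-B 200
2025-01-10T10:15:31Z key-A 200
2025-01-10T10:19:02Z key-A 403
2025-01-10T10:21:47Z key-A 403
"""

# Quiet period required before treating the key as dead. Set above the
# 23-minute maximum reported in the research; 30 minutes is an assumption.
QUIET_PERIOD = timedelta(minutes=30)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def post_deletion_report(log_text, key_id, deleted_at, now):
    """Summarize requests made with `key_id` at or after its deletion time."""
    accepted, rejected = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[1] != key_id:
            continue  # skip malformed lines and other keys
        ts, status = parse_ts(parts[0]), int(parts[2])
        if ts < deleted_at:
            continue  # pre-deletion traffic is reviewed separately
        # Only 2xx counts as "still authenticating"; everything else is a rejection.
        (accepted if 200 <= status < 300 else rejected).append(ts)
    last_ok = max(accepted) if accepted else None
    # The quiet period restarts at the last accepted request, so one late
    # success pushes the "confirmed dead" time out again.
    quiet_since = last_ok or deleted_at
    return {
        "accepted_after_delete": len(accepted),
        "rejected_after_delete": len(rejected),
        "observed_window": (last_ok - deleted_at) if last_ok else timedelta(0),
        "confirmed_dead": now - quiet_since >= QUIET_PERIOD,
    }
```

Every request counted under `accepted_after_delete` is one to review for billable calls or data access, since it succeeded after the team believed the key was gone.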

This is another example of AI infrastructure turning familiar developer hygiene into higher-stakes incident response. Keys that once mostly controlled maps or backend API calls can now sit near models, files, prompts, and unexpected cloud spend.