I came across this article:
https://thehackernews.com/2026/02/thousands-of-public-google-cloud-api.html
Short version:
Teams had API keys in their code, mostly for simple things like billing or basic services. Then they enabled the Gemini API.
Using the same keys.
But now they could:
Access new endpoints
Interact with AI services
Reach data they were not meant to
Generate unexpected costs
No exploit.
No code broken. Just a change in behavior.
What’s interesting here is not the AI itself.
It’s the assumption: “this key is not sensitive.”
That assumption changed.
But the controls didn’t.
This is very close to what we see in application logic issues:
permissions that grow over time
APIs that behave differently after changes
things that are “technically allowed” but shouldn’t happen
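One way to catch this kind of drift before it becomes a bill is to compare each API key's restrictions against what the project currently has enabled. The script below is an added example (not from the post or the linked article, and not Google's code). The key export is a constructed sample that follows the field layout of the API Keys API v2 Key resource (restrictions.apiTargets[].service); in practice you would feed it the JSON from `gcloud services api-keys list --format=json` and `gcloud services list --enabled`. The list of "high-impact" services is an assumption for the example.

```python
import json

# Constructed sample in the shape of the API Keys API v2 Key resource
# (restrictions.apiTargets[].service). Names and values are made up for this
# example; a real export comes from `gcloud services api-keys list --format=json`.
SAMPLE_KEYS_JSON = """
[
  {"name": "projects/example-proj/locations/global/keys/k1",
   "displayName": "billing-dashboard",
   "restrictions": {"apiTargets": [{"service": "cloudbilling.googleapis.com"}]}},
  {"name": "projects/example-proj/locations/global/keys/k2",
   "displayName": "legacy-web-key"},
  {"name": "projects/example-proj/locations/global/keys/k3",
   "displayName": "mobile-maps",
   "restrictions": {"apiTargets": [{"service": "maps-backend.googleapis.com"}],
                    "androidKeyRestrictions": {"allowedApplications": []}}}
]
"""

# Constructed: services currently enabled on the project, as listed by
# `gcloud services list --enabled`. Gemini was enabled after the keys existed.
SAMPLE_ENABLED_SERVICES = [
    "cloudbilling.googleapis.com",
    "maps-backend.googleapis.com",
    "generativelanguage.googleapis.com",
]

# Assumed for the example: services whose reachability changes a key's risk.
HIGH_IMPACT_SERVICES = {
    "generativelanguage.googleapis.com",  # Gemini API
    "aiplatform.googleapis.com",          # Vertex AI
}


def load_keys(text):
    """Parse a key export; accepts a bare list or the {"keys": [...]} list response."""
    data = json.loads(text)
    return data["keys"] if isinstance(data, dict) else data


def allowed_services(key):
    """Services the key's API restriction permits; empty set means no restriction."""
    targets = key.get("restrictions", {}).get("apiTargets", [])
    return {t["service"] for t in targets}


def audit_keys(keys, enabled_services):
    """For each key, compute what it can reach today given the enabled services."""
    enabled = set(enabled_services)
    findings = []
    for key in keys:
        allowed = allowed_services(key)
        unrestricted = not allowed
        # An unrestricted key follows the project: every newly enabled API is
        # automatically in scope. A restricted key only reaches the intersection.
        reachable = enabled if unrestricted else allowed & enabled
        findings.append({
            "name": key["name"],
            "displayName": key.get("displayName", ""),
            "unrestricted": unrestricted,
            "reachable": sorted(reachable),
            "high_impact": sorted(reachable & HIGH_IMPACT_SERVICES),
        })
    return findings


def needs_review(findings):
    """Keys whose effective scope is unbounded or includes a high-impact service."""
    return [f for f in findings if f["unrestricted"] or f["high_impact"]]


if __name__ == "__main__":
    results = audit_keys(load_keys(SAMPLE_KEYS_JSON), SAMPLE_ENABLED_SERVICES)
    for f in needs_review(results):
        print(f"{f['displayName']}: unrestricted={f['unrestricted']} "
              f"reaches {f['reachable']}")
```

On the sample, only `legacy-web-key` is flagged: it had no API restriction when it was created, so enabling the Gemini API silently put that service within its reach. The two restricted keys keep the scope they were given. Running this against a project export each time a new service is enabled turns "the assumption changed" into a diff you can actually see.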
We put together a quick poll to understand how people handle this in real environments:
👉 [Link to poll]
We’ll share the results here once we collect enough responses.
Curious to hear how you approach this today.
Stay safe and proactive