The promise of artificial intelligence has always carried a second, less comfortable question: what happens when the same systems built to accelerate work are used to accelerate attacks? That question is no longer theoretical. Google, one of the companies shaping how AI is built, deployed, and secured, is now dealing with the same fast-moving security problem facing the rest of the industry.

The broader story is not that Google lacks security expertise. It is that AI has changed the rhythm of cybersecurity itself. Models can generate code, summarize technical documentation, scan systems, write convincing messages, and help users reason through complex tasks. Those same abilities are useful to defenders and attackers alike. Security teams are trying to harden AI systems while criminal and state-backed actors test how far those systems can be pushed.

Google’s own threat intelligence teams have reported that hackers are using AI models to write and modify malware, craft highly targeted phishing lures, and search for software weaknesses at scale. In May 2026, the company disclosed that it had disrupted a criminal group that used an AI model to help discover and exploit a previously unknown zero-day vulnerability, likely as part of a planned mass exploitation campaign.

That disclosure sharpened an uncomfortable reality for the AI industry. The companies building the most advanced systems are not simply defending traditional software anymore. They are defending AI products, AI infrastructure, and a new class of attackers using AI as part of the toolkit.

Google’s Gemini flaws show the new attack surface

The challenge is visible inside Google’s own ecosystem. In 2025, security researchers uncovered a set of vulnerabilities across parts of the Gemini environment, including Cloud Assist, search personalization, and a browsing-related tool. The flaws were described as a “Trifecta” because they showed how several AI-connected services could be manipulated through hidden instructions.

The core problem was prompt injection. In a conventional software attack, hackers usually exploit a coding bug, weak permission setting, or exposed system. In AI systems, attackers can sometimes hide instructions inside content that a model later reads, such as logs, browsing history, documents, emails, or web pages. If the model follows those instructions without enough filtering, it may reveal data, take unwanted actions, or interact with unsafe links.

That kind of vulnerability is especially difficult because it does not always look like a normal exploit. A malicious instruction can be embedded in ordinary-looking text. An AI assistant may process it as context rather than as an attack. The more AI tools are connected to email, cloud storage, browsers, calendars, developer tools, and company data, the more dangerous that design problem becomes.

Google patched the Gemini-related issues by blocking dangerous links, strengthening how prompts are handled, and tightening what data Gemini could access or send out. The fixes mattered, but the episode became a useful case study in the new security environment. Even a company with deep defensive resources can ship AI systems that behave unpredictably once they meet the open internet.
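One of the mitigations named above, blocking dangerous links in what the model sends out, can be sketched as an output filter. This is an added example, not Google's code: the allowlisted hosts, the function names and the sample model output are all hypothetical and constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allowlist; a real deployment would load this from policy.
ALLOWED_HOSTS = {"docs.example.com", "support.example.com"}

# Any scheme://... run, stopping at whitespace, quotes and closing brackets
# so Markdown links and images are caught as well as bare URLs.
URL_RE = re.compile(r"""\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s<>"')\]]+""")

def is_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """Allow only https URLs whose exact hostname is on the allowlist."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # ignores any user:pass@ prefix
    except ValueError:         # malformed URL: fail closed
        return False
    if parts.scheme != "https" or host is None:
        return False
    # Exact match only, so "docs.example.com.other.invalid" does not pass.
    return host.lower().rstrip(".") in allowed_hosts

def filter_links(model_output, allowed_hosts=ALLOWED_HOSTS):
    """Return (sanitized_text, blocked_urls) for one model response."""
    blocked = []

    def _replace(match):
        url = match.group(0)
        if is_allowed(url, allowed_hosts):
            return url
        blocked.append(url)    # keep for abuse monitoring and alerting
        return "[link removed]"

    return URL_RE.sub(_replace, model_output), blocked

# Constructed sample: a response produced after the model read content
# carrying hidden instructions, so it now includes off-policy links.
SAMPLE = (
    "Summary: 3 failed logins. Runbook: https://docs.example.com/runbook "
    "[details](https://collector.invalid/c?d=PROJECT_ID) "
    "https://docs.example.com@collector.invalid/x"
)

if __name__ == "__main__":
    clean, blocked = filter_links(SAMPLE)
    print(clean)
    print("blocked:", blocked)
```

The filter runs on model output rather than on the input, so it still applies when a hidden instruction gets past input-side prompt handling.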

Attackers are starting to automate the hunt

The threat is not only that AI products can be attacked. It is also that AI can help attackers find weaknesses faster. Google’s Threat Intelligence Group has observed both criminal groups and state-backed actors using AI for reconnaissance, phishing, malware development, and vulnerability research.

The 2026 zero-day case made that concern more concrete. According to Google’s account, hackers used a large language model to help uncover a vulnerability that could bypass two-factor authentication on a widely used admin tool. The group appeared to be preparing for a broader exploitation event before Google intervened.

That is the scenario security leaders have warned about for years. AI does not need to make every attacker elite. It only needs to lower the time, cost, and skill required to perform parts of the attack chain. A weaker operator can use AI to draft better phishing emails. A more advanced group can use it to speed up code analysis. A criminal marketplace can package offensive AI services for others.

Underground tools and services are already emerging around vulnerability discovery and exploit development. Names such as OpenClaw have appeared in discussions about AI-assisted offensive security, signaling a growing gray and black market around automated hacking workflows. The danger is not that AI invents cybercrime from scratch. The danger is that it makes existing cybercrime faster, cheaper, and easier to scale.

Google wants AI to defend against AI

Google’s answer is not to slow down AI adoption. Instead, the company is trying to build a security framework around it. Its Secure AI Framework, known as SAIF, lays out a six-part model for organizations building and protecting AI systems. The framework focuses on understanding use cases, hardening models, securing infrastructure, monitoring abuse, protecting data, and applying red-team testing before and after deployment.

This reflects a major shift in how companies need to think about security. AI systems are not just another application layer. They involve training data, model behavior, prompts, inference systems, user permissions, third-party integrations, and output controls. A weakness can come from software code, but it can also come from how a model interprets language or how much authority an assistant is given inside a workflow.

Google is also selling AI as part of the defense. Its security and cloud teams are promoting Gemini-powered tools that can help detect threats, summarize incidents, analyze alerts, and speed up response work. For security teams overwhelmed by logs and attack volume, AI could become a useful assistant.

That creates the central tension of the moment. The same abilities that help defenders, including pattern recognition, code generation, automation, and rapid analysis, also help attackers. AI is not purely a shield or a weapon. It is both, depending on who is using it and what guardrails surround it.

No one has a finished blueprint yet

The phrase “everyone is navigating AI security in real time” captures the state of the industry with unusual accuracy. AI systems are being integrated into search, email, browsers, cloud platforms, productivity software, developer tools, and security products at a pace that traditional security playbooks were not designed to match.

Governments are trying to catch up. Agreements to test advanced models from major companies before release are beginning to form, but standards remain uneven. Regulators are still working out how to classify AI risks, what companies should disclose, and how much testing should be required before powerful systems reach the public.

For now, the burden remains largely on companies to test, patch, monitor, and adjust as new risks appear. Google’s experience shows why that is difficult. The company has the resources to publish frameworks, run red teams, monitor global threats, and patch major products quickly. Yet it is still discovering flaws after deployment and responding to attackers who are experimenting just as quickly.

That does not mean AI security is failing. It means the field is still being built while the technology is already in use. Every major AI rollout now carries two questions at once: what can this system do, and what can someone make it do that it was never meant to do?

Google’s position makes the story especially important. If even one of the world’s most capable technology companies is still learning where the weak points are, the rest of the market should not treat AI security as a solved problem. The race is active, uneven, and accelerating. Defenders are improving their tools. Attackers are doing the same. And for the moment, both sides are learning in public.
