By NHI Mgmt Group Editorial TeamPublished 2026-03-06Domain: Workload IdentitySource: Swarmnetics

TL;DR: Exposed Google API keys that were once treated as low risk can now be abused for Gemini AI usage and data access, with scanned code repositories and webpages revealing thousands of visible keys and potential surprise bills in the thousands within a day, according to Swarmnetics. The control failure is not the key itself but the lack of inventory, review, and rotation after its authorisation scope changed.


At a glance

What this is: This article argues that older exposed Google API keys can now become Gemini AI access paths, turning routine code leakage into billing abuse and possible data exposure.

Why it matters: IAM and NHI teams need to reassess long-lived API keys because authorisation changes can transform previously tolerated exposure into active identity risk.

👉 Read Swarmnetics's analysis of exposed Google API keys and Gemini AI abuse risk


Context

Google API keys were often treated as low-concern credentials when they only enabled routine service access, but Gemini AI authorization changes that assumption. Once the same key can invoke generative language features or reach stored content, public exposure becomes a direct identity and cost-control problem rather than a minor hygiene issue.

For IAM and NHI programmes, the problem is lifecycle drift. A key created years ago can quietly gain a new blast radius without a corresponding governance reset, which means inventory, entitlement review, and rotation have to follow the scope change, not just the original issuance date.


Key questions

Q: What breaks when an old API key gains new AI permissions?

A: A previously tolerated exposed key can become an active access path the moment it is authorised for AI services. The failure is governance drift, not just leakage. That means inventory, ownership, and revocation processes must be tied to current entitlements, because the same credential may now create spend, data exposure, or both.

Q: Why do exposed service keys become more dangerous when AI features are added?

A: Because the key remains easy to reuse while the service it unlocks becomes more valuable and more expensive to abuse. A public key that once meant routine API access can now trigger metered AI usage or content retrieval. That turns a simple secret into a combined identity, cost, and confidentiality risk.

Q: How do security teams know if API key exposure is turning into real abuse?

A: Look for billing spikes, abnormal query patterns, keys appearing in public code paths, and AI-enabled credentials with no clear owner. The clearest warning sign is when a key still works after its original application context no longer matches its current permissions. That is a lifecycle failure, not a one-off leak.

Q: Who is accountable when an exposed API key is used for Gemini AI abuse?

A: The accountable owner is the team responsible for the key's lifecycle, scope, and revocation, not just the team that first created it. If the credential gained new permissions over time, governance failed to reassess its status. Identity and cloud platform teams should share responsibility for entitlement visibility and retirement.


Technical breakdown

Why exposed API keys become a Gemini AI identity problem

A Google API key is a static bearer credential, so anyone who sees it can often reuse it without additional authentication. The risk changes when that key is granted Gemini AI-related permissions, because the same identifier can now trigger metered usage or reach stored content. In practice, the identity object did not become more secret, but its authority did become more consequential. That makes code search, public repository scanning, and page-source exposure a live access path rather than just a configuration mistake.

Practical implication: treat every externally visible API key as a candidate entitlement review item, not just a secrets-cleanup task.

How authorisation drift turns old keys into new attack surfaces

Authorisation drift happens when a credential retains its original form but gains new capabilities over time. Here, keys that predated Gemini AI may have been reused or reinterpreted under newer permissions, which means old assumptions about harmless exposure no longer hold. The technical issue is not only leakage but scope expansion without a clean reissue or retirement event. That creates a governance gap between key ownership and current privilege, especially where application teams do not track which APIs are enabled on legacy credentials.

Practical implication: compare current key capabilities against original provisioning intent and retire any credential whose live scope no longer matches its business purpose.

Why leaked keys can affect both billing and data access

The abuse pattern has two layers. First, an attacker can use a valid key to run up query volume and generate cost. Second, if the key also exposes access to stored outputs or linked data paths, the attacker may be able to prompt the service for content already associated with that credential. That makes the key a dual-purpose risk: it is both a spend-control weakness and a potential data exposure vector. The material concern is that consumption and confidentiality collapse into the same credential event.

Practical implication: monitor unexpected API consumption alongside data access paths, because billing anomalies may be the earliest signal of credential abuse.


Threat narrative

Attacker objective: The attacker wants to monetise a valid exposed key by driving up Gemini AI usage or extracting accessible content tied to that credential.

  1. Entry occurs when an exposed Google API key is discovered in webpage source code, application code, or a public repository.
  2. Escalation follows when the valid key is used against Gemini AI-enabled services or stored content endpoints to generate chargeable activity or retrieve data.
  3. Impact lands as unexpected billing growth and possible exposure of private data associated with the compromised key.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Authorised exposure is the real failure mode: A Google API key that becomes Gemini-capable without a governance reset is no longer the same credential. The identity object stays static, but the permission model changes underneath it, which means historical exposure now carries current-risk consequences. Practitioners should treat scope changes as a reclassification event for every previously tolerated key.

Credential inventory is now a cost-control control, not just a security control: This case shows that a visible API key can convert directly into metered AI spend before any traditional security alert fires. That collapses the old separation between identity hygiene and cloud billing governance. Teams that do not track which keys can invoke generative services will miss the first abuse signal entirely.

Public-code secret exposure has moved from nuisance to privilege expansion: The issue is not simply that secrets appear in repositories or page source. The deeper problem is that legacy keys can accumulate new privilege after creation, so exposure that once looked low impact can suddenly grant access to high-value AI capabilities. The implication is that long-lived bearer credentials need lifecycle review whenever downstream services change.

Runtime AI access should be governed like any other high-risk NHI entitlement: Gemini access tied to an API key behaves as a machine identity with business impact, not a convenience feature. The controls that matter are ownership, scope visibility, revocation speed, and auditability, because the attacker does not need to break authentication if the credential is already valid. Practitioners should align AI-service access with NHI governance rather than legacy developer assumptions.

Identity blast radius is expanding faster than change control: The named concept here is identity blast radius, meaning the difference between a credential's original purpose and its newly available actions. When that radius expands without a deliberate review, the organisation inherits exposure it never explicitly accepted. Security teams need to measure that delta and not just whether the secret is present in code.

From our research:

  • 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation, according to the State of Secrets Sprawl 2026.
  • In 2025, 24,008 unique secrets were exposed in MCP configuration files, showing how AI-adjacent tooling can generate large new identity exposure surfaces, according to the State of Secrets Sprawl 2026.
  • For a broader view of credential leakage patterns across NHI estates, see the 52 NHI Breaches Report.

What this signals

Identity blast radius is now the better planning metric than simple secret presence. A credential that gains AI permissions after creation can turn a dormant exposure into active spend and data risk, so teams need lifecycle controls that track entitlement change as closely as they track secret discovery.

The operational signal is ownership drift. When API keys live in code, repos, and cached endpoints longer than their original application context, the programme loses the ability to say who can revoke them, which makes any later exposure materially harder to contain.

That pattern aligns with broader secrets-sprawl evidence in the State of Secrets Sprawl 2026 and reinforces why machine-identity governance now sits inside IAM, not beside it.


For practitioners

  • Inventory every Google API key with current AI entitlements Find keys in source code, repositories, build logs, and configuration files, then verify whether any key has Generative Language API access or an unrestricted warning state. Link each key to an owner and business application so legacy credentials are not left outside lifecycle control.
  • Rotate and reissue long-lived keys whose scope changed If a key was created before Gemini AI was in use, treat it as a legacy credential and reissue it under current access policy rather than preserving historical exposure. Remove the old key, confirm downstream application updates, and validate that the retired credential no longer works.
  • Separate AI-service consumption monitoring from general API monitoring Build alerting for unusual Gemini query volume, sudden billing spikes, and access from unexpected repositories or applications. Billing anomalies can be the first indicator of abuse, so finance and security telemetry need to be connected before loss accumulates.
  • Scan public code paths for live bearer credentials Search webpage source, GitHub repositories, app bundles, and cached endpoints for exposed keys, then prioritise anything with AI-service reach. Use the result to drive revocation, not just remediation tickets, because exposed credentials remain usable until they are removed.
  • Review stored content endpoints tied to AI credentials Check any /files/ and /cachedContents/ style endpoints or equivalent storage paths linked to AI access. Ensure the credential cannot retrieve more content than the application owner intended, especially where old keys now have newer service permissions.

Key takeaways

  • Old API keys are no longer low-risk once they gain AI-service permissions.
  • The measurable danger is not only exposure but rapid billing abuse and possible data access.
  • Inventory, entitlement review, and revocation have to follow scope changes, not just secret discovery.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and MITRE ATT&CK address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Exposed API keys and secret lifecycle failures are central to this article.
NIST CSF 2.0PR.AC-4The article is about access scope drift and least-privilege failure for machine identities.
NIST SP 800-53 Rev 5IA-5IA-5 governs authenticator management, including key rotation and revocation.
NIST Zero Trust (SP 800-207)Zero Trust assumptions are challenged when a public bearer key can still invoke AI services.
MITRE ATT&CKTA0006 , Credential Access; TA0010 , ExfiltrationThe abuse path includes credential use and possible data retrieval through valid access.

Review public key exposure against NHI-01 and remove any credential that can be replayed from untrusted locations.


Key terms

  • Authorisation Drift: Authorisation drift is the condition where a credential keeps its original form but acquires new permissions over time. In identity programmes, it often appears when legacy keys are reused for newer services without a fresh governance review, creating a gap between original intent and live access.
  • Identity Blast Radius: Identity blast radius is the amount of damage a credential can cause once it is exposed or abused. For API keys and other non-human identities, the blast radius grows when the same secret can trigger billing, data access, or administrative actions beyond what was originally intended.
  • Bearer Credential: A bearer credential is a secret that grants access to whoever possesses it, without extra proof of identity at use time. API keys, tokens, and similar secrets are dangerous when exposed publicly because possession alone is often enough to replay them from another environment.
  • Secret Lifecycle Governance: Secret lifecycle governance is the set of controls that track who owns a credential, where it is used, what it can access, and when it must be rotated or revoked. In mature NHI programmes, discovery is only the first step, because the real control is timely retirement.

What's in the full article

Swarmnetics's full article covers the operational detail this post intentionally leaves for the source:

  • The exact Gemini settings and warning states that indicate a key is unintentionally AI-enabled.
  • Practical checks for spotting exposed keys in webpage source, GitHub repositories, app code, and cached endpoints.
  • Guidance on how to rotate legacy credentials without breaking dependent applications.
  • Examples of the specific abuse pattern that can turn a visible key into billing and data-access risk.

👉 Swarmnetics's full article covers the key checks, abuse pattern, and remediation steps in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org