Thomas Kurian
CEO of Google Cloud, Google Cloud

Resilience Universe with Sanjay Poonen | Google Cloud CEO Thomas Kurian

🎥 May 23, 2023 📺 Cohesity ⏱ 24m 👁 52 views
In this conversation, Cohesity CEO Sanjay Poonen talks with Google Cloud CEO Thomas Kurian about topics every tech leader needs to understand right now. AI: How Google thinks about the evolution from chatbots to enterprise agents—and the five-layer stack powering it all. Security: Why scanning code isn't enough, how Wiz fits into a comprehensive security strategy, and the four-step framework CISOs should adopt today. Sovereign cloud: Why data residency and air-gapped environments are becoming critical for global enterprises and governments. Leadership: Thomas Kurian's principles for leadin...

About Thomas Kurian

Thomas Kurian, CEO of Google Cloud, has been active in public appearances discussing the company's AI strategy and product announcements. In a May 2023 podcast, Kurian described the evolution of AI from knowledge management and content generation to the development of "agents" that can automate tasks. He stated that Google does not view AI models as replacements for employees, but rather as tools to help engineers become more skilled. Kurian also discussed sovereign cloud offerings, which he said address customer concerns about data control and government access, and outlined a four-step security framework involving planning, scanning, and remediation. At the Google Cloud Next '26 keynote in April 2026, Kurian announced that nearly 75% of Google Cloud customers use the company's AI products. He introduced the Gemini Enterprise Agent Platform, describing it as "mission control for the agentic enterprise," and unveiled eighth-generation TPUs with two specialized platforms for training and serving. Kurian also announced that migrating from Microsoft 365 to Google Workspace is now up to five times faster, and that Google Cloud will offer the NVIDIA Vera Rubin NVL72. In a separate interview, Kurian stated that owning their own chip IP helps Google maintain attractive unit economics in a capacity-constrained environment.

Source: AI-verified profile updated from Thomas Kurian's recent appearances.

Transcript (23 segments)
✨ AI-enhanced transcript with speaker attribution
Narrator 0:05
This is Resilience Universe, a podcast about leadership, resilience, and transformation at the intersection of AI and data security, hosted by Cohesity CEO and President Sanjay Poonen.
Sanjay Poonen 0:19
Hello everyone. Welcome to my next podcast. I'm here with my really good friend Thomas Kurian. Thomas, good to see you.
I've known Thomas for many decades. A short story: he and I grew up in the same town in Bangalore. Our families know each other. He went to the rival school. We actually competed with each other at SAP and Oracle. And then when I left and joined VMware, I was so happy to be finally his partner and friend first at VMware and at Google. We did some good things together. But here I'm really excited because I want to talk about not just what Cohesity and Google are doing together, but I want to talk about three topics during the course of this podcast. One is Google's vision for AI. That's really at the forefront of all of your minds. Security, now that they've acquired Wiz, that's a big part of the story, too. And third, his lessons of leadership. So maybe we could start with you took over now how many years ago? That's seven years. He's now CEO of Google Cloud and I think it was single-digit billions and now it's like 80 billion run rate. So incredible job. It's growing really fast. But I came back from your Google Cloud conference and it was all about AI. Where you could start then and give the listeners a little bit of what were some of those key themes that you're hearing that they should also hear about at the forefront of AI.
Thomas Kurian 1:33
You know, we talked about two just really important things. One is AI has moved as the skills of models have evolved. AI has moved from primarily being used as a more expressive knowledge finding tool and knowledge management system, which was the first version if you think about chat. It then moved into content generation like you could create content with it. And now the big thing that we see a lot of people wanting and using our AI for is to build agents and agents whether they're to write code and help them assist writing code or to build agents to automate various tasks and processes within the organization. So we announced a new platform, Gemini Enterprise Agent Platform, that gives you all the capabilities to build and deploy and operate agents.
The second thing was in order to do AI well we've always felt you needed a stack and so we built a vertical stack. It's open at every layer but we're engineering a number of the pieces. So at the foundational level we have our own accelerators, TPUs. We've built our own models. We also offer a choice of Anthropic and other models but we do provide a suite of models, Gemini, in order to have agents do their work. Well, you also need to have them reason on information within the company. We call that context. And so we offer a new platform to build using a knowledge catalog rich context to help models reason well. Obviously with all the information happening on security threats from AI, we had a new security platform to protect companies' systems using AI and then finally bring it into day-to-day workflow whether this in our collaboration tools, customer service. So it's a whole stack as well. So our big two themes were around the evolution of AI from chat to now agents and second to do that well we offer a vertically optimized stack of technology to make you use agents really well.
Sanjay Poonen 3:56
And I think that stack is probably worth doing. Jensen talks about his five layer stack and that diagram that you showed at Google Cloud was a money chart. Maybe you can just walk through what are the three or four or five layers of that stack you mentioned a few of them. Yes. So the audience has it with clarity. I thought that picture was probably the most important picture for everyone to take away.
Thomas Kurian 4:14
So the five pieces in our stack is at the foundational level sits the infrastructure. This is TPU accelerators, compute, storage, networking. On top of that is foundational models and research. So that's what we're doing with Gemini and our whole portfolio around Gemini, Imagen, Veo, all of our models. Next is the tool set to build AI systems out of it. This is our Gemini Enterprise Agent Platform which gives you all the tools. Then to reason on your data, what we call our Agentic Data Platform. This is the thing that takes all the data in the company and makes it available as context to models to reason on. And finally, our agentic security platform which protects you and protects your information, your corporate systems from the risk of AI. Finally, at the topmost layer, we're offering packaged agents, packaged agents for collaboration, packaged agents for customer service, packaged agents for research, etc.
Sanjay Poonen 5:20
That's great. So, you kind of have the Jensen version of the five layer stack and here you have this one. I think that's very important. What were you had a couple of use cases also from customers that you talked about? What are the most common use cases you're seeing of where people are applying Gemini and the agentic approaches in functions? I think a few of them are like customer service. What are the most common ones you see from the customer base?
Thomas Kurian 5:44
The big ones I would say is you know we look at it across the different domains in a company. So in the back office we have a lot of people using Gemini to streamline the core processes within the company. So Virgin Voyages for example talked about how they're using Gemini to transform every element of how their organization works from finance to planning all the voyages to planning the food and other things that need to go on their legal department contracting. So one big thing we see is a lot of people using Gemini to enable their core workforce. Walmart does a similar thing. The second big thing that we see a lot of interest from customers is customer-facing. So Best Buy talked about how and a lot of them are sort of evolving. They start with I'm using it to help people find things online then buy them commerce and then handle upsell and cross-sell and finally service and they can do that from web from mobile from surfaces like Instagram so that you have access across all your channels so that's the second big area that we see. Third one is within the IT organization. We have a lot of people using it for the three big scenarios we see is for software engineering and coding to help do data analysis. You know today for example if you look at finance departments in many companies they used to say hey anytime we need to report numbers we always have to go to a database person to have them run all the queries. Why can't we just make this that I can just ask the question through a search system and have an agent go and find the data for me? So that's the data analysis and then cyber is the third part within the IT organization. So these are some of the big domains we see organizations using our AI systems for and we're doing many of that ourselves internally and I know many of our joint customers who are listening to this are also using that.
Sanjay Poonen 8:00
It's great. It's so exciting. You know, I came back from that conference pretty energized about the future of AI. Maybe we can shift now that you have Wiz, you're a prominent player. It's security at Mandiant. You've got this, there's so much talk today about these frontier models in the context of Mythos and other things. Yes, we just had a conversation a few minutes ago about why, you know, that's just one piece of it. And all the frontier models. If you're just trying to fix code and scan code, that approach isn't sufficient. Maybe you can walk through first why given that's very topically relevant, how you advise CISOs to think about right now they're all they're thinking about is scanning code. How would you get them to get their head out of that and saying would you think about the X and the Y and the Z dimensions of what could go wrong? You need a different approach.
Thomas Kurian 8:44
So, you know, in general there are sort of three four important things that we talk to customers about. The first one is the risk from AI models is not just to source code of applications. The risk can affect binaries. It can affect firmware. It can affect a physical device like a network switch by compromising the firmware of that. And the reason is that models have gotten really good at understanding not just code but also configuration. Like for example they can understand your network and go if I access this switch then I can shut down this part of the network etc. So one thing is that models now have access to a lot more information and their ability to reason on them and so you need to think through what you are protecting is not just scanning your source code.
The second thing that we say is if you look at the rate at which models are advancing, you're going to end up scanning continuously and that can get both expensive but also just finding an infinite number of bugs you need a solution to help you repair it. So that's the second piece is scanning without fixing is not a solution.
The third one is when you look at the evolution of this whole infrastructure, the volume of applications, the volume of data, the volume of all the systems that companies run. If you then say I've got new models finding new things all the time, you then end up having to deal with an extraordinarily large surface area to patch, maintain, and update all the time. And so you can't just say I'm going to start at the start and go till the end because it's such a large estate of stuff. And the fourth complicating factor there's no one model that finds a superset of all the issues. In fact what many many companies are now reporting is a cheaper even a small open-source model with a good harness can find many of the vulnerabilities that a top-end model can do. So when you look at it, you know, you have these four issues. It's not just about source. It's about firmware, binaries, network, everything. Second, it's extremely frequent because you're going to have to get comfortable that models are going to come out all the time and just the volume of these issues is going to grow on you. The third one is just finding without repairing becomes challenging. And when you repair, you need to think about what are you going to focus on repairing. And lastly, no single model is the solution. You have to have a conglomeration of models. Like for example, saying this time I'm going to scan with this model. Next cycle I scan with another model. And so those are the four core beliefs we have based on all the data we've seen and based on what we're doing ourselves to protect Google systems.
Sanjay Poonen 11:50
That's great. Maybe we can talk now in that context. How does Wiz fit in the picture? You now acquired Wiz. Wiz is now commonly used by many of our customers. Given what you've just said, how can Wiz be part of that solution that sees social and capturing risk.
Thomas Kurian 12:06
So recognizing this list of four issues we've generally said you need to do four things. First you have to plan and prioritize what of all the many systems applications databases that you're going to prioritize first to do. Wiz gives you this graph of all the resources you have and systems, databases, applications, etc. and allows you to see which ones of those are most at risk, which ones are, for example, things you can protect by taking them off of public IP addresses, putting them behind a defense in depth like for example in a zero trust environment so that you get some time to figure out what to remediate. So that's one thing it does. So step one is plan. Step two is scan. So on scanning in general we tell people you need to maintain a software asset management system that tells you these libraries and these applications were scanned with this model at this time. So Wiz gives you that ability to maintain that library and track it so that you can then say okay you know a new vulnerability was found and it was found with this model. Well, when I look at my systems, luckily I just finished scanning and fixing using that version, so I'm likely safe from it. So, the second is it allows you to scan, you know, to manage your software asset management. Third is we built in to the process of remediation. So, for remediation, we offer two solutions. One, several people say, Hey, I've got old code. It has vulnerabilities. Should I just rewrite it in a modern system? So we've integrated Gemini as well as other models so that you can help rewrite it and then you need to deliver a patch and to do the patch we're introducing a new product called Code Mender. So that allow think of it as an agent that's built on top of Gemini that looks at your code looks at the changes you made and can generate a patch.
Now to deploy that patch you have generally you need to know on what of the many systems in your company for example how many virtual machines need to be patched with that new library and then if there's a change in that library what are the dependent ones you need to change at the same time and Wiz gives you that as well. Finally, you know, you may think you're done but you're never done because the models keep improving and our general approach has been you want to the last step is to continuously test yourself and so because it's better you find a vulnerability before your adversary does. So with Wiz we have built something called a red agent. Think of it as a red teaming agent that you can deploy that autonomously tests your environment. And so what Wiz brings is it's not about scanning. It's about the tool set to repair. And to do that you need to prioritize. You need to then scan. You need to then remediate it, and you need to deploy and then monitor yourself. Wiz is built in using all of the models out there. We built those tools as agents into Wiz. Wiz works with Google Cloud. It works with AWS. It works with Azure. It works with on-premise environments. So, we give people that as a central pane of glass to protect themselves.
Sanjay Poonen 15:54
I think that's very comprehensive. In those last few minutes, you plan, you scan, you then, you know, fixing, you're remediating, and then you're testing that whole loop, and you repeat that. That's a very comprehensive process that I'd recommend all we were last week listening to this entire vision in Google's security briefing and we're excited at Cohesity to continue to partner. One of the things we've done together in the security domain is to ensure that we our perspective because we're on the right side of NIST. If you think of NIST as detect, prevent and then the right side is recover, remediate. We just assume that it's a matter of when everybody gets hit because the frequency and the speed of these models and everything we're doing is about recovery of data and apps very quickly. What we've done is sought to integrate deeply with all of the core Google services. We could run now a third copy cyber vault in optimized storage of Google. But one of the things we're also hearing from customers is this notion of being able to run in a sovereign cloud outside the US. That's because many of these cases they want the data in their country. That's I understand that's a big part of Google especially outside the US. Talk a minute or two about why the sovereign clouds are important for the non-US countries and maybe even for the federal inside the US.
Thomas Kurian 17:06
So we built since 2020 we've built sovereign offerings. These sovereign offerings address sort of three important things. One there are customers in international markets who are worried about you know government access to the information or lack of control of the information. And so we've built a version of our of Google Cloud. We call that Google Cloud Dedicated or Trusted which allows a customer to control the location of the data to control the way that the data is encrypted. They get to keep the keys and keep the keys even away from Google. They also control who has access to their environment. So they have all of that. In France and Germany, we now have accredited local partners who operate the cloud on our behalf and provide an additional supervisory control over SaaS and that's actually with Axion in France and we just announced an equivalent one in Germany and those are meant for regulated enterprises, government agencies etc. We also provide an air-gapped environment which has become incredibly popular with intelligence services, government customers, regulated for example telecommunications and financial services as it runs fully air-gapped. It can run Gemini and our AI platform for example and people want to use that to deal with highly classified or confidential information that's being deployed in many many countries around the world and so these give you the ability to use our latest tools but in compliance with government.
Sanjay Poonen 18:58
It's fantastic. So there's a lot we're doing cohesively with Google Cloud. I forgot to mention in security domain we're also heavily involved with Mandiant getting Mandiant feeds in our threat scanners. So and this of course in the sort of cyber vaulting area deploying cyber vault in Google Cloud but also taking advantage sovereign problem. I thought maybe we could end on a different note talk about a software topic. You're an incredible leader. I watched your career flourish from Oracle to Google. One of the things I admire about you, how you're able to go from a 50,000 foot level down to a five-foot level so effectively. So maybe you can give a lesson to all of the aspiring leaders. How do you manage the combination of detail that what I call helicopter leadership being able to fly at a high level when you need to because you're talking to maybe CEOs and heads of states and other times you've got to be deep in the engineering. What are some of the tips and tricks you'd give some of the aspiring leaders, the younger folks who want to be at Thomas one day?
Thomas Kurian 19:58
I've been fortunate to always work with great people. So, you know, particularly in the technology business, it's always important that we recognize that the products and the way we bring them to customers is because of the ideas people have. And so one important lesson we've always had is an aspiration to attract great people who can come up with these ideas and also lead. That's one. Second, you know, it's a courtesy for the teams I work with that I can get to the detail with that. You know, it's a simple thing that if you're an engineer or an engineering team and you're working hard on something that the person leading the organization is willing to get into sufficient detail that they appreciate what you're working on. And that gives them a sense of fulfillment also that the leadership understands. Lastly, in this environment that we're all in where the pace of technology is moving so quickly, it's really important at least for us, it has been true the last many years, but even now at this AI moment, to prioritize and so we are very clear how we that we need to do fewer things better rather than lots of things. And when you make prioritization decisions, it's enormously helpful if the leadership in the organization both has a coherent vision, but also they trust that the leaders making the decisions understand that and are making decisions based on an understanding of the products and solutions and customer needs. So all those have been important and so I spent a lot of time reading documents, talking to the engineers, meeting the people in the organization so that we can build a cohesive organization that has continues to have great aspirations and also takes care of our customers.
Sanjay Poonen 22:00
I like one key word there, cohesive. Sounds like my company but this is I mean you could spend hours with this guy. He's so able to distill some of the details. One of the things I enjoy about my conversations with him or walks with him is he takes a very complex topic. It's a mark of a great teacher being able to take a complex topic and simplify it. And all of you leaders, my advice to you is that the better you can get at being able to drive the complexity that so much of this tech is involved with and make it simple. I like to call it Sesame Street simple for people. I often I like going to the keynotes. I was used to go to Thomas' keynotes at Oracle. Even though I was at SAP and watch him, but now at Google Cloud too, it's an amazing amazing gift. Maybe just in closing Thomas for the CIOs and CISOs, they're watching you and a couple of other clouds. They're watching the frontier models. You're involved in both the cloud game and the frontier model. You know, what advice would you give them how they should be thinking about the next few years in tech?
Thomas Kurian 23:02
I you know I think you should assume that we always say the capabilities of models are going to advance. The best technology teams are not looking at these models as a replacement for their people. I mean just as an example we at Google are really committed to making sure our engineers become world class at using the models to write code but we're not looking at the models as a replacement for our teams. And the third is that the organizations that get really good at adopting this technology and having their people become really skilled at using it are actually the ones that are going to succeed. And so there's I think part of what we try to talk to people about is that having lived through this whole AI moment for so many years at Google, you know, if you look back, we've been working on AI for many many well before this Gemini. And you know, if you look at Google, we've mostly grown because we've been brave enough to accept the technology and integrate it rather than to resist it or to fear it. And I think some of the noise in the media is making people very anxious about job displacement and other things and sort of getting in the way of people wanting to adopt the technology, learn it, and then become great at using it in their day-to-day.
Sanjay Poonen 24:31
Great. Well, thank you so much, Thomas. I appreciate the time together. I hope you enjoyed this podcast together and there are many, many learnings. I'm sure I'm going to be watching it and re-watching it a couple of times. Thank you.
Thomas Kurian 24:43
Thank you. Thank you Sanjay.