AI’s small query, big bill: Energy, security, and safety realities executives can’t ignore
MIT Technology Review’s The Download spotlights four signals with board-level implications: Google says a typical Gemini query uses ~0.24 watt-hours; a China-linked campaign breached at least 200 US organizations (via US intelligence reports summarized by the Washington Post); AI infrastructure spending is lifting the real economy (NYT); and OpenAI/Anthropic safety tests show material behavior differences (Engadget, TechCrunch). Together, they reshape risk, regulatory exposure, and IT budgets.
Executive summary
- Costs and carbon: Per-query energy looks tiny, but total AI TCO is driven by training, data center buildouts, cooling/water, and peak power; that makes it a budgeting and ESG issue.
- Security escalation: A broad China-linked intrusion wave raises the floor for identity, logging, and backup hygiene; expect cyber insurance and compliance scrutiny to tighten.
- Model governance: Safety tests show different risk profiles (e.g., sycophancy vs. caution). Model choice becomes a compliance decision, not just a performance one.
Market context: Why this changes the competitive landscape
Google’s 0.24 Wh/query (≈0.00024 kWh) suggests fractions of a cent in electricity per prompt, but this excludes embodied carbon in chips, model training runs, network overhead, and the massive data center and grid capacity required to scale AI. Hyperscaler AI capex is now a macroeconomic driver, intensifying competition for GPUs, power, and space. Companies that secure stable power, efficient hosting, and transparent carbon accounting can scale AI faster and with lower regulatory friction (EU AI Act timelines and evolving ESG disclosures heighten this advantage).
Meanwhile, US intelligence agencies say a China-linked campaign compromised 200+ US entities—evidence that adversaries are pairing traditional intrusion methods with AI-accelerated tooling. Expect rising audit demands from customers, regulators, and insurers. Finally, cross-evaluations by OpenAI and Anthropic indicate material variance: Anthropic’s Claude skews more cautious; OpenAI’s smaller models showed sycophancy risks. This variance affects misuse risk, compliance posture, and the reliability of customer-facing automations.

Opportunity analysis: Where leaders can gain advantage
Energy as a strategic lever: Treat AI like a power-intensive industrial workload. Firms that negotiate power purchase agreements, choose low PUE/WUE facilities, and prioritize efficient model architectures will unlock cost and carbon headroom competitors lack.
Security as growth enabler: Elevating identity, telemetry, and backup maturity reduces breach externalities and can lower cyber insurance costs—freeing budget for AI initiatives while meeting customer and regulator expectations.

Model portfolio strategy: Align models to use cases by risk. Safety-forward models for regulated, high-stakes workflows; faster/cheaper models for low-risk internal tasks with guardrails (RAG, policy filters, human-in-the-loop). This balances velocity with compliance.
Action items for the next 90 days
- Publish an AI power and carbon budget: Include training/inference, data center efficiency (PUE/WUE), and grid mix; add it to TCO and ESG reporting.
- Procure capacity early: Lock colocation/GPU allocations and power contracts; require vendors to disclose PUE/WUE and renewable sourcing.
- Harden identity and telemetry: Enforce phishing-resistant MFA, conditional access, and privileged access management; turn on unified logging with 12 to 24 months of retention.
- Ransomware readiness: Implement EDR on endpoints/servers, immutable backups with 3-2-1-1, and quarterly recovery drills covering SaaS and cloud.
- Vendor and LLM governance: Catalog all model uses; apply NIST AI RMF-aligned risk assessments; select models based on safety benchmarks and context windows, not just price/speed.
- Policy guardrails: Add prompt filtering, data loss prevention, and red teaming for critical AI workflows; require human review for regulated outputs.
- Budget controls: Track cost per 1,000 tokens and power per inference; set rate limits and caching where user experience allows.
- Compliance runway: Map AI use to EU AI Act categories and sector rules; prepare documentation (data lineage, evaluation reports, incident logs) now to avoid retrofit costs.
Bottom line: Don’t let a small per-query number lull you. Competitive advantage will accrue to organizations that treat AI as an energy, security, and governance discipline—not just a model choice.