
API security practices are failing to keep pace with rapid adoption, creating significant business risks. The survey of 386 security leaders reveals that half have been forced to slow the rollout of new applications due to concerns over API vulnerabilities.
These delays underscore a critical friction point where the pace of innovation, driven heavily by AI and digital transformation, is outstripping security maturity.
The H2 2025 State of API Security report released by Salt Security indicates that the most prevalent issues found were vulnerabilities (41%), sensitive data exposure (34%), and authentication problems (33%), confirming that foundational security gaps remain a primary concern.
A tactical analysis of attack data shows a clear shift in the API threat landscape. An overwhelming 96% of attack attempts originated from authenticated entities, rendering traditional perimeter defenses inadequate.
The dominant attack vectors align with the OWASP API Security Top 10, with API8 (Security Misconfiguration) accounting for 78% of attack attempts and API1 (Broken Object Level Authorization) contributing another 10%.
This indicates that attackers are primarily exploiting governance and authorization failures rather than attempting to brute-force authentication.
The report highlights the dual nature of AI and API security. While AI/ML capabilities and AI agents are key drivers for API adoption, 56% of organizations also view generative AI as a growing security concern.
Leaders express apprehension about the potential for AI-generated code to introduce new vulnerabilities (45%) and the lack of control over the security of AI models (56%). Despite this, organizations are beginning to leverage AI as a defensive tool to streamline threat detection.
This dynamic requires organizations to establish formal governance frameworks to manage the secure adoption of AI in development and operations. The findings stress the necessity of continuous monitoring, behavioral anomaly detection, and robust authorization controls to mitigate modern threats.
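The two controls the report singles out, object-level authorization (the API1 class of failure) and behavioral monitoring of authenticated callers, can be shown side by side. The following is an added example, not code from Salt Security or the report: a handler that authenticates but never checks object ownership, the hardened version of the same handler that records every decision, and a small detector that flags an authenticated user who is repeatedly denied access to objects. The invoice store, user names, role name and audit-log format are all constructed for illustration.

```python
"""Object-level authorization plus denial monitoring (constructed example)."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: two users, each owning one invoice.
INVOICES = {
    "inv-100": {"owner": "alice", "amount": 120.0},
    "inv-200": {"owner": "bob", "amount": 80.0},
}

# Constructed stand-in for an API gateway audit log (one dict per decision).
AUDIT_LOG = []


@dataclass(frozen=True)
class Principal:
    """An authenticated caller; roles is a hypothetical claim set."""
    user_id: str
    roles: frozenset = frozenset()


class AccessDenied(Exception):
    pass


def get_invoice_vulnerable(caller: Principal, invoice_id: str) -> dict:
    """BOLA pattern: the caller is authenticated, but nothing ties the
    caller to the object being read, so any logged-in user can read any id."""
    record = INVOICES.get(invoice_id)
    if record is None:
        raise KeyError(invoice_id)
    return record


def get_invoice_hardened(caller: Principal, invoice_id: str, audit=None) -> dict:
    """Object-level check: owner or an explicit role, evaluated per object,
    and every decision is written to the audit log before a response is sent."""
    audit = AUDIT_LOG if audit is None else audit
    record = INVOICES.get(invoice_id)
    allowed = record is not None and (
        record["owner"] == caller.user_id or "finance_admin" in caller.roles
    )
    audit.append({"user": caller.user_id, "object": invoice_id, "allowed": allowed})
    if not allowed:
        # Same error for missing and foreign ids, so responses do not reveal
        # which identifiers exist.
        raise AccessDenied(invoice_id)
    return record


def flag_object_probing(log, threshold: int = 3) -> dict:
    """Behavioral signal: authenticated users whose denied object accesses
    reach the threshold. Returns {user_id: denied_count}."""
    denied = Counter(entry["user"] for entry in log if not entry["allowed"])
    return {user: n for user, n in denied.items() if n >= threshold}


if __name__ == "__main__":
    bob = Principal("bob")
    # Vulnerable handler lets bob read alice's invoice.
    print("vulnerable:", get_invoice_vulnerable(bob, "inv-100"))
    # Hardened handler denies the same request and logs it.
    for target in ("inv-100", "inv-300", "inv-400"):
        try:
            get_invoice_hardened(bob, target)
        except AccessDenied:
            pass
    print("flagged:", flag_object_probing(AUDIT_LOG))
```

The hardened handler passes the audit list explicitly so the same code can be exercised against a fresh log in tests; in a real deployment the log entries would be the gateway's access records, and the threshold would be tuned to normal per-user denial rates rather than fixed at three.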
“APIs are now central to digital transformation and AI, yet security controls remain inconsistent, reactive, and dangerously behind the curve,” said Eric Schwake, Director of Cyber Security Strategy at Salt Security.
“AI without API security is like driving a car blindfolded - if you can’t govern APIs, you can’t govern AI. Without immediate action, the unmonitored API attack surface will continue to expand, putting both innovation and resilience at risk.”
Another recent report highlighted that security gaps are forcing companies to rethink AI adoption, with over 85% of organizations slowing their rollouts.