Poor API security practices could put agentic AI deployments at risk

A new report exposes a disconnect between rapid API adoption and immature security practices, which threatens the success of critical AI and automation initiatives.

The study from Salt Security, based on responses from over 380 professionals tasked with managing APIs, finds 80 percent of organizations lack continuous, real-time API monitoring, leaving them blind to active threats targeting AI agents.

In addition 33 percent have experienced an API security incident in the past year, while 50 percent had to delay a new application rollout due to API security concerns. Only 19 percent say they are ‘very confident’ in the accuracy of their API inventory, while more than half (54 percent) rely on error-prone developer documentation to identify sensitive data exposure.

“APIs are now central to digital transformation and AI, yet security controls remain inconsistent, reactive, and dangerously behind the curve,” says Eric Schwake, director of cyber security strategy at Salt Security. “AI without API security is like driving a car blindfolded -- if you can’t govern APIs, you can’t govern AI. Without immediate action, the unmonitored API attack surface will continue to expand, putting both innovation and resilience at risk.”

While 62 percent of organizations have already adopted GenAI in API development, more than half (56 percent) view it as a growing security concern, particularly due to vulnerabilities in AI-generated code. At the same time, 59 percent are leveraging GenAI within their security operations, creating a dynamic that introduces both defensive opportunities and offensive risks.

There’s been rapid growth in API adoption, 41 percent of organizations report increases of 51–100 percent over the past year and a further 13 percent experienced growth of 101–200 percent. 42 percent of organizations now manage between 101 and 500 APIs, while 14 percent oversee more than 1,000, further demonstrating the accelerating scale and complexity of today’s API ecosystems.

Although nearly 80 percent of organizations increased their security budgets over the past year, most of these boosts were modest at under 15 percent. Budget limitations are cited as the top barrier by 25 percent of respondents, followed by resource shortages by 16 percent.

“AI adoption is rampant, but security is not keeping up. Existing tools miss the API execution layer, which means attackers can hijack entire AI agents via APIs,” adds Schwake. “Enterprises that master API security will be able to unlock AI-driven innovation safely at scale. Those that don’t are at risk of falling behind.”

You can get the full report from the Salt site.

Image credit: [email protected]/depositphotos.com