As organizations deploy autonomous agents and generative AI tools at scale, APIs have become a backbone of modern operations — introducing a growing attack surface.
Enterprises are rapidly embracing AI and API-driven architectures, but a new report from Salt Security reveals that security is struggling to keep up.
“The future of AI will not be defined only by how intelligent our systems become. It will be defined by how safely we allow them to act,” said Roey Eliyahu, Co-Founder and CEO of Salt Security in an email to eSecurityPlanet.
He added, “Our 1H 2026 research shows that 47% of organizations have already slowed AI deployments because of security concerns, and that is the cost of building without the right foundation.”
Key findings from the report highlight the growing security gap.
| Finding | Impact |
| 79% report increased executive scrutiny of AI risks. | AI security is now a board-level issue. |
| 49% lack visibility into machine-to-machine traffic. | Organizations are blind to AI behavior. |
| 48% can’t distinguish legit AI agents from bots. | Detection gaps increase risk. |
| 32% experienced API security incidents in the last year. | Attacks are already happening. |
| 99% of attacks use authenticated access. | Traditional perimeter security is failing. |
AI Growth Is Outpacing API Security
The findings point to a widening gap between rapid innovation and the ability to secure it.
As organizations accelerate AI adoption, many lack the visibility and controls required to manage increasingly complex, machine-driven environments.
Nearly half (49%) of organizations report they cannot effectively monitor machine-to-machine traffic, while 48% struggle to distinguish legitimate AI agents from malicious bots — creating significant blind spots in detection and response.
APIs Become the Execution Layer for AI
At the same time, APIs have evolved far beyond their traditional role as integration points.
The report emphasizes that APIs now function as the execution layer for AI systems, enabling everything from data retrieval to automated decision-making.
This shift elevates API security from a technical concern to a strategic priority, reinforcing the need for stronger governance, continuous monitoring, and improved visibility across the API ecosystem.
API Growth Expands the Attack Surface
That challenge is compounded by rapid API growth. Nearly half of organizations report a 51% increase in API volume over the past year, driven by digital transformation and AI adoption.
While this expansion fuels innovation, it also increases the attack surface.
As a result, 32% of organizations experienced an API-related security incident in the past 12 months, with common issues including sensitive data exposure, authentication failures, and exploitable vulnerabilities.
Generative AI Introduces New Security Risks
Generative AI is further accelerating both development and risk.
Sixty-nine percent of organizations now use AI to build APIs, yet 60% report limited control over the security of AI models that generate their code.
In addition, 57% worry AI-generated code introduces new vulnerabilities.
Traditional security tools such as SAST and DAST are often ill-equipped for this shift, as they lack the contextual awareness needed to evaluate AI-generated logic and complex API interactions.
Attackers Shift to Authenticated Access
Meanwhile, attacker behavior is evolving just as quickly.
Rather than relying on external breaches, threat actors are increasingly exploiting authenticated access.
The report found that 99% of attack attempts originate from authenticated entities — often compromised machine identities, over-permissioned AI agents, or hijacked automated workflows.
This trend undermines traditional perimeter-based defenses and highlights the need for continuous verification and behavioral monitoring.
Common API Weaknesses Are Amplified by AI
At the root of many of these incidents are familiar — but now amplified — API security issues.
Misconfigurations and authorization flaws remain dominant risks.
Overly permissive APIs can grant AI agents unintended access to sensitive data, while vulnerabilities such as broken object-level authorization (BOLA) can be exploited across chained API calls to automate large-scale attacks.
In AI-driven environments, these risks are magnified by speed and scale.
Automation enables both attackers and compromised agents to act in milliseconds, allowing even minor vulnerabilities to escalate into enterprise-wide incidents.
As a result, organizations must rethink API security — not as a static layer, but as a dynamic control plane that governs how autonomous systems operate and interact.
How to Reduce API Security Risk
As API ecosystems expand and AI-driven automation becomes more deeply embedded in enterprise operations, traditional security approaches are no longer sufficient.
Organizations must adopt a more proactive and continuous security model that accounts for machine-to-machine interactions and autonomous behavior.
This requires not only greater visibility into API activity, but also stronger controls across development, identity, and runtime environments.
- Implement real-time API monitoring to detect anomalous behavior and machine-driven threats.
- Maintain a dynamic, automated API inventory to identify shadow and undocumented endpoints.
- Secure AI-generated code by embedding validation and guardrails into development pipelines.
- Enforce strong authentication and authorization with least privilege and zero trust principles for machine identities.
- Apply behavioral analytics and runtime protections to detect and prevent malicious AI agent activity.
- Manage API keys and tokens with rotation, short lifespans, and continuous usage monitoring.
- Test incident response plans and use attack simulation tools with scenarios around API attacks and AI-driven attacks.
By implementing these controls, organizations can build resilience into their API ecosystems and limit the blast radius of exploitation.
Growing Role of APIs in AI Security
The rise of agentic AI is reshaping how organizations think about enterprise security, with APIs increasingly serving as the foundation for how systems communicate and operate.
As APIs take on a more central role in enabling automation and AI-driven workflows, gaps in their security can introduce broader operational and data risks if not properly managed.
At the same time, effective API security is becoming an important enabler of innovation.
Organizations that invest in modern, API-centric security approaches are better positioned to deploy AI with confidence and maintain development velocity — especially as 47% of organizations report delaying application releases due to API security concerns.
As organizations work to strengthen API security in increasingly automated environments, many are adopting zero trust solutions to help continuously verify identities and better manage risk across machine-to-machine interactions.
