IT Brief UK - Technology news for CIOs & IT decision-makers

Weak API security puts enterprise AI deployments at growing risk

Thu, 9th Oct 2025

Salt Security has released a report highlighting that insufficient API security practices could jeopardise the success and security of enterprise AI agent deployments.

The company's State of API Security Report illustrates a growing gap between expansive API adoption across industries and underdeveloped protective measures, potentially placing artificial intelligence (AI) and automation initiatives at risk. The study surveyed 386 professionals responsible for API management, revealing significant concerns in how organisations approach the ongoing security challenges.

Unmonitored threats

According to the findings, 80% of organisations do not maintain continuous, real-time API monitoring mechanisms. This leaves these organisations unable to detect active threats, exposing AI-driven applications and services to possible exploitation. The severity of this oversight is underscored by the fact that one in three surveyed companies reported experiencing an API security incident in the last year. Additionally, half of the respondents indicated they had postponed the rollout of a new application due to API security issues.

The report identifies issues with how organisations maintain knowledge of their API inventory. Only 19% of respondents expressed a high level of confidence in the accuracy of their API records, while over half rely primarily on developer documentation that the report deems inherently susceptible to errors, particularly in identifying where sensitive data may be exposed.

"APIs are now central to digital transformation and AI, yet security controls remain inconsistent, reactive, and dangerously behind the curve. AI without API security is like driving a car blindfolded - if you can't govern APIs, you can't govern AI. Without immediate action, the unmonitored API attack surface will continue to expand, putting both innovation and resilience at risk," said Eric Schwake, Director of Cyber Security Strategy at Salt Security. 

Complexity through AI adoption

The report notes that the rise in generative AI (GenAI) technology further complicates the security landscape. At present, 62% of organisations have implemented GenAI in API development. However, more than half (56%) expressed concern regarding new security challenges, particularly those stemming from vulnerabilities in code generated by AI. Furthermore, 59% of respondents are incorporating GenAI into their security operations, a measure that introduces new defensive tools but also presents novel avenues for potential attacks.

Rapid API growth

The data reveals a significant acceleration in API usage. Forty-one percent of organisations experienced increases in API adoption ranging from 51-100% over the past year, while a further 13% recorded growth between 101-200%. Notably, 6% of organisations saw their API volume surge by more than 301% in twelve months. This growth is also reflected in portfolio size, with 42% now managing between 101 and 500 APIs and 14% overseeing over 1,000 APIs.

This rapid expansion intensifies the challenge of securing complex and expansive networks of APIs, the report notes, especially as digital initiatives and business processes become more interconnected and automated.

Budget and resource barriers

Even as 80% of surveyed organisations reported increasing their API security budgets in the last year, the majority of these increases were fairly modest, typically under 15%. Budgetary constraints were identified as the top challenge by 25% of participants, ahead of staff shortages (16%). In terms of structural impediments, 15% mentioned inadequate runtime security, while 14% raised concerns about manageability and 12% pointed to limited investment in pre-production security measures.

The results indicate that despite an awareness of the rising risks, organisations are still in the process of building comprehensive API security programmes, hampered by both financial and organisational limitations.

Calls for strategic change

The Salt Security report urges a shift from piecemeal, reactive approaches to a more integrated security regimen. This includes deploying continuous API discovery, enhanced governance procedures, effective runtime defences, and protective measures specifically designed for GenAI risks.

"AI adoption is rampant, but security is not keeping up. Existing tools miss the API execution layer, which means attackers can hijack entire AI agents via APIs. Enterprises that master API security will be able to unlock AI-driven innovation safely at scale. Those that don't are at risk of falling behind," added Eric Schwake. 

The findings show that organisations of various sizes and across multiple industries must address persistent security weaknesses as they pursue digital transformation and AI-driven automation projects, or risk facing further incidents and interruptions in their technology initiatives.
