
The API Security Illusion: IT Leaders May Be Overconfident

By Kirsten Doyle | March 18, 2025 | 5 Mins Read

As APIs become more integral to both everyday digital services and complex AI systems, concerns over their security are growing — and not without good reason. APIs are the connective tissue of modern software, but without strong governance, they can also represent serious vulnerabilities. 

Recent research by Kong, called “API Security Perspectives 2025”, highlights that API security is increasingly seen as a critical concern for IT teams, as AI-enhanced threats push the boundaries of traditional cybersecurity defenses. Kong also forecasts a staggering 548% increase in API attacks by 2030, underscoring that API security risks are expected to accelerate significantly in the coming years. 

Higher Stakes, Growing Risk 

The adoption of AI and large language models (LLMs) is a key driver of this trend. AI doesn’t just create new products — it also creates new opportunities for malicious actors. AI-enhanced attacks are now seen as the top security threat to APIs, with almost three-quarters (74%) of IT leaders saying they are “extremely” or “very” concerned. Just under a third (32%) even call AI-powered attacks the single biggest security risk to entities today. 

While AI-driven attacks dominate current concerns, shadow APIs — unmanaged or unknown APIs running in environments — represent another serious but often overlooked risk. Without an accurate system of record for APIs, firms face gaps in visibility that can be exploited. 

Gartner’s 2024 Market Guide for API Protection warns that APIs, especially shadow and dormant ones, are linked to breaches that surpass other incidents in both scale and impact. There are potentially thousands of API endpoints in a typical infrastructure, and each one can be an attack vector if left unprotected — particularly if lacking proper authentication, authorization, or rate limiting. 

Are Organizations Truly Prepared? 

Despite these risks, there’s a marked disconnect between confidence and experience when it comes to API security. The research revealed that:

  • Eighty-five percent of IT leaders say they are confident in their organization’s ability to secure APIs. 
  • However, 40% are unsure whether current investments in API security are sufficient — even as 45% report dedicating more than 20% of their cybersecurity budget to API security. 

This raises questions about whether this confidence reflects genuine preparedness or whether emerging threats are being grossly underestimated.

Mayur Upadhyaya, CEO of APIContext, says the Kong report highlights a critical concern for organizations embracing AI: 25% have already encountered AI-enhanced API threats, and 75% are worried about future attacks. Despite 85% expressing confidence in their security posture, 55% still reported API security incidents in the past year, exposing a clear gap between perceived readiness and real-world risks.  

This disconnect reflects a growing challenge, Upadhyaya says. “AI systems are accelerating the complexity and volume of API traffic, making traditional security approaches insufficient. Attackers are leveraging AI to automate attacks, exploit weaknesses, and bypass conventional defenses at scale.” 

How Organizations Are Responding 

To address these risks, the research found that businesses are deploying a mix of solutions: 

  • API monitoring and anomaly detection are the most commonly used tools. 
  • API gateways are widely adopted, though more so in the UK (71%) than in the US (50%), possibly reflecting stricter regulatory environments in the UK. 
  • Surprisingly, only 35% have implemented zero-trust architectures — despite zero trust being considered a best practice for API security.

When it comes to AI-enhanced threats specifically: 

  • Ninety-two percent of organizations report taking at least some measures to counter AI-driven attacks. 
  • Monitoring and traffic analysis are the top approaches. 
  • Notably, 13% of US organizations admit they are taking no specific measures to address AI threats, compared to just 4% in the UK. 

Looking Ahead: The AI Factor 

As AI advances, IT leaders anticipate growing complexity. The research revealed that a whopping 84% expect AI and LLMs to increase the complexity of API security in the next two to three years. It also showed that nearly two-thirds (65%) say they are actively developing a strategy to deal with AI-enhanced security threats. Moreover, a quarter (25%) report already encountering AI-enhanced API or LLM-related threats.

The data makes clear that APIs are increasingly in the crosshairs of bad actors, particularly as AI reshapes and expands attack vectors. While many entities are investing in security measures, gaps remain, particularly in shadow API management and zero-trust adoption. 

To mitigate these risks, Upadhyaya says businesses must adopt proactive strategies. Continuous API monitoring, including synthetic testing that replicates user journeys, is essential to identifying performance issues and vulnerabilities before they escalate. “Additionally, strengthening identity frameworks and implementing fine-grained authorization controls can limit the damage if attackers gain access.”
   
As AI continues to reshape digital services, the message is clear: There’s no AI without APIs and you can’t fix what you can’t see, he concludes. “Without comprehensive API visibility and proactive security measures, organizations risk leaving themselves exposed to the next wave of AI-driven threats.”  

Kirsten Doyle
Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
