Executive summary
- API security incidents are rising: 87% of organizations suffered an API security incident in the past year, up from 76% in 2022.
- AI is connected: 42% of incidents involve APIs linked to AI technologies, such as large language models (LLMs) and autonomous agents.
- Visibility is crashing: Only 23% of enterprises with “full” inventories actually know which APIs return sensitive data.
- There is a confidence gap: C-suite leaders are significantly more optimistic about the maturity of their API testing than the DevSecOps teams doing the work.
- The financial fallout is significant: API-related breaches now cost top-quartile organizations upward of US$1.8 million annually.
A troubling reality for security professionals
The results of Akamai’s latest API Security Impact Study reveal a troubling reality for security professionals. While warnings about rogue APIs, shadow APIs, zombie APIs, and other API security vulnerabilities have convinced organizations to invest in API security in recent years, companies are still having difficulty maintaining pace with threats. In the rush to take advantage of new AI advancements, businesses are inadvertently creating a sprawling, unmapped attack surface that traditional defenses cannot see, let alone secure.
Results from the 2026 Akamai API Security Impact Study — a survey of 1,840 security leaders and practitioners across 10 countries — demonstrate how API growth is outpacing resilience efforts. While global enterprises now manage a median of 5,900 APIs, their ability to defend them is cratering.
This isn't just a technical glitch; it’s a systemic governance failure that costs the average organization US$700,000 per year. What’s more, costs are only going up. The 2024 API Security Impact Study placed the average cost at US$590,000.
Fortunately, organizations are beginning to understand the risks to their APIs. For example, for nearly 80% of enterprises, API security is among their top three cybersecurity priorities. Two-thirds of respondents report increased focus on API security over the past 12 months. And more than half (52%) cited API security incidents as among the top five cyberthreats that are most important to their organization for achieving cyber resilience.
Security teams just can’t keep up with the sprawl.
The great disconnect: Why WAFs are not enough
For years, organizations treated API security as a box to tick on a web application firewall (WAF) checklist. WAFs were designed to block requests carrying known-bad signatures, such as SQL injection payloads. Modern API attacks are “low and slow”: they arrive with valid credentials and well-formed requests, and the abuse lies in what the request asks for, not in how it is encoded.
Traditional web security treats APIs as secondary to the UI. In an AI-driven world, the API is the business.
Our research shows that while 80% of firms use a WAF, only 35% use dedicated API security tools. Relying on the legacy perimeter leaves a large gap around Broken Object Level Authorization (BOLA) and business logic abuse. Attackers are no longer breaking your code; they are asking your APIs to do things they were never intended to do, and because each request is syntactically legitimate, the WAF lets it through.
BOLA is the API-era name for an insecure direct object reference: the endpoint takes an object identifier from the client and returns the object without verifying that the authenticated caller is entitled to it. It usually stems from a server-side authorization check that is missing, misconfigured, or delegated to the client, and no signature-based filter can see it. That is particularly concerning given that half of the surveyed enterprises reported being only slightly-to-moderately prepared to address misconfigurations.
The shadow API epidemic and the AI multiplier
You cannot protect what you cannot see. The shadow API problem has reached a breaking point. This year’s data shows that while 77% of respondents claim to have a “full inventory” of their APIs, visibility into what those APIs actually return has declined for four consecutive years.
In 2022, 40% of organizations knew which APIs returned sensitive data. Today, that number has plummeted to 23%. Attackers are exploiting this visibility gap using AI.
As enterprises invested US$37 billion in GenAI in 2025, they built thousands of new connections to LLMs. These AI-linked APIs determine what data a model can access and what actions it can trigger. If an attacker steers a model through prompt injection, the model does not exfiltrate anything on its own; it calls an API, and that API fetches the sensitive data with whatever permissions it was granted.
Organizations are beginning to understand the risks. According to the 2026 API Security Impact Study, 42% of security professionals who reported API-linked security incidents over the past year said their incidents were attacks that involved APIs linked to AI technologies, such as apps, agents, and LLMs.
The confidence gap: A leadership crisis
One of the most startling findings in the 2026 API Security Impact Study is the difference between leadership perception and operational reality. Respondents were asked to evaluate the maturity of API testing within their organization on a three-level scale:
- Functional testing that verifies whether APIs work as intended
- Testing with some security focus that includes limited security checks
- Advanced testing that systematically evaluates APIs for vulnerabilities and real-world attack methods
The study also asked how fully security testing is integrated into the software development lifecycle (SDLC), which organizations have long recognized as one of the most important steps in closing API security gaps. The perception gap there is narrower than on testing maturity, but it is still a problem.
| Metric | C-suite confidence | DevSecOps reality |
|---|---|---|
| Advanced testing maturity | 40% | 28% |
| Full SDLC integration | 19% | 13% |
The C-suite confidence gap; Source: 2026 API Security Impact Study
The gaps shown in the table suggest that senior leaders may be underinvesting in API security because they believe the problem is already solved. When the need for speed in AI deployment overshadows security, DevSecOps teams see the cracks first.
Overconfidence in the C-suite leads to a lack of dedicated resources: only about 1 in 6 enterprises has fully embedded security testing for APIs into its CI/CD pipelines, leaving out a key step in preventing abuse and attacks.
The true cost of the status quo
API security is no longer just an IT concern; it is a material business risk. The financial impact is escalating as attackers move from stealing simple data to disrupting core business logic.
The latest API Security Impact Study reveals how significant API incidents can be, including:
- Average annual cost: US$700,000 per organization
- Average annual cost to the top quartile: More than US$1.8 million
- Primary drivers of cost: System repairs, downtime, and legal fees
In industries like energy and utilities, the average cost jumps to US$860,000. The loss isn't purely financial — it impacts productivity. When APIs are compromised, the applications they power grind to a halt, leading to massive internal friction and loss of customer goodwill.
This realization is becoming increasingly clear to security leaders and practitioners. For nearly 80% of enterprises, API security is among their top three cybersecurity priorities.
A new path forward: Shifting from perimeter thinking
To survive the AI era, security professionals must not only continue to account for API vulnerabilities, but also shift their thinking. We can no longer rely on static defenses and hope all APIs are accounted for. Organizations must evolve their strategies to prioritize the API layer by:
- Closing foundational visibility gaps
- Moving beyond functional testing
- Formalizing API governance
Closing foundational visibility gaps
Stop relying on static spreadsheets. You need continuous, automated discovery that identifies AI-linked, shadow, and zombie APIs in real time. If you don't know which APIs touch personally identifiable information (PII) or HIPAA-regulated data, you risk losing the trust of customers and regulators.
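As an added illustration of that discovery step (example code written for this article, not a tool from the report), here is a small reconciliation job that compares the declared inventory with the endpoints actually observed in traffic, and flags which observed endpoints return sensitive fields. The inventory, the access-log format, the field names and the sensitive-field list are all constructed for the example; real deployments would feed it from an API gateway or OpenAPI registry and from traffic capture.

```python
"""Added example (not from the Akamai report): reconcile a declared API
inventory against observed traffic to surface shadow APIs (in traffic, not in
the inventory), zombie APIs (declared, never called) and endpoints that return
sensitive fields. Inventory, log lines and field taxonomy are constructed."""
import re
from collections import defaultdict

# Constructed inventory: the endpoints the team *thinks* are deployed,
# written as method + OpenAPI-style path template.
DECLARED = {
    "GET /v1/users/{id}",
    "GET /v1/orders/{id}",
    "POST /v1/orders",
    "GET /v1/reports/{id}",   # zombie candidate: declared but never called
}

# Constructed access-log lines in an assumed format:
#   METHOD PATH STATUS fields=<comma-separated response field names>
LOG_LINES = [
    "GET /v1/users/42 200 fields=id,email,ssn",
    "GET /v1/users/43 200 fields=id,email,ssn",
    "POST /v1/orders 201 fields=id,total",
    "GET /v1/orders/9001 200 fields=id,total,card_last4",
    "GET /internal/llm/tools/lookup_customer 200 fields=id,email,phone",  # undocumented AI tool endpoint
    "GET /v2/users/42 200 fields=id,email",                                # undocumented v2
    "this line is garbage and must not crash the job",
]

# Assumed sensitive-field taxonomy; a real one would come from data classification.
SENSITIVE_FIELDS = {"ssn", "email", "phone", "card_last4"}
LOG_RE = re.compile(r"^(\S+) (\S+) (\d{3}) fields=(\S*)$")


def normalize(path: str) -> str:
    """Collapse numeric path segments to {id} so /v1/users/42 matches /v1/users/{id}."""
    return "/".join("{id}" if seg.isdigit() else seg for seg in path.split("/"))


def reconcile(declared, log_lines, sensitive=SENSITIVE_FIELDS):
    """Return shadow endpoints, zombie endpoints, and observed sensitive fields per endpoint."""
    observed_fields = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        method, path, _status, fields = m.groups()
        key = f"{method} {normalize(path)}"
        observed_fields[key].update(f for f in fields.split(",") if f)
    observed = set(observed_fields)
    return {
        "shadow": sorted(observed - declared),
        "zombie": sorted(declared - observed),
        "sensitive": {
            ep: sorted(f & sensitive)
            for ep, f in observed_fields.items()
            if f & sensitive
        },
    }


if __name__ == "__main__":
    for kind, value in reconcile(DECLARED, LOG_LINES).items():
        print(kind, value)
```

The two shadow hits are the interesting ones: an internal endpoint wired up as an LLM tool and an undocumented v2 of a user lookup, both returning fields that the inventory never accounted for. Run against real traffic, the job should be scheduled, not one-off, so the lists stay current as new AI integrations ship.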
Moving beyond functional testing
Functional testing only proves that an API works. It doesn't prove that it is secure. Enterprises must shift to advanced security testing that simulates real-world attack methods, such as credential stuffing and BOLA attacks, during the development phase.
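The following is an added example, not code from the report, showing why a functional test passes over the BOLA flaw described under “The great disconnect” while a purpose-built security check catches it. It pairs a vulnerable order-lookup handler with a hardened one and runs both through a BOLA probe of the kind a CI security stage can execute. The order store, user names and handler signatures are assumed for the illustration.

```python
"""Added example (not from the Akamai report): a minimal order-lookup handler
written two ways, plus a functional check and a BOLA probe. Data, users and
signatures are constructed for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    id: int
    owner: str
    total: float


# Constructed data: two customers' orders in one table, as in most real systems.
ORDERS = {
    1001: Order(1001, "alice", 42.00),
    1002: Order(1002, "bob", 99.50),
}


class NotFound(Exception):
    pass


def get_order_vulnerable(caller: str, order_id: int) -> Order:
    """BOLA: the caller is authenticated but never compared against the object.
    Any valid session can enumerate ids and read other customers' orders."""
    try:
        return ORDERS[order_id]
    except KeyError:
        raise NotFound(order_id) from None


def get_order_hardened(caller: str, order_id: int) -> Order:
    """Object-level authorization: the lookup is scoped to the caller.
    Returning the same NotFound for 'missing' and 'not yours' avoids
    confirming to an attacker that a given id exists."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != caller:
        raise NotFound(order_id)
    return order


def owner_can_read(handler) -> bool:
    """Functional test: the legitimate owner gets her own order back."""
    return handler("alice", 1001).id == 1001


def probe_bola(handler, victim_order_id: int, attacker: str) -> bool:
    """Security test: True means vulnerable, i.e. an authenticated user who does
    not own victim_order_id can still read it."""
    try:
        order = handler(attacker, victim_order_id)
    except NotFound:
        return False
    return order.owner != attacker


if __name__ == "__main__":
    for name, handler in [("vulnerable", get_order_vulnerable), ("hardened", get_order_hardened)]:
        print(f"{name}: functional={'pass' if owner_can_read(handler) else 'fail'}, "
              f"BOLA={'FOUND' if probe_bola(handler, 1001, 'bob') else 'not found'}")
```

Both handlers pass the functional check, which is exactly the point of the section above: a suite that only verifies “the API works” will ship the vulnerable version. The probe takes the attacker's perspective, a valid session asking for someone else's object, and that is the test that belongs in the pipeline alongside credential-stuffing and rate-limit checks.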
Formalizing API governance
API security must be integrated into formal compliance reporting and risk assessments. While 95% of organizations say that they already factor APIs into regulatory requirements, only 38% include APIs in their mandatory reporting. The execution must match the intention.
Only Akamai protects the AI-driven enterprise
The AI race is underway, but it is not too late to strengthen your foundation. Akamai provides the global visibility and behavioral intelligence required to see and stop API abuse before it hits your origin. By combining dedicated API security with our global web application and API protection, we ensure that your AI innovations are built on a resilient, secure architecture.
Read the full report to get benchmark data on how your peers are approaching API security amid AI advances.