Key takeaways
- Commerce organizations face frequent API incidents, with access controls and AI-linked attacks leading the way. Commerce leaders report that exploitation of missing or insufficient access controls was the most common incident type they faced last year, followed very closely by attacks involving APIs linked to AI technologies.
- Lack of visibility into sensitive customer and payment data flows remains a critical gap. While many commerce organizations say they have a full API inventory, very few know which of those APIs return sensitive data.
- Commerce leaders are prioritizing AI security, yet testing maturity and runtime protection lag behind. Securing AI technologies against attacks is the top cybersecurity priority for 41% of commerce organizations.
Frequently Asked Questions (FAQ)
According to the 2026 survey, 85% of commerce organizations reported experiencing at least one API-related security incident in the past 12 months.
The most common incident type is the exploitation of missing or insufficient access controls, followed closely by attacks involving APIs linked to AI technologies.
Attackers can use manipulated prompts to trick AI shopping assistants into sending requests to underlying APIs that lack protections; because those APIs perform no checks of their own, they return sensitive customer data or payment details to whoever the assistant asks on behalf of.
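The failure mode above, as an added example that is not part of the report: an API that trusts whatever order identifier the assistant passes, beside a version that ties the call to the authenticated shopper's session and enforces object-level authorization before returning anything. The order store, session model, tool names and field names are constructed for illustration.

```python
"""Object-level authorization between an AI shopping assistant and an order API.
All data, names and the tool-call shape here are constructed for the example."""
from dataclasses import dataclass

# Constructed sample order store: order_id -> record owned by a customer
ORDERS = {
    "A100": {"customer_id": "cust-1", "total": 59.90, "card_last4": "4242"},
    "A200": {"customer_id": "cust-2", "total": 120.00, "card_last4": "1881"},
}

@dataclass(frozen=True)
class Session:
    customer_id: str  # identity comes from the shop's login, never from the prompt

class AuthorizationError(Exception):
    pass

def get_order_unprotected(order_id: str) -> dict:
    """The gap the survey describes: the API answers any id the assistant sends."""
    return ORDERS[order_id]

def get_order_checked(session: Session, order_id: str) -> dict:
    """Hardened API: ownership is verified against the session, and payment
    details are trimmed to what the assistant actually needs."""
    order = ORDERS.get(order_id)
    # One error for both "unknown" and "not yours" so ids cannot be enumerated
    if order is None or order["customer_id"] != session.customer_id:
        raise AuthorizationError("order not accessible for this session")
    return {"order_id": order_id, "total": order["total"]}

# Only these tools are reachable from the assistant; everything else is refused
ALLOWED_TOOLS = {"get_order": get_order_checked}

def dispatch_tool_call(session: Session, call: dict) -> dict:
    """Run a model-proposed tool call. The model picks tool and arguments;
    the server decides whether that combination is permitted for this session."""
    handler = ALLOWED_TOOLS.get(call.get("tool"))
    if handler is None:
        raise AuthorizationError("tool not exposed to the assistant")
    args = call.get("arguments", {})
    if set(args) != {"order_id"} or not isinstance(args["order_id"], str):
        raise ValueError("unexpected tool arguments")
    return handler(session, args["order_id"])

if __name__ == "__main__":
    # Constructed call: a manipulated prompt made the model ask for another shopper's order
    session = Session(customer_id="cust-1")
    call = {"tool": "get_order", "arguments": {"order_id": "A200"}}
    print(get_order_unprotected("A200"))   # leaks cust-2's total and card digits
    try:
        dispatch_tool_call(session, call)
    except AuthorizationError as err:
        print("blocked:", err)
```

Logging the refused calls from dispatch_tool_call gives runtime telemetry on prompt-driven probing of the API, which is the behavioral signal the report's runtime-protection recommendation depends on.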
Visibility is dangerously low, as only about 22% of commerce organizations are able to track which APIs in their inventory actually return sensitive customer or payment data.
The study found that C-suite executives often overestimate their organization’s readiness, reporting 2%–12% higher levels of maturity and integration than the DevSecOps and AppSec professionals who work with the APIs daily.
While 92% of enterprises say they factor APIs into compliance, only 36% actually include them in formal compliance reporting, creating a gap between high-level intent and practical regulatory action.
Teams should focus on implementing continuous automated discovery of all APIs, shifting from functional to rigorous security testing throughout the development lifecycle, and adding dedicated behavioral runtime protection.