The study found that 84% of government and public sector organizations experienced at least one API-related security incident in the past 12 months.
Key takeaways
AI-linked attacks are exposing persistent API security gaps. AI-linked API attacks may be the newest headline risk, but the underlying weaknesses are familiar. In government environments, known API security gaps around configuration, authentication, authorization, and inventory can become more consequential as AI apps, agents, and LLMs connect to more systems and workflows.
Limited API visibility can turn security gaps into operational consequences. In public sector environments, APIs often sit between the systems, data, workflows, and AI tools that agencies depend on to deliver services.
Public sector leaders are sharpening their focus on API security, but gaps still exist. Securing AI technologies against attacks ranks as the top cybersecurity priority for government organizations. A strong majority (65%) of public sector leaders report increased focus on API security over the past year.
Frequently Asked Questions (FAQ)
Attacks involving APIs linked to AI technologies have become the most common incident type, ahead of even classic access-control problems.
Among leaders, 39% report being driven by rapid API growth from AI, automation, and low-code initiatives, while 38% are motivated by regulatory and compliance requirements.
The survey revealed that 52% of organizations have a full API inventory but do not know which specific APIs return sensitive data, leaving only 23% with both full inventory and sensitive data visibility.
The top impacts are productivity loss (37%), loss of customer goodwill and churned accounts (35%), loss of trust and reputation (27%), regulatory fines (27%), and service downtime or outages (23%).
WAFs alone are not equipped to handle fast-evolving API threats, as 48% of organizations recognize that WAFs fail to address the new visibility, access control, and data exposure challenges created by AI-linked APIs.
Only 9% of organizations have embedded advanced security testing at every stage of the API SDLC and CI/CD pipelines.