Key takeaways
- API expansion is outstripping security resilience. Rapid digitization and AI adoption have caused API inventories to explode, with the median estate now exceeding 5,900 endpoints. Without matching security maturity, this growth creates an attack surface that organizations cannot manage: 87% of enterprises suffered at least one API-related incident last year.
- AI adoption acts as a risk multiplier for the API layer. Organizations invested US$37 billion in GenAI in 2025, with $19 billion allocated to the application layer. Those applications depend on APIs that often lack adequate visibility or security controls; 42% of respondents now attribute security incidents to the APIs powering AI applications, models, and agents.
- Invisible data flows create massive compliance and security blind spots. While many firms claim to have full inventories, only 23% actually know which APIs return sensitive data, a decline from 40% in 2022. This lack of insight prevents teams from prioritizing risks, leaving regulated data exposed to unauthorized access.
- A dangerous “perception gap” exists between leadership and technical staff. Forty percent of C-suite executives believe their API security testing is “advanced,” while only 28% of the DevSecOps teams performing the work agree. This misalignment masks critical operational weaknesses and delays necessary investments in automated security.
- API security failures result in significant, quantifiable financial erosion. The average annual cost of API-related incidents has reached US$700,000 per organization, driven by remediation, downtime, and legal fees. Implementing dedicated API security tools is essential to mitigate these rising costs and protect the business’s bottom line.
Frequently Asked Questions (FAQ)
According to the 2026 study, 87% of respondents reported experiencing at least one API-related security incident in the past 12 months, a significant increase from 78% in 2022.
The average cost of API-related incidents is US$700,000 per organization, though the top quartile of affected companies reported costs exceeding $1.8 million.
AI applications rely on APIs to access data and trigger actions, but these APIs are often built without adequate resilience. Forty-two percent of survey respondents attributed security events to APIs powering AI applications, agents, and LLMs.
Misconfigurations are cited as the leading cause of incidents, occurring at a time when nearly half of enterprises report being only slightly-to-moderately prepared to address them.
Financial services stands out as the most targeted sector, with 96% of respondents in that industry reporting an API-related attack within the last 12 months.
AI-linked APIs are defined as APIs that provide or retrieve sensitive data, connect to agents or large language models (LLMs), or enable automated actions without comprehensive visibility or governance.
While roughly three-quarters of respondents claim to have a full API inventory, less than one in four (23%) actually know which of those APIs return sensitive data on request.
Loss of productivity was the top-cited impact of API security incidents experienced by study participants in 2025, followed by other factors like brand reputation and revenue loss.