APIs are the new perimeter: Here’s how CISOs protect

As Subramaniam explains, “Agent AI systems, which automatically access APIs to perform tasks, complicate API security by expanding the attack surface, enabling dynamic and unpredictable interactions, and increasing the risk inherent in high-speed, automated actions.” Preventing unauthorized access by agents will require more granular and time-bound access controls, such as role-based access control (RBAC).
Another API vulnerability stems from the broader software supply chain. In 2025, JPMorganChase CISO Patrick Opet published an open letter about declining standards for SaaS providers, writing that the SaaS delivery model “quietly allows cyber attackers” and creates “serious risks that weaken the global economic system.”
The use of a third-party API can open an organization to the exposure of sensitive data. According to Gartner, 71% of organizations use APIs provided by third parties such as SaaS vendors, making third-party APIs another major risk vector.
“For third-party APIs, we already require vendor security reviews and contractual security assurances,” said Fortitude Re’s Franklin, noting that this is part of a broader SaaS security program that provides visibility into the SaaS systems employees use.
However, the onus is also on the consuming organization to implement better token management practices to secure API connections to SaaS platforms. This matters because developers are often careless with API keys and secrets: in 2024, Escape found 18,000 API secrets and tokens circulating on the open web.
Some CISOs are already addressing this. “Our team centralizes and encrypts all third-party credentials — API keys, tokens — within the API management layer,” Subramaniam said. “We never distribute raw data to our internal development teams.”
Maintaining a safe integration requires constant discipline, too. “We apply the same rigor to third-party APIs: Authentication is strictly monitored, rotated regularly, and behavior anomalies are monitored,” Faxon added. “If integration starts working outside of its expected pattern, it’s considered a security event, not a technical glitch.”
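The two practices described above, keeping raw credentials inside the management layer while checking rotation age, and treating an integration that drifts from its expected pattern as a security event, can be implemented as simple checks over the management layer’s own records. The following is an added, hypothetical example, not code from any organization quoted here; it assumes the API management layer records an issuance time per token and logs each outbound call as (token id, calling service, method, path), and all sample data is constructed.

```python
"""Third-party API token hygiene: rotation age plus usage-baseline anomaly checks."""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_TOKEN_AGE = timedelta(days=90)  # assumed rotation policy

# Constructed sample data. Only token ids and metadata appear here; the raw
# secrets stay in the vault and are never handed to development teams.
TOKENS = {  # token id -> issuance time
    "tok-crm": "2025-01-15T00:00:00Z",
    "tok-payments": "2025-05-20T00:00:00Z",
}
BASELINE_CALLS = [  # (token id, caller service, method, path) seen in normal operation
    ("tok-crm", "sales-portal", "GET", "/v1/contacts"),
    ("tok-crm", "sales-portal", "POST", "/v1/contacts"),
    ("tok-payments", "billing-svc", "POST", "/v2/charges"),
]
NEW_CALLS = [
    ("tok-crm", "sales-portal", "GET", "/v1/contacts"),        # matches baseline
    ("tok-crm", "build-runner", "GET", "/v1/contacts"),        # caller never seen before
    ("tok-payments", "billing-svc", "GET", "/v2/export/all"),  # endpoint never seen before
]

def _parse(ts):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def stale_tokens(tokens, now_iso, max_age=MAX_TOKEN_AGE):
    """Return ids of tokens older than the rotation policy allows."""
    now = _parse(now_iso)
    return sorted(tid for tid, issued in tokens.items() if now - _parse(issued) > max_age)

def learn_baseline(calls):
    """Per token, the set of (caller, method, path) combinations seen in normal use."""
    baseline = defaultdict(set)
    for tid, caller, method, path in calls:
        baseline[tid].add((caller, method, path))
    return baseline

def detect_anomalies(calls, baseline):
    """Flag calls outside a token's baseline; each hit is a security event, not a glitch."""
    events = []
    for tid, caller, method, path in calls:
        known = baseline.get(tid, set())
        if (caller, method, path) in known:
            continue
        known_callers = {c for c, _, _ in known}
        reason = "unexpected caller" if caller not in known_callers else "unexpected endpoint"
        events.append({"token": tid, "caller": caller, "path": path, "reason": reason})
    return events

if __name__ == "__main__":
    print("rotate:", stale_tokens(TOKENS, "2025-06-01T00:00:00Z"))
    for event in detect_anomalies(NEW_CALLS, learn_baseline(BASELINE_CALLS)):
        print("ALERT", event)
```

Both outputs are meant to feed the existing alerting path rather than a developer’s inbox, so a stale token and a drifting integration are handled as security events.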
For Murphy, avoiding third-party API gaps requires careful evaluation of vendor and tool decisions. “You hope but make sure.” The same scrutiny should apply when evaluating API management tools, too – maintaining multiple niche products increases complexity, brings robustness challenges, and requires stitching the products together to get a unified view of API security.
“The more complex it is, and the more disparate monitoring, the more likely you are to screw it up,” said Murphy. “But, the diversity of the platform is good, too, as the differentiation can help with the layered feature of security checks.” One top item on BECU’s 2026 roadmap is automation within their exposure management platform, risk management platform, and security operations center, he adds.
As APIs become a central part of modern business operations, their security risks are becoming increasingly apparent. “Every API bug is not just a security hole,” Faxon said. “It’s a business decision made at the speed of a machine, without human supervision.”
Responding to this new era of threats requires going beyond traditional perimeter defenses. Organizations will need new ways to protect non-human identities – the machines, bots, and agents that increasingly interact with systems and data at the business application level.
Franklin says: “The real change is not just from end-to-end to APIs. From human-driven access to non-human identities such as APIs, service accounts, and machine-to-machine communication.” Although these identities now outnumber people in many companies, he adds, they lack strong governance, and securing this new attack surface requires rethinking that governance.
The challenge is further complicated by the diversity of API environments. APIs may be deployed across multiple clouds, platforms, and locations, each with different security controls. As Mazal explains, “The challenge is that as development accelerates and the speed of innovation increases, not all APIs follow the same set of controls.”
Edge-based IoT APIs, for example, may not allow the same types of traffic enforcement found in centralized environments. “The resulting integration gaps make it difficult to manage APIs completely and consistently across the ecosystem.” For him, real-time threat monitoring and network telemetry visibility are still important to address visibility gaps.
Finally, CISOs should not abandon traditional security tools, but they need to extend security deeper into development and process design: embed early checks, strengthen identity-based authorization, and improve real-time visibility into business-layer interactions.
By integrating governance, identity controls, and visibility, CISOs can adequately prepare for the security realities of an API-driven world.