Assessing the Security Weaknesses Restricting API Adoption

✍️ Anonymous
📅 16 May, 2025

Salt Security has officially published the results from its semi-annual State of API Security Report, which exposes an alarming disconnect between rapid API adoption and immature security practices.
Titled the H2 2025 State of API Security Report, it claims that, as enterprises race to capitalize on the new-age AI Agent Economy, API security has emerged as a systemic vulnerability.
According to the report, 80 percent of organizations lack continuous, real-time API monitoring, a gap that leaves them ineffective at detecting active threats targeting AI agents. Furthermore, 1 in 3 of all surveyed companies (33%) reported an API security incident in the past year, and 50% had to delay a new application rollout due to API security concerns.
In addition, only 19% of respondents are "very confident" in the accuracy of their API inventory, and 54% rely on error-prone developer documentation to identify sensitive data exposure. “APIs are now central to digital transformation and AI, yet security controls remain inconsistent, reactive, and dangerously behind the curve,” said Eric Schwake, Director of Cyber Security Strategy at Salt Security. “AI without API security is like driving a car blindfolded – if you can’t govern APIs, you can’t govern AI. The unmonitored API attack surface will continue to grow if nothing is done immediately, putting innovation and resilience at risk.” Beyond that, even though 62% of organizations have already adopted GenAI in API development, more than half (56%) view it as a growing security concern, particularly due to vulnerabilities in AI-generated code. An estimated 59% also said they are already leveraging GenAI within their security operations, a dynamic that introduces both defensive opportunities and offensive risks.
Salt Security’s study also touched on the explosive growth in API adoption. Specifically, 41% of organizations reported API usage increases of 51–100% over the previous year, and a further 13% experienced growth of 101–200%.
Alongside that, 6% saw their API volumes rise threefold, growing by over 301% in just 12 months. This rapid expansion also shows up in the size of portfolios: 42% of businesses now manage between 101 and 500 APIs, and a separate 14% oversee more than 1,000 APIs. A staggering 80% of businesses increased their security budgets in the past year; however, the majority of these increases were less than 15%. Budget limitations were cited as the top barrier by 25% of respondents, followed by resource shortages (16%). In addition to funding, inadequate runtime security, poor manageability, and underinvestment in pre-production security were also cited as major obstacles by 15% of respondents. Salt Security’s report reflects the opinions of 386 security professionals responsible for API security across industries.
“AI adoption is rampant, but security is not keeping up. Existing tools miss the API execution layer, which means attackers can hijack entire AI agents via APIs,” said Eric Schwake. “Companies that understand API security will be able to safely scale AI-driven innovation. Those who don't run the risk of getting behind.”
