APIs are the new perimeter: Here’s how CISOs are securing them

As Subramaniam explains, “AI agentic systems, which autonomously access APIs to perform tasks, complicate API security by expanding the attack surface, enabling dynamic and unpredictable interactions, and amplifying existing vulnerabilities through high-speed, automated actions.” Preventing unauthorized access by agents will require more granular control and more time-bound role-based access control (RBAC).

Other API risks stem from the broader software supply chain. In 2025, JPMorganChase CISO Patrick Opet published an open letter about diminishing standards for SaaS providers, writing that the SaaS delivery model is “quietly enabling cyber attackers” and creating a “substantial vulnerability that is weakening the global economic system.”

Third-party API consumption can open an organization to sensitive data exposure. According to Gartner, 71% of organizations use APIs provided by third parties such as SaaS vendors, making third-party APIs another major risk vector.

“For third-party APIs, we already require vendor security assessments and contractual security assurances,” says Fortitude Re’s Franklin, noting that this is part of a broader SaaS security program that provides visibility into the SaaS systems employees use.

The onus, however, is also on the consuming organization to implement better token-handling processes to secure API connections to SaaS platforms. This is especially important, as developers are often careless with API keys and secrets. In 2024, Escape found 18,000 API secrets and tokens floating around on the open web.


Some CISOs are actively addressing this. “Our team centralizes and encrypts all third-party credentials — API keys, tokens — within the API management layer,” says Subramaniam. “We never distribute raw credentials to our internal development teams.”

Maintaining secure integrations requires ongoing discipline, too. “We apply the same rigor to third-party APIs: Credentials are tightly scoped, regularly rotated, and monitored for behavioral drift,” adds Faxon. “If an integration starts acting outside its expected pattern, it’s treated as a security event, not a technical anomaly.”
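The three controls just described (tightly scoped credentials, regular rotation, and drift monitoring) can be checked from a credential inventory and gateway logs. The following is an added illustration, not code from the article or from any of the organizations quoted; the token names, scopes, rotation windows, baselines and log records are all constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed evaluation time

# Constructed inventory held by the API management layer (hypothetical tokens):
# allowed scopes, issue time, rotation window and normal hourly call rate.
INVENTORY = {
    "crm-sync-token": {"scopes": {"contacts:read"}, "issued": NOW - timedelta(days=12),
                       "rotate_days": 30, "baseline_per_hour": 4},
    "billing-agent-token": {"scopes": {"invoices:read", "invoices:write"},
                            "issued": NOW - timedelta(days=95),
                            "rotate_days": 90, "baseline_per_hour": 2},
}

# Constructed gateway log for the last hour: one record per outbound call,
# "scope" being the permission that call actually exercised.
LOG = [
    {"token": "crm-sync-token", "scope": "contacts:read"},
    {"token": "crm-sync-token", "scope": "contacts:read"},
    {"token": "crm-sync-token", "scope": "contacts:delete"},
    {"token": "billing-agent-token", "scope": "invoices:write"},
    *[{"token": "billing-agent-token", "scope": "invoices:read"} for _ in range(20)],
    {"token": "unknown-token", "scope": "invoices:read"},
]

DRIFT_FACTOR = 3  # volume above 3x baseline counts as behavioral drift


def review(inventory, log, now):
    """Return a set of (token, reason) pairs; each one is raised as a security event."""
    findings, volume = set(), Counter()
    for rec in log:
        cred = inventory.get(rec["token"])
        if cred is None:  # never issued by the management layer
            findings.add((rec["token"], "unregistered credential"))
            continue
        volume[rec["token"]] += 1
        if rec["scope"] not in cred["scopes"]:  # tightly scoped
            findings.add((rec["token"], "out-of-scope call: " + rec["scope"]))
        if now - cred["issued"] > timedelta(days=cred["rotate_days"]):  # regularly rotated
            findings.add((rec["token"], "rotation overdue"))
    for token, n in volume.items():  # monitored for drift
        if n > DRIFT_FACTOR * inventory[token]["baseline_per_hour"]:
            findings.add((token, f"volume drift: {n} calls/hour"))
    return findings
```

Running `review(INVENTORY, LOG, NOW)` on the constructed data flags an out-of-scope call, an overdue rotation, a volume spike and an unregistered token, each of which would be routed to the SOC rather than logged as a technical anomaly.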

For Murphy, avoiding third-party API gaps requires careful vendor evaluation and tooling decisions. “You trust but verify.” The same intentions must be applied to assessing API management tools, too — maintaining too many niche products increases complexity and brings scalability challenges, and requires stitching them together to obtain a cohesive API security view.

“The more complexity, and the more differentiated monitoring, the higher risk you’re going to mess up,” says Murphy. “However, diversity in the platform is good, too, since compartmentalizing can help with a tiered aspect to security oversight.” One top item in BECU’s roadmap for 2026 is automating between their exposure management platform, vulnerability management platform, and security operations center, he adds.


As APIs become a core aspect of modern business operations, their security risks are becoming more pronounced. “Every API misconfiguration isn’t just a security gap,” says Faxon. “It’s a business decision being executed at machine speed, without human oversight.”

Responding to this new era of threats requires moving beyond traditional perimeter defenses. Organizations will need new approaches to secure non-human identities — machines, bots, and agents that increasingly interact with systems and data at a business application level.

“The real shift isn’t just from endpoints to APIs,” says Franklin. “It’s from human-driven access to non-human identities like APIs, service accounts, and machine-to-machine connections.” Although these identities now outnumber humans in most enterprises, he adds, they lack rigorous governance, requiring rethinking to secure this new attack surface.

The challenge is further complicated by the diversity of API environments. APIs may be distributed across multiple clouds, platforms, and regions, each with different security controls. As Mazal explains, “The challenge is that as development accelerates and the pace of innovation increases, not all APIs follow the same set of controls.”


Edge-based IoT APIs, for instance, may not allow the same types of traffic enforcement found in centralized environments. “The resulting gaps in interconnectivity make it difficult to manage APIs holistically and consistently across the ecosystem.” For him, real-time threat monitoring and visibility of network telemetry are still essential to correct visibility gaps.

Ultimately, CISOs shouldn’t abandon traditional security tools. But they do need to extend security deeper into the development and design process, embedding checks early, strengthening identity-based authorization, and enhancing real-time visibility into business-layer interactions.

By combining governance, identity controls, and visibility, CISOs can adequately prepare for the security realities of an API-driven world.
