
    APIs are a growing security concern in the age of AI


    New report finds a disconnect between 88% of respondents saying they are taking action to protect APIs against AI-enabled attacks and their lack of some basic measures

    Kong Inc has just published an API Security Perspectives 2025 Report, which highlights critical vulnerabilities in API security.

    The report is based on a survey of 700 IT professionals and business leaders in the UK and the US, conducted via a polling company in October and November 2024.

    The survey found that 25% of respondents’ organisations have already faced AI-driven attacks targeting APIs or large language models (LLMs). Also, despite 85% expressing confidence in their security capabilities, 55% of respondents reported an API security breach in the past year, “exposing a significant gap in preparedness”.

    While 92% of respondents say they are taking measures to counter AI-enhanced attacks and 88% of respondents cite API security as a top priority, it is clear that many organisations lack the comprehensive security measures needed to protect their API infrastructure in the AI era.

    Further, 20% of respondents have experienced API incidents costing nearly £500,000/£400,000 (per incident on average) in the last 12 months.

    Worryingly, 92% of them are addressing AI-driven threats, but many fundamental protections are still missing: only 35% have adopted zero-trust architecture and just 3% recognise shadow APIs as a serious security risk.

    Cannot afford to underestimate

    “Organisations cannot afford to underestimate their own security risks — especially in the age of AI,” said Marco Palladino, CTO and Co-Founder of Kong, Inc. “The report showcases that API security is being taken seriously as part of overall cybersecurity strategy, but there are still some blind spots that can open an organisation up to threats.

    “As AI continues to advance, not only will companies create more vulnerabilities within their own organisations, but attacks will become more sophisticated. Understanding the full threat landscape is crucial to maintaining a strong API security posture.”

    As might be expected, 84% of respondents feel AI and LLMs will make securing APIs more difficult but, surprisingly, the research finds many basic API security tactics being left out of overall strategy.

    Only 35% of organisations are adopting zero-trust architecture in order to mitigate API security risks and only 3% of respondents cite shadow APIs as a significant security threat to their organisation. With the convergence of APIs and AI, it is more important than ever to have a strong API security posture. 

    Additional key stats from the report include:

    • The top three measures organisations are taking to secure APIs against AI-enhanced threats include increased monitoring and traffic analysis (66%), educating staff on AI-related threats (60%), and AI-driven threat detection systems (51%) 
    • The top three steps being taken to mitigate API security risks are API monitoring and anomaly detection tools (63%), API gateway solutions (61%), and API encryption and tokenisation (58%)
    • 45% of organisations have dedicated at least 20% of their cybersecurity budgets to API security
    • 41% are unsure or doubtful that their organisation’s investment is enough to cover API security risks
    • 66% of organisations are implementing API governance frameworks to ensure compliance with internal policies and external regulations (such as GDPR, HIPAA)

    You can view the full report from Kong here.