As Subramaniam explains, “AI agentic systems, which autonomously access APIs to perform tasks, complicate API security by expanding the attack surface, enabling dynamic and unpredictable interactions, and amplifying existing vulnerabilities through high-speed, automated actions.” Preventing unauthorized access by agents would require more granular controls and more time-bound role-based access control (RBAC).
Other API risks stem from the broader software supply chain. In 2025, JPMorganChase CISO Patrick Opet published an open letter about declining standards among SaaS providers, writing that the SaaS delivery model is “quietly enabling cyber attackers” and creating a “substantial vulnerability that is weakening the global economic system.”
Third-party API consumption can expose an organization to sensitive data. According to Gartner, 71% of organizations use APIs provided by third parties such as SaaS vendors, making third-party APIs another major risk vector.
“For third-party APIs, we already require vendor security reviews and contractual security assurances,” says Fortitude Re’s Franklin, noting that this is part of a broader SaaS security program that provides visibility into the SaaS systems employees use.
The onus, however, is also on the consuming organization to implement better token-handling processes to secure API connections to SaaS platforms. This is especially important, as developers are often careless with API keys and secrets. In 2024, Escape found 18,000 API secrets and tokens exposed on the open internet.
Some CISOs are actively addressing this. “Our team centralizes and encrypts all third-party credentials — API keys, tokens — within the API management layer,” says Subramaniam. “We never distribute raw credentials to our internal development teams.”
Sustaining secure integrations requires ongoing discipline, too. “We apply the same rigor to third-party APIs: Credentials are tightly scoped, regularly rotated, and monitored for behavioral drift,” adds Faxon. “If an integration begins acting outside its expected pattern, it’s treated as a security event, not a technical anomaly.”
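Faxon’s point about monitoring scoped credentials for behavioral drift, as an added example that is not code from the article or from any of the organizations quoted: a small Python check that compares constructed API access-log lines against a hypothetical expected-use profile for one integration credential and raises each deviation as a security event.

```python
"""Behavioral-drift check for one third-party integration credential.
Added example; the profile, credential name, log format and log lines
are all constructed for illustration.
"""
from collections import Counter
from datetime import datetime

# Constructed expected-use profile for one scoped integration credential.
PROFILE = {
    "credential_id": "int-payroll-sync",            # hypothetical name
    "allowed_endpoints": {"GET /v1/employees", "POST /v1/timesheets"},
    "allowed_hours_utc": range(1, 6),               # nightly batch window
    "max_calls_per_minute": 3,                      # kept low for the demo
}

# Constructed access-log lines: timestamp credential method path status
SAMPLE_LOG = [
    "2025-03-01T02:00:01Z int-payroll-sync GET /v1/employees 200",
    "2025-03-01T02:00:09Z int-payroll-sync POST /v1/timesheets 201",
    "2025-03-01T02:00:20Z other-integration GET /v1/invoices 200",
    "2025-03-01T14:12:33Z int-payroll-sync GET /v1/employees 200",     # daytime
    "2025-03-01T02:03:45Z int-payroll-sync GET /v1/admin/export 403",  # new path
] + [f"2025-03-01T02:05:{s:02d}Z int-payroll-sync GET /v1/employees 200"
     for s in range(4)]                                                 # burst

def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, cred, method, path, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "cred": cred,
            "endpoint": f"{method} {path}", "status": int(status)}

def detect_drift(lines, profile):
    """Return (reason, endpoint, timestamp) for each deviation from the profile."""
    events, per_minute = [], Counter()
    for rec in map(parse_line, lines):
        if rec["cred"] != profile["credential_id"]:
            continue  # another credential; its own profile covers it
        if rec["endpoint"] not in profile["allowed_endpoints"]:
            events.append(("unexpected_endpoint", rec["endpoint"], rec["ts"]))
        if rec["ts"].hour not in profile["allowed_hours_utc"]:
            events.append(("outside_window", rec["endpoint"], rec["ts"]))
        minute = rec["ts"].replace(second=0)
        per_minute[minute] += 1
        if per_minute[minute] == profile["max_calls_per_minute"] + 1:
            events.append(("rate_exceeded", rec["endpoint"], minute))  # once per minute
    return events

if __name__ == "__main__":
    for reason, endpoint, when in detect_drift(SAMPLE_LOG, PROFILE):
        print(f"SECURITY EVENT {reason}: {endpoint} at {when:%Y-%m-%d %H:%M}")
```

Each event is meant to feed the same pipeline as any other security alert, which is the distinction Faxon draws between a security event and a technical anomaly.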
For Murphy, avoiding third-party API gaps requires careful vendor evaluation and tooling choices. “You trust but verify.” The same intent should be applied to assessing API management tools, too: maintaining too many niche products increases complexity, brings scalability challenges, and requires stitching them together to obtain a cohesive API security view.
“The more complexity, and the more differentiated monitoring, the higher risk you’re going to mess up,” says Murphy. “But, diversity in the platform is good, too, since compartmentalizing can help with a tiered aspect to security oversight.” One top item on BECU’s roadmap for 2026 is automating between their exposure management platform, vulnerability management platform, and security operations center, he adds.
As APIs become a core facet of modern business operations, their security risks are becoming more pronounced. “Every API misconfiguration is not just a security gap,” says Faxon. “It’s a business decision being executed at machine speed, without human oversight.”
Responding to this new era of threats requires moving beyond traditional perimeter defenses. Organizations will need new approaches to secure non-human identities: machines, bots, and agents that increasingly interact with systems and data at the business application layer.
“The real shift isn’t just from endpoints to APIs,” says Franklin. “It’s from human-driven access to non-human identities like APIs, service accounts, and machine-to-machine connections.” Though these identities now outnumber humans in most enterprises, he adds, they lack rigorous governance, requiring a rethink to secure this new attack surface.
The problem is further complicated by the diversity of API environments. APIs may be distributed across multiple clouds, platforms, and locations, each with different security controls. As Mazal explains, “The challenge is that as development accelerates and the pace of innovation increases, not all APIs follow the same set of controls.”
Edge-based IoT APIs, for instance, may not allow the same kinds of traffic enforcement found in centralized environments. “The resulting gaps in interconnectivity make it difficult to manage APIs holistically and consistently across the ecosystem.” For him, real-time threat monitoring and visibility into network telemetry remain essential to close visibility gaps.
Ultimately, CISOs shouldn’t abandon traditional security tools. But they do need to extend security deeper into the development and design process, embedding checks early, strengthening identity-based authorization, and improving real-time visibility into business-layer interactions.
By combining governance, identity controls, and visibility, CISOs can adequately prepare for the security realities of an API-driven world.