API security has never been more important because modern APIs are operational necessities.
Unfortunately, many organizations are failing to adapt their security models to a rapidly changing API threat landscape. Like it or not, we live in an AI-first world, and API security must reflect that reality. The Postman 2025 State of API Report is confirmation of that fact.
AI is Becoming Business Critical
AI already plays a significant role in modern business functions. A staggering 89% of developers use generative AI in their daily work, helping with everything from improving code quality (68%), to generating API documentation (41%), and even generating API design (28%).
In short, modern developers are AI native. They rely on AI and, as technology evolves, will likely become even more reliant in the years to come.
AI agents are a key part of this transition. They go beyond mere AI code assistants, acting as autonomous autopilots for software development and testing tasks. Ultimately, their ability to act without human input will irreversibly redefine the developer experience, largely for the better.
However, increased use of AI agents is also redefining threat surfaces. In fact, they have become the new threat surface. And organizations must adapt to that new reality.
AI Agents Are the New Threat Surface
The increasing reliance on AI, particularly agentic AI, essentially means that AI agents are the new API consumers.
This matters because they can call endpoints thousands of times per second, process data at unprecedented scale, and integrate systems in ways that traditional API design never anticipated. The new security risks this creates are reflected in developer concerns:
- 51% worry about unauthorized or excessive API calls from AI agents.
- 49% are concerned about AI systems accessing sensitive data they shouldn’t see.
- 46% worry about AI systems sharing or leaking API credentials.

API Security Must Adapt to AI Consumers
The question, then, is what organizations must do to defend against AI consumers. Postman offers five recommended changes:
- Agent Identification: Tag and distinguish AI from other requests using headers or metadata.
- Dynamic Rate Limiting: Move beyond static throttles to behavior-based limits.
- Granular Least-Privilege Scopes: Ensure API keys can only access what’s needed.
- Short-Lived Credentials and Automatic Rotation: Reduce the blast radius of leaks.
- Enhance Monitoring and Anomaly Detection: Track abnormal agent traffic in real time.
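The first three recommendations combined in one request gate, as an added example (not code from the Postman report or from Wallarm). The `X-Agent-Id` header name, the limits and the scope strings are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

BASE_LIMIT = 20                  # assumed per-window budget for a well-behaved client
WINDOW = 1.0                     # window length in seconds (assumed)
AGENT_HEADER = "X-Agent-Id"      # hypothetical header; the page names no specific one


class AgentGate:
    """Tags agent traffic, enforces key scopes, shrinks the rate budget on misuse."""

    def __init__(self, key_scopes):
        self.key_scopes = key_scopes        # api_key -> set of allowed scopes
        self.hits = defaultdict(deque)      # client id -> recent request timestamps
        self.denials = defaultdict(int)     # client id -> scope violations seen

    def limit_for(self, client):
        # Behavior-based limit: each scope violation halves the budget (floor of 1).
        return max(1, BASE_LIMIT >> self.denials[client])

    def check(self, headers, api_key, scope, now=None):
        now = time.monotonic() if now is None else now
        agent = headers.get(AGENT_HEADER)
        # Agent identification: tagged agents get their own bucket, apart from
        # other traffic that uses the same key.
        client = f"agent:{agent}" if agent else f"key:{api_key}"
        window = self.hits[client]
        while window and now - window[0] >= WINDOW:
            window.popleft()                # drop timestamps outside the window
        if len(window) >= self.limit_for(client):
            return "throttled"
        window.append(now)
        # Least privilege: the key, not the self-declared header, decides access.
        if scope not in self.key_scopes.get(api_key, set()):
            self.denials[client] += 1       # misuse tightens this client's future limit
            return "forbidden"
        return "ok"
```

A self-declared header only identifies cooperative agents, which is why the scope check stays bound to the API key and the header is used only for bucketing and monitoring.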
Sound familiar? That’s because Postman’s recommendations for AI security are already part of API security. Wallarm’s platform, for example, provides real-time, behavior-based API protection that automatically identifies and mitigates AI agent traffic by:
- Fingerprinting AI patterns
- Enforcing dynamic rate limits
- Inspecting every request for scope misuse or token abuse
- Continuously monitoring and detecting anomalies to expose API activity as it happens
However, one problem remains: APIs aren’t built for AI. And developers aren’t doing enough to change that.
The AI-API Gap is Creating Security Debt
Although developers are using AI, they’re not designing APIs to handle AI workloads. According to the Postman report, 89% of developers use AI, but only 24% design APIs for AI agents. They’re still assuming traditional consumption. In fact:
- 59% design APIs for human developers/applications
- Only 13% design equally for humans and AI agents/systems
- Just 6% are transitioning from human-first to AI-first API design
- 16% haven’t considered AI agents as API consumers at all
Frankly, this doesn’t reflect the reality of API consumption. 68% of respondents said they relied on AI to improve code quality. But traditional APIs break when AI tries to use them, and that’s when security cracks open.

Put simply, AI-driven consumers magnify every flaw in your API design and documentation. If your schema isn’t explicit and machine-readable, you’re already behind.
Wallarm can help close the AI-API gap by discovering and mapping all your APIs, including shadow and AI-integrated ones, and enforcing schema validation and behavior-based protection at runtime.
Our platform exposes inconsistencies and undocumented endpoints that AI agents could exploit, turning vague, human-centric APIs into well-defined, governed, and monitored interfaces.
Protect APIs in 2025 and Beyond with Wallarm
Amidst a changing API threat landscape, your organization needs a platform that can adapt.
Wallarm does just that.
Our unified platform for API and agentic AI security is the only solution that delivers best-in-class API Security capabilities to protect your entire portfolio of APIs and AI apps in multi-cloud, cloud-native and on-premise environments.
Want to see how it works? Schedule a demo today.