
As Subramaniam explains, “AI agentic systems, which autonomously access APIs to perform tasks, complicate API security by expanding the attack surface, enabling dynamic and unpredictable interactions, and amplifying existing vulnerabilities through high-speed, automated actions.” Preventing unauthorized access by agents will require more granular, time-bound role-based access control (RBAC), so that an agent holds only the permissions a task needs and only for as long as it needs them.
Other API risks stem from the broader software supply chain. In 2025, JPMorganChase CISO Patrick Opet published an open letter about diminishing standards for SaaS providers, writing that the SaaS delivery model is “quietly enabling cyber attackers” and creating a “substantial vulnerability that is weakening the global economic system.”
Third-party API consumption can open an organization to sensitive data exposure. According to Gartner, 71% of organizations use APIs provided by third parties such as SaaS vendors, making third-party APIs another major risk vector.
“For third-party APIs, we already require vendor security reviews and contractual security assurances,” says Fortitude Re’s Franklin, noting that this is part of a broader SaaS security program that provides visibility into the SaaS systems employees use.
The onus, however, is also on the consuming organization to implement better token-handling processes to secure API connections to SaaS platforms. This is especially important, as developers are often reckless with API keys and secrets. In 2024, Escape discovered 18,000 API secrets and tokens floating around on the open web.
Some CISOs are actively addressing this. “Our team centralizes and encrypts all third-party credentials — API keys, tokens — within the API management layer,” says Subramaniam. “We never distribute raw credentials to our internal development teams.”
Maintaining safe integrations requires ongoing discipline, too. “We apply the same rigor to third-party APIs: Credentials are tightly scoped, regularly rotated, and monitored for behavioral drift,” adds Faxon. “If an integration begins acting outside its expected pattern, it’s treated as a security event, not a technical anomaly.”
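The credential-handling practices described above, as an added example in Python (not code from the article or from any of the organizations quoted): raw vendor keys stay inside a central broker, internal callers and agents receive short-lived, scoped grants instead of the credential itself, the vendor key can be rotated without touching callers, and an integration that uses an out-of-grant scope or exceeds its expected call rate is recorded as a security event. The vendor name, keys, scopes and rate limit are constructed, and the HMAC-signed grant format is an illustrative assumption rather than any particular product's token.

```python
"""Credential broker for third-party API integrations (added illustration).

Raw vendor credentials never leave the broker; callers get time-bound,
scoped grants. All names, keys, scopes and limits here are constructed.
"""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Integration:
    name: str                  # constructed vendor name, e.g. "crm-vendor"
    api_key: str               # raw vendor credential; used only inside the broker
    allowed_scopes: frozenset  # maximum scope any grant may carry
    max_calls_per_minute: int  # expected behavioural envelope for drift detection
    calls: list = field(default_factory=list)   # timestamps of recent proxied calls


class CredentialBroker:
    def __init__(self, signing_key: bytes, grant_ttl: int = 300):
        self._signing_key = signing_key          # assumed broker-only HMAC key
        self._ttl = grant_ttl                    # grants expire after this many seconds
        self._integrations: dict[str, Integration] = {}
        self.security_events: list[str] = []     # drift and scope violations land here

    def register(self, integ: Integration) -> None:
        self._integrations[integ.name] = integ

    def issue_grant(self, subject: str, integration: str, scopes: set, now=None) -> str:
        """Return a signed, time-bound grant for a subset of the integration's
        allowed scopes. The vendor key is deliberately not part of the grant."""
        integ = self._integrations[integration]
        if not scopes <= integ.allowed_scopes:
            raise PermissionError(f"scopes {scopes - integ.allowed_scopes} not allowed")
        now = int(time.time()) if now is None else now
        payload = {"sub": subject, "int": integration, "scp": sorted(scopes),
                   "iat": now, "exp": now + self._ttl, "jti": secrets.token_hex(8)}
        body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
        sig = hmac.new(self._signing_key, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + sig

    def _verify_grant(self, grant: str, now: int) -> dict:
        body_hex, sig = grant.split(".")
        body = bytes.fromhex(body_hex)
        expected = hmac.new(self._signing_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            raise PermissionError("bad grant signature")
        payload = json.loads(body)
        if now >= payload["exp"]:
            raise PermissionError("grant expired")
        return payload

    def call(self, grant: str, scope: str, now=None) -> dict:
        """Proxy one vendor call for the grant holder. Out-of-scope or
        out-of-pattern use is recorded as a security event and refused."""
        now = int(time.time()) if now is None else now
        payload = self._verify_grant(grant, now)
        integ = self._integrations[payload["int"]]
        if scope not in payload["scp"]:
            self.security_events.append(
                f"{payload['sub']} used {scope} outside its grant for {integ.name}")
            raise PermissionError("scope not in grant")
        # Behavioural drift: sliding one-minute window over this integration's calls.
        integ.calls = [t for t in integ.calls if now - t < 60] + [now]
        if len(integ.calls) > integ.max_calls_per_minute:
            self.security_events.append(
                f"rate drift on {integ.name}: {len(integ.calls)} calls/min")
            raise PermissionError("integration outside expected call pattern")
        # The raw key is touched here and nowhere else; callers only ever see a fingerprint.
        fingerprint = hashlib.sha256(integ.api_key.encode()).hexdigest()[:12]
        return {"integration": integ.name, "scope": scope, "key_fingerprint": fingerprint}

    def rotate(self, integration: str, new_key: str) -> None:
        """Swap the vendor key. Outstanding grants keep working because they
        never embedded it, so rotation needs no coordination with callers."""
        self._integrations[integration].api_key = new_key


if __name__ == "__main__":
    broker = CredentialBroker(b"constructed-signing-key", grant_ttl=300)
    broker.register(Integration("crm-vendor", "sk_constructed_1",
                                frozenset({"contacts:read", "contacts:write"}), 3))
    grant = broker.issue_grant("agent:report-job", "crm-vendor", {"contacts:read"}, now=1000)
    print(broker.call(grant, "contacts:read", now=1001))
    broker.rotate("crm-vendor", "sk_constructed_2")
    print(broker.call(grant, "contacts:read", now=1002))   # still valid after rotation
```

The grant carries subject, integration, scopes and an expiry, which is the granular, time-bound control the agent discussion calls for: an agent's grant can be minted per task with a TTL of minutes and scoped to a single operation, and a compromised grant yields neither the vendor key nor permissions beyond its scope.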
For Murphy, avoiding third-party API gaps requires careful vendor evaluation and tooling decisions. “You trust but verify.” The same scrutiny must be applied to assessing API management tools, too: maintaining too many niche products increases complexity, brings scalability challenges, and requires stitching them together to obtain a cohesive API security view.
“The more complexity, and the more differentiated monitoring, the higher risk you’re going to mess up,” says Murphy. “But, diversity in the platform is good, too, since compartmentalizing can help with a tiered aspect to security oversight.” One top item in BECU’s roadmap for 2026 is automating the handoffs between their exposure management platform, vulnerability management platform, and security operations center, he adds.
As APIs become a core aspect of modern business operations, their security risks are becoming more pronounced. “Every API misconfiguration is not just a security gap,” says Faxon. “It’s a business decision being executed at machine speed, without human oversight.”
Responding to this new era of threats requires moving beyond traditional perimeter defenses. Organizations will need new approaches to secure non-human identities — machines, bots, and agents that increasingly interact with systems and data at a business application level.
“The real shift isn’t just from endpoints to APIs,” says Franklin. “It’s from human-driven access to non-human identities like APIs, service accounts, and machine-to-machine connections.” Although these identities now outnumber humans in most enterprises, he adds, they lack rigorous governance, requiring rethinking to secure this new attack surface.
The challenge is further complicated by the diversity of API environments. APIs may be distributed across multiple clouds, platforms, and locations, each with different security controls. As Mazal explains, “The challenge is that as development accelerates and the pace of innovation increases, not all APIs follow the same set of controls.”
Edge-based IoT APIs, for instance, may not allow the same types of traffic enforcement found in centralized environments. “The resulting gaps in interconnectivity make it difficult to manage APIs holistically and consistently across the ecosystem.” For him, real-time threat monitoring and visibility of network telemetry are still essential to correct visibility gaps.
Ultimately, CISOs shouldn’t abandon traditional security tools. But they do need to extend security deeper into the development and design process, embedding checks early, strengthening identity-based authorization, and improving real-time visibility into business-layer interactions.
By combining governance, identity controls, and visibility, CISOs can adequately prepare for the security realities of an API-driven world.
