Taking Stock of the Security Gaps Holding API Adoption Back

Salt Security has officially published the results from its semi-annual State of API Security Report, which exposes an alarming disconnect between rapid API adoption and immature security practices.

Titled the H2 2025 State of API Security Report, it claims that, as enterprises race to capitalize on the new-age AI Agent Economy, API security has emerged as a systemic vulnerability.

Looking at the report in more detail, 80% of organizations were found to lack continuous, real-time API monitoring, which leaves them effectively blind to active threats targeting AI agents. Furthermore, 1 in 3 surveyed companies (33%) reported an API security incident in the past year, and 50% had to delay a new application rollout due to API security concerns.

In addition, no more than 19% are “very confident” in the accuracy of their API inventory, while more than half (54%) rely on error-prone developer documentation to identify sensitive data exposure.

“APIs are now central to digital transformation and AI, yet security controls remain inconsistent, reactive, and dangerously behind the curve,” said Eric Schwake, Director of Cyber Security Strategy at Salt Security. “AI without API security is like driving a car blindfolded – if you can’t govern APIs, you can’t govern AI. Without immediate action, the unmonitored API attack surface will continue to expand, putting both innovation and resilience at risk.”

Although 62% of organizations have already adopted GenAI in API development, more than half (56%) view it as a growing security concern, particularly due to vulnerabilities in AI-generated code. An estimated 59% also said they are already leveraging GenAI within their security operations, a dynamic that introduces both defensive opportunities and offensive risks.

Salt Security’s study also touched on the explosive growth in API adoption: 41% of organizations reported increases of 51–100% in API usage over the past year, and a further 13% reported growth of 101–200%.

Alongside that, 6% saw their API volumes rise threefold, growing by over 301% in just 12 months. This rapid expansion is also reflected in portfolio size, with 42% of organizations now managing between 101 and 500 APIs. A separate 14% oversaw more than 1,000 APIs.

The report also found that 80% of organizations increased their security budgets over the past year, although most of these increases were under 15%.

Budget limitations were cited as the top barrier by 25% of respondents, followed by resource shortages (16%). Beyond funding, respondents cited inadequate runtime security (15%), poor manageability (14%), and underinvestment in pre-production security (12%) as their biggest barriers.

Salt Security’s report draws on the opinions of 386 security professionals responsible for API security across industries.

“AI adoption is rampant, but security is not keeping up. Existing tools miss the API execution layer, which means attackers can hijack entire AI agents via APIs,” said Eric Schwake. “Enterprises that master API security will be able to unlock AI-driven innovation safely at scale. Those that don’t are at risk of falling behind.”
