AI-enhanced cyberattacks are the No. 1 concern for application programming interface (API) defenders, according to a survey by Kong published Tuesday.
The survey of 700 IT leaders found that 32% of respondents ranked AI-enhanced attacks as the biggest API security threat to their organization, more than unauthorized access or breaches at 26% and insufficient encryption and data protection at 14%.
Additionally, 92% of survey participants said their organization was taking measures to combat such AI-enhanced attacks, while 25% said they have already encountered AI-enhanced security threats related to APIs or large language models (LLMs).
Meanwhile, API security as a whole was acknowledged as a top priority by 88% of surveyed IT leaders, with 97% considering it to be of greater or equal importance to other areas of cybersecurity like network and endpoint security.
The survey identified a gap in respondents’ confidence about API security and the prevalence of API attacks, with 85% saying they were confident in their ability to secure APIs and only 4% saying they were not confident, despite 55% already having experienced an API security incident within the previous 12 months.
When it came to AI-related risks, 40% said they were not sure whether their organization’s current security investments were sufficient to address them, while 74% expressed being extremely or very concerned about AI-enhanced cyberattacks.
“Organizations cannot afford to underestimate their own security risks – especially in the age of AI. The report showcases that API security is being taken seriously as part of overall cybersecurity strategy, but there are still some blind spots that can open an organization up to threats,” Kong CTO and co-founder Marco Palladino said in a statement. “As AI continues to advance, not only will companies create more vulnerabilities within their own organizations, but attacks will become more sophisticated. Understanding the full threat landscape is crucial to maintaining a strong API security posture.”
How are organizations defending their APIs in the AI age?
The Kong API Security Perspectives 2025 survey report also revealed the cost of API incidents over the past 12 months, with nearly half of respondents (47%) saying recent incidents cost their organization more than $500,000. Nearly a third (32%) of those who reported an incident over the past year said the incident was “severe.”
In defending against API attacks, IT leaders were most likely to report implementing API monitoring and anomaly detection tools (63%), API gateway solutions (61%), API encryption and tokenization (58%) and regular penetration testing and audits (57%).
“Only 35% report adopting zero-trust architecture, surprising given how established and generally accepted as best practice this comprehensive approach to API security is,” the report notes.
When it comes to AI-enhanced attacks in particular, 66% of respondents said they were increasing monitoring and trafficking analysis in response to AI risks, while 60% said they were educating staff on AI, 51% were using AI-driven threat detection systems, 44% were leveraging API security solutions with AI capabilities and 40% were partnering with third-party security services to detect and mitigate AI threats.
Insecure AI usage within one’s own organization was also seen as both a potential security risk. In response, 33% of respondent were implementing AI-specific security policies and 21% were adopting an AI gateway to manage AI consumption. Enhancement of monitoring and anomaly detection for AI traffic was also reported by 19% of respondents.
Overall, 84% of survey participants said AI and LLMs would increase the complexity of securing APIs over the next two to three years.
“The convergence of AI and APIs presents both unprecedented opportunities and risks,” the report concluded. “Many still underestimate critical vulnerabilities like shadow APIs, and as many as 13% of organizations in the US say they’re taking no specific measures against AI-enhanced threats. With API attacks projected to grow by 548% by 2030, the time to act is now.”
