Security News

Cybersecurity news aggregator

INFO News SC Media

APIs under pressure: How AI is rewriting the rules of enterprise security

  • What: Discussion on how AI is changing enterprise security and the role of APIs.
  • Impact: Relevant to enterprise security professionals.

May 20, 2026

By Paul Wagenseil

Today’s columnist, Jim Richberg of Fortinet, explains why business and government must cooperate as GenAI develops. (Adobe Stock)

APIs have grown from back-end technical connectors into one of the most important — and dangerous — aspects of modern enterprise infrastructure.

That's the general consensus reached by participants in a recent online forum hosted by the CyberRisk Collaborative (CRC) and sponsored by Akamai. Because the discussion followed the Chatham House Rule, we can't tell you who said what or who was there, but the latest CRC report, "APIs, AI, and the governance gap: Securing the new digital attack surface," lays out key takeaways from the conversation.

The full report is available to CyberRisk Collaborative members.

Artificial intelligence, Model Context Protocol (MCP) frameworks, and rapidly expanding API ecosystems are forcing organizations to rethink how they approach security, governance, and operational resilience.

APIs sit at the center of digital business operations, including cloud services, AI systems, and automated workflows. The accelerating adoption of AI-powered tools and services means that APIs are multiplying faster than security teams can count, monitor, or govern them.

Participants from the banking, healthcare, infrastructure management, software development, and private equity sectors stressed that visibility gaps still plague modern cybersecurity programs. Systems inherited from mergers and acquisitions, undocumented endpoints, and "zombie APIs" operating without active ownership all create hidden attack surfaces that attackers can exploit.

AI dramatically amplifies API risk, the participants agreed.
Large language model applications are fundamentally API-driven, AI systems themselves have become massive consumers of APIs, and AI tools let anyone create integrations, automation workflows, and MCP-connected services without traditional security review cycles. The result is an explosion of endpoints and connections that outpaces governance processes and creates new opportunities for data exposure and unauthorized access.

API security is no longer merely a technical problem, but a cultural one as well. Governance failures, fragmented ownership, and organizational gaps can create larger risks than the technology itself. Because APIs may be jointly managed by development teams, DevOps groups, infrastructure teams, and security operations, it's not always clear who's in charge.

Several roundtable participants described efforts to improve collaboration through "green-light" development programs that give teams that demonstrate strong security practices faster approvals and streamlined reviews.

However, it shouldn't be a surprise that traditional application-security tools are often poorly suited for modern API threats. Conventional scanners may detect low-level misconfigurations, but they frequently miss business-logic vulnerabilities involving authorization flaws, data exposure, rate limiting, or workflow abuse — the same categories responsible for many real-world API breaches.

To mitigate these issues, the roundtable participants suggested layered defensive approaches that combine SAST, DAST, fuzz testing, schema validation, runtime gateways, and API-specific security testing. Yet many acknowledged that even advanced tooling still struggles to fully understand API behavior in context.

The participants affirmed what many cybersecurity pros already know: AI-powered offensive capabilities are compressing security timelines dramatically.
Models like Claude Mythos Preview can spot vulnerabilities and figure out exploit paths far more quickly than regular remediation processes can respond. Organizations are being forced to reduce remediation windows from weeks to days — or even hours — for critical externally facing vulnerabilities.

But the discussion participants warned that autonomous AI security tools aren't perfect and can still behave unpredictably or disrupt production environments.

Ultimately, the future of API security will depend on balancing automation with human oversight. Organizations must combine continuous visibility, governance, layered testing, AI-assisted defenses, and cross-functional collaboration into unified operational strategies capable of adapting to an increasingly AI-driven threat landscape.

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.