There’s a particular kind of security failure that keeps me up at night. Not the dramatic zero-day. Not the nation-state actor deploying exotic tooling. The one I’m talking about is quieter, more insidious, and in 2026, dramatically more common: the attacker who does everything right.

They authenticate. They send spec-compliant requests. They operate at volumes that look like legitimate integration traffic. They get what they came for — and they leave without triggering a single alert.

This is where API security currently lives, and it’s a governance nightmare masquerading as a technical problem.

The Number That Should End Every “We Have a WAF” Conversation

95% of API attacks in 2025 originated from authenticated sessions.

Let that land for a second. Not from unrecognised IPs. Not from known malicious signatures. From sessions your perimeter controls blessed as legitimate.

The Dell breach — 49 million customer records — followed this exact pattern. An attacker registered as a fake partner, hit a service tag lookup endpoint with zero entitlement checking, and ran 5,000 requests per minute for three weeks. Authenticated. Spec-compliant. Undetected.

Meanwhile, AI-adjacent API vulnerabilities grew by nearly 400% year-on-year (439 CVEs in 2024; 2,185 in 2025), and 57% of organisations have suffered an API-related breach in the past two years, with average losses north of $4 million per incident.

These aren’t edge cases. This is the normal operating environment.

The Governance Gap Is Worse Than the Security Gap

Here’s what I find more troubling than the breach statistics: only 10–14% of organisations have anything resembling an API posture governance strategy. Only 19% are “very confident” in their own API inventory. And 80% lack continuous real-time monitoring — which means most organisations are not watching their API estate at all.

At the same time, API estates grew by 41% last year alone.

We are running faster and seeing less. That’s not a risk posture — that’s a prayer.

From my work with public sector clients, I can tell you this gap is even wider in government and central departments. Legacy systems, fragmented ownership, under-resourced teams, and simultaneous compliance obligations across half a dozen regulatory frameworks. The API is the connective tissue of the modern digital estate, and in many organisations no one owns it end-to-end.

What the Regulatory Pile-On Actually Means

If you work in financial services, healthcare, or critical national infrastructure, you are now operating under a convergence of API-relevant obligations that most legal and compliance teams haven’t fully mapped yet.

DORA, mandatory since January 2025, imposes digital operational resilience testing with explicit third-party risk requirements. Your ICT provider’s API isn’t exempt just because it’s their infrastructure.

NIS2 expanded obligations to 18 sectors and roughly 300,000 entities, with incident reporting timelines of 24 hours and penalties up to €10 million or 2% of global turnover. Critically, it reaches into supply chain security — meaning the API integrations you manage indirectly are now in scope.

PCI DSS 4.0 Phase 2 controls, live since March 2025, contain the first explicit API mention in PCI history. They require automated, continuous detection and prevention of API-layer attacks. A WAF alone won’t get you there, and the QSA community is beginning to wake up to this.

The UK NCSC issued its first dedicated API security guidance in April 2025 — seven foundational pillars from design through to lifecycle management. Worth reading if you haven’t already.

None of these frameworks are fully aligned. There’s no universal API security standard, and that creates compliance overhead and leaves genuine gaps that each framework assumes another one fills. That’s a legal and governance problem as much as a technical one.

The New Attack Class: When the Agent Doesn’t Know It’s Being Manipulated

Here’s where I want to spend some time, because this is the part that most enterprise security teams haven’t operationalised yet — and the vendors haven’t fully solved.

Agentic AI has fundamentally changed what an API call means.

In 2020, an API call returned a payload. In 2026, an API call can instruct an autonomous agent to send emails, query databases, trigger financial transactions, and call other agents — all without a human in the loop. Gartner reports 35% of enterprises now use agents for business-critical workflows, up from 8% in 2023. 80% of IT professionals have already seen agents perform unauthorised or unexpected actions.

This creates three new attack classes that no current governance framework adequately addresses.

Indirect prompt injection is the most widely exploited. The attacker doesn’t attack the agent directly — they poison the content the agent retrieves. A malicious email sits in your inbox. A user asks your AI assistant a question. The assistant retrieves the email as context, activates the hidden instruction, and exfiltrates data via a rendering trick your Content Security Policy doesn’t catch. This is precisely what happened in the EchoLeak vulnerability (CVE-2025–32711) against Microsoft 365 Copilot. Zero clicks required. Zero visible trace. CVSS 9.3.

Agent-to-agent privilege escalation is even harder to defend against, because the attack doesn’t target your perimeter — it targets trust. A low-privilege agent convinces a high-privilege agent to act on its behalf. One researcher demonstrated this in a multi-agent smart home environment: a malicious agent broadcast a natural language request, a trusted lock agent interpreted it as authorised, and the door unlocked. In enterprise ServiceNow environments, low-privilege agents have been shown to coerce higher-privilege agents into exporting case files to external URLs through second-order injection. Your IAM controls validated every credential. The attack happened at the semantic layer.

Semantic privilege escalation may be the subtlest and most dangerous. The agent has exactly the permissions it should have. It performs an action those permissions technically allow. But the action violates the intent of the original task because a prompt injection in a document, ticket, or API response redirected its behaviour. Every policy check passes. The breach is invisible until the data shows up somewhere it shouldn’t.

OWASP released the Top 10 for Agentic Applications in December 2025. It’s the first systematic taxonomy of this attack class. If you’re deploying anything with agentic workflows and you haven’t read it, stop what you’re doing.

The Supply Chain Problem Isn’t Going Away

Approximately 30% of all data breaches now originate from third-party or supply chain compromise — doubled year-on-year. And annual vendor questionnaires are, frankly, inadequate.

The 700Credit breach is instructive. Attackers compromised one of 200 integration partners, obtained valid API tokens, and ran high-volume queries for months. 5.8 million Social Security numbers were exfiltrated. The partner never notified 700Credit. The questionnaire had presumably been completed.

The U.S. Treasury breach — Chinese state actors (Silk Typhoon), zero-day in BeyondTrust’s infrastructure, single API key enabling remote access to OFAC and the Treasury Secretary’s office — followed the same pattern. A trusted third party was the entry point.

This is why zero-trust API architecture isn’t a nice-to-have. Every integration partner is a potential attack vector. Every API key issued is a standing risk if it isn’t ephemeral, scoped, and monitored. The principle of least privilege doesn’t stop at your own estate.

What Good Looks Like in 2026

I want to be concrete here, because the analysis is only useful if it points somewhere actionable.

Continuous inventory, not periodic audits. You cannot govern what you cannot see. Shadow APIs, deprecated endpoints, and undocumented integrations are where attackers live. Runtime discovery — not scan-and-forget — is the baseline.

Behavioural monitoring from the inside. Signature-based detection misses business logic abuse from authenticated sessions by design. You need anomaly detection that understands what legitimate API traffic looks like for your environment and alerts on deviations from that baseline.

Ephemeral, scoped credentials for all agent interactions. Every agent-to-tool and agent-to-agent API call should use short-lived, narrowly scoped credentials. Persistent API keys in agentic workflows are a CISO incident waiting to happen.

API governance as an IAM problem. This is my lens, and I think it’s the right one. Who (or what) can call which endpoints, under what conditions, with what audit trail? That’s an identity and access question. It belongs in your IAM strategy alongside your human user lifecycle. JML processes that cover human accounts but not service accounts and agent identities are leaving the back door open.

Third-party API risk in your supply chain security programme. Not as a checkbox on a questionnaire — as a continuous monitoring obligation. What tokens does each integration partner hold? What’s the blast radius if they’re compromised?

The Market Signal

The API security market is growing at nearly 30% annually, and the vendor consolidation we’ve seen — Akamai absorbing Noname for $450 million, Traceable merging with Harness — tells you where enterprise budget is heading. Gartner’s 2025 Hype Cycle places API security testing at “High” benefit with under two years to plateau.

But the tooling for agentic AI API security is still genuinely early-stage. No vendor currently offers production-grade protection against semantic privilege escalation or cross-agent confused deputy attacks. The OWASP MCP Top 10 is under development. We are, as an industry, roughly where cloud IAM was in 2015: the threat is real, the frameworks are forming, and the organisations building governance frameworks now will be significantly ahead of those who wait for the standards to mature.

Closing Thoughts

There’s a line I keep returning to from OpenAI’s December 2025 security assessment: “Prompt injection, much like scams and social engineering on the web, is unlikely to ever be fully ‘solved.’”

That’s not defeatism. It’s an invitation to think differently about the problem. We don’t “solve” phishing — we build layered defences, educate users, implement technical controls, and accept residual risk with clear governance around it.

API security in 2026 needs the same maturity shift. The attack surface is too large, too dynamic, and too deeply embedded in agentic systems for any single technical control to contain it. What it requires is governance — continuous, cross-functional, identity-aware governance — treating every API call as a trust decision that needs to be made consciously, logged reliably, and reviewed regularly.

The organisations that get there first won’t just be more secure. They’ll be better positioned for every regulatory audit, every third-party risk assessment, and every boardroom conversation about whether their AI deployments are actually under control.

Which, in 2026, is the question everyone is being asked — and very few can answer with confidence.