Salt Security has released new research highlighting a critical gap in API security as AI agents rapidly expand across enterprise environments. The report clearly shows that while organizations aggressively adopt AI-driven automation, they are not strengthening their security frameworks at the same pace.

To begin with, the study surveyed 327 security leaders across industries such as technology, financial services, healthcare, and manufacturing. Notably, the findings reveal that 92% of organizations have yet to achieve advanced security maturity in environments where AI agents depend heavily on APIs to perform tasks. As a result, businesses face growing exposure to risks tied to these interconnected systems.

Moreover, API-related concerns are already impacting operations. Nearly 47% of respondents admitted they had postponed production releases due to API security issues. At the same time, 32% reported experiencing an API security incident within the past year. Despite these challenges, only 8% of organizations claim to have reached an advanced level of API security maturity, underscoring a major industry-wide vulnerability.

Meanwhile, API usage continues to surge alongside AI adoption. Approximately 66% of organizations reported that their API usage has increased by more than 50% over the last year. Consequently, security teams now struggle to manage a rapidly expanding and increasingly complex API ecosystem. Alarmingly, only 24% of organizations have implemented a fully automated API inventory, forcing the majority to rely on manual or incomplete tracking methods.

Security Gap Widens with AI Growth

As AI adoption accelerates, a significant disconnect between innovation and security is becoming evident. Salt refers to this issue as the “Agentic Security Gap”, emphasizing the need for organizations to gain comprehensive visibility not only into APIs but also into systems like large language models and Model Context Protocol servers.

At the leadership level, awareness is improving. In fact, 79% of boards and executive teams are now paying closer attention to AI-related security risks. However, confidence remains low—only 18% of respondents feel highly confident in their ability to detect attacks involving generative AI.

Additionally, software development practices are evolving. Nearly 90% of organizations are either using or planning to use generative AI in API development. While this shift boosts efficiency, it also introduces new risks if organizations fail to properly manage code quality, access controls, and testing processes.

Threat Landscape Continues to Evolve

The report further highlights a dramatic shift in cyberattack patterns. According to Salt Labs, 99% of attack attempts now originate from authenticated sources. This means attackers increasingly exploit legitimate accounts rather than relying solely on external breaches.

Furthermore, 65% of attacks take advantage of security misconfigurations, particularly over-permissioned APIs. These vulnerabilities allow attackers to chain API requests and extract sensitive data at high speed.

“You cannot secure AI agents without securing every layer they touch, including the APIs they call, the MCP servers they route through, and the data they access,” said Roey Eliyahu, Co-Founder and Chief Executive Officer of Salt Security.

“Risk in the agentic era doesn’t sit in one place. It lives in how all of those pieces interact in real time,” Eliyahu said.

API Security Takes Center Stage

Given these findings, Salt strongly recommends treating API security as a standalone discipline rather than grouping it under application or cloud security. APIs now serve as the operational backbone of AI systems, connecting applications, platforms, and services across organizations.

To address this challenge, the company introduced the concept of an Agentic Security Graph, designed to map relationships between AI models, APIs, and supporting infrastructure. This approach aims to provide deeper visibility into how AI systems operate, make decisions, and interact across enterprise environments.

Ultimately, the research highlights a critical issue: organizations are not struggling with AI adoption itself but with maintaining proper governance and visibility. Delayed deployments, limited detection capabilities, and incomplete system inventories all point to a pressing need for improved oversight.

“Salt Security was founded on the belief that APIs are the most critical and most overlooked attack surface in the enterprise. As AI agents have emerged, it has become clear that APIs are just one pillar in a much larger, deeply connected system,” Eliyahu said.

“Today, we secure the entire agentic environment, the LLM, agents, MCP servers, APIs, and the data they access. Our 1H 2026 research confirms that this isn’t a future problem, it’s happening now, and most organizations are not ready,” he said.
