
In today’s hyperconnected world, Application Programming Interfaces (APIs) serve up powerful digital interactions and are the engine behind Artificial Intelligence (AI). Whether you make reservations at your favorite restaurant or request directions from an AI assistant, APIs are a big part of our digital infrastructure. A recent security report said APIs now account for 71% of all internet traffic, creating an enormous attack surface. Threat actors are incentivized to leverage single points of failure within digital architecture, and the rapid deployment of AI has created new threat vectors.

Understanding How APIs Work and Why They are a Delectable Attack Vector

An API is a set of rules and protocols that allows one piece of software to communicate with another. It defines how systems exchange information, request services, and deliver responses while abstracting the complexity of what happens under the hood. APIs often connect into large data lakes that store treasure troves of personal information.

The most commonly used and easy-to-understand analogy compares APIs to a restaurant server. Imagine ordering a sausage pizza at your favorite restaurant. The waiter (API) hands you a menu (API documentation). You (the user) place your order (API call), and the waiter (API) communicates your request to the kitchen (database or backend system). The kitchen prepares your pizza (API response) and hands it back to the waiter (API), who delivers it to your table. In this scenario, the waiter (API) acts as an intermediary between you (the user) and the kitchen (the backend system), shielding you from the complexity of watching the proverbial “sausage be made.” Importantly, the menu and waiter determine which items can be ordered, facilitate proper communication, and prevent customers from entering the kitchen directly. APIs play a similar role in digital systems. They restrict what external applications can request, validate those requests, and shield backend systems from unintended interference.

How Cyber Criminals Exploit APIs

APIs are a lucrative threat vector for cyber-attacks, and cyber criminals are increasingly focused on exploiting them. Below are four of the most common and dangerous API attack vectors:

  • Broken Object Level Authorization (BOLA): BOLA occurs when an API fails to properly verify whether the requesting user is authorized to access a specific object or record. For example, in a financial system, an attacker might manipulate identifiers in an API request to gain access to another user’s account information. Without strict validation of user permissions for each object, sensitive data can be easily exposed.
  • Injection Attacks: Injection attacks happen when an attacker submits carefully crafted malicious input that deceives the backend system into executing unintended commands. APIs that fail to properly validate or sanitize incoming data can unintentionally allow attackers to manipulate database queries, access unauthorized information, or change system behavior.
  • Distributed Denial of Service (DDoS) Attacks: In a DDoS attack, an API is flooded with an overwhelming number of requests, depleting server resources and making the service unavailable to legitimate users. Such attacks often take advantage of poorly designed API endpoints that lack sufficient rate-limiting, resource allocation, or failover protection.
  • Broken Authentication: Broken authentication vulnerabilities allow attackers to bypass identity verification mechanisms. Weak credential management, predictable tokens, poorly secured session identifiers, or improperly implemented access controls can enable unauthorized individuals to impersonate legitimate users or maintain ongoing access to protected systems.
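The first two bullets above (BOLA and injection) are easiest to see side by side in code. The following is an added example written for this article, not code from the original piece or from any product it mentions: a constructed in-memory SQLite table stands in for the backend “kitchen,” `get_account_vulnerable` shows the handler pattern that fails both ways (the caller is authenticated, but ownership of the requested record is never checked, and the id is spliced into the SQL text), and `get_account_hardened` shows the corrective controls (validate the identifier, bind it as a query parameter, and make ownership part of the lookup). All names, users and balances are hypothetical.

```python
import re
import sqlite3


def build_db():
    """Constructed sample backend: two users, two accounts, in memory only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        "id INTEGER PRIMARY KEY, owner TEXT NOT NULL, balance INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO accounts (id, owner, balance) VALUES (?, ?, ?)",
        [(1, "alice", 500), (2, "bob", 1200)],
    )
    conn.commit()
    return conn


class Forbidden(Exception):
    """The authenticated caller may not see the requested object."""


class BadRequest(Exception):
    """The request is malformed (for example, a non-numeric id)."""


def get_account_vulnerable(conn, caller, account_id):
    """BOLA pattern: `caller` is known (authentication happened), but nothing
    checks that the account belongs to them, so changing the id in the request
    returns another user's record. The id is also spliced into the SQL text,
    which is the injection pattern described in the second bullet."""
    sql = f"SELECT id, owner, balance FROM accounts WHERE id = {account_id}"
    row = conn.execute(sql).fetchone()
    return None if row is None else {"id": row[0], "owner": row[1], "balance": row[2]}


def get_account_hardened(conn, caller, account_id):
    """Object-level authorization plus input validation."""
    # 1. Validate: the identifier must be a positive decimal integer, nothing else.
    text = str(account_id)
    if not re.fullmatch(r"[1-9][0-9]*", text):
        raise BadRequest("account id must be a positive integer")
    account_id = int(text, 10)
    # 2. Parameterize: the driver sends the value separately from the SQL text.
    # 3. Authorize per object: ownership is part of the lookup, so there is no
    #    code path that can return someone else's record.
    row = conn.execute(
        "SELECT id, owner, balance FROM accounts WHERE id = ? AND owner = ?",
        (account_id, caller),
    ).fetchone()
    if row is None:
        # Same outcome whether the account is missing or belongs to another
        # user, so the endpoint does not reveal which ids exist.
        raise Forbidden(f"{caller} may not access account {account_id}")
    return {"id": row[0], "owner": row[1], "balance": row[2]}


def try_access(conn, caller, account_id):
    """Run the hardened handler and report the outcome as a short status string."""
    try:
        get_account_hardened(conn, caller, account_id)
        return "ok"
    except Forbidden:
        return "forbidden"
    except BadRequest:
        return "bad_request"


if __name__ == "__main__":
    db = build_db()
    # alice is authenticated, then asks for account 2 (bob's) by editing the id.
    print("vulnerable handler returned:", get_account_vulnerable(db, "alice", 2))
    print("hardened handler, own account:", try_access(db, "alice", 1))
    print("hardened handler, other account:", try_access(db, "alice", 2))
    print("hardened handler, malformed id:", try_access(db, "alice", "2abc"))
```

The design point is that ownership is expressed as a filter in the same query that fetches the object, rather than as a separate check a later refactor can forget; the `WHERE id = ? AND owner = ?` line is the object-level authorization the first bullet says is missing in a BOLA flaw, and the parameter binding is the sanitization the second bullet says is missing in an injectable one.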

AI Acceleration Is Compounding the API Problem & Increasing Supply Chain Risk

Businesses are eager to consume the benefits of AI in the workplace, sometimes bypassing normal third-party risk management processes and increasing the associated risks. When “AI-powered” tools or SaaS products are rolled out quickly, security protocols and defense in depth must be deployed just as quickly. Without proper oversight, an AI-powered chatbot or automation tool with unrestricted API access can quickly turn into an unintended insider threat.

Proactive API Security Is Legally Required

Cyber criminals are actively seeking ways to exploit AI and the data lakes they connect to—which means businesses must implement technical and organizational controls to safeguard systems and data to comply with laws that require “reasonable security.” Demonstrating responsible use of AI and “reasonable security” starts with following an AI governance framework. Technical controls can include API access controls, identity management, and real-time monitoring. Organizational controls include developing actionable AI and cyber governance policies, creating training programs for the workforce and engineers, updating incident response plans specific to the attack vector, and shifting risk to vendors through contracts. Without documented and defensible guardrails, businesses may be eating more cyber risk than their stomachs can hold.

This article was originally published by the TribalHub Digital Magazine, 2025 Summer issue.

Author

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.

Author

Nicholas (Nick) Arico is a non-lawyer Cybersecurity Specialist in our Firm's North America Intellectual Property & Technology Law Group and is based in our Los Angeles office.