APIs are now the action layer of AI that make up your API fabric. Every LLM workflow, agent, and MCP tool call rides on an API. This makes API governance the working heart of AI governance, especially with the arrival of landmark frameworks like the EU AI Act and ISO/IEC 42001. These new regulations turn compliance from a productivity limiter to a business accelerator with measurable efficiency and risk-reduction outcomes. In short, how much time is saved if compliance controls are built into your development or release process, if you have instant access to audit trails and data-flow maps? Salt’s core belief sums it up: you can’t secure AI without securing APIs.
Across hundreds of enterprises, Salt Security’s H2 2025 State of API Security Report shows the same pattern: organizations are racing to ship AI features, but governance and runtime security of the API layer haven’t kept pace. Half (50%) slowed a release due to API risk, one-third (33%) suffered an API incident, 80% lack continuous monitoring, and only 19% are “very confident” in their API inventory. These aren’t theoretical gaps. In the context of AI, this “risk exposure” includes specific threats like data poisoning, model theft, and unauthorized system use that can fundamentally alter an AI system’s behavior. These are real business outcomes in lost time, rework, and increased risk exposure.
Compliance Might Be an API Problem
Meeting these new AI regulations is fundamentally an API security challenge. For instance, the EU AI Act mandates “Accuracy, robustness, and cybersecurity” for high-risk systems (Article 15). This is impossible without securing the API, which your whitepaper identifies as the “primary attack surface”. Similarly, ensuring “Data and Data Governance” (Article 10) relies on securing API conduits to prevent data poisoning and ensure integrity. API security provides the very “logging and traceability” (Articles 12 & 20) needed for human oversight and the complete API discovery required to manage the entire AI lifecycle, as mandated by ISO 42001.
A recent Gartner® report stated, “Model Context Protocol (MCP) and Agent2Agent (A2A) do not replace existing APIs. They rely on APIs for data, context, tools and resources for consumption by autonomous agents and AI applications.”
The expanded attack surface
The volume and sophistication of API-related attacks continue to climb. In fact, Salt Labs reports that nearly every organization (99%) experienced API security issues in the past year. The targeting is based in part on the potential to access and expose personally identifiable information. Of notable concern, a recent report from Salt Labs shows that 96% of attacks come from authenticated sources with 98% of those targeting external-facing APIs. This shift challenges the historical outside-in perimeter mindset.
Salt Labs also found that the majority of API misuse attempts stemmed from either API1 (Broken Object Level Authorization) or API8 (Security Misconfiguration) vulnerabilities. For those organizations expanding their AI capabilities, this expanded attack surface carries compliance implications. Each vulnerability becomes a potential failure in governance.
As Salt’s research highlights, without strong governance and visibility into APIs that handle sensitive data, organizations struggle to enforce security policies consistently. This often leads to misconfigurations, excessive permissions, and weak access controls, conditions that increase breach risk and jeopardize regulatory readiness.
Compliance today
Frameworks like ISO/IEC 42001 and the EU AI Act highlight that accountability and governance need to be considered from the beginning and not treated as an afterthought. Organizations that adopt compliance by design now will be the ones ready when enforcement begins. The benefit extends beyond regulatory alignment; it’s about strengthening operational resilience.
The Gartner® report also stated, “Double down on API security by adding specialist security solutions to supplement standard gateway protections. Rate-limiting and access management, in particular, are vital for APIs AI applications will consume when addressing the risk of data and services being abused by agentic use.”
Salt’s platform was built for exactly this challenge: to give organizations AI-aware visibility, policy-driven governance, and real-time protection across the APIs that power AI systems. Because in the age of intelligent agents, one truth remains: you can’t secure AI without securing APIs.
References:
Gartner, How MCP and the A2A Protocols Impact API Management, Shameen Pillai, Mark O’Neill, Aaron Lord, 25 August 2025
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
