APIs are actually the motion layer of AI that make up your API cloth. Each LLM workflow, agent, and MCP software name rides on an API. This makes API governance the working coronary heart of AI governance, particularly with the arrival of landmark frameworks just like the EU AI Act and ISO/IEC 42001. These new laws flip compliance from a productiveness limiter to a enterprise accelerator with measurable effectivity and risk-reduction outcomes. In brief, how a lot time is saved if compliance controls are constructed into your improvement or launch course of, you probably have on the spot entry to audit trails and data-flow maps? Salt’s core perception sums it up: you’ll be able to’t safe AI with out securing APIs.
Throughout lots of of enterprises, Salt Safety’s H2 2025 State of API Safety Report reveals the identical sample: organizations are racing to ship AI options, however governance and runtime safety of the API layer haven’t saved tempo. Half (50%) slowed a launch as a result of API danger, one-third (33%) suffered an API incident, 80% lack steady monitoring, and solely 19% are “very assured” of their API stock. These aren’t theoretical gaps. Within the context of AI, this “danger publicity” consists of particular threats like information poisoning, mannequin theft, and unauthorized system use that may essentially alter an AI system’s conduct. These are actual enterprise outcomes in misplaced time, rework, and elevated danger publicity.
Compliance May Be an API Downside
Assembly these new AI laws is essentially an API safety problem. As an illustration, the EU AI Act mandates “Accuracy, robustness, and cybersecurity” for high-risk methods (Article 15). That is unimaginable with out securing the API, which your whitepaper identifies because the “major assault floor”. Equally, guaranteeing “Knowledge and Knowledge Governance” (Article 10) depends on securing API conduits to forestall information poisoning and guarantee integrity. API safety supplies the very “logging and traceability” (Articles 12 & 20) wanted for human oversight and the entire API discovery required to handle the whole AI lifecycle, as mandated by ISO 42001.
A latest Gartner® report said, “Mannequin Context Protocol (MCP) and Agent2Agent (A2A) don’t change current APIs. They depend on APIs for information, context, instruments and assets for consumption by autonomous brokers and AI functions.”
The expanded assault floor
The amount and class of API-related assaults proceed to climb. The truth is, Salt Labs studies that almost each group (99%) skilled API safety points previously yr. The concentrating on relies partially on the potential to entry and expose personally identifiable info. Of notable concern, a latest report from Salt Labs reveals that 96% of assaults come from authenticated sources with 98% of these concentrating on external-facing APIs. This shift challenges the historic outside-in perimeter mindset.
Salt Labs additionally discovered that almost all of API misuse makes an attempt stemmed from both API1 (Damaged Object Stage Authorization) or API8 (Safety Misconfiguration) vulnerabilities. For these organizations increasing their AI capabilities, this expanded assault floor carries compliance implications. Every vulnerability turns into a possible failure in governance.
As Salt’s analysis highlights, with out sturdy governance and visibility into APIs that deal with delicate information, organizations wrestle to implement safety insurance policies persistently. This usually results in misconfigurations, extreme permissions, and weak entry controls, circumstances that improve breach danger and jeopardize regulatory readiness.
Compliance as we speak
Frameworks like ISO/IEC 42001 and the EU AI Act spotlight that accountability and governance have to be thought of from the start and never handled as an afterthought. Organizations that undertake compliance by design now would be the ones prepared when enforcement begins. The profit extends past regulatory alignment; it’s about strengthening operational resilience.
The Gartner® report additionally said, “Double down on API safety by including specialist safety options to complement customary gateway protections. Price-limiting and entry administration, particularly, are important for APIs AI functions will eat when addressing the danger of knowledge and providers being abused by agentic use.”
Salt’s platform was constructed for precisely this problem: to present organizations AI-aware visibility, policy-driven governance, and real-time safety throughout the APIs that energy AI methods. As a result of within the age of clever brokers, one fact stays: you’ll be able to’t safe AI with out securing APIs.
References:
Gartner, How MCP and the A2A Protocols Impression API Administration, Shameen Pillai, Mark O’Neill, Aaron Lord, 25 August 2025
GARTNER is a registered trademark and repair mark of Gartner, Inc. and/or its associates within the U.S. and internationally and is used herein with permission. All rights reserved.
Gartner doesn’t endorse any vendor, services or products depicted in its analysis publications, and doesn’t advise expertise customers to pick solely these distributors with the very best rankings or different designation. Gartner analysis publications include the opinions of Gartner’s analysis group and shouldn’t be construed as statements of reality. Gartner disclaims all warranties, expressed or implied, with respect to this analysis, together with any warranties of merchantability or health for a specific function.
