Why AI Is Making API Security a Business Priority in APAC
By Reuben Koh, Director, Security Technology & Strategy, Asia-Pacific and Japan, Akamai

Businesses across Asia Pacific are moving quickly to adopt AI. New digital tools are automating public services, optimizing critical infrastructure, and accelerating product release and delivery cycles.
However, this rush to accelerate and digitize has exposed a critical dependency in the modern digital stack. APIs are the underlying digital connective tissue bringing disparate systems and platforms together. APIs also enable AI systems to retrieve data, trigger actions and perform work across cloud environments, enterprise systems and third-party services.
As a result, APIs have officially become the primary attack surface for modern application threats. In 2025, generative AI spending reached US$37 billion, with more than half going into the applications businesses use every day. As more AI investment moves into real-world applications, businesses need a deeper understanding of the APIs that support them, what data they expose and how their security posture.
API visibility is falling behind
The typical organization in APAC now manages around 5,700 APIs, with highly digitized environments exceeding 32,000 API endpoints. As more AI applications are deployed, this number will only continue to grow. This exponential growth is further accelerated by AI-assisted development tools that frequently push undocumented or misconfigured endpoints directly into production.
Akamai’s latest research found that only 22% of APAC organizations have both a full API inventory and visibility into which APIs return sensitive data. This is almost equivalent to every 4 out of 5 organizations not knowing what APIs they have and what data is being sent. As a result, many organizations are making security decisions without a complete picture of what they need to protect, resulting in a massive, costly blind spot.
APIs are literally the execution layer for agentic AI. If an enterprise lacks absolute visibility into its APIs’ inventory, posture and runtime, it cannot establish effective data bounds or control planes for its AI agents.
Akamai’s study of 640 cybersecurity decision-makers in China, India, Japan and Singapore found that the most common API security incident today involves attacks on APIs connected to AI systems, including applications, agents and large language models. Four in ten organizations experienced this type of attack in the past year. These attacks can be especially damaging because AI-linked APIs typically reside inside trusted business environments. If compromised, they can expose sensitive data, trigger unauthorized actions and amplify the impact of a single breach.
Confidence is not the same as readiness
Many business leaders believe their organizations are prepared for these risks. However, security teams are more cautious. More than half of C-suite respondents, at 56%, say their organizations are well or fully prepared for attacks on AI-linked APIs. Among application security teams, that figure falls to 44%.
When corporate leadership overestimates defensive maturity, it stalls necessary funding, delays essential modernization, and reduces overall urgency to secure what is important.
It also creates a compliance risk. Many regulated data flows now run through APIs, which means businesses need to know which APIs handle sensitive data, where that data goes, and what controls are in place to protect it. As APAC regulatory frameworks increasingly tighten around operational resilience and data sovereignty, enterprises must provide continuous, auditable proof of discovery, classification, and runtime behavioral controls for all data-handling endpoints, which includes APIs.
API security needs to become business critical
The security focus surrounding AI is usually around the LLM layer, specifically threats like prompt injection, data poisoning, and model alignment. While these risks are real, they represent only one part of the problem.
APIs serve as the data pipelines connecting AI engines to critical core infrastructure like transactional systems, enterprise data, and third-party SaaS ecosystems. When these connections are poorly secured or improperly validated, the enterprise risks not just a data leakage, but also exposing its entire business logic.
Organizations need to start with visibility. It is not enough to know that an API exists. Security teams need to know what each API does, where it connects, what data it handles and whether it returns sensitive information. Akamai’s research revealed a concerning finding where although 54% of APAC respondents maintain they have a basic API inventory, they remain entirely unaware to which of those endpoints handle or return sensitive data.
Security teams also need to focus on where attacks are happening. The most common API attacks involve AI-linked APIs, unmanaged endpoints, misconfigured connections and third-party integrations.
These are often the areas where oversight is weakest, making them attractive targets for attackers. If a security team cannot dynamically trace API activity, contextualize the behaviour, and identify where that data travels to at runtime, they will lack the fundamental ability to secure their APIs.
Repeat incidents should also be treated as a warning sign. Among organizations that experienced an API security incident in the past year, more than half reported four or more separate attacks, with an average of 3.6 incidents per organization. This suggests that many organizations are still responding to incidents one at a time, instead of fixing the underlying gaps.
As AI adoption accelerates across APAC, businesses must secure not only the model, but also the APIs, data flows and systems that allow AI to work. Improving API visibility will be critical to deploying AI safely, responsibly and with confidence. For modern enterprises expanding their digital capabilities, shifting from a reactive posture to automated, continuous API protection will become a core necessity for operational resilience, while also enabling the business to innovate securely.
