Report: APIs, Not Models, Are the Biggest AI Security Risk

“If an attacker could control only one part of your infrastructure, they would pick your APIs.”

This is the first sentence of this year’s Wallarm’s API ThreatStat™ Report, which was released in mid-February. It’s a smart opener — it captures the attention, yes, but it also speaks to an extremely apparent trend.

Wallarm found that 36% of AI vulnerabilities involve APIs and 36% of AI-related exploited vulnerabilities also involve APIs.

The company says this is no coincidence, noting that “AI-related weaknesses do not become less API-centric as attacks progress. They become more operationally visible through APIs.”

So, if AI has a weakness, odds are it runs through an API. Add to that the finding that 15% of all API breaches in 2025 involved AI platforms, and one thing is clear.

AI has been long accused of “creating” new attack surfaces, but this report tells us that’s not the case. It just amplified the ones that already existed.

AI systems are, to put it simply, gigantic API consumers. Tools like your favorite GPT model, model-serving endpoints, integrations, and management UIs are all delivered via APIs. So when APIs and AI are so interconnected, security around AI has to include APIs,and vice versa.

Because data constantly tells us that treating them as separate risk categories is becoming unrealistic. We at HostingAdvice have reported extensively on API security and its weak points, especially involving AI, but according to Wallarm alone:

If more than half of API vulnerabilities don’t even require credentials, how are they “protected”?

It’s as the report said: “Most API vulnerabilities are ‘fast, remote, and trivial to exploit,’” suggesting that we may be building things faster than we can secure them.

Historically, cyberattackers have always moved to where the least amount of attention is focusing.

Wallarm notes that, for a long time, cybersecurity focused on things like injections, memory corruptions, and cross-site issues as major vulnerabilities. But attackers have always been more interested in the most exploitable part of the system, which is often the area that goes unchecked the most.

Still, according to its research, injections and cross-site issues remain near the top, but other categories — like insecure resource consumption and SSRF — are skyrocketing as well.

And since AI systems are usually API-first, every single time information is shared between a site or system and that tool opens a new endpoint. According to the report, attackers are now:

• Using protocol trust weaknesses
• Exploiting identity and session management flaws
• Abusing API delegate authority (especially in AI control planes)

That last one has been a big problem lately. Somewhere around 70% more control panel API vulnerabilities have grown over the past year.

When we talk about control panels in this context, we’re really pointing to the Model Context Protocol (MCP).

Though similar in orchestration to a hosting control panel, it basically functions as a control layer for AI agents, deciding which tools they can use and the actions they’re allowed to do.

Wallarm referenced a real MCP AI vulnerability in which a simple API flaw exposed more than 3,000 MCP servers powering AI tools. The how must be embarrassing for that company because it wasn’t overly sophisticated. They just set their API permissions too loosely.

So while APIs may “just” connect infrastructure to applications, they, in reality, act like keys. And that’s tough news for hosting providers because it’s yet another responsibility of security that will have to rest on their shoulders.

But Wallarm does have some advice for providers.

To secure your AI, you absolutely have to secure the API giving those agents their tools and context. That sounds obvious, but apparently it’s not.

Not every request should be treated as normal just because it has a token. Identity is the key to the sauce here, so hosts may want to consider smaller tokens and rate limiting, especially when the same IP is requesting at the same endpoint over and over.

And a good rule of thumb is if something looks automated, it probably is. It’s as the report says: “As automation increases, control failures delegate power to attackers.”