API security gaps across humans, workloads and AI agents


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7430
Topic starter  

TL;DR: APIs are central to modern applications, but common failure modes include broken authorization, misconfiguration, excessive data exposure, and weak monitoring, according to Kong. The governance problem now extends across human, non-human, and agentic access patterns, where identity controls must match how requests are made and how privilege is delegated.

NHIMG editorial — based on content published by Kong: What is API Security? Fundamentals & Strategies

Questions worth separating out

Q: How should security teams secure APIs used by service accounts and automated workloads?

A: Security teams should treat machine API access as a governed identity path, not a convenience layer.

Q: Why do APIs create more identity risk than traditional application logins?

A: APIs expose backend functions directly, so a weak trust decision can affect data, actions, and connected systems in one call path.

Q: What breaks when APIs are not inventoried and monitored properly?

A: Uninventoried APIs become shadow trust surfaces.
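One way to make the "shadow trust surface" problem concrete is to reconcile what a gateway actually served against a known inventory. The example below is added here and is not code from the post or from Kong: it parses a few constructed access-log lines, collapses numeric and UUID path segments into `{id}` so observed paths match inventory templates, and reports endpoints that are not in the register at all, plus deprecated endpoints that are still receiving traffic. The inventory, log lines and lifecycle labels are all constructed for the illustration.

```python
import re
from collections import Counter

# Constructed inventory: endpoints the team knows about, with a lifecycle status.
INVENTORY = {
    ("GET", "/v2/users/{id}"): "production",
    ("POST", "/v2/orders"): "production",
    ("GET", "/v1/users/{id}"): "deprecated",
}

# Constructed gateway access-log lines (common log format) used as sample input.
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /v2/users/42 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /v1/users/42 HTTP/1.1" 200 498',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /internal/debug/config HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "POST /v2/orders HTTP/1.1" 201 64',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /v2/users/7f3a2b1c-9d4e-4f60-8a1b-2c3d4e5f6a7b?full=1 HTTP/1.1" 200 511',
]

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def normalize_path(path):
    """Drop the query string and collapse id-like segments into {id}."""
    path = path.split("?", 1)[0]
    parts = []
    for seg in path.split("/"):
        if seg.isdigit() or UUID_RE.match(seg):
            parts.append("{id}")
        else:
            parts.append(seg)
    return "/".join(parts)


def reconcile(log_lines, inventory):
    """Return (unknown endpoints, deprecated endpoints still in use), each with hit counts."""
    observed = Counter()
    for line in log_lines:
        m = REQ_RE.search(line)
        if not m:
            continue  # skip lines that do not carry a request line
        observed[(m["method"], normalize_path(m["path"]))] += 1
    unknown = {ep: n for ep, n in observed.items() if ep not in inventory}
    deprecated_in_use = {ep: n for ep, n in observed.items() if inventory.get(ep) == "deprecated"}
    return unknown, deprecated_in_use


if __name__ == "__main__":
    unknown, deprecated = reconcile(LOG_LINES, INVENTORY)
    print("not in inventory:", unknown)
    print("deprecated but serving traffic:", deprecated)
```

Both findings are review items rather than automatic blocks: an unknown endpoint may be a legitimate service that was never registered, but until it is, it sits outside the policy, logging and review that the inventory is supposed to guarantee.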

Practitioner guidance

  • Enforce authorization at the object and function level: verify that each API endpoint checks the specific object being requested and the function being invoked, not just the caller's login state or broad role assignment.
  • Inventory every API, including shadow and deprecated endpoints: maintain a living register of production, staging, and legacy interfaces so unknown paths do not sit outside policy, logging, and review.
  • Bind tokens to narrow audiences and short lifetimes: set explicit token audience, scope, and expiry values so stolen credentials cannot be reused across unrelated services or long-lived automation flows.
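The first and third points above fit in one small handler. The example below is added here and is not code from the post or from Kong: it shows a document endpoint that only checks that the caller is authenticated (the object-level authorization gap) next to a hardened version that also validates the token's audience, scope and expiry and then checks that the requested object belongs to the token's subject. It assumes the token signature has already been verified upstream (for instance by a gateway) and that the handler receives the decoded claims; the claim names follow the standard JWT registered claims, while the document store, audience value, scope string and sample claims are constructed for the illustration.

```python
import time

# Constructed document store: each object records its owning subject.
DOCUMENTS = {
    "doc-1": {"owner": "user-alice", "body": "alice's notes"},
    "doc-2": {"owner": "svc-billing", "body": "invoice batch"},
}

# Assumed values for this service: the audience it expects and the scope reads require.
EXPECTED_AUD = "documents-api"
READ_SCOPE = "documents:read"


class AuthError(Exception):
    """Raised for any authentication or authorization failure."""


def validate_claims(claims, expected_aud, required_scope, now=None):
    """Reject tokens not bound to this service, already expired, or lacking the scope.

    Assumes the signature was verified upstream; this only checks the claims.
    """
    now = time.time() if now is None else now
    if "sub" not in claims:
        raise AuthError("missing subject")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        raise AuthError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise AuthError("token expired")
    scopes = set(claims.get("scope", "").split())
    if required_scope not in scopes:
        raise AuthError("missing scope")
    return claims["sub"]


def get_document_broken(claims, doc_id):
    """Gap: any authenticated caller can read any document by id."""
    if "sub" not in claims:
        raise AuthError("unauthenticated")
    return DOCUMENTS[doc_id]["body"]


def get_document_secure(claims, doc_id, now=None):
    """Hardened: token bound to this service, scoped, unexpired, and object owned by the subject."""
    subject = validate_claims(claims, EXPECTED_AUD, READ_SCOPE, now)
    doc = DOCUMENTS.get(doc_id)
    # Same answer for a missing object and someone else's object, so ids cannot be enumerated.
    if doc is None or doc["owner"] != subject:
        raise AuthError("forbidden")
    return doc["body"]


def denies(handler, *args, **kwargs):
    """True if the handler refuses the request with AuthError."""
    try:
        handler(*args, **kwargs)
    except AuthError:
        return True
    return False


# Constructed sample claims, evaluated at a fixed clock so the results are stable.
NOW = 1_700_000_000
ALICE_CLAIMS = {"sub": "user-alice", "aud": EXPECTED_AUD, "scope": READ_SCOPE, "exp": NOW + 300}
WRONG_AUD_CLAIMS = {"sub": "user-alice", "aud": "billing-api", "scope": READ_SCOPE, "exp": NOW + 300}
EXPIRED_CLAIMS = {"sub": "user-alice", "aud": EXPECTED_AUD, "scope": READ_SCOPE, "exp": NOW - 1}

if __name__ == "__main__":
    print("broken handler leaks doc-2:", get_document_broken(ALICE_CLAIMS, "doc-2"))
    print("secure handler denies doc-2:", denies(get_document_secure, ALICE_CLAIMS, "doc-2", now=NOW))
```

Note that the scope check and the ownership check are separate decisions: a token with `documents:read` still cannot read a document it does not own, which is the object-level check the first bullet asks for, and a token minted for another audience is refused before the object is even looked up.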

What's in the full article

Kong's full article covers the operational detail this post intentionally leaves for the source:

  • A fuller breakdown of each OWASP API Top 10 risk and how it appears in real implementations.
  • Step-by-step guidance on API gateway controls, including authentication, rate limiting, and request transformation.
  • Programmatic advice on building API inventories, logging pipelines, and DevSecOps testing into delivery workflows.
  • Specific examples of tools and patterns for runtime protection, monitoring, and incident response planning.

👉 Read Kong's full guide to API security fundamentals and strategies →
