TL;DR: APIs are central to modern applications, but common failure modes include broken authorization, misconfiguration, excessive data exposure, and weak monitoring, according to Kong. The governance problem now extends across human, non-human, and agentic access patterns, where identity controls must match how requests are made and how privilege is delegated.
NHIMG editorial — based on content published by Kong: What is API Security? Fundamentals & Strategies
Questions worth separating out
Q: How should security teams secure APIs used by service accounts and automated workloads?
A: Security teams should treat machine API access as a governed identity path, not a convenience layer.
Q: Why do APIs create more identity risk than traditional application logins?
A: APIs expose backend functions directly, so a weak trust decision can affect data, actions, and connected systems in one call path.
Q: What breaks when APIs are not inventoried and monitored properly?
A: Uninventoried APIs become shadow trust surfaces.
Practitioner guidance
- Enforce authorization at the object and function level Verify that each API endpoint checks the specific object being requested and the function being invoked, not just the caller's login state or broad role assignment.
- Inventory every API, including shadow and deprecated endpoints Maintain a living register of production, staging, and legacy interfaces so unknown paths do not sit outside policy, logging, and review.
- Bind tokens to narrow audiences and short lifetimes Set explicit token audience, scope, and expiry values so stolen credentials cannot be reused across unrelated services or long-lived automation flows.
What's in the full article
Kong's full article covers the operational detail this post intentionally leaves for the source:
- A fuller breakdown of each OWASP API Top 10 risk and how it appears in real implementations.
- Step-by-step guidance on API gateway controls, including authentication, rate limiting, and request transformation.
- Programmatic advice on building API inventories, logging pipelines, and DevSecOps testing into delivery workflows.
- Specific examples of tools and patterns for runtime protection, monitoring, and incident response planning.
👉 Read Kong's full guide to API security fundamentals and strategies →
API security gaps across humans, workloads and AI agents?
Explore further
API security is now identity security at the enforcement layer. The article describes API controls as technical safeguards, but the practical reality is that every API decision is an identity decision. Authorization, token scope, inventory, and monitoring determine whether a person, service, or workload can act within policy. Practitioners should treat the API layer as the place where identity governance becomes operational.
A few things that frame the scale:
- 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: How do organisations reduce API abuse without slowing delivery too much?
A: The best approach is to standardise policy at the gateway and delegate only narrow, pre-approved access patterns to development teams. Use rate limits, schema validation, and consistent authorization checks so every new API inherits controls by default. That reduces manual review overhead while keeping risky exceptions visible.
👉 Read our full editorial: API security fundamentals for human, NHI and agentic access