API security in 2025: where identity controls are still failing


(@nhi-mgmt-group)
Member Moderator

TL;DR: According to Raidiam, over 80% of enterprises have API defenses misaligned with the sensitivity of the data those APIs expose; only one of the 68 organisations in its survey used full mTLS with certificate-bound tokens, and 70% lacked contextual or fine-grained access control. The core issue is not API volume but identity assurance, authorisation depth, and monitoring discipline, all of which current programmes still underweight.

NHIMG editorial — based on content published by Raidiam: API Security Checklist: Your Essential Guide to Protecting APIs in 2025

By the numbers:

Questions worth separating out

Q: How should security teams secure APIs that expose sensitive data?

A: Start by binding access to stronger identity proofs, then narrow authorisation to the specific transaction or resource being called.

Q: Why do APIs create NHI governance risk?

A: APIs often rely on non-human identities such as service accounts, tokens, and partner credentials.

Q: What breaks when API authorisation is too coarse?

A: Coarse authorisation usually allows authenticated callers to reach more data or more functions than the use case requires.

Practitioner guidance

  • Replace static API keys with bound credentials: Move sensitive APIs to certificate-bound tokens, private_key_jwt, or mTLS so stolen strings cannot be replayed outside the original client context.
  • Scope API authorisation to context and transaction: Use scopes, attributes, and endpoint-level policy to limit each caller to the smallest data set and operation set needed for the workflow.
  • Unify API and identity telemetry: Correlate gateway logs, token claims, and request behaviour so abnormal access patterns can be detected before bulk extraction succeeds.
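The first two guidance points (and the first and third Q&A answers above) describe the same resource-server check: refuse a token unless it is bound to the certificate on the current mTLS connection, then narrow authorisation to the endpoint, operation and resource actually requested. The example below is added here and is not Raidiam's or NHIMG's code. It implements the RFC 8705 certificate-bound token check (the `cnf` claim's `x5t#S256` thumbprint) and a default-deny endpoint policy; the policy table, the token claims, the `accounts` claim used for resource-level checks and the certificate bytes are all constructed assumptions for illustration, and the code assumes the token's signature and expiry were already verified upstream.

```python
import base64
import hashlib
import hmac

# Endpoint-level policy: (method, path pattern) -> required scope. The table is
# constructed for this example; a deployment would load it from configuration.
# "*" matches exactly one path segment, so "/accounts/*/balances" does not
# match "/accounts/x/y/balances".
ENDPOINT_POLICY = {
    ("GET", "/accounts/*/balances"): "accounts:read",
    ("GET", "/accounts/*/transactions"): "transactions:read",
    ("POST", "/payments"): "payments:write",
}


def cert_thumbprint(cert_der: bytes) -> str:
    """RFC 8705 'x5t#S256' value: base64url(SHA-256(DER certificate)), no padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_binding(claims: dict, cert_der):
    """Reject bearer-style use: the token must carry a cnf claim that matches
    the certificate presented on this TLS connection."""
    cnf = claims.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(expected, str):
        return False, "token is not certificate-bound"
    if cert_der is None:
        return False, "no client certificate on connection"
    if not hmac.compare_digest(expected, cert_thumbprint(cert_der)):
        return False, "certificate thumbprint does not match cnf claim"
    return True, "ok"


def _path_matches(pattern: str, path: str) -> bool:
    p = pattern.strip("/").split("/")
    q = path.strip("/").split("/")
    return len(p) == len(q) and all(a == "*" or a == b for a, b in zip(p, q))


def required_scope(method: str, path: str):
    for (m, pattern), scope in ENDPOINT_POLICY.items():
        if m == method and _path_matches(pattern, path):
            return scope
    return None


def authorize(claims: dict, cert_der, method: str, path: str):
    """Returns (allowed, reason). Assumes the token signature and expiry were
    already verified upstream and that the gateway normalised the path."""
    ok, reason = check_binding(claims, cert_der)
    if not ok:
        return False, reason
    scope = required_scope(method, path)
    if scope is None:
        return False, "no policy for endpoint (default deny)"
    granted = set(claims.get("scope", "").split())
    if scope not in granted:
        return False, f"missing scope {scope}"
    # Resource-level check: the account named in the path must be one the
    # token was issued for, not just any account the scope could describe.
    parts = path.strip("/").split("/")
    if parts[0] == "accounts" and len(parts) > 1 and parts[1] not in claims.get("accounts", []):
        return False, "account not in token's authorised set"
    return True, "ok"


# Constructed sample inputs (not a real certificate and not a real token).
CLIENT_CERT_DER = b"constructed DER bytes standing in for client A's certificate"
BOUND_TOKEN = {
    "sub": "client-a",
    "scope": "accounts:read transactions:read",
    "accounts": ["acc-1001"],
    "cnf": {"x5t#S256": cert_thumbprint(CLIENT_CERT_DER)},
}
BEARER_TOKEN = {"sub": "client-a", "scope": "accounts:read", "accounts": ["acc-1001"]}

if __name__ == "__main__":
    cases = [
        ("bound token, right cert, own account", BOUND_TOKEN, CLIENT_CERT_DER, "GET", "/accounts/acc-1001/balances"),
        ("bound token replayed under another cert", BOUND_TOKEN, b"another client's certificate", "GET", "/accounts/acc-1001/balances"),
        ("bound token, someone else's account", BOUND_TOKEN, CLIENT_CERT_DER, "GET", "/accounts/acc-2002/balances"),
        ("bound token, out-of-scope operation", BOUND_TOKEN, CLIENT_CERT_DER, "POST", "/payments"),
        ("plain bearer token", BEARER_TOKEN, CLIENT_CERT_DER, "GET", "/accounts/acc-1001/balances"),
    ]
    for label, tok, cert, method, path in cases:
        print(f"{label}: {authorize(tok, cert, method, path)}")
```

The order of the checks matters: binding is tested before any policy lookup, so a stolen token string fails closed regardless of the scopes it carries, and an endpoint with no policy entry is denied rather than falling through to "authenticated, therefore allowed", which is exactly the coarse-authorisation failure the Q&A describes.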
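The third guidance point, correlating gateway logs with token claims to catch abnormal access before bulk extraction succeeds, is easier to see on data. The detector below is an added example, not code from Raidiam or NHIMG, and runs over constructed gateway log lines in which each request has already been joined with the validated token claims (`sub`, `jti`) and the thumbprint of the client certificate on the connection. It raises two kinds of signal: a token id that turns up behind more than one client certificate (a bound credential being replayed elsewhere), and a subject touching more distinct accounts inside a time window than its workflow should need. The field names, window and threshold are assumptions for illustration.

```python
import json
from collections import defaultdict

# Constructed gateway log lines (one JSON object per request). "x5t" is the
# thumbprint of the client certificate seen on the mTLS connection; "sub" and
# "jti" come from the access token the gateway already validated.
SAMPLE_LOGS = [
    '{"ts": 0,  "sub": "client-a", "jti": "t-11", "x5t": "thumb-A", "path": "/accounts/acc-1/balances", "status": 200}',
    '{"ts": 5,  "sub": "client-a", "jti": "t-11", "x5t": "thumb-A", "path": "/accounts/acc-2/balances", "status": 200}',
    '{"ts": 10, "sub": "client-b", "jti": "t-22", "x5t": "thumb-B", "path": "/accounts/acc-1/transactions", "status": 200}',
    '{"ts": 12, "sub": "client-b", "jti": "t-22", "x5t": "thumb-B", "path": "/accounts/acc-2/transactions", "status": 200}',
    '{"ts": 14, "sub": "client-b", "jti": "t-22", "x5t": "thumb-B", "path": "/accounts/acc-3/transactions", "status": 200}',
    '{"ts": 16, "sub": "client-b", "jti": "t-22", "x5t": "thumb-B", "path": "/accounts/acc-4/transactions", "status": 200}',
    '{"ts": 18, "sub": "client-b", "jti": "t-22", "x5t": "thumb-B", "path": "/accounts/acc-5/transactions", "status": 403}',
    '{"ts": 20, "sub": "client-c", "jti": "t-33", "x5t": "thumb-C", "path": "/accounts/acc-9/balances", "status": 200}',
    '{"ts": 25, "sub": "client-c", "jti": "t-33", "x5t": "thumb-Z", "path": "/accounts/acc-9/balances", "status": 200}',
]


def parse_logs(lines):
    return [json.loads(line) for line in lines]


def account_from_path(path: str):
    """Extract the account resource named in the request path, if any."""
    parts = path.strip("/").split("/")
    if len(parts) >= 2 and parts[0] == "accounts":
        return parts[1]
    return None


def detect(events, window_s: int = 60, max_distinct_accounts: int = 3):
    """Return alerts in the order they fire. Denied (403) requests are counted
    too: enumeration attempts are a signal whether or not they succeeded."""
    alerts = []
    thumbs_by_jti = defaultdict(set)   # token id -> certificates it was used with
    touched = defaultdict(list)        # subject -> [(ts, account)] inside the window
    flagged = set()                    # avoid re-alerting on the same key

    for e in sorted(events, key=lambda e: e["ts"]):
        # Signal 1: one token id presented from behind more than one client cert.
        thumbs = thumbs_by_jti[e["jti"]]
        thumbs.add(e["x5t"])
        if len(thumbs) > 1 and ("token_rebound", e["jti"]) not in flagged:
            flagged.add(("token_rebound", e["jti"]))
            alerts.append({"type": "token_rebound", "key": e["jti"],
                           "ts": e["ts"], "certs": sorted(thumbs)})

        # Signal 2: one subject reaching many distinct accounts within the window.
        acct = account_from_path(e["path"])
        if acct is None:
            continue
        hist = touched[e["sub"]]
        hist.append((e["ts"], acct))
        hist[:] = [(t, a) for t, a in hist if e["ts"] - t <= window_s]
        distinct = {a for _, a in hist}
        if len(distinct) > max_distinct_accounts and ("bulk_access", e["sub"]) not in flagged:
            flagged.add(("bulk_access", e["sub"]))
            alerts.append({"type": "bulk_access", "key": e["sub"],
                           "ts": e["ts"], "accounts": sorted(distinct)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_logs(SAMPLE_LOGS)):
        print(alert)
```

Neither signal is visible from a single log source: the rebound check needs the certificate thumbprint from the transport layer next to the token id from the identity layer, and the bulk-access check needs the resource identifier from the request path next to the subject from the token. That join is the "unify telemetry" step; the thresholds themselves should be tuned per API from observed baselines.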

What's in the full article

Raidiam's full research covers the operational detail this post intentionally leaves for the source:

  • A deeper breakdown of the API security checklist items, including the authentication and transport controls behind each recommendation.
  • Survey detail on where enterprises are most misaligned, including the specific control categories that remain weakest across sectors.
  • The full set of standards references and implementation prompts for teams working toward financial-grade API security.
  • Further examples of real-world API abuse patterns and the governance lessons practitioners can use when prioritising remediation.

👉 Read Raidiam's API security checklist for 2025 →


