Here are five foundational best practices for reducing risk, including earlier testing, endpoint visibility, bot differentiation and shared ownership.
Every AI assistant, chatbot, automation tool and autonomous agent relies on application programming interfaces (APIs) to access data, trigger actions and move information between systems.
As organizations in Asia race to deploy AI across payments, customer service, logistics and healthcare, APIs are becoming the connective tissue behind those services — and a growing security concern, according to Reuben Koh, Director of Security Technology & Strategy (APJ), Akamai.
The challenge is that API growth is often outpacing visibility. Many organizations do not have a full inventory of their endpoints, do not always know what normal traffic looks like and may struggle to distinguish legitimate use from abuse.
Koh said APIs are now so embedded in digital operations that organizations should treat them as critical infrastructure rather than back-end plumbing: “In the AI era, securing APIs means securing the business.”
He offers five established steps that organizations can take to reduce risk:
- Get full visibility into the API estate
Koh said many exposures begin with endpoints teams do not know exist. “Much of the exposure comes not from sophisticated exploits, but from APIs that teams did not know existed,” he said. Shadow APIs and forgotten endpoints should be inventoried and monitored as part of routine security work.
- Move security earlier in the development cycle
AI-assisted coding can speed up delivery, but it can also push vulnerable APIs into production too quickly. “If AI-assisted coding helps teams ship faster, security testing cannot remain a final-stage checkpoint,” Koh said. Security checks should happen during development and before deployment, not after release.
- Watch for abuse, not just breaches
Attackers often use legitimate functions at scale instead of breaking in through obvious flaws. That means security teams should look for repeated requests, scraping, automated purchases or other abnormal behavior. “The bigger concern is how these attacks are evolving,” Koh noted.
- Separate helpful automation from harmful bots
Not all automated traffic is bad. “Blocking all automated traffic is not the answer,” Koh said. Organizations need to distinguish between useful crawlers and malicious bots that scrape data, overwhelm services or mimic human behavior.
- Build shared ownership across teams
API protection works best when developers, business teams and security teams operate from the same view of the environment, Koh added. “If these groups are not working from the same view of the API estate, attackers will find the seams.”
Koh also noted that the challenge is especially acute in Asia, where digital maturity varies widely across markets. In more mature markets, the issue is often scale and visibility. In faster-growing markets, the problem is speed: organizations are moving quickly to launch digital services, but security practices may not be keeping pace.
According to Koh, the core message is simple: API security is no longer a technical afterthought. A compromised API is not just a technical issue — it can create operational, financial and reputational damage. For organizations scaling AI, API security has to be part of the foundation, not an add-on after innovation is already underway.


