Report by FireTail

The State of AI & API Security

19 Findings · Published Jun 1, 2025

Key Findings

The last two years have seen 150% year-over-year growth in AI-related incidents, with a significant inflection point coinciding with widespread cloud adoption in the late 2010s/early 2020s and the 2022 release of ChatGPT.


Recent research from Wiz highlights 6 known vulnerabilities with the underlying AI providers themselves.


Recent research indicates that half of organizations reporting AI-related security incidents estimated losses exceeding $50 million. Using an industry-standard metric of $169 per breached record, this equates to approximately 300,000 data records per organization.


Analysis of FireTail's customer data revealed that nearly 39% of all API requests resulted in HTTP 429 (Too Many Requests) responses, suggesting potential abuse. Of these 429 responses, about 20% were linked to bot traffic.


The AI Incident Database maintained by the Responsible AI Collaborative tracks AI-related issues dating back to the 1980s, with concentrated growth from 2010 onwards.


A scan of publicly accessible GitHub repositories found that the number of OpenAPI specifications decreased from 2,879 in 2023 to 2,160 in 2025.


90% or more of generative AI usage falls into the "shadow AI" scenario, meaning it occurs without the knowledge of central IT and information security teams.


Cumulatively, over 1.6 billion records have been exposed since 2017 due to API breaches.


In the last three years, there have been 79 documented API breaches, significantly more than the 22 cloud-related breaches in the same period, indicating APIs are a growing focal point for attackers.


Despite the rise in API security incidents, the number of breaches dropped from 18 to 93.


A vulnerability in the Irish Government COVID-19 Vaccination Portal, present since December 2021, was disclosed in March 2024 and exposed the vaccination records of approximately one million residents.


Approximately 9% of API traffic from Russia, China, and Iran was flagged as bot activity, particularly in January, November, and December 2024.


The mean number of warnings per OpenAPI specification significantly increased, from an average of 215 warnings per spec in 2023 to 1,078 warnings per spec in 2025. Unrestricted String and Array Lengths emerged as the most common warning type.


MIT's AI Risk Repository identifies over 1000 risks from an academic perspective.


97% of organizations believe AI introduces unique security challenges.


Approximately 70% of AI data breaches have no secondary breach vector, deviating from typical multi-vector API breaches.


Nearly 60% of organizations report inadequate visibility into the APIs supporting their AI systems.


The FireTail API Data Breach Tracker shows a rise in API security incidents, increasing from 22 in 2023 to 26 in 2024.


TracFone Wireless faced a $16 million settlement and a comprehensive consent decree due to API vulnerabilities that exposed customer data.
