Discovery Was Never the Full Story
For years, API security was mostly about discovery. Find the APIs, classify them, build the inventory, and understand what is exposed. And yes, that matters. You cannot secure what you do not know exists. But discovery was never the full story.
APIs are not just endpoints. They are business logic exposed over the internet. They move money, create users, approve actions, update records, expose data, and connect systems. So the real question is not only: what APIs do we have? The better question is: what can these APIs do, who can trigger them, and what happens if that behavior is abused?
One Request. An Army of Agent Smiths.
In The Matrix, the real threat was not one Agent Smith. It was when he learned to replicate. Suddenly, you were not dealing with one fast, relentless adversary. You were dealing with hundreds of them, all acting in parallel, all identical, all unstoppable at human speed.
That is a reasonable way to think about what AI agents do to API risk.
A normal user acts at human speed. One session, one action at a time, with natural pauses, UI friction, and judgment calls along the way. An AI agent has none of those constraints. It can call multiple APIs, chain actions across systems, repeat the same flow hundreds of times, and turn one simple user request into many machine-driven actions simultaneously.
Imagine a user asks an agent: “Help me handle this customer issue.” A human employee would open the CRM, check support history, look at billing, send an email, and decide what to do. An agent may do all of that through APIs in seconds: query the CRM, pull account details, open a support ticket, check invoices, update a customer field, trigger a refund workflow and send a follow-up email.
Each action may look legitimate on its own. But the risk is in the chain. Was the agent allowed to use all these tools? Was the data access appropriate? Was the refund justified? Did it combine permissions across systems in a way no one anticipated?
Here Is How It Actually Breaks
A support agent is given access to a billing API, a customer profile API, and a refund workflow API. Each one is tested individually and looks clean. Nobody tested what happens when they are called in sequence by something operating at machine speed.
In production, a customer submits a support request with a slightly mangled account reference. The agent queries the profile API, which returns account details for a different customer. The authorization check was on the authenticated session, not on whether the requested account actually belonged to that user. The agent then calls the refund API using that account’s data. The refund API processes the request without a secondary ownership check. A refund lands on the wrong account. The agent made 340 API calls in under two minutes and nothing flagged it.
No exploited vulnerability in the traditional sense. No injection, no token theft. Each API did exactly what it was designed to do. The problem was in the combination of gaps: an object-level authorization issue in the profile API, no ownership validation in the refund API, and no behavior monitoring anywhere in the chain.
This is where API security and AI security meet, because agents do not act in theory. They act through APIs.
Visibility Without Control
Most teams still treat API security as an inventory problem. Here are your APIs, here are your sensitive parameters, here are your risky endpoints, here is a long list of findings. Useful, but not enough. Inventory tells you what exists. It does not tell you what matters, it does not prove whether a risk is actually exploitable, and it does not tell you what to do next.
The agent era makes this gap worse. An API that looks low-risk on its own may become high-risk inside an agentic workflow. A normal business function may become dangerous at machine speed. A permission that made sense for a human user may be far too broad for a tool-calling agent.
So the issue is no longer only vulnerability detection. The issue is context. Who is calling the API, why, what action does it enable, is this expected behavior, and what should we do about it?
That is the shift from API inventory to API control.
The Request Was Valid. The Action Was Not.
WAF is critical. It is one of the main enforcement points in production. But a lot of API risk does not look like a classic attack.
Sometimes the request is completely valid: valid endpoint, valid token, valid method, valid payload, valid user. And still, the action is wrong. A user accesses data they should not see. A refund fires in the wrong context. A flow runs hundreds of times in a minute. An agent chains several individually permitted actions into a business outcome that nobody authorized.
From a traditional WAF perspective, this may not register at all, because the problem is not in the packet or the payload. It is in the business context.
A WAF that only sees the live request has to decide in the moment: is this normal or not? That is hard. But if security testing has already proved that a certain API sequence can lead to unauthorized access, wrong-account refunds, privilege abuse, or excessive automated actions, runtime enforcement can become much more precise.
For example, pre-production testing may discover that a refund API is safe when called directly by an authorized support user, but unsafe when it follows a profile lookup that can return another customer’s account. That is not just a finding for developers. It is also runtime knowledge. It tells the enforcement layer that this sequence is sensitive, that ownership validation matters, and that repeated execution of this flow should be monitored, limited, challenged, or blocked.
That is the missing link. Testing should not only create a report. It should create context that production controls can use.
Connected Security, Not Another Tool
The architectural mistake most teams make is treating API security as a separate discipline from runtime protection. One tool discovers APIs. Another tool scans them. Another tool protects production. Each one sees a different part of the story.
The problem is that agentic abuse does not respect those boundaries.
Unlike many solutions in the market that stop at discovery, posture management, or a list of API findings, the real need is to connect validated API risk with runtime enforcement. Not every discovered API deserves the same level of attention. Not every finding is equally exploitable. Not every valid request is actually safe.
This is where Radware’s view is different. The newly announced API testing capability adds the pre-production piece: the ability to find and prove API risk before it reaches production, including risks that only surface when APIs are called together or triggered by automated tooling. When that validated context is connected to runtime protection, the runtime layer does not have to guess blindly. It can act based on what is known to be risky, exploitable, or abnormal for that specific application.
When one user intent can become an army of API calls, security teams need more than a map of what is exposed. They need to understand what each API actually does, who or what is calling it, and where the right control point is.
Sometimes the answer is to fix the code. Sometimes it is to block, rate-limit, or monitor. Sometimes the right fix is changing what an agent is allowed to do in the first place. That decision cannot come from a disconnected tool that only sees part of the picture.
The Takeaway
AI agents make APIs more important, not less. Agents do not browse applications as humans do. They call tools, trigger workflows, connect systems, and execute actions. API security is AI security now.
The question to ask is not just: what APIs do we expose?
It is: what actions do these APIs enable, who or what can trigger them, and how do we control that behavior across the full lifecycle?
Not more noise. Not more lists. Security teams need to know what matters, prove it before production, and act before attackers, bots, or agents do.