
Something is rotten in the state of APIs. Then again, it could just be atrophy.
In the 15 years since Kin Lane founded API Evangelist, little about API management has changed.
APIs are still how just about every business process and technology is interwoven, and they are the preferred way for developers to build on and access data. Certainly, API sprawl has scaled tremendously, with the application surface area expanding alongside it. But organizations of all sizes still struggle with their API pipelines, discoverability, integration and documentation.
“Incremental changes have occurred, but I still go into enterprise organizations that are asking the same questions as in 2010 and 11,” Lane said in a webinar reflecting on the Anatomy of an API Report.
“They don’t know much about gateways [or] how to see those APIs. They don’t really see much difference between how they’re used with partners. They’re afraid of them being publicly available when, most of the time, they already are.”
Indeed, the data in this year’s report — which reflects on an anonymized dataset of one billion API requests, 15,000 APIs and 500,000 endpoints — found that most enterprises maintain over 1,000 APIs, with the majority of APIs assumed to be private or internal, but a significant number are actually exposed publicly.
AI adoption only increases the API sprawl, while API security remains bleak. A staggering 76% of all requests tracked had a Medium Threat level, while 85% of APIs are not using any form of rate limiting. More than half don’t have any authentication in place.
API management is still not strategic by design nor secure by design, which turns endpoints from opportunities into attack vectors. Read on and then reflect how your organization’s API program measures up.
Is Your API Program Designed Intentionally?
APIs are like electricity, Lane said. They are necessary for your business to run, but you may not think about them until you try to scale.
As individual consumers, Lane has observed, we end up making more than 10,000 API calls a day on average, making APIs feel as critical as the utilities that we rely on.
“You need the whole API landscape to seamlessly run,” said webinar host Pratim Bhosale, senior developer advocate at Treblle, arguing that API structure is highly impactful on business. “If your API structure isn’t strong enough [and] your policies around how you’re building your APIs are not strong enough, then it’s a crumbling enterprise.”
Truly, Lane remarked, not much has changed with this API utility over the years as its adoption has scaled. Except that now, more than ever, organizations are having to justify the cost of that sometimes 15- to 20-year API sprawl.
“We need to make more money. We need to be more efficient,” he said. “And people worry about governance and products.”
Yet APIs — that backbone of communication among apps, data and increasingly AI — still remain at the bottom of executive priorities. Why?
“They’re hard to see. They’re digital. How do you see an API?” Lane posed. “People don’t talk about their first-party APIs and the ones they’re building behind applications.”
Observability tooling, documentation, playgrounds and sandboxes are ways he suggested to increase API visibility. Of course, partner APIs lend themselves to lots of feedback. Most important, he emphasized, is telling stories about query parameters, other risks and API business use cases.
Are Your Internal APIs Really Private?
The panelists estimated that the average company identifies about 60% of their APIs as private or internal, another 30% as partner and only about 10% as public. And their enterprise clients are always shocked to learn how wrong they are.
“Everybody always cares more about the public ones than the internal ones, because they feel like everybody can see the public ones, nobody knows about the internal ones,” said Vedran Cindrić, CEO and founder at Treblle observability and security platform.
Lane often starts a client engagement by downloading their mobile app or visiting their website and then reverse engineering and proxying APIs. He can then print out the OpenAPI definitions of those so-called private APIs. Suddenly, API discovery, inventory and security feel more urgent.
“APIs are expanding by the minute within these enterprises and they’re largely unaware that these pipes exist,” Lane said. “Let alone have a conversation about how they’re going to standardize them and evolve them.”
From that eye-opener, it’s about connecting the API strategy to business goals.
“They want their staff to do 10x more. They want to be able to cut 10x and be more efficient,” Lane said as to why he’s most often brought into orgs. “How do you boil down things that you’re doing with APIs, that we’re doing with governance, documentation, summaries, listing, [and] rules on status codes?”
They can start to estimate API sprawl, but proving the importance of consistent status codes is harder.
Then, as these boundaries of internal and external, public and private APIs blur, it’s hard to identify which APIs are mission-critical to each business domain.
“You have public APIs that are intended for third-party usage, meaning we’re intentionally publishing it publicly for third-party people to consume,” Lane said. These include partner APIs, but again you can have trusted and untrusted partners. And, of course, there are unintentional third-party APIs and the data and APIs you are unwittingly exposing.
APIs Are Crucial to Overall Productivity Trend
As the industry gives more and more attention to developer productivity, eliminating redundancy and encouraging reuse, more attention must be given to internal APIs.
“This is where you can get the most bang for your buck, because you know every little bit of friction you’re introducing into that pipeline. Those are your own employees that you’re slowing down,” he said. This is why Lane argues you should be treating these as your first-party APIs.
“You’re your own producer and consumer. And they’re publicly available, and you’re not talking about them. They’re shadow. They’re hidden. They’re not secured. They’re not consistent.”
With this in mind, almost a decade ago, The New Stack spoke to The New York Times about why they dogfood external APIs because their internal ones are so crucial to business continuity.
In 2025, poor API management is also reflected in the platform engineering trend, in which service discovery — including API discovery — is one of the first things developers want to be tackled. There’s a continued demand for API dashboards, like those provided by Treblle, who sponsored the webinar and report, as a way to increase the visibility of APIs, requests and responses.
The API economy has always had the challenge that it feels like a technical issue — and API architects can struggle to speak to business value. Any API strategy and subsequent dashboarding must be able to communicate business value to product managers and beyond.
However, especially during an economic downturn, Lane pointed out that there’s less investment in education and training. Only about 10% of developers will stop to read the documentation — perhaps more with a generative AI chatbot integration like GitHub’s Copilot — while “everybody else is just going to run toward production,” he said.
And, as Cindrić pointed out, few of these developers under this increased pressure have time to relearn how to build better, safer APIs.
Rise of AI Makes API Security Much Worse
As with all lines of code, another rapid expansion of APIs is being fuelled by AI, driving a 10% growth in enterprise APIs last year alone.
The state of APIs report found that more than half of all APIs are not what Treblle calls “AI-ready” — not architected with the consumption of LLMs in mind.
AI is also adding to API complexity. The average API in 2023 had 22 endpoints while it had 42 endpoints in 2024. And just like abandoned containers and microservices sitting around that no one really knows what to do with, 35% of those are zombie endpoints.
Of course, all of this isn’t even considering that, according to Gartner, 71% of businesses are consuming APIs via third parties. As Mark Boyd wrote on Platformable’s API Economy Trends for 2025, an uptick in AI-related integrations only increases security and complexity risks. But, on the other hand, he continued, AI will be invaluable in API discovery.
While there are upsides to AI with your APIs, we know that most organizations are zeroing in on the AI-generated code use case. Since more AI means more code and more concerns, it’s not surprising that the API landscape follows the same pattern: decreased security and increased sprawl.
Most AI-backed APIs are built with JavaScript-based languages — in most cases, proxy APIs. The report also uncovered that JavaScript-based APIs had the lowest quality and security score across all languages. The average API language was given a 57 out of 100, while JavaScript got a 42.
The bar for API security in general is very low, the Treblle report found, with 52% of requests reviewed having no form of authentication. Add to this, 85% of all APIs evaluated are not using any form of rate limiting, which leaves them wide open to attacks. This again points to how much more public those so-called “private” APIs actually are.
Besides the bleak statistics shared at the top of this piece, 55% of requests don’t use SSL or TLS encryption.
The report gives enterprise API management programs an average API security score of 40 out of 100.
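To see how your own program measures up against the figures above, the following is an added example (not code from the report, Treblle or the webinar) that computes the same four signals over a constructed endpoint inventory and a handful of constructed request records: share of requests with no authentication, share sent over plain HTTP, share of APIs with no evidence of rate limiting, and zombie endpoints that are inventoried but never called. The record field names and the rate-limit header names checked are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample inventory (what an OpenAPI spec or gateway would list), keyed by API.
INVENTORY = {
    "billing": {"GET /invoices", "POST /invoices", "GET /invoices/export"},
    "users": {"GET /users", "GET /users/me", "DELETE /users"},
}

# Constructed sample request records; field names are assumptions for this example.
REQUESTS = [
    {"api": "billing", "endpoint": "GET /invoices", "scheme": "https", "auth": True,
     "resp": {"X-RateLimit-Limit": "100"}, "status": 200},
    {"api": "billing", "endpoint": "POST /invoices", "scheme": "https", "auth": True,
     "resp": {"X-RateLimit-Limit": "100"}, "status": 201},
    {"api": "users", "endpoint": "GET /users", "scheme": "http", "auth": False,
     "resp": {}, "status": 200},
    {"api": "users", "endpoint": "GET /users/me", "scheme": "https", "auth": False,
     "resp": {}, "status": 200},
]

# Assumed evidence of rate limiting: an advertised limit header or a 429 response.
RATE_LIMIT_HEADERS = ("RateLimit-Limit", "X-RateLimit-Limit")


def has_rate_limit_signal(resp_headers, status):
    """True if this response shows the API enforces or advertises a rate limit."""
    return status == 429 or any(h in resp_headers for h in RATE_LIMIT_HEADERS)


def api_program_scorecard(inventory, requests):
    """Compute report-style metrics over an inventory and observed requests."""
    if not requests or not inventory:
        raise ValueError("need at least one request and one inventoried API")
    total = len(requests)
    no_auth = sum(1 for r in requests if not r["auth"])
    plaintext = sum(1 for r in requests if r["scheme"] != "https")
    seen = defaultdict(set)      # endpoints actually called, per API
    rate_limited = set()         # APIs with any rate-limit evidence
    for r in requests:
        seen[r["api"]].add(r["endpoint"])
        if has_rate_limit_signal(r["resp"], r["status"]):
            rate_limited.add(r["api"])
    # Zombie endpoints: inventoried but never observed in traffic.
    zombies = {api: sorted(eps - seen[api]) for api, eps in inventory.items()}
    zombies = {api: eps for api, eps in zombies.items() if eps}
    return {
        "pct_requests_no_auth": round(100 * no_auth / total, 1),
        "pct_requests_plaintext": round(100 * plaintext / total, 1),
        "pct_apis_no_rate_limit": round(100 * (len(inventory) - len(rate_limited)) / len(inventory), 1),
        "zombie_endpoints": zombies,
    }


if __name__ == "__main__":
    for key, value in api_program_scorecard(INVENTORY, REQUESTS).items():
        print(f"{key}: {value}")
```

Feed it real gateway or proxy logs and the same function gives the numbers to compare against the report's 52%, 55%, 85% and 35%.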
The New Stack has previously covered the need to prepare APIs for agentic AI, where integrators are no longer static, immutable or human-led, but rather are responding to task-based bots spun up to achieve a specific goal. At this time, while short-lived integrations become the norm, organizations can’t afford to leave open endpoints or lead them to dead ends.
Whether you are going all-in on AI or not this year, it’s clear that your organization needs to invest in a better API strategy in 2025.
The post The State of API Management in an Age of AI Insecurity appeared first on The New Stack.