As companies speed up their adoption of AI, an old but increasingly serious problem is resurfacing: lack of visibility. In the recent episode of The Security Strategist podcast, Eric Schwake, Director of Cybersecurity Strategy at Salt Security, joined analyst Richard Stiennon to discuss why APIs, which have long been the backbone of modern applications, have become essential for AI-driven businesses.
They particularly dive deep into the critical importance of API visibility and discovery in the context of rising AI integration within enterprises. They discuss the challenges organisations face in securing APIs, the significance of understanding the attack surface, and the role of governance in managing risks.
The conversation also covers the emerging Model Context Protocol (MCP) and its implications for API security, as well as the future landscape of cybersecurity as AI systems become more autonomous. Schwake emphasises the need for CISOs to be proactive in engaging with AI projects to ensure security is prioritised.
If this system isn’t secured, the entire organisation faces risks.
APIs: The Foundation of AI
APIs have been vital to business structures for years, especially with the growth of microservices. However, Schwake argues that AI has changed the scale of the issue significantly.
“We saw a big increase in the number and usage of APIs when microservices became popular,” Schwake explained. “Now, with AI, it’s just 10 times or even 100 times whatever it is for APIs.”
While much of the industry talk has centred on large language models (LLMs), Schwake emphasised that the real actions—and risks—occur one layer below.
“Everything happening is driven by APIs. The AI agents, the MCP servers, the agents communicating with the LLMs—all of it is API traffic.” In essence, AI may represent innovation, but APIs are the mechanisms that enable it.
API is the “Nervous System” Organisations Overlook
As companies rush to implement copilots, agents, and automation, security often takes a back seat. Schwake warned that this creates a dangerous blind spot. “You need to ensure that you’re securing that underlying nervous system of this new world—and that relies on APIs.”
This lack of attention has resulted in a surge of unknown, unmanaged, and “shadow” APIs, many of which were never documented or designed with security in mind. Without continuous discovery, security teams might not even know what they are trying to protect.
“Visibility is a challenge in security. If you don’t have visibility, you can’t see what you’re protecting—you’re essentially out of luck.”
Discovery First, Governance Second
For the Director of Cybersecurity Strategy, API security begins with understanding the attack surface. This principle hasn’t changed in 20 years, but AI has made it more crucial. “With AI, the attack surface on APIs could grow tenfold. If you don’t have a grasp of that attack surface, you won’t be able to protect it.”
After identifying APIs, the next step is governance. This includes finding owners, setting rules, and reducing risks before attackers exploit vulnerabilities. “You want to ensure that there isn’t a big open gap inviting attackers.”
This becomes even more important as AI tools start writing code and generating APIs, raising both speed and risk.
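As an added illustration of the discovery-then-governance sequence described above (not code from the podcast, from Salt Security, or from any product it discusses), the following Python script reconstructs an endpoint inventory from gateway access logs, collapses identifier segments so that `/users/123` and `/users/456` count as one endpoint, flags endpoints that are absent from the documented inventory ("shadow" APIs), and then applies the governance check of listing documented endpoints that have no owner assigned. The log lines, the inventory and its owning teams, and the `/internal/ai/agent/run` and `/mcp/tools/call` paths are all constructed for this example.

```python
"""Added example: discover API endpoints from access logs and compare them
against a governed inventory to surface shadow (undocumented) and ownerless
APIs. Illustrative code written for this summary, not any vendor's tooling.
All log lines, paths and team names below are constructed."""
import re
from collections import Counter

# Constructed gateway access log: timestamp, method, path, HTTP status.
ACCESS_LOG = """\
2024-05-01T10:00:01Z GET /api/v1/users/123 200
2024-05-01T10:00:02Z POST /api/v1/orders 201
2024-05-01T10:00:03Z GET /api/v1/users/456/profile 200
2024-05-01T10:00:04Z POST /internal/ai/agent/run 200
2024-05-01T10:00:05Z POST /mcp/tools/call 200
2024-05-01T10:00:06Z GET /api/v1/orders/789 200
2024-05-01T10:00:07Z POST /internal/ai/agent/run 500
"""

# Constructed governed inventory: documented endpoint -> owning team.
# None means the endpoint is documented but nobody has been assigned to it.
INVENTORY = {
    "GET /api/v1/users/{id}": "identity-team",
    "GET /api/v1/users/{id}/profile": "identity-team",
    "POST /api/v1/orders": "commerce-team",
    "GET /api/v1/orders/{id}": None,
}

LOG_RE = re.compile(r"^\S+ (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
# Numeric IDs or UUID-shaped segments are treated as path parameters.
ID_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{8}-[0-9a-f-]{27})$")


def normalize_path(path):
    """Collapse identifier-like segments so that per-object URLs map to one endpoint."""
    parts = path.split("?", 1)[0].split("/")
    return "/".join("{id}" if ID_SEGMENT.match(p) else p for p in parts)


def discover_endpoints(log_text):
    """Return a Counter of observed 'METHOD /normalized/path' keys with call counts."""
    seen = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting discovery
        seen[f"{m['method']} {normalize_path(m['path'])}"] += 1
    return seen


def classify(observed, inventory):
    """Split observed endpoints into documented, shadow (unknown) and ownerless."""
    documented = sorted(e for e in observed if e in inventory)
    shadow = sorted(e for e in observed if e not in inventory)
    ownerless = sorted(e for e in documented if inventory[e] is None)
    return {"documented": documented, "shadow": shadow, "ownerless": ownerless}


def report(log_text=ACCESS_LOG, inventory=INVENTORY):
    """Run discovery over the log and attach call counts for prioritisation."""
    observed = discover_endpoints(log_text)
    result = classify(observed, inventory)
    result["hits"] = dict(observed)
    return result


if __name__ == "__main__":
    r = report()
    for kind in ("shadow", "ownerless"):
        for endpoint in r[kind]:
            print(f"{kind.upper():9} {endpoint} ({r['hits'][endpoint]} calls)")
```

Run against the constructed log, the script reports the two AI-related paths as shadow APIs (present in traffic, absent from the inventory) and `GET /api/v1/orders/{id}` as documented but ownerless, which is exactly the gap the governance step is meant to close by assigning an owner and a policy before the endpoint is exposed further. In a real deployment the log source would be the gateway or proxy and the inventory would be generated from OpenAPI specifications rather than a hand-written dict.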
Schwake concluded the discussion with a clear message for security leaders. “From a CISO perspective, ensure that you engage as early as possible with these projects.”
AI initiatives often start outside of traditional security processes, increasing risk by default. CISOs need to insert themselves early, understand business developments, and safeguard the underlying APIs. “You want to support business success and speed, but also ensure it’s secure.”
API security is no longer a secondary issue. It’s essential for determining whether innovation can scale safely or risks becoming the next major breach story.
Takeaways
- API visibility and discovery have become crucial due to the rise of AI.
- Organisations are experiencing a massive increase in APIs.
- Visibility is essential for effective security management.
- Understanding the attack surface is key to protection.
- Governance is necessary to mitigate risks after discovery.
- MCP serves as a foundational layer for AI communication.
- The future of API security is rapidly evolving and uncertain.
- CISOs must engage early in AI projects to ensure security.
- Security should be integrated into AI development from the start.
- Organisations need to be aware of AI-related security threats.
Chapters
- 00:00 Introduction to API Security and Visibility
- 01:24 The Rise of APIs and AI in Cybersecurity
- 05:04 Challenges in Securing APIs and AI Integration
- 07:08 Discovery and Governance of APIs
- 09:02 Understanding MCP and API Interactions
- 11:04 Future of API Security in an AI-Driven World
- 13:37 Key Takeaways for CISOs