APIs are leaking more than data as security gaps surface in AI-era testing
By Puja Sharma
Research from KushoAI analyses API test executions across 2,600+ organisations to surface where enterprise API security fails and where tests fail to look
- Around 34% of all API test failures have a direct security implication
- Over 91% of teams test that authentication exists; only 29% test that it is correctly enforced
- AI-generated test suites cover 2.7x more OWASP categories than manually authored ones
- Supply chain attacks now target AI API credentials; current testing has no coverage of them
KushoAI released the State of API Security 2026: An AI-Native Testing Perspective, based on analysis of 1.4 million API test executions across 2,616 organisations. Unlike reports based on surveys or audits, this study draws on observed failures from real test runs, mapped to the OWASP API Security Top 10. To our knowledge, it is the largest published analysis of API security failures observed in AI-driven testing.
Across the dataset, 34% of all API test failures have a direct security implication.
38% of all security failures are authentication and authorisation issues. 91% of test suites across enterprises verify that authentication is required, but only 29% verify that access is correctly enforced across users and permissions. An API that correctly rejects unauthenticated requests yet accepts cross-user access is, from an attacker's perspective, fully accessible: the missing check is on the authorisation side, not the authentication side.
AI-generated test suites cover 2.7x more OWASP categories than manually authored ones; the largest gaps in manual coverage are cross-user access probes, privilege escalation checks, and server-side request forgery. This holds consistently across all 10 categories and all industry verticals in the dataset.
New endpoints carry a 3.1x higher authentication failure rate than endpoints older than 90 days. Security testing is least rigorous where it needs to be most rigorous: the newest releases are the most vulnerable.
Only 24% of organisations validate third-party API responses before passing data downstream. The current testing toolchain has no coverage of supply chain risk at all. The recent LiteLLM PyPI attack and the Shai-Hulud npm worm campaigns, both of which targeted AI API credentials, were invisible to any API-layer test.
“The security failures in this dataset are not sophisticated. Cross-user data access, expired credentials still working, scope not enforced on write endpoints. These are detectable by basic automated tests. What the data shows, across 2,600 organisations, is that most teams are not running those tests. AI-native testing closes that gap systematically, by generating the edge cases that manual authoring consistently misses,” said Abhishek Saikia, Co-founder and CEO of KushoAI.
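The distinction the report draws between testing that authentication exists and testing that access is enforced, and the three failure classes named in the quote above (cross-user data access, expired credentials still working, write scope not enforced), can be shown with a small self-contained harness. The following is an added example, not code from the KushoAI report or its tooling: an in-memory API built in two configurations, a weak one that only checks for a bearer token and a hardened one that also enforces ownership, expiry and scope, plus the checks a test suite should run against both. All users, tokens, scopes and the `/users/{id}/profile` endpoint are constructed for this illustration.

```python
"""Constructed example: "authentication exists" vs "access is enforced" tests.

make_api(enforce=False) models the common weak pattern: it rejects calls with
no valid token but performs no other authorisation. make_api(enforce=True)
adds ownership, expiry and scope checks. run_checks() shows which tests each
configuration passes.
"""
import time
from dataclasses import dataclass, field

# Constructed token table: token -> (user_id, scopes, expiry as epoch seconds)
TOKENS = {
    "tok-alice-rw": ("alice", {"profile:read", "profile:write"}, time.time() + 3600),
    "tok-bob-ro": ("bob", {"profile:read"}, time.time() + 3600),
    "tok-alice-expired": ("alice", {"profile:read", "profile:write"}, time.time() - 60),
}


@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)


def make_api(enforce: bool):
    """Return a request handler for GET/PUT /users/{id}/profile.

    Each handler gets its own copy of the profile store so that writes made
    by one configuration do not leak into checks run against the other.
    """
    profiles = {"alice": {"email": "alice@example.test"},
                "bob": {"email": "bob@example.test"}}

    def handle(method, path, headers, body=None):
        parts = path.strip("/").split("/")
        if len(parts) != 3 or parts[0] != "users" or parts[2] != "profile":
            return Response(404)
        target = parts[1]
        auth = headers.get("Authorization", "")
        token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
        if token not in TOKENS:
            return Response(401)            # both configurations get this right
        user, scopes, expires_at = TOKENS[token]
        if enforce:
            if expires_at < time.time():
                return Response(401)        # expired credential must not work
            if user != target:
                return Response(403)        # cross-user access (BOLA) denied
            if method == "PUT" and "profile:write" not in scopes:
                return Response(403)        # write endpoint requires write scope
        if target not in profiles:
            return Response(404)
        if method == "GET":
            return Response(200, dict(profiles[target]))
        if method == "PUT":
            profiles[target].update(body or {})
            return Response(200, dict(profiles[target]))
        return Response(405)

    return handle


def bearer(token):
    return {"Authorization": f"Bearer {token}"}


def check_auth_required(api):
    """The test most suites already have: unauthenticated call is rejected."""
    return api("GET", "/users/alice/profile", {}).status == 401


def check_owner_allowed(api):
    """Sanity check: the owner with the right scope can read and write."""
    read = api("GET", "/users/alice/profile", bearer("tok-alice-rw"))
    write = api("PUT", "/users/alice/profile", bearer("tok-alice-rw"),
                {"email": "alice2@example.test"})
    return read.status == 200 and write.status == 200


def check_cross_user_denied(api):
    """Bob's valid token must not read Alice's profile."""
    return api("GET", "/users/alice/profile", bearer("tok-bob-ro")).status == 403


def check_expired_rejected(api):
    """An expired token must be treated like no token at all."""
    return api("GET", "/users/alice/profile", bearer("tok-alice-expired")).status == 401


def check_write_scope_enforced(api):
    """Bob's read-only token must not update even his own profile."""
    resp = api("PUT", "/users/bob/profile", bearer("tok-bob-ro"),
               {"email": "changed@example.test"})
    return resp.status == 403


CHECKS = [check_auth_required, check_owner_allowed, check_cross_user_denied,
          check_expired_rejected, check_write_scope_enforced]


def run_checks(api):
    """Return {check name: passed} for one API configuration."""
    return {check.__name__: check(api) for check in CHECKS}


if __name__ == "__main__":
    for label, api in (("weak", make_api(enforce=False)),
                       ("hardened", make_api(enforce=True))):
        print(label, run_checks(api))
```

The weak configuration passes `check_auth_required` and `check_owner_allowed` and fails the other three, which is exactly the profile the report describes: a suite that stops at the first check reports green while cross-user reads, expired tokens and unscoped writes all succeed. The hardened configuration passes all five.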