By Melvin Hipolito
Copyright futurefive
Rapid adoption of Agentic AI in the Asia-Pacific region is exposing a critical security blind spot in the form of unsecured application programming interfaces (APIs), according to new research.
Data from F5’s newly released report, “2025 Strategic Imperatives: Securing APIs for the Age of Agentic AI in APAC,” reveals that more than 80 per cent of organisations across APAC now make use of APIs to deploy artificial intelligence (AI) and machine learning models.
Once functioning primarily as basic data connectors, APIs are now regarded as critical execution surfaces for digital systems. They enable Agentic AI to sense environments, perform autonomous decision-making, and carry out actions independently at machine speed. However, insufficient API safeguards, weak governance, or misaligned permissions could enable unintended or damaging activities to be triggered and scaled without human intervention.
Lagging execution
The report highlights a significant disparity between perception and action in API security practices. While 63 per cent of APAC organisations consider API security to be “very important” for business continuity, regulatory compliance, and AI transformation, execution of robust security processes remains inconsistent.
In Australia and New Zealand (ANZ), only 33 per cent of enterprises report having mature API governance capabilities, with just 8.5 per cent establishing a dedicated API security function. This has resulted in inconsistent enforcement and oversight, exposing organisations to increased operational and compliance risks.
“As AI agents become more autonomous and embedded in digital services, the pressure and demand for API infrastructure has never been greater. Security can’t be an afterthought. It needs to be the pillar around which APIs are designed, deployed, and scaled. Organisations need real-time visibility and control to ensure every interaction is trusted, whether it’s machine or human-led. At F5, we’re helping customers across Australia and New Zealand build that trust into the fabric of their digital ecosystems, and to ensure they can drive innovation securely and sustainably,” said Jason Baden, Regional Vice President for ANZ at F5.
According to Manoj Menon, Founder and CEO at Twimbit, “Our research shows that many APAC organisations are not yet equipped to secure APIs at the pace and scale of AI adoption. Too often, they lack dedicated teams, consistent oversight, and advanced capabilities – gaps that quickly become strategic vulnerabilities in the era of Agentic AI. Addressing these weaknesses will require stronger governance and end-to-end lifecycle controls to protect business continuity, compliance, and trust.”
Key risks flagged
The report also notes that concern is high among ANZ enterprises across multiple pillars of API security, yet most organisations rate their own controls as only somewhat effective. This observation suggests rising awareness among enterprises of how crucial API security is for the protection of digital assets, but also highlights a lack of effective mitigations.
One in three APAC organisations identified unrestricted access to sensitive flows – classified as OWASP API6 – as their top API security risk. Other common concerns include excessive resource consumption (OWASP API4) and security misconfigurations (OWASP API8). More than 30 per cent of respondents cited these latter two issues as key threats that could disrupt services and erode customer confidence, underlining the need for strengthened API governance structures.
Unmonitored “Shadow” and outdated “Zombie” APIs were singled out as additional threats. Over a third (36 per cent) of organisations rated improper oversight of Shadow APIs as a high risk, yet only 38 per cent had processes in place to effectively detect such endpoints. The persistence of these APIs creates blind spots that are susceptible to exploitation.
The report also measured preparedness for these threats, finding that only 36 per cent of enterprises in APAC believed they were well-prepared for the majority of OWASP API security risks, while 14 per cent still operated at the most basic level of readiness. Traditional perimeter-based security tools, such as Web Application Firewalls (51 per cent adoption) and Identity and Access Management systems (42 per cent), remain widely used despite their limited flexibility in overseeing dynamic, autonomous API interactions.
Strategic focus areas
F5’s research indicates 69 per cent of APAC businesses expect to moderately or significantly increase API security budgets over the next year. However, the report cautions that boosting expenditure alone will not address the fundamental governance gaps that threaten AI transformation initiatives.
To promote resilience and support secure AI deployment, F5 recommends five core imperatives: assigning C-level ownership for end-to-end API governance; implementing lifecycle controls covering discovery, posture, runtime, and testing; establishing agent-aware observability in API traffic monitoring; enforcing OWASP-based policies consistently across both human and agent API usage; and linking API behaviour and agent actions to business policy and intent through clearly defined governance architectures.
The research was conducted for F5 by Twimbit, surveying 1,000 professionals specialising in security, DevOps, SecOps, and application development, across ten APAC markets, including Australia, China, India, Indonesia, Japan, Korea, Malaysia, New Zealand, Singapore, and Taiwan.