
Salt Security published a new report last month, called 1H 2026 State of AI and API Security: Navigating the Agentic Era. We had a careful read of the report, as we do for all reports.
Key findings of interest to us at Osterman Research:
- There’s a gap between the rapid deployment of AI agents at organizations and the security programs designed to protect them. This is a recurring finding across most of the research we see (and undertake) and many of the news announcements we cover. Salt Security’s stat is that 92% of organizations lack advanced security capabilities / maturity to defend AI agent environments.
- Visibility into AI agent actions plus interactions with MCP servers and APIs would help a lot in shrinking the gap. Visibility is only step one, but an essential step nonetheless. Salt Security’s stat is that only 24% of organizations have fully automated API inventory; most use manual tracking and have only partial visibility. Another stat from the research is that 49% are essentially blind to non-human, machine-to-machine traffic.
- Not only is the number of APIs growing year-on-year (67% say growth ranges from 51% to more than 300%), but the growing use of generative AI by developers for creating APIs is exacerbating security exposure. Organizations have a constellation of security concerns with using generative AI for API development, led by lack of control over the security of AI models used for code generation.
- Boards and executive leadership groups are actively scrutinizing AI security (as they should be). In the list of evidence for this, the data says that only 39% of boards were “specifically worried about autonomous agents acting without human oversight.” That feels too low; we think it should be close to 100% – because incidents of this type threaten rapid and significant harm to organizations that fail to address the threat.
There’s a lot more in the report, and if AI agents, API security, etc. are core to your work, get a copy from the Salt Security website (registration required).

