
Bengaluru, April 2026: KushoAI today released the State of API Security 2026: An AI-Native Testing Perspective, based on analysis of 1.4 million API test executions across 2,616 organizations. Unlike reports based on surveys or audits, this study draws on observed failures from real test runs, mapped to the OWASP API Security Top 10. To our knowledge, it is the largest published analysis of API security failures observed from AI-driven testing activity.
Across the dataset, 34% of all API test failures have a direct security implication.
38% of all security failures are auth and authorization issues. 91% of test suites across enterprises verify that authentication is required. Only 29% verify that access is correctly enforced across users and permissions. An API that correctly rejects unauthenticated requests but incorrectly accepts cross-user access is, from an attacker’s perspective, fully accessible.
AI-generated test suites cover 2.7x more OWASP categories than manually authored ones, with the largest gaps in cross-user access probes, privilege escalation checks, and server-side request forgery. This holds consistently across all 10 categories and all industry verticals in the dataset.
New endpoints carry a 3.1x higher auth failure rate than endpoints older than 90 days. Security testing is least rigorous where it needs to be most rigorous. Newest releases are the most vulnerable.
Only 24% of organizations validate third-party API responses before passing data downstream. The current testing toolchain has no coverage of supply chain risk at all. The recent LiteLLM PyPI attack and Shai-Hulud npm worm campaigns both targeted AI API credentials and were invisible to any API-layer test.
“The security failures in this dataset are not sophisticated. Cross-user data access, expired credentials still working, scope not enforced on write endpoints. These are detectable by basic automated tests. What the data shows, across 2,600 organizations, is that most teams are not running those tests. AI-native testing closes that gap systematically, by generating the edge cases that manual authoring consistently misses,” said Abhishek Saikia, Co-founder and CEO of KushoAI.




