F5’s latest report highlights growing API security gaps across the region and urges immediate action to strengthen governance and resilience
SYDNEY, AUSTRALIA, SEPTEMBER 10, 2025 – The rapid adoption of Agentic AI in Asia Pacific (APAC) is creating a critical security blind spot: unsecured application programming interfaces (APIs). This is the finding of F5’s (NASDAQ: FFIV) latest report, 2025 Strategic Imperatives: Securing APIs for the Age of Agentic AI in APAC, which examines how growing AI adoption is reshaping the API threat landscape as APIs continue to power the region’s digital experiences.
More than 80 per cent of APAC organisations now use APIs to deploy AI and machine learning models. Once simple data connectors, APIs have become critical execution surfaces – enabling Agentic AI systems to sense their environments, make decisions, and execute actions autonomously at machine speed. Without strong safeguards, misaligned permissions or weak governance can trigger unintended and potentially damaging actions at scale.
Despite recognising the high stakes – with 63 per cent of APAC organisations rating API security as “very important” for business continuity, regulatory compliance, and AI transformation – execution lags dangerously behind. Only 33 per cent of ANZ enterprises report mature API governance capabilities, while just 8.5 per cent have established a dedicated API security function. This results in inconsistent enforcement and critical gaps in oversight, exposing organisations to greater operational and compliance risks.
“Our research shows that many APAC organisations are not yet equipped to secure APIs at the pace and scale of AI adoption. Too often, they lack dedicated teams, consistent oversight, and advanced capabilities – gaps that quickly become strategic vulnerabilities in the era of Agentic AI. Addressing these weaknesses will require stronger governance and end-to-end lifecycle controls to protect business continuity, compliance, and trust,” said Manoj Menon, Founder and CEO at Twimbit.
“As AI agents become more autonomous and embedded in digital services, the pressure and demand for API infrastructure has never been greater. Security can’t be an afterthought. It needs to be the pillar around which APIs are designed, deployed, and scaled. Organisations need real-time visibility and control to ensure every interaction is trusted, whether it’s machine or human-led. At F5, we’re helping customers across Australia and New Zealand build that trust into the fabric of their digital ecosystems, and to ensure they can drive innovation securely and sustainably,” said Jason Baden, Regional Vice President for ANZ at F5.
Other key findings from the report include:
- Concern is high, but capabilities remain fragmented: ANZ enterprises reported high concerns across all API security pillars, but most rate their controls only somewhat effective. This indicates a growing awareness of the critical role API security plays in protecting digital assets, yet it also reveals a significant gap between perception and preparedness. Despite recognising the risks, many organisations lack the cohesive strategies, tools, and processes needed to effectively mitigate threats.
- Business logic vulnerabilities top API security concerns: One in three APAC organisations cite unrestricted access to sensitive flows (OWASP API6) as their top API security risk. Other key concerns include unrestricted resource consumption (OWASP API4) and security misconfiguration (OWASP API8), with over 30 per cent citing risks from excessive resource usage and misconfigurations that weaken API-layer control planes. If exploited, these flaws could disrupt digital services and undermine customer trust, highlighting the urgent need for API-level governance.
- Shadow and Zombie APIs create governance blind spots: Over a third (36 per cent) of businesses rate undocumented Shadow APIs as a high-risk threat, yet only 38 per cent have effective processes to find them. These ungoverned APIs, along with outdated Zombie APIs, create significant security gaps that are easily exploited.
- Preparedness remains low, with limited confidence across key API risks: While APAC enterprises recognise the severity of API security threats, operational readiness remains inconsistent. Only 36 per cent report advanced preparation for most OWASP API security risks, while 14 per cent are still operating at initial readiness stages. Many enterprises still rely heavily on traditional perimeter-based controls, such as Web Application Firewalls (51 per cent) and Identity and Access Management solutions (42 per cent), which are ill-suited for governing dynamic, autonomous API interactions – leaving a dangerous gap as AI adoption accelerates.
From Reactive to Resilient: Five Strategic Imperatives for Agentic AI
Over the next year, 69 per cent of APAC enterprises anticipate moderate to significant increases in API security spending, signaling that APIs are increasingly regarded as a boardroom priority. However, unified oversight is vital to ensure that bigger budgets don’t fuel fragmented efforts instead of strengthening cyber resilience.
To address the governance gaps that could derail AI transformation initiatives, F5 recommends that enterprises focus on five strategic imperatives:
- Assign C-level ownership for end-to-end API governance: Replace fragmented oversight across DevOps, Security, and Infrastructure teams with unified governance that aligns API policy with enterprise AI, risk, and transformation strategies.
- Prioritise lifecycle controls across discovery, posture, runtime, and testing: Implement comprehensive API security that includes automated discovery, posture policies for access scopes and rate limits, runtime threat detection, and pre- and post-deployment testing.
- Embed agent-aware observability into API traffic monitoring: Deploy systems that detect autonomous behavior patterns, log actions in context, and enable real-time traceability across both human and machine activity.
- Enforce OWASP-based policies across both human and agent API usage: Implement runtime controls for function-level authorisation and misconfiguration detection that apply consistently whether APIs are accessed by human users or AI agents.
- Link API behavior to agent intent and business outcomes through governance architecture: Define clear boundaries for what autonomous systems can do, under what conditions, and with appropriate oversight mechanisms that tie agent actions to business policy.
To evaluate the current landscape of API security in the age of agentic AI within the APAC region, Twimbit conducted research on behalf of F5 in H1 of 2025, surveying 1000 professionals from various sectors, including security, DevOps, SecOps, and application development. Respondents were distributed across 10 APAC markets: Australia, China, India, Indonesia, Japan, Korea, Malaysia, New Zealand, Singapore, and Taiwan.
To learn more about the report and findings, please download the full 2025 Asia-Pacific API Security Report here.
About F5
F5, Inc. (NASDAQ: FFIV) is the global leader that delivers and secures every app. Backed by three decades of expertise, F5 has built the industry’s premier platform—F5 Application Delivery and Security Platform (ADSP)—to deliver and secure every app, every API, anywhere: on-premises, in the cloud, at the edge, and across hybrid, multicloud environments. F5 is committed to innovating and partnering with the world’s largest and most advanced enterprises to deliver fast, available, and secure digital experiences. Together, we help each other thrive and bring a better digital world to life.
For more information visit f5.com
Explore F5 Labs threat research at f5.com/labs
F5 is a trademark, service mark, or tradename of F5, Inc., in the U.S. and other countries. All other product and company names herein may be trademarks of their respective owners. The use of the terms “partner,” “partners,” “partnership,” or “partnering” in this press release does not imply that a joint venture exists between F5 and any other company.
Source: F5, Inc.