F5 Report: Unsecured APIs Could Stall APAC’s AI Ambitions
Highlighting the Growing API Security Gaps Across the Region and Urging Immediate Action to Strengthen Governance and Resilience

The rapid adoption of agentic AI (Artificial Intelligence) in Asia Pacific (APAC) is creating a critical security blind spot: unsecured application programming interfaces (APIs). This was revealed by F5’s latest report, “2025 Strategic Imperatives: Securing APIs for the Age of Agentic AI in APAC,” which examines how growing AI adoption is reshaping the API threat landscape as APIs continue to power the region’s digital experiences.
More than 80% of APAC organisations now use APIs to deploy AI and machine learning models. Once simple data connectors, APIs have become critical execution surfaces—enabling Agentic AI systems to sense their environments, make decisions, and execute actions autonomously at machine speed. Without strong safeguards, misaligned permissions, or weak governance can trigger unintended and potentially damaging actions at scale.
Despite recognising the high stakes—with 63% of APAC organisations rating API security as “very important” for business continuity, regulatory compliance, and AI transformation—execution lags dangerously behind. Only 42% report mature API governance capabilities, while just 22% have established a dedicated API security function. This results in inconsistent enforcement and critical gaps in oversight, exposing organisations to greater operational and compliance risks.
“Our research shows that many APAC organisations are not yet equipped to secure APIs at the pace and scale of AI adoption. Too often, they lack dedicated teams, consistent oversight, and advanced capabilities—gaps that quickly become strategic vulnerabilities in the era of Agentic AI. Addressing these weaknesses will require stronger governance and end-to-end lifecycle controls to protect business continuity, compliance, and trust,” said Manoj Menon, Founder and CEO at Twimbit.
“The speed and autonomy of AI agents demand that API security be built into the foundation of business operations. This means integrating governance, visibility, and policy enforcement directly into API workflows, ensuring every interaction—whether human or machine—is authenticated, authorised, and monitored in real time. At F5, we’re helping organisations across the region strengthen these controls so they can confidently scale AI adoption without compromising resilience or agility,” said Mohan Veloo, Chief Technology Officer for Asia Pacific, China, and Japan, F5.
Other Key Findings from F5 Report
-
Business logic vulnerabilities top API security concerns: One in three APAC organisations cite unrestricted access to sensitive flows (OWASP API6) as their top API security risk. Other key concerns include unrestricted resource consumption (OWASP API4), and security misconfiguration (OWASP API8), with over 30% citing risks from excessive resource usage, and misconfigurations that weaken API-layer control planes. If exploited, these flaws could disrupt digital services and undermine customer trust, highlighting the urgent need for API-level governance.
-
Shadow and Zombie APIs create governance blind spots: Shadow and Zombie APIs create critical blind spots. Over a third (36%) of businesses rate undocumented Shadow APIs as a high-risk threat, yet only 38% have effective processes to find them. These ungoverned APIs, along with outdated Zombie APIs, create significant security gaps that are easily exploited.
-
Preparedness remains low, with limited confidence across key API risks: While APAC enterprises recognise the severity of API security threats, operational readiness remains inconsistent. Only 36% report advanced preparation for most OWASP API security risks, while 14% are still operating at initial readiness stages. Many enterprises still rely heavily on traditional perimeter-based controls, such as Web Application Firewalls (51%), and Identity and Access Management solutions (42%), which are ill-suited for governing dynamic, autonomous API interactions—leaving a dangerous gap as AI adoption accelerates.
From Reactive to Resilient: Five Strategic Imperatives for Agentic AI
Over the next year, 69% of APAC enterprises anticipate moderate to significant increases in API security spending, signalling that APIs are increasingly regarded as a boardroom priority. However, unified oversight is vital to ensure that bigger budgets do not fuel fragmented efforts instead of strengthening cyber resilience.
To address the governance gaps that could derail AI transformation initiatives, F5 recommends that enterprises focus on five strategic imperatives:
-
Assign C-level ownership for end-to-end API governance: Replace fragmented oversight across DevOps, Security, and Infrastructure teams with unified governance that aligns API policy with enterprise AI, risk, and transformation strategies.
-
Prioritise lifecycle controls across discovery, posture, runtime, and testing: Implement comprehensive API security that includes automated discovery, posture policies for access scopes and rate limits, runtime threat detection, and pre- and post-deployment testing.
-
Embed agent-aware observability into API traffic monitoring: Deploy systems that detect autonomous behaviour patterns, log actions in context, and enable real-time traceability across both human and machine activity.
-
Enforce OWASP-based policies across both human and agent API usage: Implement runtime controls for function-level authorisation and misconfiguration detection that apply consistently whether APIs are accessed by human users or AI agents.
-
Link API behaviour to agent intent and business outcomes through governance architecture: Define clear boundaries for what autonomous systems can do, under what conditions, and with appropriate oversight mechanisms that tie agent actions to business policy.
To evaluate the current landscape of API security in the age of agentic AI within the APAC region, Twimbit conducted research on behalf of F5 in H1 of 2025, surveying 1,000 professionals from various sectors, including security, DevOps, SecOps, and application development. Respondents to the F5 research were distributed across 10 APAC markets: Australia, China, India, Indonesia, Japan, Korea, Malaysia, New Zealand, Singapore, and Taiwan.
To learn more about the F5 report and findings, please download the full “2025 Asia-Pacific API Security Report“ here.



