48.9% of Enterprises Can't See What Their AI Agents Are Doing to Their APIs

A stat that should be stopping enterprise security conversations cold right now: according to the 1H 2026 State of AI and API Security report, 48.9% of organizations are essentially blind to non-human API traffic — they have no effective monitoring of what their autonomous agents are doing. Another 48.3% cannot differentiate legitimate AI agents from malicious bots.

Put those two numbers together and you have a picture of an enterprise attack surface that has expanded dramatically and, for most organizations, is completely dark.

This is not a future problem. The Akamai State of the Internet report found that 87% of organizations were hit by API attacks in 2025, with average daily API attacks per organization surging 113% year-over-year — from 121 to 258. IBM's 2025 Cost of a Data Breach report puts the average breach cost at $4.44 million globally, $10.22 million for US organizations. Among AI-related breaches specifically, 97% lacked proper access controls.

The timeline is brutal: the attacks are already happening, the costs are already being paid, and half of organizations still cannot see the traffic that is now the dominant vector.

What non-human traffic actually looks like at the gateway

Three years ago, the distinction between human and non-human API traffic was mostly academic. A few scheduled batch jobs, some internal service-to-service calls, the occasional CI pipeline. The vast majority of API requests came from human-driven applications — browsers, mobile apps, partner integrations operated by people.

That ratio has inverted quietly. AI agents operating in task-completion loops now generate call patterns that look nothing like human interaction. A single agent completing a research task might make 30–50 tool calls in under 10 seconds, then stay idle for 20 minutes before the next burst. An orchestration agent coordinating downstream services can fan out to six APIs in parallel within one decision cycle. MCP-connected agents accessing enterprise systems via the Model Context Protocol add another layer of non-human traffic with its own credential patterns and scope requirements.

What makes this dangerous is not the volume alone. It is the combination of high volume, persistent credentials, and the fact that most gateway configurations were designed for human-driven traffic patterns.

Legacy rate limit windows smooth out human burstiness effectively. They do not handle a 50-call burst in 8 seconds followed by 20 minutes of silence. Standard identity reviews catch stale human accounts. They rarely catch a service account credential that has been running unreviewed for six months because nobody explicitly "logged in" with it. Audit infrastructure designed for 50 human API calls per day becomes operationally unwieldy when a single agent session generates 500 calls.

The monitoring tools that worked for the previous traffic composition are not wrong — they just never had non-human traffic as a design case.

Why the visibility gap is being actively exploited

The Bessemer Venture Partners 2026 analysis describes the core problem clearly: every AI agent introduced into an organization creates a non-human identity requiring API access and machine-to-machine authentication — challenges that legacy identity management was never designed to handle.

Attackers understand this gap well. Exploiting it typically follows one of three patterns:

Credential persistence without detection. Agents authenticate with long-lived credentials — service account keys, persistent OAuth tokens, static MCP credentials. Unlike human users who explicitly log out, agents often run with the same credential across weeks or months. A compromised agent credential discovered in a leaked configuration file gives attackers access that persists far longer than a stolen session token, because there is no session expiry and often no credential rotation policy. IBM found that breaches involving shadow AI — AI deployments without proper governance — cost $4.63 million on average, $670,000 more than standard incidents, largely due to the longer detection and containment timelines that follow from poor visibility.

Privilege escalation through MCP chains. As the Futuriom RSAC analysis notes, poorly secured MCP implementations create escalation paths: an LLM with access to an MCP server, which connects to an API with write permissions to a production database, creates an exploitable chain from model reasoning to data modification. The attack does not require compromising any single service — it requires manipulating an agent's decision-making to traverse a permission chain that was never audited as a unit.

Invisible traffic volume as a pre-exfiltration signal. Data exfiltration via API commonly involves high-volume read requests that individually look legitimate. The Equixly 2025 Top API Incidents report documented cases where scrapers and exfiltration tools disguised as agent traffic evaded detection because organizations had no baseline for what normal non-human traffic volume looked like. You cannot flag anomalous agent behavior if you have no model of normal agent behavior.

The control gap: what is actually missing

Running through the gaps that the 48.9% visibility number represents, a consistent pattern emerges. It is not that organizations have no API gateway. Most enterprise teams have something — Kong, AWS API Gateway, Apigee, a homegrown proxy layer. The control gap is more specific than "no gateway":

No client-level identity for non-human callers. Many gateway deployments authenticate requests but do not distinguish between individual AI agent instances. All agent traffic routes through a single shared service account. From the gateway's perspective, there is one client making 2,000 calls per day — not 12 distinct agents each with different scopes, owners, and risk profiles.

No audit schema designed for agent sessions. Standard access logs capture endpoint, timestamp, and status code. They were not designed to capture the correlation ID linking 47 calls across a 90-second agent session, the tool name that triggered each call through MCP, or the delegating user identity on whose behalf the agent acted. Reconstructing what an agent did — which is what every regulated industry requires after an incident — becomes a multi-hour manual exercise, if it is possible at all.

No rate limit architecture for burst-idle patterns. Per-minute sliding windows punish agents for burst patterns that are normal for their workload profile. Organizations either raise limits globally (removing the protection) or accept that legitimate agent workflows will hit 429s constantly. Neither is a real solution — they are both workarounds for rate limit architectures that were not designed with agents in mind.

No credential lifecycle tied to agent identity. Credentials provisioned for agent use often exist outside the normal service account review process. No expiry policy. No owner field. No automated flag when the agent that uses them is decommissioned. The CybelAngel API security research found missing authentication as the most frequent API vulnerability — accounting for 17% of all incidents — and a significant share of those involve credentials that have been abandoned rather than actively stolen.

What full visibility over non-human traffic requires

Closing the visibility gap is not primarily a tooling problem. It is an architecture decision: whether non-human callers are first-class clients in your gateway, or a category of traffic that flows through without identity, audit, or differentiated policy.

The architecture that closes the gap has three properties:

Every caller — human application, AI agent, or MCP client — authenticates with a distinct identity that the gateway recognizes. Not a shared service account. A per-client profile with its own credentials, scopes, rate limits, and audit record. Zerq implements this through client and profile management where each agent is provisioned as a named client with explicit access boundaries. The gateway enforces those boundaries identically regardless of whether the caller is a React app, a Python service, or an agent running through the Gateway MCP.

Every request produces a structured audit record that captures agent context, not just HTTP metadata. Endpoint and timestamp are the minimum — not the goal. The record needs agent identity, session correlation ID, request parameters, response status, and for MCP-routed calls, the tool name. Zerq's complete request logging with payload search writes structured records for every call through the gateway. Compliance queries across agent sessions run in under a minute against indexed records, not across log aggregation pipelines that were designed for human-scale volumes.

Rate limit configuration is per-client and per-operation, with burst allowances tuned to actual agent call patterns. An agent that legitimately bursts 50 calls in 10 seconds should not hit a limit designed for a user clicking through a UI. Zerq's rate limiting is configurable per client and per collection, so agent clients can have burst windows that reflect their actual workload profiles while expensive or side-effecting endpoints carry tighter separate limits.

The point is not that these are technically difficult to implement. It is that they require treating non-human callers as a distinct traffic class with their own requirements — and most gateway deployments were designed before that traffic class existed at enterprise scale.

The 2026 inflection point

The API management market is projected to grow from $8.77 billion in 2026 to $37.43 billion by 2034. That growth is largely AI-driven. The same forecast that has 40% of enterprise applications integrated with AI agents by end of 2026 also implies a corresponding expansion in non-human API traffic volume, credential surface area, and the scope of infrastructure that needs to handle agents as first-class clients.

SecurityWeek's Cyber Insights 2026 puts it plainly: APIs will surpass all other attack vectors to become the dominant source of application-layer breaches, with agentic AI deployments multiplying the number of APIs and increasing the attack surface faster than most governance programs can track.

The 48.9% who cannot see their non-human traffic today are operating under a kind of security debt. The visibility gap already exists. The attack patterns that exploit it are already established. The question is whether the remediation happens before or after the incident that makes the gap unmissable.

For most organizations, the answer is determined by a single architectural decision: does your API gateway treat AI agents as first-class clients with distinct identities, scoped credentials, differentiated rate limits, and structured audit records — or does it route their traffic the same way it routes everything else, without the controls that non-human callers specifically require?

Zerq is designed so that AI agents, MCP clients, and human applications share the same gateway, the same identity model, the same audit trail, and the same enforcement layer — with no separate deployment or configuration path for non-human traffic. See how Zerq handles AI agent access or explore the documentation on Gateway MCP to understand how agent visibility works in practice. Request a demo to run an audit of your current non-human traffic coverage.