EPISODE · Jun 10, 2026 · 16 MIN

The AI Control Loop: AI Security is API Security - with Tim Erlin of Wallarm

from Code Story: Insights from Startup Tech Leaders · host Noah Labhart - Startup Founder & CTO

Today, we are kicking off a new series entitled The AI Control Loop: How enterprises govern the AI they've already deployed, sponsored by our friends at Wallarm.

Wallarm is the AI Control Platform for Enterprise AI, protecting every AI workload, API, and application in production, giving CISOs the governance they need and CIOs the speed they demand. Organizations choose Wallarm for a complete inventory of APIs, AI agents, and AI apps, and for patented AI/ML-based threat detection and blocking that operates at production traffic speeds.

Today's episode is entitled AI Security is API Security, and joining us is Tim Erlin, VP of Product Marketing at Wallarm. We discuss the foundational link between AI security and API security, digging into the role that APIs play in the development, deployment, and operations of AI. We explore how they contribute to the risk profile of AI transformation projects, and how securing APIs is critical for successful AI transformation.

Questions

* When people hear “AI security,” they often think first about models, prompts, or training data. Why do you argue that AI security starts with APIs?
* Where do you see organizations underestimating API risk as they move AI projects from pilot to production?
* How does the rise of AI agents change the stakes for API security compared with traditional application architectures?
* What are the most common API security assumptions that break down once AI systems begin taking action autonomously?
* Wallarm’s ThreatStats research points to APIs as a major overlap point for AI vulnerabilities and exploited vulnerabilities. What does that tell us about where attackers are likely to focus?
* How should security leaders think differently about authentication, authorization, and API abuse when the “user” may be an AI agent rather than a human?
* What is one practical step teams can take today to strengthen API security before AI adoption expands further?
* Once you accept that AI security depends on APIs, what do organizations actually need to discover before they can protect it?

Links

* https://www.wallarm.com/
* https://www.linkedin.com/in/tim-erlin/

Full Abstract

In the first episode of the AI Control Loop series, Tim Erlin, VP Product at Wallarm, examines why AI security and API security are the same problem approached from different angles, and what organizations need to discover before they can protect either one.

Every AI model needs data to act on. Every AI agent needs services to call. Every AI workflow needs integrations to function. The connective tissue running through all of it is APIs, which means the security posture of any AI system is inseparable from the security posture of the APIs underneath it.

That link is not theoretical. APIs are already the most targeted attack surface in enterprise environments, and AI is making that problem significantly larger. Agents that act autonomously on behalf of users do not just consume APIs the way traditional applications do. They discover them, invoke them dynamically, chain them across workflows, and do all of it at a speed and scale that makes human review impractical. The authentication assumptions, rate limiting strategies, and abuse detection models that worked for human-driven API traffic were not designed for this, and the gaps are not subtle.

Most organizations moving AI from pilot to production are underestimating how much of their AI risk surface is actually API risk surface. Shadow APIs that were never inventoried, overpermissioned integrations that made sense for a human user but not for an autonomous agent, authentication patterns that cannot distinguish a legitimate AI session from an abused one. Securing AI at the foundational level means answering the API question first: what APIs does the AI touch, what can it do through them, and what would an attacker be able to reach if any part of that surface were compromised.



