Most organisations operating outside regulated frameworks are insufficiently protecting their APIs, leaving sensitive data vulnerable. Fintechs, SaaS platforms, and payments firms are identified as among the most exposed sectors.
A new report from Raidiam, a specialist in secure API access management, has uncovered an API security crisis hiding in plain sight: 84% of enterprises operating outside regulated environments have API security protections that fall dangerously short of what’s needed given the sensitivity of the data they expose.
The report, Helping Enterprises Recognize and Address Critical Risk, is based on a security profiling exercise across 68 organisations spanning fintech, payments, SaaS and enterprise platforms. The findings reveal that while 85% of these organisations handle sensitive or high-value personal and financial data, the vast majority still rely on outdated or weak mechanisms like static API keys and basic OAuth secrets, without additional safeguards.
“We’ve all read the recent headlines; API security should not be an afterthought. The gap between the sensitivity of data and the strength of controls is a board-level risk – not just a technical issue,” said David Oppenheim, Head of Enterprise Strategy at Raidiam.
“In regulated environments like Open Banking, stronger controls like mutual TLS and certificate-bound tokens are already standard. Outside those frameworks, there’s a gaping hole.
“We found that even firms handling payment and personal data still rely on static API keys and basic secrets. In today’s threat landscape, that’s the digital equivalent of leaving the vault door open,” Oppenheim added.
Key findings from the report include:
- 84% of organisations were placed in the “Act Urgently” category – exposing sensitive APIs with insufficient security controls
- 85% handle payment data or special category personal data, yet only one organisation met the benchmark for modern, cryptographic API protection
- 57 out of 68 organisations use bare API keys or basic OAuth credentials, despite known vulnerabilities
- Less than half conduct regular API-specific penetration testing or runtime anomaly monitoring, leaving blind spots for attackers to exploit
- Real-world breaches – like the Dell partner API hack in 2023 – prove attackers are already exploiting these weak points
The report also introduces a Security vs Sensitivity Matrix, mapping organisations’ API protection levels against the sensitivity of the data they expose. The result? A clear skew toward severe misalignment.
“In regulated environments like Open Banking, stronger controls like mutual TLS and certificate-bound tokens are already standard. Outside those frameworks, there’s a gaping hole.”
The report arrives as industry concern over API risk intensifies. In early 2025, JPMorgan Chase’s CISO issued an open letter warning of growing API-driven vulnerabilities in third-party platforms, calling for security to be prioritised over speed in their development roadmaps.
According to Gartner, API breaches tend to leak 10x more data than traditional attacks. “This isn’t theoretical – attackers are already in,” the report warns.
The report outlines a four-step roadmap for improvement:
- Elevate API security to board-level priority
- Modernise controls using cryptographic techniques like mTLS and sender-constrained access tokens
- Invest in developer awareness and security testing
- Engage trusted partners to fast-track adoption of proven standards and infrastructure
Raidiam’s platform and digital trust expertise – already powering secure data-sharing ecosystems around the world – is now helping enterprise organisations close the gap.
Download the full report here: https://www.raidiam.com/download-api-security-report
