The State of Zero-Trust Security in 2025

The API space has always been heavily focused on security as a pillar of design and development. APIs trade in data — and this data reflects a broad base of users who expect it to be secured and treated with respect. To ensure that this data is as secure as possible, many providers have looked to the concept of zero trust as the way of the future.

In 2025, however, the evolution of AI has rapidly changed the game. While zero trust was always seen as something to strive for — a way of looking at security in its best form — the rise of AI and complex attack vectors relying on it has necessitated a rapid mindset change. Zero trust is no longer a nice-to-have but a paramount consideration.

Today, we’re going to look at the reality of security in the API realm and the impact of AI on users and providers across the globe. We’ll examine new emerging threat vectors and how zero trust aims to mitigate them. We’ll also explore specific examples of implemented zero trust — assessing whether they have succeeded.

The State of Security

To set the context for why this conversation is so important, we should look at the state of AI in the context of API security.

In the early days of APIs, security was relatively easy to ensure. In many cases, the users interested in using a mainframe-style remote server were limited to a given organization, meaning security was pretty straightforward. As APIs became more ubiquitous and public services began to be offered, this changed, requiring more complex service provision, security approaches, and models for defining a user.

Over time, the nature of trust began to be questioned — what did it mean to trust a user, and was it really necessary to classify trust levels?

The Rise of Zero Trust

As a result of these conversations, traditional trust models — largely based on perimeter defenses such as firewalls — were actively questioned. A new model emerged: zero trust architecture.

Zero trust is simple in concept — never trust, always verify. By assuming that threats exist both inside and outside of an organization’s network or an API’s code structure and framework, no entity is given leeway — every request must be validated and verified. Some saw this as an extreme measure. After all, adopting absolute zero trust meant explicit verification of every identity and device, limiting privileges to the minimum required, and constant monitoring.

Over time, however, API attacks grew more complex and severe. In the early 2000s, attacks weren’t always sophisticated — while DDoS and other mass-flood-style attacks were common, privilege escalation or advanced multi-vector threats were less frequent. When these attacks did occur, they were often carried out by nation-states or organizations targeting specific individuals or entities, making them relatively rare.

Put another way, if you were a hacker in 2004, conducting an attack on a large organization was so expensive that you were often better off seeking crimes of opportunity or launching simple DDoS attacks.

Cost-Efficient Chaos

This changed dramatically. As we moved into the late 2000s and early 2010s, a worrying trend emerged — attackers were becoming increasingly efficient, and small groups began deploying tactics that were once reserved for the best-funded criminal organizations and nation-states.

Part of this shift stemmed from Moore’s Law — roughly every two years, the number of transistors on a chip doubles, significantly improving computing power while reducing costs. Suddenly, tasks that once required supercomputers or clusters of devices could be accomplished on standard desktops, and encryption cracking that was once thought impossible suddenly became a reality.

Accordingly, zero trust began to be seen as an essential security paradigm. In 2018, NIST released SP 800-207, codifying guidelines and structures for implementing zero trust. Even then, zero trust was still generally seen as aspirational — something more suitable for organizations facing insider threats or handling highly sensitive data.

The Specter of AI

Where this narrative pivots is AI. More specifically, large language models (LLMs) with advanced data processing capabilities and natural language processing attributes have transformed the tech world in just a few years. Before the release of ChatGPT in 2022, AI was largely confined to niche areas of the tech industry. It had promise but was evolving incrementally.

With ChatGPT’s release, however, a sudden sea change occurred — AI became a household concept, and consumer access to LLMs became as easy as entering a credit card number. While this led to a surge in AI adoption, it also introduced a major risk — attackers suddenly had access to advanced, sophisticated attack modalities like never before.

According to a report by Gartner, AI-driven attacks are estimated to grow by 548% by 2030 — a shocking number considering that reports from CrowdStrike already highlight AI-powered attacks as one of the most common attack vectors in 2024.

Worryingly, many of these attacks are non-traditional. While past attacks leveraged malware to compromise data, AI-powered attacks utilize everything from social media to voice duplication, creating persistent and hard-to-detect attack vectors.

Examples of AI-Powered Attacks

This is not a theoretical risk — real-world incidents of AI involved in complex attacks have occurred.

A Wall Street Journal report detailed how attackers used AI-generated deepfake audio to mimic a UK-based energy company’s CEO. They then used this deepfake to convince staff to transfer funds to a fraudulent supplier, resulting in a loss of $243,000. The attack exploited internal process vulnerabilities and trust assumptions, circumventing multiple security layers.

A zero-trust model could have mitigated this attack by verifying invoices against transfer requests and ensuring validation from a trusted device. However, because zero trust was not in place, human error prevailed.
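The following Python is an added example, not code from the original post or from any product it mentions. It models the controls the last two sections describe as a single policy check on a funds transfer: the request must arrive over an authenticated channel from a managed device with MFA completed, the requester’s role must be one that is permitted to initiate transfers (least privilege), the payee and amount must match an approved invoice, and large amounts need an independent second approver. Every decision is appended to an audit trail for the “constant monitoring” part. All class and function names, the invoice registry, account strings, roles and the dual-approval threshold are constructed assumptions; the deepfake scenario reuses only the $243,000 figure from the article.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# --- Constructed data model (assumed names; not from any real system) ---

@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    supplier: str
    payee_account: str
    amount: float

@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    managed: bool        # enrolled in the organisation's device management
    mfa_verified: bool   # step-up MFA completed in this session on this device

@dataclass(frozen=True)
class TransferRequest:
    requester: str
    role: str
    channel: str                   # "portal" = authenticated; "phone" = unverified voice
    device: Optional[DevicePosture]
    payee_account: str
    amount: float
    invoice_id: Optional[str]
    second_approver: Optional[str] = None

@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)

# Constructed sample registry of invoices that accounts-payable has already approved.
INVOICE_REGISTRY: Dict[str, Invoice] = {
    "INV-1001": Invoice("INV-1001", "Acme Turbines Ltd", "GB00CONSTRUCTED1001", 18_500.00),
}
ROLES_ALLOWED_TO_INITIATE = {"ap_clerk", "finance_manager"}
DUAL_APPROVAL_THRESHOLD = 100_000.00   # assumed policy value
AUDIT_TRAIL: List[dict] = []           # "constant monitoring": every decision is recorded


def evaluate_transfer(req: TransferRequest,
                      registry: Dict[str, Invoice] = INVOICE_REGISTRY) -> Decision:
    """Never trust, always verify: each control is checked on every request,
    and the decision is allowed only when no control fails."""
    reasons: List[str] = []

    # 1. Explicit verification of the channel: a voice instruction, however
    #    convincing, is never treated as an authenticated request.
    if req.channel != "portal":
        reasons.append("request did not arrive over an authenticated channel")

    # 2. Trusted device: must be managed and have completed MFA.
    if req.device is None or not req.device.managed:
        reasons.append("request not from a managed device")
    elif not req.device.mfa_verified:
        reasons.append("MFA not completed on this device")

    # 3. Least privilege: only roles that initiate payments may do so.
    if req.role not in ROLES_ALLOWED_TO_INITIATE:
        reasons.append(f"role '{req.role}' may not initiate transfers")

    # 4. Verify the transfer against an approved invoice, not against the caller's word.
    inv = registry.get(req.invoice_id) if req.invoice_id else None
    if inv is None:
        reasons.append("no approved invoice referenced")
    else:
        if inv.payee_account != req.payee_account:
            reasons.append("payee account does not match invoice")
        if abs(inv.amount - req.amount) > 0.005:
            reasons.append("amount does not match invoice")

    # 5. Dual control for large amounts: a second, different person must approve.
    if req.amount >= DUAL_APPROVAL_THRESHOLD and (
            req.second_approver is None or req.second_approver == req.requester):
        reasons.append("independent second approver required")

    decision = Decision(allowed=not reasons, reasons=reasons)
    AUDIT_TRAIL.append({"requester": req.requester, "amount": req.amount,
                        "allowed": decision.allowed, "reasons": list(reasons)})
    return decision


# --- Constructed scenarios -----------------------------------------------

def legitimate_scenario() -> Decision:
    """Clerk pays an approved invoice from a managed, MFA-verified laptop."""
    return evaluate_transfer(TransferRequest(
        "alice", "ap_clerk", "portal", DevicePosture("laptop-42", True, True),
        "GB00CONSTRUCTED1001", 18_500.00, "INV-1001"))

def deepfake_scenario() -> Decision:
    """A voice caller claiming to be the CEO demands an urgent $243,000 payment
    to a new supplier with no invoice on file; the caller is not on any device."""
    return evaluate_transfer(TransferRequest(
        "caller-claiming-ceo", "unknown", "phone", None,
        "XX00CONSTRUCTED9999", 243_000.00, None))

def tampered_scenario() -> Decision:
    """Same as the legitimate request, but the amount was altered after approval."""
    return evaluate_transfer(TransferRequest(
        "alice", "ap_clerk", "portal", DevicePosture("laptop-42", True, True),
        "GB00CONSTRUCTED1001", 28_500.00, "INV-1001"))


if __name__ == "__main__":
    for name, fn in [("legitimate", legitimate_scenario),
                     ("deepfake", deepfake_scenario), ("tampered", tampered_scenario)]:
        d = fn()
        print(f"{name}: {'ALLOW' if d.allowed else 'DENY'} {d.reasons}")
```

The point of structuring it this way is that no single control carries the decision: even if the attacker had reached a real employee’s portal session, the missing invoice and the dual-approval rule would still block the payment, and the audit trail records the attempt so that a denied request is a detection signal rather than a silent failure.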

As AI evolves, these attacks will only become more complex. AI is built on statistical analysis and pattern recognition, meaning any system with identifiable patterns is at risk. AI-driven attacks now target broken access control, overly permissive states, improper cryptographic implementations, and other critical weaknesses — threatening the very foundation of API security.

Examples of Zero Trust Success

Given this context, it’s no surprise that zero trust has become a hot topic. Many organizations are rushing to adopt this model in response to rising attack sophistication.

NTT DATA provides a strong example of zero trust at scale. Recognizing security challenges posed by a remote workforce, NTT DATA partnered with Zscaler to deploy a zero-trust platform. Within 30 days, 50,000 users were onboarded, eliminating the need for VPNs and leveraging a secure gateway and heuristic analysis to validate user interactions. Ultimately, 150,000 users were migrated to the platform, allowing secure global operations without introducing additional risks.

Another strong example is Cimpress, best known for its subsidiary Vistaprint. Cimpress operates numerous businesses, each with its own tech stack, security standards, and attack vectors. To securely integrate these diverse systems, Cimpress adopted a zero-trust model, ensuring collaboration without increasing insider threats.

These efforts yield measurable benefits. According to a report by IBM, organizations implementing zero trust see a 30% reduction in data breaches. A Cybereason report found that 81% of organizations adopting zero trust reported improved security and fewer breaches.

Zero Trust: More Than “Nice-to-Have”

Zero trust is rapidly shifting from a forward-thinking “nice-to-have” to an urgent necessity across industries. Organizations should evaluate their tech stack in light of data security concerns. As sophisticated attacks continue to increase, adopting zero trust is not just about future-proofing — it’s a requirement to stay secure in the coming decade.