Three-quarters of organizations running AI agents lack API visibility

Three-quarters of organizations running AI agents in production cannot see which agents are talking to which other agents, according to a 2025 industry report on AI agent security. Only 24 percent have full visibility into agent-to-agent communication, leaving the rest unable to reconstruct what an agent called, in what order, or with what parameters when something goes wrong.

The gap sits at the API layer, not the model layer. Prompt injection defenses, output filters, and jailbreak prevention address model behavior, but agents cause incidents by having unrestricted access to production systems — triggering payments, querying databases, reading CRM records, posting to external services — without rate limiting per agent identity, tool access scoping, or audit trails. When an agent misbehaves, most teams cannot determine its blast radius because the enforcement layer for agentic AI security does not exist in the infrastructure where rate limiting and access control have always lived for every other type of system integration.

Prompt guardrails remain a soft boundary that lives in the model. The hard boundary — the one that prevents an agent from draining a payment API or flooding a production database — belongs in the same place where traditional API governance has always been enforced: authentication, authorization, rate limiting, and logging at the infrastructure layer. Without that, organizations are running agents with the same governance posture as an intern with root access.

What's missing is tooling that treats agents as first-class API consumers with scoped permissions, per-identity rate limits, and full call tracing. Until that infrastructure becomes standard, the 76 percent without visibility will keep discovering their agents' blast radius only after an incident.