Issue 01 · MENA Edition · April 2026 · Independent Research · No Sponsor Influence
The API Security Briefing
By Prophaze Research · Vol. 1 / No. 1

The API security crisis in MENA — now amplified by an army of AI agents.

Eighty-eight percent of organisations had AI agent security incidents last year. Forty-nine percent are blind to their machine-to-machine traffic. SAMA fines reach SAR 25M. The regulators are no longer asking nicely — and the attack surface just doubled.

The number that should keep every CISO awake
57% of organisations suffered an API-related breach in the past two years. Of those breached, 73% experienced three or more separate incidents.

Source: Traceable AI · 2025 State of API Security Report
Part One · The Hidden Sprawl

The APIs your team doesn't know exist are the ones attackers find first.

In every cybersecurity conversation across the Gulf, there is a question that produces uncomfortable silences. How many APIs are running in your production environment right now? The honest answer, almost always, is some version of: more than the documentation says.

This is not a failure of competence. It is a structural consequence of how modern software is built. Development teams ship endpoints in days; security teams catalogue them in weeks. Test environments become permanent. Microservices replace monoliths and bring their own internal APIs along with them. Third-party integrations create new ingress paths that no one fully owns.

The numbers are not subtle. Per Traceable AI's 2025 research, organisations now run an average of 131 third-party APIs alongside their internal estate — and only 16% of those organisations say they can meaningfully mitigate the risks from those external integrations. The remaining 84% are operating with attack surfaces they cannot fully see.[1]

For the Gulf specifically, the consequences are not theoretical. Cyfirma's 2025 Saudi Arabia threat landscape report documented multiple high-profile breaches affecting delivery platforms, recruitment databases, government departments, and e-commerce backends — many of them tracing to unsecured or undocumented API endpoints. In several cases the database itself was not the original target; an exposed API was.[2]

The Numbers Behind Part One

131: Average number of third-party APIs in a modern enterprise environment. Source: Traceable AI · 2025
30%+: Share of all data breaches now traced to API incidents — up from under 20% two years ago. Source: SQ Magazine · 2026
63%: Security teams who now rank APIs as their single biggest data-exposure risk. Source: SQ Magazine · 2026
15%: Organisations who say they are highly confident handling AI-driven API threats. Source: SQ Magazine · 2026

Part Two · What Legacy Cannot See

Fifty-three percent of buyers will tell you the secret out loud.

The most striking finding in Traceable AI's research is not that organisations are being breached. It is that they have stopped pretending their existing defences are adequate. Fifty-three percent of organisations now openly admit that traditional WAFs and WAAPs are inadequate for detecting or preventing fraud at the API level.[3]

That number deserves a second look. A majority of security teams are saying — on the record, in vendor-funded surveys, in front of their CFOs — that the security stack they currently pay for cannot solve the problem in front of them. This is not a marketing claim. It is the buyers themselves describing the gap.

The reason is architectural. Legacy WAFs were designed for a different world: HTTP traffic to a small number of public-facing web applications, defended at the perimeter. Modern enterprise traffic is something else entirely — east-west flows between microservices, GraphQL queries that legacy parsers cannot inspect, GenAI agents making millions of authenticated calls without human oversight, and Kubernetes orchestrators spinning up endpoints faster than any rule-based engine can catalogue them.

The result is a category of attack — broken object-level authorisation, business logic abuse, authenticated bot fraud — that legacy WAFs were structurally never built to catch. Per Traceable, 95% of API attacks in 2025 came from authenticated sessions. The attacker already had valid credentials. The WAF did exactly what it was designed to do. The breach happened anyway.

§ § §

"We spent three million dollars on security tools, we are still not compliant with SAMA, we still got breached, and my team is exhausted."

— CISO at a Dubai-based financial institution, quoted in Seceon Middle East Cyber Resilience Report 2025
Part Three · The AI Agent Surface

The attack surface has doubled — and most security teams cannot see half of it.

Every conversation about API security in 2026 is also a conversation about AI. Not because security vendors decided to bolt the words together, but because the buyers themselves have stopped treating them as separate problems. AI agents are now the dominant new consumer of enterprise APIs. They are also, increasingly, the dominant new attack surface.

The data is stark. According to Gravitee's State of AI Agent Security 2026 report, drawn from 900+ executives and technical practitioners, 88% of organisations had a confirmed or suspected AI agent security incident in the last year. In healthcare specifically, that number reaches 92.7%. The mean enterprise is now running thirty-seven autonomous agents in production — a number that has roughly doubled every quarter through early 2026.[19]

Salt Security's 1H 2026 State of AI and API Security Report — based on 300+ surveyed security leaders — frames the architectural diagnosis bluntly: "You cannot secure AI without securing the APIs that power it." Forty-eight point nine percent of organisations are entirely blind to machine-to-machine traffic. Forty-eight point three percent cannot reliably distinguish a legitimate AI agent from a malicious bot. Ninety-two percent lack the security maturity required for autonomous agent environments. Two-thirds of enterprises report API growth above 50% year-on-year — almost entirely driven by AI workloads.[20]

The deeper problem is identity. Only 21.9% of organisations treat AI agents as independent, identity-bearing entities with their own access controls. 45.6% still rely on shared API keys for agent-to-agent authentication — meaning when something goes wrong, there is often no way to determine which agent did what, or to revoke access to one specific actor without taking down the entire fleet. Seventy percent of enterprises now report that their AI systems have more access than the equivalent human roles doing the same work.[21]
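
Added example (not from this briefing or any report it cites): a minimal sketch of why shared API keys give no per-agent accountability, set beside per-agent secrets that allow attribution and single-agent revocation. The AgentRegistry class, the agent names and the request lines are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets


def sign(key, request):
    """HMAC-SHA256 over the request line (replay protection omitted for brevity)."""
    return hmac.new(key, request.encode(), hashlib.sha256).hexdigest()


class AgentRegistry:
    """Hypothetical registry: one secret per agent instead of one per fleet."""
    def __init__(self):
        self._keys = {}      # agent_id -> secret
        self.audit_log = []  # (agent_id, request) for each accepted call

    def enroll(self, agent_id):
        self._keys[agent_id] = secrets.token_bytes(32)
        return self._keys[agent_id]

    def revoke(self, agent_id):
        self._keys.pop(agent_id, None)  # removes this one actor only

    def verify(self, agent_id, request, signature):
        key = self._keys.get(agent_id)
        if key is None:  # unknown or revoked agent
            return False
        if not hmac.compare_digest(sign(key, request), signature):
            return False
        self.audit_log.append((agent_id, request))
        return True


def demo():
    req = "DELETE /v1/accounts/1001"  # constructed sample request
    # Shared key: any two agents produce the same signature, so no attribution.
    shared = secrets.token_bytes(32)
    shared_distinguishable = sign(shared, req) != sign(shared, req)
    reg = AgentRegistry()
    billing = reg.enroll("billing-agent")  # constructed agent names
    support = reg.enroll("support-agent")
    accepted = reg.verify("billing-agent", req, sign(billing, req))
    # support-agent claiming to be billing-agent fails: it holds the wrong key.
    impersonation = reg.verify("billing-agent", req, sign(support, req))
    reg.revoke("billing-agent")
    revoked = reg.verify("billing-agent", req, sign(billing, req))
    other = reg.verify("support-agent", "GET /v1/tickets/7", sign(support, "GET /v1/tickets/7"))
    return {"shared_distinguishable": shared_distinguishable, "accepted": accepted,
            "impersonation": impersonation, "revoked_accepted": revoked,
            "fleet_still_up": other, "audit_log": list(reg.audit_log)}


if __name__ == "__main__":
    print(demo())
```

The audit log names the agent behind each accepted call, and revoking billing-agent leaves support-agent working, which is the accountability a fleet-wide shared key cannot provide.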

The architectural verdict from these surveys is consistent: the legacy WAF, the API gateway built for human-developer sessions, and the model-centric AI security tools each solve one slice of the problem. The Agentic Action Layer — where AI agents, LLMs, MCP servers, and the APIs they invoke all meet — has no incumbent owner. The CISOs winning the 2026 audit cycle are the ones who treat that layer as a single, governed surface rather than as three disconnected disciplines.

The number every board is now asking about
88% of organisations had a confirmed or suspected AI agent security incident in the last year. Only 14.4% of agents went live with full security or IT approval. The deployment outpaced the governance.

Source: Gravitee · State of AI Agent Security 2026 Report (900+ respondents)

The Agentic Action Layer · By the Numbers

48.9%: Organisations entirely blind to machine-to-machine API traffic — cannot monitor what their AI agents are doing. Source: Salt Security · 1H 2026
92%: Organisations lacking advanced security maturity required to defend agentic AI environments. Source: Salt Security · 1H 2026
45.6%: Organisations still using shared API keys for agent-to-agent authentication — no individual accountability. Source: Gravitee · 2026
4.5×: Higher incident rate in organisations with over-privileged AI systems versus those enforcing least-privilege. Source: Teleport · 2026

Part Four · The Regulators

In Saudi Arabia and the UAE, compliance is no longer aspirational.

For most of the past decade, the cybersecurity regulatory conversation in the Gulf was framed around frameworks and intent — "alignment with international best practices," "voluntary adoption," "phased compliance roadmaps." That era has ended — and it has ended at exactly the moment AI agents became the dominant new attack surface.

In January 2025, the Saudi Central Bank issued enhanced cybersecurity rules granting the National Cybersecurity Authority direct enforcement powers, including financial penalties of up to SAR 25 million — roughly USD 6.7 million per incident — for non-compliance.[4] This is not a recommendation. It is a quarterly board-meeting item.

Compounding the pressure: the NCA's Essential Cybersecurity Controls Version 2 (ECC-2), issued in 2024, expanded the framework to 114 controls across five domains — governance, asset management, risk management, people security, and technology protection. ECC-2 is mandatory not only for government entities but for any organisation owning, operating, or hosting Critical National Infrastructure, plus their full supply chains. The cryptography and application-security controls speak directly to runtime API behaviour.[5]

Layered onto that, Saudi Arabia has formally designated 2026 as the "Year of Artificial Intelligence", with SDAIA's AI Ethics Principles, Generative AI Guidelines, and the AI Adoption Framework now operating as procurement filters — particularly for government and government-adjacent contracts. SDAIA itself achieved ISO 42001 certification in July 2024, signalling the standard the regulator expects suppliers to meet. The UAE has moved in parallel: the Central Bank of the UAE published its Guidance Note on AI/ML in February 2026, covering governance, bias testing, transparency, and human oversight for every licensed financial institution.[22]

The Saudi Central Bank's SAMA Cybersecurity Framework — which is now mandatory for every licensed bank, insurer, and fintech in the Kingdom — covers cybersecurity governance, risk management, incident response, third-party security, and data privacy in a way that materially overlaps with NCA ECC-2 and SDAIA's AI guidance. Triple compliance — NCA, SAMA, and AI-specific — is not a convenience. It is now the default operating reality.

The Compliance Stack · KSA & UAE

Eight frameworks with teeth.

KSA
NCA ECC-2

Essential Cybersecurity Controls, Version 2 (2024). 114 controls covering governance, application security, cryptography, and incident response. Mandatory for government, CNI & their supply chains.

Fines up to SAR 25M
KSA
SAMA Cybersecurity Framework

The Saudi Central Bank's framework for banks, insurers, and fintechs. Covers third-party risk, data privacy, and runtime application monitoring. Non-compliance can suspend operating licenses.

Licence Suspension
KSA
SDAIA AI Ethics & Generative AI Guidelines

2026 designated "Year of AI" in the Kingdom. SDAIA AI Ethics Principles, Generative AI Guidelines, and AI Adoption Framework are now procurement filters for government contracts. ISO 42001 aligned.

Procurement Filter
KSA
Cloud & Data Cybersecurity Controls

CCC-1:2020 and DCC-1:2022 mandate explicit encryption controls for data in transit and at rest, plus application-layer cryptography aligned with NCS standards.

Mandatory · Government Audited
KSA
SDAIA Cloud Mandate

By 2030, 80% of government workloads must reside on sovereign local cloud infrastructure. Vendors lacking data-residency support are effectively excluded from public-sector procurement.

Deadline · 2030
UAE
CBUAE AI/ML Guidance Note · Feb 2026

UAE Central Bank's guidance for licensed financial institutions on AI/ML systems. Covers governance, bias testing, transparency, human oversight, and model risk management. Examinations underway.

Active Enforcement
UAE
NESA & CBUAE Open Finance Regulation

UAE Information Assurance Standards (federal) and the Central Bank's Open Finance Regulation (April 2024). Mandate runtime application security controls and API security for licensed financial institutions.

Active Enforcement
UAE
PDPL, AI Charter & Abu Dhabi Digital Strategy

PDPL in active enforcement. UAE Charter for AI (2024) covers responsible AI use. Abu Dhabi Digital Strategy 2025–27 allocates USD 3.5B to digital infrastructure including AI security hardening.

USD 3.5B Allocated
Part Five · The Hybrid Trap

Most GCC enterprises are now running three security stacks that don't talk to each other.

If you ask a CISO at a Saudi bank or an Emirati insurance company to describe their current security architecture, you will hear three layered stories. There is an on-premises stack — usually mature, often older, defended by a legacy WAF that has been in production for years. There is a cloud stack — newer, more dynamic, running across AWS, Azure, or Google Cloud, defended by whatever native controls came with the platform. And now there is a third: the agentic stack — AI agents, LLM applications, and MCP servers that have been deployed in the past eighteen months and are increasingly responsible for the majority of new traffic crossing the API layer.

This is the structural blind spot, now triple-layered. Three policy regimes, three log streams, three operational teams, and a population of API endpoints sitting between them that no one fully owns. Per Seceon's 2025 review of more than fifty Middle East organisations, the typical enterprise runs 8 to 12 disconnected security tools, manages three separate dashboards, retains two compliance consultants — and still faces more than 200 daily alerts. After eighteen months of spending USD 2–5 million annually, many of these organisations remained non-compliant and were still breached.[6]

The Dubai CISO quoted earlier in this briefing is not an outlier. The frustration is regional. And the architectural diagnosis is consistent: the gaps between the systems are where attackers operate, while security teams are buried in noise from inside the systems they can already see — and now have an entire new attack surface their existing tools were never designed to cover.

The way out is not another tool. It is a single platform that can see the API layer everywhere applications run — Kubernetes clusters, cloud workloads, bare metal, hybrid integrations, and the agentic action layer where AI agents, LLMs, and MCP servers invoke APIs at machine speed. The challenger vendors that solve this architecturally, rather than by stitching legacy products together, are the ones GCC CISOs are now actively evaluating.

Vaisakh T R · Founder & CEO, Prophaze · Photographed Milpitas, CA
Part Six · The Founder's Note

Why we built Prophaze the way we did — and what we're getting wrong by being too quiet about it.

When my co-founder and I started Prophaze in 2019, we did not set out to build a "next-generation WAF." We set out to solve a problem that legacy WAF vendors were structurally not going to solve — because their architectures, their pricing, and their go-to-market motions were all built around a different decade.

The decision that defined us was choosing to build Kubernetes-native from day one. Not as a deployment option. As the foundation. If your applications live in containers — and increasingly, they all do — your security has to live there too. Bolting an appliance in front of a Kubernetes cluster and calling it a WAF is, at this point, an architectural insult to the engineers running modern infrastructure.

The second decision was harder. We chose to deliver Prophaze as a fully managed offering. Not a product you buy and try to operate yourself with a stretched two-person security team. A managed service operated by people who do this all day, priced at a fraction of what the legacy WAF vendors charge for software you still have to run yourself.

The thing we have been bad at — and this briefing is part of correcting it — is telling the story of why these decisions matter in markets like Saudi Arabia and the UAE, where data sovereignty is no longer optional, hybrid infrastructure is the rule rather than the exception, and CISOs are being asked to demonstrate continuous runtime API visibility to regulators who can suspend their employer's operating licence.

If any of that resonates, the full CXO Wire interview goes deeper into the technical and architectural decisions behind Prophaze. There is no demo at the end of it. Just the story.
