
AI Agents Don't Use Your App. They Hit the API.

A conversation with Darren Shelcusky on what changes when the caller isn't a person — and why a decade of security investment sits at the wrong layer.

Featuring Darren Shelcusky · API Security · 45 years at Ford

Last week I sat down with Darren Shelcusky to kick off this new series on AI security. Darren spent forty-five years at Ford. He architected API security across thirty million vehicles and forty-five thousand endpoints. When he talks about how security models break under AI, it isn't theory.

AI agents don't use your application. They go right to the APIs.

That sentence renegotiates a decade of security thinking, and most teams haven't realized it yet. Here's what stuck.


The app is the experience. The API is the business logic.

Modern applications are a customer experience built on top of APIs that expose the actual business capability. The mobile app, the web page, the Alexa interface — those are the windows. The APIs are the rooms. For fifteen years we built security into the windows: login flows, rate limits, bot detection, input validation, CAPTCHAs, WAFs — all at the experience layer, because that's the layer humans touch. Then the caller changes.

AI agents skip the application entirely.

The agent is software talking to software. No button to click, no login flow. It hits the API the same way your own mobile client does — faster, tireless, indifferent to the UI controls you spent five years tuning. Every app-layer check, every "is this user an admin" guard, fails to fire. The work moves down a layer: authentication, authorization, rate limiting, anomaly detection and audit logging now have to exist at the API, where they largely don't.

BOLA didn't go away. AI just made it impossible to ignore.

Broken Object Level Authorization has been the #1 OWASP API vulnerability since 2019. Six years and counting.

BOLA is real easy to test. The problem is people don't test it.

The frameworks exist; teams don't run them. By hand, exploiting it is tedious — iterating object IDs one at a time. Agents aren't tedious: enumerate at machine speed, ask cleanly for the full customer catalog, no coffee breaks. The vuln we lived with because it was annoying to exploit is now annoying to not exploit.
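As an added illustration (not code from the conversation or from any Ford system), here is what the "real easy to test" part looks like in Python against a hypothetical order-lookup handler: the vulnerable version authenticates the caller but never checks who owns the object, the fixed version does, and `bola_leaks` is the object-level authorization check a test suite could run for every caller identity. The order data and identities are constructed for the example.

```python
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample data: three orders belonging to two customers.
ORDERS: Dict[int, dict] = {
    101: {"owner": "alice", "total": 42.00},
    102: {"owner": "bob", "total": 17.50},
    103: {"owner": "alice", "total": 99.99},
}

class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""

def get_order_vulnerable(caller: Optional[str], order_id: int) -> dict:
    """BOLA: checks that *someone* is logged in, never that the object is theirs."""
    if caller is None:
        raise Forbidden("unauthenticated")
    return ORDERS[order_id]          # KeyError if the id does not exist

def get_order_secure(caller: Optional[str], order_id: int) -> dict:
    """Fixed: the object-level check ties the record to the authenticated caller.
    'Missing' and 'not yours' get the same answer, so foreign ids are not confirmable."""
    if caller is None:
        raise Forbidden("unauthenticated")
    order = ORDERS.get(order_id)
    if order is None or order["owner"] != caller:
        raise Forbidden("not found")
    return order

def bola_leaks(handler: Callable[[Optional[str], int], dict],
               caller: str, object_ids: Iterable[int]) -> List[int]:
    """Authorization test: call `handler` as `caller` over every id and return
    the ids of records returned that `caller` does not own.
    An empty list means the handler enforces object-level authorization for that caller."""
    leaks: List[int] = []
    for oid in object_ids:
        try:
            record = handler(caller, oid)
        except Forbidden:
            continue                 # denied: the correct outcome for a foreign object
        except KeyError:
            continue                 # id does not exist
        if record["owner"] != caller:
            leaks.append(oid)
    return leaks

if __name__ == "__main__":
    ids = range(100, 110)
    print("vulnerable handler leaks:", bola_leaks(get_order_vulnerable, "bob", ids))  # [101, 103]
    print("secure handler leaks:", bola_leaks(get_order_secure, "bob", ids))          # []
```

Running `bola_leaks` for each identity your API recognises, on every object-returning endpoint, is the test the frameworks automate and teams skip.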

One agent. Five identities. Zero audit trail.

Identity confusion is huge.

You vibe code an agent, log in as yourself. The agent calls an MCP server — its own identity, or yours? The MCP server calls internal APIs — under whose identity? At every hop the identity blurs. Five identities, one logical action, and the audit log can't tell you which one did the thing. A new operating condition: the identity model was built for humans calling services, and agents collapse it.

Prompt injection is phone phreaking, again.

The 1970s: Captain Crunch blew a cereal-box whistle into a phone receiver for free long distance, because the network carried control signals on the same channel users spoke over. Fake the signal, own the system. The fix took years — separate the control channel from the data channel. LLMs today put instructions and data on one channel; a malicious instruction hides inside what was supposed to be data (an email, a document, a tool response). We haven't separated the channels. We're in 1972, blowing the whistle.

From fun to secure: the 10x to 100x gap.

Vibe coding made zero-to-fun essentially free — spin up an agent in an afternoon. Keeping it inside the guardrails is 10x the work to make robust, 100x to make secure. The demo is the easy part; production-grade, attack-resistant is the part nobody budgets for, because the demo looked done. The gap between "this works" and "this works under attack" is where the next wave of incidents lives.

What it adds up to

A decade of security investment is concentrated at a layer the attacker no longer uses. Not wasted — humans still come in the front door. But the marginal attacker is no longer human: fast, never bored, five identities at once, walking straight past everything you built into your application. The work moves down a layer. Same lessons, relearned at the API.

Featured speaker

Darren Shelcusky — API Security · 45 years at Ford. Architected API security across thirty million vehicles and forty-five thousand endpoints; joined to open this series on what changes when the caller is an agent, not a person.
