AI applications are rapidly evolving from simple chat interfaces into agent-driven systems. These modern “agentic” applications don’t just call APIs—they discover capabilities, orchestrate workflows, and execute actions across many tools and services, often dynamically and at runtime.
Security models, however, are still largely built for static applications with predictable traffic patterns and are working feverishly to catch up to this meteoric evolution as quickly as possible.
This evolution, though, fundamentally changes the role of long-standing security controls like API discovery, detection, and protection, and web application firewalls (WAFs). In an agentic world, these controls are no longer just “perimeter defenses.” They increasingly function as control planes for AI application security—providing the visibility, policy enforcement, and runtime constraints required when agents can decide what to do next.
“In agentic AI architectures, a WAF is no longer just a defender of web-based applications. It is now also a policy enforcement point for high-volume, machine-to-machine traffic.”
AI applications are API-centric by design
At a technical level, nearly every AI application is an API composition engine.
Common API categories include:
- Model APIs: LLM inference endpoints
- Retrieval APIs for retrieval-augmented generation (vector databases, search services, document stores)
- Tool/action APIs: ticketing, email, code execution, CRM, payments, etc.
- Streaming APIs: secure socket engine (SSE), WebSockets, gRPC streaming
- Orchestration and policy APIs: agent routers, workflow engines, guardrail services
As agents mature, they shift from static integration to runtime capability discovery—selecting tools based on what’s available and relevant in the moment. The Model Context Protocol (MCP) is an example of this: it standardizes how AI systems discover and invoke tools through a consistent API surface.
This API-centric architecture makes API visibility and control non-negotiable. When an application can dynamically expand what it can do, a security team must be able to see and govern those expansions in near real time.
The role of API discovery in AI applications
It’s a known rule of thumb: No organization can protect what they cannot see. But this is especially true when an agent can dynamically explore and leverage APIs. This is why API discovery and classification are a necessity today.
API discovery and classification offer continuous visibility into which API endpoints exist, including newly introduced endpoints. They provide insight into the HTTP request methods being used (e.g. GET vs. POST vs. PUT, etc.). They help to determine the schemas and payload shapes that are in play as well as which clients, agents, and services are calling which APIs. And they help to define how the API landscape, and therefore the threat surface, changes over time.
for MCP servers and other AI control APIs—software interfaces that manage, secure, and govern interactions between applications and AI models—API discovery delivers important security value. API discovery can detect unexpected routes or tool descriptors, including capabilities or data that shouldn’t exist or shouldn’t be exposed. It helps to identify shadow and undocumented APIs, which agents or developers may inadvertently use. And it baselines normal agent behaviors, such as what typical usage, rate, and sequencing acts like.
In a dynamic AI environment, API discovery is simply an inventorying exercise. It has become a runtime security signal distinguishing between normal and intended behavior and API lifecycle mismanagement, including API drift, misuse, sensitive data exposure or compromise.
The role of WAFs in AI applications
Once an organization has visibility into what really exists, and what and how it is being used, policies can be created and enforced. In agentic AI architectures, a WAF is no longer just a defender of web-based applications. It is now also a policy enforcement point for high-volume, machine-to-machine traffic.
For MCP endpoints and AI backends, a WAF can enforce strict API boundaries, permitting only known paths, methods, and content types. A WAF will also address protocol correctness, blocking request smuggling, malformed requests, header tricks, and upgrade and streaming abuse.
Authentication and session enforcement is also addressable via a WAF, ensuring identity is validated before privileged tool requests begin. WAFs deliver abuse and enumeration resistance, detecting scans, probes, automated endpoint discovery, and suspicious exploration patterns. WAFs will also provide rate and connection control, helping to mitigate resource exhaustion and denial-of-wallet attacks exploiting costly model and tool calls.
Another key advantage of WAFs is that enforcement occurs before traffic reaches the AI runtime, orchestration layer, or downstream tools, where mistakes become expensive, dangerous, or irreversible.
Rapidly securing agentic AI applications
Today’s agentic AI can turn an application into a dynamic orchestrator of APIs, making well-known static perimeter security insufficient when deployed by itself. API discovery can enable continuous visibility and behavioral baselining across this fast-changing landscape.
It’s the same landscape where WAFs are quickly evolving into frontline policy enforcement points for machine-to-machine agent traffic, constraining what and where agents can reach, their communications, and what and how much they’re able to consume. It’s a landscape where API discovery and WAFs can apply practical controls to secure agentic AI systems as fast as their capabilities and integrations change at runtime.
To learn more, please visit F5.com and our solution pages on F5 WAF solutions and F5 API Security products and services.
About the Author
Related Blog Posts
The patch window has closed. Here is how F5 is built for what comes next.
As AI models have changed software security, the industry needs to adapt.
Responsible AI: Guardrails align innovation with ethics
AI innovation moves fast. But without the right guardrails, speed can come at the cost of trust, accountability, and long-term value.
Best practices for optimizing AI infrastructure at scale
Optimizing AI infrastructure isn’t about chasing peak performance benchmarks. It’s about designing for stability, resiliency, security, and operational clarity
Datos Insights: Securing APIs and multicloud in financial services
New threat analysis from Datos Insights highlights actionable recommendations for API and web application security in the financial services sector
Secrets to scaling AI-ready, secure SaaS
Learn how secure SaaS scales with application delivery, security, observability, and XOps.
How AI inference changes application delivery
Learn how AI inference reshapes application delivery by redefining performance, availability, and reliability, and why traditional approaches no longer suffice.