AI is a broadcast security issue as well as a productivity tool. 81% of organizations in the APAC region report an API security incident in the past 12 months
For radio and tv broadcasters, publishers and podcasters, the core lesson from a new security report by online security company Akamai is that API security is essential when using AI tools. The apps, agents, models, and workflow tools behind AI all depend on APIs, but these are often poorly inventoried and therefore easier to attack. The risk sits in the connections between prompts, APIs, and your data.
Why broadcasters should care
Broadcasters are increasingly using AI for transcription, metadata tagging, archive search, promo creation, audience service, newsroom support, and workflow automation. Akamai’s research argues that this shift is expanding the attack surface: “every digital interaction — whether human, automated, or AI-driven — is now both a business opportunity and a security decision.”
That matters in radio and tv because a single compromised AI workflow can expose scripts, unreleased programming, guest data, contact databases, or internal production and playout systems. For publishers, AI attacks could inject fake content into the publishing process. Does your station publish news stories from your bulletins with embed broadcast audio on your website? That is potentially vulnerable too.
The guide also warns that organizations often do not know all the APIs already in use, including shadow APIs and AI-linked endpoints hidden inside local experiments or “skunkworks” projects. For broadcasters, that means a producer’s convenient AI plug-in or a newsroom automation script can become an unapproved bridge into sensitive systems. Akamai’s APAC study reinforces the scale of the problem, finding that 81% of organizations in the region had an API security incident in the past 12 months, while only 22% had a full API inventory and knew which APIs return sensitive data.
Main risks to stations
One of the biggest risks is prompt injection, where a malicious instruction causes an AI agent to ignore its intended rules or misuse connected tools. In a media environment, that could mean an AI assistant with access to a content management system, an archive, or a scheduling platform being tricked into deleting material, revealing confidential information, or pushing false output into production. Akamai describes this as a threat that must be handled at runtime, not just at deployment.
Another risk is the Model Context Protocol, or MCP, which the guide calls the “USB-C of AI risks” because it makes it easy for models to connect to data and tools. The danger is not MCP itself, but unmanaged or “shadow” MCP servers that are spun up without proper AppSec review. For broadcasters, that is especially relevant if teams are connecting AI to newsroom tools, shared drives, editing systems, or third-party services. The report also highlights that “traditional controls are failing” because AI-assisted development often prioritizes speed over security, leading to fragile APIs, weak authorization, and error leakage.
What the data says
Akamai’s global study found that 87% of organizations surveyed experienced an API-related security incident in the past year, and 42% of incidents involved APIs linked specifically to AI technology. It also reported that only 18% of organizations felt fully prepared to handle attacks involving AI-linked APIs. Those figures are a strong warning for broadcasters, because media companies often move quickly, run lean technical teams, and adopt new tools before governance catches up.
The report says API misconfiguration was the leading cause of incidents, cited by 54% of respondents, while AI bot activity surged 300% in 2025. 59% of organizations say improving visibility into AI risk is one of their highest priorities. For radio and TV operators, this points to a practical reality: security problems are more likely to appear first in the plumbing behind AI than in the chatbot interface itself.
Solutions
The first rule is simple: do not let AI tools connect directly to critical systems without a gatekeeper. Akamai recommends routing all AI-related traffic through an AI-aware gateway, using that gateway for policy enforcement, rate limiting, and credential management. Broadcasters should apply that principle to newsroom systems, media asset management, ad traffic workflows, cloud storage, and subscriber or listener databases.
Second, treat every AI agent like an identity that needs its own permissions. Akamai advises moving from simple API keys to unique agent identities with scoped permission sets. In a station environment, that means a transcription agent should not have the same access as a promo generator, and neither should have broad write access to archives or scheduling tools unless absolutely necessary. Least privilege is still the best starting point, even when the “user” is an AI agent.
Third, build guardrails around the outputs as well as the inputs. Prompt injection defense, data redaction, and agent/model guardrails to block toxic or unauthorized content should be part of those guardrails.
For broadcasters, this means screening AI-generated copy for sensitive data leakage, hallucinated facts, or language that could breach editorial standards before it reaches air, social, or the website.
Operational checklist
Start with a visibility audit. Akamai recommends behavioral discovery that creates a real-time inventory of APIs and surfaces shadow MCP servers and AI-linked endpoints that static documentation misses. Stations should map where AI is already being used, who approved it, what data it can reach, and whether that data includes personal information, contracts, credentials, or unreleased content.
Then tighten governance and testing. Akamai suggests that organizations should map AI-related APIs to ownership, repository source, and risk exposure, and use policy reviews against frameworks such as the OWASP API Security Top 10. For broadcasters, that translates into a simple rule: no AI service goes live until someone can answer who owns it, what it can access, how it is monitored, and how it can be shut off quickly.
Finally, prepare for abuse at machine speed. The guide says attackers are using the same generative AI tools as developers, but they use them to find and weaponize flaws quickly.
Media companies should monitor unusual traffic spikes, repeated failed logins, strange prompt patterns, and unexpected access to archives or production systems. That is especially important during breaking news, elections, major sports, or high-traffic live events, when security teams may be under pressure and attackers may expect less scrutiny.
Reporting and Analysis: Steve Ahern
Disclosure: Steve used AI to summarise the Akamai report before reading it in full to verify its content. He also made the graphic using AI.

