Most consuming applications use an HTTP-based API to access server resources. The application server only understands what data it received; it does not know when, how, by whom, where, or why that data was generated. It accepts submitted data as long as the expected authentication data and certificates are presented.
If the data can be manipulated at the client level, there is effectively zero security. Manipulating it is simple when either the data or the application is static.
Nowadays most client applications running on mobile or desktop are written in Java, .NET, etc. They can be decompiled and modified to extract certificates, authentication data, encryption keys, etc. This stolen data can then be used to carry out fraudulent transactions against the APIs. Most security checks performed at the application level can be disabled.
Once the API url and payload structure is known, any application can consume the API by simply passing the appropriate payload.
Similarly, AJAX calls are clearly visible in web pages and in the browser inspector. These calls can be modified by bots or browser add-ons before they are submitted.
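The point the preceding paragraphs make is that anything the client sends (prices, totals, account identifiers, even a key extracted from a decompiled app) is untrusted input, so the server must recompute or look up every value it can and reject what it cannot verify. The following is an added example, not code from the original post, contrasting an order handler that trusts the client's payload with one that derives the authoritative values server-side. The catalogue, account table, user names and payloads are constructed for illustration.

```python
import json

# Constructed server-side data; in a real service these come from the database.
CATALOGUE = {"sku-100": 49.99, "sku-200": 5.00}      # sku -> unit price
ACCOUNT_OWNER = {"acct-1": "alice", "acct-2": "bob"}  # account -> authenticated user


def handle_order_trusting_client(user, payload):
    """Vulnerable: charges whatever total and account the client supplies.

    A decompiled app or a modified AJAX request can set total=0.01 or point
    the charge at someone else's account and the server will accept it.
    """
    order = json.loads(payload)
    return {"charged": order["total"], "account": order["account"]}


def handle_order_server_side(user, payload):
    """Hardened: recompute everything the server can know; reject the rest.

    Only sku, qty and account are read from the client, and each is checked
    against server-side state. Client-supplied price/total fields are ignored.
    """
    order = json.loads(payload)
    sku = order.get("sku")
    qty = order.get("qty")
    account = order.get("account")

    # Validate the identifier and the quantity against server-side rules.
    if sku not in CATALOGUE:
        raise ValueError("unknown sku")
    if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= 100:
        raise ValueError("quantity out of range")

    # Authorization is decided from the authenticated identity, not the payload.
    if ACCOUNT_OWNER.get(account) != user:
        raise PermissionError("account does not belong to caller")

    # The price is looked up and the total recomputed; the client's numbers are never used.
    total = round(CATALOGUE[sku] * qty, 2)
    return {"charged": total, "account": account}


# Constructed tampered request: a real price of 49.99 x 2 rewritten to 0.01,
# and the charge redirected to an account the caller does not own.
TAMPERED = json.dumps({"sku": "sku-100", "qty": 2, "total": 0.01, "account": "acct-2"})
HONEST = json.dumps({"sku": "sku-100", "qty": 2, "account": "acct-1"})

if __name__ == "__main__":
    print("trusting client:", handle_order_trusting_client("alice", TAMPERED))
    try:
        handle_order_server_side("alice", TAMPERED)
    except PermissionError as exc:
        print("server-side check rejected tampered request:", exc)
    print("server-side:", handle_order_server_side("alice", HONEST))
```

The hardened handler does not try to detect that the client was modified; it simply never relies on anything the client could have changed. That is the practical consequence of "the server does not know who, where or why": authorization and amounts must be derived from server-side state and the authenticated session, not from the request body.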
Because APIs are this easy to exploit and organizations have no way to detect the exploitation, this becomes a very big threat.
This puts every business and every application at unlimited risk.
"By 2022, API abuses will be the most frequent attack vector resulting in data breaches for enterprise applications" – The Gartner Group.