What do organizations tend to overlook when it comes to API gateway security, based on your experience?
API gateway security is considered a complex task to take on. But if you take minimal steps, at least you can stop unwanted issues at the API layer.
1. AAA - Authentication, Authorization and Accounting - a basic yet powerful aspect
Authenticate a user using tokens, or a user name and password
Authorize only users that should have access to a particular API
Account for the users who have used your API and log them well
2. RBAC - Though it's related to accounting itself, again a powerful measure of your system's penetration
3. API gateways - Can be tricky if you implement custom gateways, so pick off-the-shelf ones like AWS API Gateway, Kong, etc.
User and access management, often underestimated, poses significant risks in API gateway security.

In addition to what other members have commented, it is often enforcing the same level of security for internal consumers as for external consumers.
Due to various reasons such as the complexity, cost, effort and time required to implement robust security, relaxed rules are enforced for internal consumers, e.g. always trusting connections from a set of internal IPs, always trusting certain logins, allowing non-third-party certificates to be used for establishing secure connections, etc.
This can lead to unforeseen attacks, unauthorized access, and other security-related issues from within the organization.
So a balanced set of security rules needs to be applied to both external and internal consumers.
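The two points above (AAA plus per-route RBAC from the first answer, and not relaxing those checks for internal callers from the last one) fit in one small gateway policy function. The block below is an added example written for this page; it is not code from any of the commenters or from a product such as Kong or AWS API Gateway. The HMAC-signed bearer token stands in for a JWT from an identity provider, the `POLICY` table and the `10.0.0.0/8` and `192.168.0.0/16` "internal" ranges are constructed for the demo, and `AUDIT_LOG` is an in-memory stand-in for a real log sink. The `trust_internal` flag reproduces the relaxed "always trust internal IPs" rule so it can be compared with the default, where internal and external callers go through the same checks.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# Constructed demo key. Assumption: a real gateway keeps its signing key
# (or the IdP's public key) in a KMS / secret store, never in source.
SECRET = b"constructed-demo-secret-do-not-reuse"

# RBAC policy: (method, path) -> roles allowed to call that route. Constructed.
POLICY = {
    ("GET", "/orders"): {"customer", "ops"},
    ("DELETE", "/orders"): {"ops"},
}

# Ranges an organisation might be tempted to "always trust". Constructed.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Accounting: every decision is appended here (stand-in for a real log sink).
AUDIT_LOG = []


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def issue_token(subject, roles, ttl=300, now=None):
    """Mint a minimal HMAC-signed bearer token (stand-in for an IdP-issued JWT)."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "roles": sorted(roles), "exp": int(now + ttl)}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) < now:
        return None
    return claims


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def gateway_decision(method, path, headers, client_ip, trust_internal=False, now=None):
    """Authenticate, authorize and account for one request; returns (status, reason).

    trust_internal=True reproduces the relaxed rule: anything from an internal
    IP skips AuthN/AuthZ. The default (False) treats every caller the same.
    """
    def record(status, reason, subject):
        AUDIT_LOG.append({"ip": client_ip, "method": method, "path": path,
                          "sub": subject, "status": status, "reason": reason})
        return status, reason

    if trust_internal and is_internal(client_ip):
        # Weak setting: no identity, so the audit entry cannot say who called.
        return record(200, "internal-bypass", None)

    # AuthN: a valid, unexpired bearer token is required from every caller.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return record(401, "missing-token", None)
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return record(401, "invalid-token", None)

    # AuthZ: per-route RBAC.
    allowed = POLICY.get((method, path))
    if allowed is None:
        return record(404, "unknown-route", claims["sub"])
    if not allowed & set(claims.get("roles", [])):
        return record(403, "role-denied", claims["sub"])

    return record(200, "ok", claims["sub"])


if __name__ == "__main__":
    t0 = 1_700_000_000
    ops = issue_token("alice", {"ops"}, now=t0)
    cust = issue_token("bob", {"customer"}, now=t0)
    print(gateway_decision("DELETE", "/orders", {}, "10.1.2.3", trust_internal=True, now=t0))
    print(gateway_decision("DELETE", "/orders", {}, "10.1.2.3", now=t0))
    print(gateway_decision("DELETE", "/orders", {"Authorization": "Bearer " + cust}, "203.0.113.9", now=t0))
    print(gateway_decision("DELETE", "/orders", {"Authorization": "Bearer " + ops}, "10.1.2.3", now=t0))
```

Running the `__main__` block shows the contrast: with `trust_internal=True` an unauthenticated `DELETE /orders` from `10.1.2.3` is accepted and the audit record has no subject, while with the default setting the same request is rejected with 401, a customer token gets 403 on the same route, and an ops token gets 200 with the caller's identity logged. The `now` parameter exists only to make expiry checks deterministic in tests.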