Business Risk Analytics for API-Driven Digital Platforms: Measuring Mass Assignment Exposure in Developer Workflows
Abstract
API-driven digital platforms turn business processes into programmable services, but in doing so they expose sensitive workflow state through request-response interfaces. Mass assignment exposure occurs when a server binds user-supplied fields directly to internal model objects without field-level control, allowing a client to change roles, balances, ownership, verification state, or workflow status that the endpoint was never meant to accept. This study develops a business risk analytics framework for measuring such exposure in developer workflows. The proposed Mass Assignment Exposure Index combines static indicators (direct entity binding, sensitive-field setters, validation gaps, deserializer tolerance, cascade propagation, and service-layer copy logic) with dynamic evidence from schema-aware injection tests. The Workflow Business Risk Score then weights that exposure by asset value, identity sensitivity, regulatory impact, and remediation friction. A numerical evaluation over three benchmark project classes and eight high-risk endpoint candidates shows that the hybrid analytics narrows the set requiring immediate action from eight static candidates to three confirmed high-impact exposures, while retaining a backlog for fragile designs that static analysis alone would flag. Scenario analysis indicates that a hybrid risk policy prevents confirmed exposure without the workflow disruption produced by a static-only release gate. The findings contribute to business and data analytics by converting API security telemetry into decision-oriented risk measures for release governance, internal audit, and platform control design.
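To make the two halves of the abstract concrete, the following Python example (added here, not code from the paper or any project it evaluates) contrasts the direct entity binding that creates mass assignment exposure with an allowlisted binder, and then runs a schema-aware injection probe of the kind the dynamic evidence is drawn from: for each sensitive field outside the endpoint's declared schema, it submits a valid body plus that field and records whether the binder applied it. The `Account` model, the `PROFILE_SCHEMA` allowlist, and the set of sensitive field names are assumptions chosen for illustration.

```python
"""Added example: direct entity binding vs. an allowlisted binder, plus a
schema-aware injection probe. Model and field names are assumed, not from the paper."""
from dataclasses import dataclass, fields
from typing import Any, Callable

# Assumed set of business-critical fields a profile endpoint must never bind.
SENSITIVE_FIELDS = {"role", "balance", "owner_id", "verified", "status"}


@dataclass
class Account:
    """Assumed internal entity with both editable and sensitive workflow state."""
    id: int
    email: str
    display_name: str
    role: str = "user"
    balance: float = 0.0
    owner_id: int = 0
    verified: bool = False
    status: str = "pending"


def bind_direct(account: Account, payload: dict[str, Any]) -> Account:
    """Vulnerable pattern: every key in the request body that matches an
    attribute is written straight onto the entity (direct entity binding)."""
    for key, value in payload.items():
        if hasattr(account, key):
            setattr(account, key, value)
    return account


# Assumed schema for a "update my profile" endpoint: only these may be bound.
PROFILE_SCHEMA = {"email", "display_name"}


def bind_allowlisted(account: Account, payload: dict[str, Any],
                     allowed: set[str] = PROFILE_SCHEMA) -> Account:
    """Hardened pattern: fields outside the endpoint schema are rejected outright
    rather than silently ignored, so a probe is visible in error telemetry."""
    unknown = set(payload) - allowed
    if unknown:
        raise ValueError(f"rejected fields: {sorted(unknown)}")
    for key in allowed & set(payload):
        setattr(account, key, payload[key])
    return account


def _mutate(value: Any) -> Any:
    """Produce a value that differs from the current one so a write is observable.
    bool is checked before int because bool subclasses int."""
    if isinstance(value, bool):
        return not value
    if isinstance(value, (int, float)):
        return value + 1000
    return f"{value}_injected"


def injection_probe(binder: Callable[[Account, dict[str, Any]], Account],
                    schema: set[str]) -> dict[str, bool]:
    """Schema-aware injection test: for each sensitive field the schema does not
    declare, send a valid body plus that field and report whether it was applied.
    A True entry is confirmed dynamic evidence of mass assignment exposure."""
    results: dict[str, bool] = {}
    candidates = {f.name for f in fields(Account)} & SENSITIVE_FIELDS
    for name in sorted(candidates - schema):
        account = Account(id=1, email="a@example.com", display_name="A")
        probe_value = _mutate(getattr(account, name))
        body = {"display_name": "probe", name: probe_value}  # constructed request
        try:
            binder(account, body)
        except ValueError:
            results[name] = False      # rejected at the boundary
            continue
        results[name] = getattr(account, name) == probe_value
    return results


if __name__ == "__main__":
    print("direct binding :", injection_probe(bind_direct, PROFILE_SCHEMA))
    print("allowlisted    :", injection_probe(bind_allowlisted, PROFILE_SCHEMA))
```

The probe only reports fields that were actually written, which is the distinction the abstract draws between a static candidate (a setter exists) and a confirmed exposure (an out-of-schema write succeeds); a binder that ignored unknown keys would also score False here but would hide the probing client from error logs, which is why the hardened version rejects instead.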
