AI-Driven Cybersecurity for Detecting Anomalous API Access Patterns in Distributed Applications
Abstract
Application Programming Interfaces (APIs) are the backbone of modern distributed and cloud-native applications, allowing loosely coupled services to interoperate seamlessly. Their widespread use, however, has made them much easier to attack, turning them into prime targets for stealthy, behavior-driven cyberattacks that evade traditional signature-based defenses. Current anomaly detection methods either rely on supervised learning, which requires large amounts of labeled attack data, or rely solely on unsupervised learning, which lacks the power to discriminate between classes and produces many false positives, especially under heavy class imbalance. This research presents an AI-driven Normality Fusion Hybrid Model for identifying anomalous API usage patterns in distributed systems. The proposed method uses unsupervised anomaly modeling to learn normal API access behavior and integrates deviation-aware signals into a supervised classification pipeline. An Isolation Forest models the normal behavior manifold and produces deviation scores, which are then normalized and combined with the original access features. A class-weighted Histogram-based Gradient Boosting classifier is then trained on the enriched feature space to robustly detect rare and evolving anomalies. To address the severe class imbalance, Random Over-Sampling and the Synthetic Minority Over-sampling Technique (SMOTE) are applied during training. Numerous experiments on the API Security: Access Behavior Anomaly Dataset show that the proposed model outperforms strong baseline models and contemporary state-of-the-art techniques, with an overall accuracy of 99.87%. The results show that normality-aware feature fusion greatly improves detection robustness, interpretability, and generalization, making the proposed framework suitable for real-time API security monitoring in remote settings.