Contents

• Heading to FOST / Apidays Paris Conference

• Interesting content for the week

• Feedback & share

• Upcoming conferences

• My services: API governance consulting

Heading to FOST / Apidays Paris Conference

Welcome to another issue of the newsletter!

I'm heading to the FOST Conference (Apidays Paris) next week, where I'll be speaking on Thursday, December 11th. My presentation is titled: "IGT-AI: A Governance Framework for Evaluating AI and MCP Gateways."

If you're attending, please connect with me! I’m interested in hearing what you are working on, especially in API governance, API platform teams. I can also share with you the latest research I'm conducting on AI and MCP Gateways.

In the meantime, enjoy this week's content.

Interesting content for the week

Runtime AI Governance

Kong AI Gateway and the EU AI Act: Compliance Without the Rewrites: Jordi Fernandez Moledo, offers a solution for enterprises grappling with the new EU AI Act. The suggested approach enables global enforcement of compliance policies at the edge, negating the need for individual development teams to rewrite their applications to meet the rigorous regulatory mandates.

AI Sovereignty: Why Control Is Your Ultimate Operating Leverage: Sudeep Goswami argues that in the age of rapid AI adoption and 'AI Sprawl,' enterprises must prioritise AI Sovereignty. He stresses that control should not be mistaken for mere data residency or vendor-managed solutions.

Why MCP Shouldn’t Wrap an API One-to-One: Kristopher Sandoval critiques the anti-pattern of directly wrapping a REST API one-to-one with the Model Context Protocol (MCP). Sandoval argues that MCP is an interface for intent, designed for AI agents that reason about tasks, not complex URIs and orchestration. Simply mirroring the API forces the agent to navigate the same complexities a human developer would, defeating the purpose of the protocol.

Find the Invisible: Salt MCP Finder Technology for Proactive MCP Discovery: Eric Schwake introduces Salt MCP Finder, a new system designed to address the "massive blind spot" created by the operationalisation of Agentic AI.

MCP’s Next Phase: Inside the November 2025 Specification: Dave Patten, analyses the latest Model Context Protocol (MCP) update, explaining that the changes move MCP beyond simple synchronous tool calling to support secure, governed, and long-running workflows, essential for accountability and operational trust in production systems, even though challenges such as identity and provenance still require resolution.

API Governance

When DDoS Meets Agentic AI: How Autonomous Bots Amplify Volumetric Attacks: Itay Raviv, highlights the dangerous evolution of Distributed Denial of Service (DDoS) attacks with the weaponisation of Agentic AI. Raviv explains that unlike static, fixed-script botnets, these new autonomous agents adapt their vectors, blend attack layers, and self-optimise in real time, making them resilient to traditional, pattern-matching defences. He stresses that this shift necessitates the adoption of intelligent, autonomous defence mechanisms.

How to Automatically Generate Dozens of Test Cases with One Click in Apidog Using AI: Oliver Kingsley explains how Apidog’s new AI feature drastically improves the efficiency of API testing by automatically generating comprehensive test cases. The AI-powered tool leverages the API specifications to intelligently produce and categorise dozens of test cases instantly, allowing testers to run and validate them immediately.

How to gracefully handle resource variants in your REST API: Bruce Hill, addresses the challenge of handling resource variants in evolving REST APIs, particularly when different variants (like AI models) require unique configurations. Hill explores four common API design shapes are explored to help developers balance type clarity, maintainability, and SDK ergonomics when evolving a single endpoint into a more complex structure.

Scoring APIs for the Age of AI : Erik Wilde discusses the critical need for improving API quality in the age of AI agents. Citing a conversation with Frank Kilcommins, Wilde explains that AI systems rely heavily on APIs that express clear intent and consistent semantics, something traditional API design often neglects. He presents a six-dimensional model for scoring APIs to help organisations assess and improve their AI readiness. Find the AI Readiness Scorecard here.

What Is OpenFGA?: Kristopher Sandoval explores OpenFGA, a Linux Foundation incubation project inspired by Google's Zanzibar, which aims to make fine-grained, relationship-based authorization (ReBAC) scalable and predictable.

The Reality of API Programs: David Biesack, shares his insights on achieving genuine API maturity in an interview format. Biesack debunks the "API-first" paradox, asserting that the business problem must always come first.

TypeScript forward compatibility and fault tolerance: The David Adler addresses how Speakeasy’s SDKs manage the inevitable issue of API evolution and specification drift, particularly in TypeScript.

Feedback & Share

Upcoming conferences

Apidays Paris: Apidays Paris sparks essential conversations on data security, digital sovereignty, and sustainable innovation in the age of intelligent systems. Date: 9 - 11 December 2025 Location: CNIT Forest, Paris.

My Services: API Governance Consulting