ISSUE #40 - CSF 2.0, AI gateways
A look at NIST CSF 2.0 Framework. Also, a research study on AI gateways.

Contents
Introduction
Interesting content for the week
Upcoming Conferences
Feedback & Share
Introduction
Hello. Apidays New York is running this week, and so is API Conference London. I will be at API Conference London - do say hello if you see me there.
In this week's issue, I briefly discuss the NIST CSF 2.0 framework and how it applies to API governance. I also introduce the study I am doing on AI gateways. Enjoy!
API Governance Frameworks: NIST CSF 2.0
In Issue #38 of my newsletter, I talked about conceptual API toolkits (CATs) as comprising frameworks, methodologies and toolkits for API strategy, governance, and management.
I also mentioned that I would continue by reviewing some publicly available CATs.
The first CAT I will review is the NIST Cybersecurity Framework (CSF) 2.0 (NIST1). NIST is the National Institute of Standards and Technology, a US government agency that develops standards and guidelines for various industries, including cybersecurity. Published in 2024, CSF 2.0 provides a taxonomy of high-level cybersecurity outcomes that an organisation can use to assess and prioritise cybersecurity risks. API security is a subset of cybersecurity, so although the CSF framework is aimed at cybersecurity risks it can also be applied to API security risks in the context of API governance. A few API security companies have done just that (SaltSecurity1, Traceable1).
At its core, the CSF describes desired outcomes mapped to a list of potential security controls that can be used to mitigate cybersecurity risks. The outcomes are grouped by Function, then Category, then Subcategory. CSF 2.0 lists and defines six outcomes in the Function group. In the context of API security risks, I will take the liberty of re-interpreting the goal of each outcome in the Function group as follows (substituting the words 'API' or 'API security' for 'cybersecurity'):
Govern: Establish, communicate and monitor the organisation's API risk management policies and strategy.
Identify: Identify and understand the organisation's API assets and the API security risks facing the organisation.
Protect: Introduce and use controls to manage the API risks.
Detect: Discover and analyse API security attacks.
Respond: Act on and contain API security incidents.
Recover: Restore assets and operations affected by an API security incident.
Side note: You could classify these Function outcomes into two groups - governance (the Govern function) and API risk management (the Identify, Protect, Detect, Respond, and Recover functions).
Using CSF 2.0, organisations can define outcomes for each of the given functions. For example, under the Function outcome of Protect, an organisation can define "Authentication and authorization mechanisms for all APIs have been implemented" as one of the Category outcomes.
CSF 2.0 is not a prescriptive framework. That is, it focuses on what outcomes an organisation should achieve, not how. But the NIST CSF website also provides other resources, like quick start guides (NIST2), that give guidance and examples on what organisations can do to achieve the outcomes.
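As an added illustration (my own example, not part of NIST CSF 2.0, the newsletter's source material or any vendor's mapping), the Python sketch below shows how the Function/outcome structure can drive an API risk assessment: each API in a constructed inventory is checked against API-flavoured outcome statements grouped by Function, coverage is reported per Function, and the APIs with the most unmet outcomes are ranked first. Only the Function names come from CSF 2.0; the outcome statements, the inventory fields, the check logic and the "external exposure counts double" weighting are assumptions of this example.

```python
from typing import Callable

# Constructed inventory of three APIs (sample data, not real systems).
API_INVENTORY = [
    {"name": "orders-api", "owner": "payments", "exposure": "external",
     "auth": "oauth2", "rate_limited": True, "access_logging": True, "restore_runbook": True},
    {"name": "legacy-reports", "owner": "", "exposure": "external",
     "auth": "none", "rate_limited": False, "access_logging": False, "restore_runbook": False},
    {"name": "inventory-internal", "owner": "supply-chain", "exposure": "internal",
     "auth": "api-key", "rate_limited": False, "access_logging": True, "restore_runbook": False},
]

Check = Callable[[dict], bool]

# Outcome statements keyed by CSF 2.0 Function. The statements are this example's own
# API-flavoured wording (as the newsletter does), not NIST's Category/Subcategory text.
OUTCOMES: dict[str, list[tuple[str, Check]]] = {
    "Identify": [("API has a named owner", lambda a: bool(a["owner"]))],
    "Protect": [
        ("Authentication and authorization mechanisms implemented",
         lambda a: a["auth"] in {"oauth2", "mtls"}),
        ("Rate limiting enforced", lambda a: a["rate_limited"]),
    ],
    "Detect": [("Access logging enabled", lambda a: a["access_logging"])],
    "Recover": [("Restore runbook exists", lambda a: a["restore_runbook"])],
}


def assess(apis, outcomes=OUTCOMES):
    """Return {function: [(api_name, outcome_statement), ...]} for every unmet outcome."""
    gaps = {fn: [] for fn in outcomes}
    for api in apis:
        for fn, checks in outcomes.items():
            for statement, check in checks:
                if not check(api):
                    gaps[fn].append((api["name"], statement))
    return gaps


def coverage(apis, outcomes=OUTCOMES):
    """Fraction of (API, outcome) pairs that are met, per Function."""
    result = {}
    for fn, checks in outcomes.items():
        total = len(apis) * len(checks)
        met = sum(1 for api in apis for _, check in checks if check(api))
        result[fn] = round(met / total, 2) if total else 1.0
    return result


def prioritise(apis, outcomes=OUTCOMES):
    """Rank APIs by number of unmet outcomes; externally exposed APIs are weighted double."""
    scores = []
    for api in apis:
        unmet = sum(1 for checks in outcomes.values() for _, check in checks if not check(api))
        weight = 2 if api["exposure"] == "external" else 1
        scores.append((api["name"], unmet * weight))
    return sorted(scores, key=lambda s: (-s[1], s[0]))


if __name__ == "__main__":
    for fn, fraction in coverage(API_INVENTORY).items():
        print(f"{fn:<9} coverage {fraction:.0%}")
    for name, score in prioritise(API_INVENTORY):
        print(f"{name:<20} risk score {score}")
    for fn, items in assess(API_INVENTORY).items():
        for api_name, statement in items:
            print(f"GAP [{fn}] {api_name}: {statement}")
```

The useful property here is that the outcome statements stay declarative: a team can add or reword an outcome under a Function without touching the assessment logic, which mirrors the way CSF 2.0 lets an organisation define its own Category outcomes rather than prescribing controls.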
In the next issue, I will review a telecom industry specific CAT.
AI Gateway Research Study
At Ikenna Consulting, we are doing a research study on AI gateways. I have collated a list of 22 AI gateways we are tracking, and from this list we are producing a separate report in which we do a deep dive on 10 of them. You can find the list here:
Apart from evaluating AI gateways, I am also running a survey and interviewing managers and practitioners who have been involved in building AI applications. The goal of this study is to research common themes, patterns, trends, tools and challenges in governing the usage of LLM-APIs in AI applications. The study will examine what patterns organisations are adopting to
Manage access to LLM-APIs
Manage the cost of LLM-API usage.
Manage the performance of LLM-APIs
Observe and monitor LLM-API usage
Manage Day-2 operations for LLM-APIs (maintenance and improvements)
Participants in the survey will get the full report and be able to benchmark themselves against others in the study. If you would like to take part in this survey, reach out to me at [email protected].
On Runtime AI governance
How Generative AI Informs Platform Engineering Strategy: This article discusses how GenAI acts as a tool for platform engineers both to build better internal developer platforms and to manage the SDLC more efficiently.
Streamline AI Usage with Token Rate-Limiting & Tiered Access in Kong: Jason Matis highlights the importance of managing AI costs and resources with token-based rate limiting, and the role of an API gateway, acting as an AI proxy, in enforcing these token rate limits and tiered access policies.
Agentic Workflow Authorisation: Bruno Pedro addresses the distinct challenge of how autonomous AI agents, operating within automated workflows, can obtain the necessary credentials and authorisation to access protected APIs.
AI and governance in the API ecosystem: Budhaditya Bhattacharya discusses AI in API governance, the increased complexity and risks with AI in APIs and essential best practices for governing AI in APIs.
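The token-based rate limiting and tiered access that the Kong article above describes can be shown with a small in-memory limiter. This is an added example written for this issue, not Kong's code or configuration: the tier names, token budgets and model names are constructed placeholders, and the pre-flight token estimate is a rough character-count heuristic standing in for the model's tokenizer. The example goes one step beyond the article's summary by showing the reconciliation step, where the gateway charges the client with the token count the upstream actually reports rather than the estimate.

```python
import time
from collections import deque

# Constructed tier policy (placeholder names and budgets, not a real gateway config):
# each tier gets a token budget per window and the set of models it may call.
TIERS = {
    "free": {"tokens_per_window": 1_000, "models": {"small-model"}},
    "pro": {"tokens_per_window": 20_000, "models": {"small-model", "large-model"}},
}


def estimate_tokens(prompt: str) -> int:
    """Rough pre-flight estimate (about 4 characters per token).
    A real gateway would run the model's tokenizer here."""
    return max(1, len(prompt) // 4)


class TokenRateLimiter:
    """Sliding-window token budget per client, checked before a request is
    forwarded and reconciled with the upstream's real token count afterwards."""

    def __init__(self, tiers, window_seconds=60):
        self.tiers = tiers
        self.window = window_seconds
        self._usage = {}  # client -> deque of (timestamp, tokens_charged)

    def _window(self, client, now):
        q = self._usage.setdefault(client, deque())
        while q and q[0][0] <= now - self.window:  # drop entries outside the window
            q.popleft()
        return q, sum(tokens for _, tokens in q)

    def check(self, client, tier, model, estimated_tokens, now=None):
        """Decide whether to forward a request. Returns (allowed, reason, remaining)."""
        now = time.monotonic() if now is None else now
        policy = self.tiers[tier]
        if model not in policy["models"]:
            return False, "model not available in tier", None
        _, used = self._window(client, now)
        remaining = policy["tokens_per_window"] - used
        if estimated_tokens > remaining:
            return False, "token budget exceeded", remaining
        return True, "ok", remaining - estimated_tokens

    def record(self, client, actual_tokens, now=None):
        """Charge the client with the token count the upstream actually reported
        (prompt + completion), which can differ from the pre-flight estimate."""
        now = time.monotonic() if now is None else now
        q, _ = self._window(client, now)
        q.append((now, actual_tokens))


def simulate():
    """Replay a constructed sequence of requests and return the gateway's decisions."""
    limiter = TokenRateLimiter(TIERS)
    decisions = []
    # t=0: free-tier client sends a ~400-token prompt to the small model
    decisions.append(limiter.check("client-a", "free", "small-model", 400, now=0))
    limiter.record("client-a", 450, now=0)  # upstream billed 450 once the completion is counted
    # t=1: the next prompt would push the client over the 1,000-token window
    decisions.append(limiter.check("client-a", "free", "small-model", 600, now=1))
    # t=1: the free tier may not call the large model at all, regardless of budget
    decisions.append(limiter.check("client-a", "free", "large-model", 10, now=1))
    # t=61: the first window has expired, so the full budget is available again
    decisions.append(limiter.check("client-a", "free", "small-model", 600, now=61))
    return decisions


if __name__ == "__main__":
    for allowed, reason, remaining in simulate():
        print(f"allowed={allowed} reason={reason} remaining={remaining}")
```

Two design points worth noting: the model allow-list is checked before the budget, so a tier restriction cannot be probed by spending tokens, and the budget is charged from the upstream's reported usage, which is what keeps cost control honest when completions run longer than the prompt suggested.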
API Governance and Delivery
Enforcing API consistency with a large team: Phil Sturgeon and Alexander Karan address the challenge of maintaining consistency across APIs developed by large teams within an organisation.
AI, APIs and the path to AI readiness: Structuring the AI supply chain for enterprise adoption: Budhaditya Bhattacharya discusses how effective preparation for artificial intelligence centres on three critical considerations, particularly for engineering and development teams, and how APIs serve as the essential connective tissue within this chain.
Robust LLM API Strategies: Retries & Fallbacks in Python: Florian Trautweiler highlights the potential difficulties of developing products that rely on external APIs for LLMs that have multi-modal capacities. The key concern raised is the reliability of these APIs, particularly when new models are released and they experience high demand.
The API Team Mantra: This article by David Biesack is a comprehensive piece on what makes APIs successful by focusing on the developer experience.
HTTP APIs Provide Awareness Around Who Is Using Your Digital Resources: Kin Lane writes about the need for organisations to protect their digital resources from being consumed by AI models without permission. He mentions why it is fundamental to control access through API Keys and rate limiting.
Upcoming API Conferences
API Conference London: The Conference for Web APIs, API Design and Management. Date: May 14th, 2025. Location: Park Plaza Victoria London, London, United Kingdom. I'll be speaking on Evolving API Governance in the Age of AI.
Postman's annual user conference: POST/CON 25. Date: June 3rd & 4th, 2025. Location: JW Marriott Los Angeles L.A. Live, Los Angeles, CA. Register Here
APIdays Helsinki: Theme: "APIs for Innovation, Intelligence, and Impact". Date: June 3rd & 4th, 2025. Location: Pikku-Finlandia, Helsinki. Register Here. I will be speaking on "Beginning Lean API Governance (with some AI help)".
APIdays Germany: Theme: "Accelerate AI Use Cases with APIs". Date: July 2nd & 3rd, 2025. Location: Smartvillage Bogenhausen, München, Germany. Register Here
APIdays London: Theme: "No AI Without APIs". Conference Date: September 22nd - 24th. Location: Convene 155 Bishopsgate, London EC2M 3YD
API Governance Consulting
Is poor API governance slowing down your delivery? Do you experience API sprawl, API drift and poor API developer satisfaction? I'll provide expert guidance and a tailored roadmap to transform your API practices.
Ikenna® Delivery Assessment: Identify your biggest API delivery pain points.
Ikenna® Delivery Canvas (IDC) & API Transformation Plan: Get a unified, data-driven view of your API delivery and governance process.
Ikenna® Improvement Cycles: Instil a culture of scientific, measurable progress towards API governance.
Ikenna® Governance Team Model: Set up and improve your governance team to sustain progress.
Ikenna® Delivery Automation Guidance: Reduce lead time and improve API quality through automation.
Schedule your consultation here.
Feedback & Share
I appreciate your feedback. Please help me improve this newsletter by filling out this 1-minute survey. If you find my newsletter useful, please forward and share it with a friend.