Issue #50 - Fostering an API Culture: API Strategy

Fostering an API Culture: API Strategy. America's AI Action Plan. Updates from Postman, Speakeasy, and ApiShare.

Contents

  • Introduction

  • Quote from America’s AI Action Plan

  • IGT-API Principle 3: API Culture

  • Interesting Content for the Week

  • Product Updates/New Releases

  • Feedback & Share

  • Upcoming Conferences

Introduction

I hope you are enjoying the summer. America’s AI Action Plan was published two weeks ago, and I found in it an interesting quote that I have included in this issue (with emphasis on a phrase I think is worth calling out). I go on to discuss the third principle in my governance toolkit, and as usual bring you some interesting API tool updates and article links. Enjoy!

Quote from America’s AI Action Plan

“Today, the bottleneck to harnessing AI’s full potential is not necessarily the availability of models, tools, or applications. Rather, it is the limited and slow adoption of AI, particularly within large, established organizations. Many of America’s most critical sectors, such as healthcare, are especially slow to adopt due to a variety of factors, including distrust or lack of understanding of the technology, a complex regulatory landscape, and a lack of clear governance and risk mitigation standards. A coordinated Federal effort would be beneficial in establishing a dynamic, ‘try-first’ culture for AI across American industry.”

- America’s AI Action Plan, published July 23, 2025. (Emphasis mine)

IGT-API Principle 3: API Culture

In previous posts on the Ikenna Governance Toolkit for APIs (IGT-API), I've discussed the first two principles: mapping your production API workflow and your consumption API workflow. By systematically mapping the lifecycles of API creation and consumption, organisations can pinpoint bottlenecks and improve the developer experience. Today, I'll dive into the third principle of the IGT-API: foster an API culture. This principle involves five key components:

  1. Defining and communicating your API strategy.

  2. Defining an API governance group to own and facilitate improvements to the API standards.

  3. Using an API community of practice to communicate best-known API practices and to get feedback on API standards.

  4. Providing training on your in-house API standards, practices, and tools.

  5. Defining API delivery scorecards: a structured, quantifiable way to assess whether APIs meet the defined standards.

While I will unpack each of these components over future posts, this issue will focus on the first: defining and communicating your API strategy.

Define and Communicate your API strategy

An API strategy is a high-level plan for how an organisation will design and manage its APIs. It must be aligned with both the business goals and the enterprise architecture. A robust API strategy should have three key components.

The first is that it should be aligned with a clearly defined business objective. For example, the business objective could be expanding partnerships or creating new revenue streams.  

The second component of the API strategy is that it should also articulate the current challenge to delivering that business value. This challenge is what Richard Rumelt, in his book The Crux, calls the central challenge or 'crux' of the strategy [1]. As Professor Rumelt explains, 'Skilled strategists are happy to look at analysis and data, but they are also able to identify and focus on a critical challenge or opportunity and then create a way to address it.' (Emphasis mine).

For example, NHS England’s vision is to improve health and care services [2]. But the challenge they faced with their API program was that integration in the health industry is hard. Navin Bose, Senior Product Manager at NHS England, described this central challenge, explaining, "Integration is hard from a product perspective...; there are a myriad of health industry software products that need to be integrated with. Product vendors ask how integration with NHS England will fit with their product and what their product needs to do with their customers. It is hard from a clinical perspective (how do we represent allergies and medical records?). It is hard from a safety and information governance perspective. It is also hard to make the case for change" [2].

And so a key goal of their strategy was to make integration easier for everyone who wants to connect to their platforms and services, whether they were large software houses or small start-ups [3]. They had six "make it easier" principles relating to their APIs [3]:

  • make learning easier

  • make design and build easier

  • make testing easier

  • make onboarding easier

  • make help and support easier

  • make building APIs easier

The third component of API strategy I want to highlight is that it should define the governance model that supports the strategy. This should include guidelines, policies, processes, roles, and best practices to support the strategy.

In the next issue, we'll dive deeper into the roles required to support an API culture, focusing specifically on how to establish an effective API governance group.

References

  1. R. Rumelt, “The Crux: How Leaders Become Strategists.” London, UK: Profile Books, 2022.

  2. BJSS Ltd, “NHS England API Platform,” YouTube. Jun. 12, 2024. [Online]. Available: https://www.youtube.com/watch?v=KcAUXoPvJVk

  3. NHS England, “API management vision,” digital.nhs.uk. Accessed: Aug. 04, 2025. [Online]. Available: https://digital.nhs.uk/developer/guides-and-documentation/api-management-vision

Interesting Content for the Week

Runtime AI Governance

MCP Doesn’t Stand For “Many Critical Problems” … But Maybe It Should For CISOs: Jeff Pollard and Rowan Curran address the significant security challenges posed by the Model Context Protocol (MCP) and agent-to-agent (A2A) protocols within enterprise agentic AI systems.

Extending Object Definitions With OpenAPI's allOf: Bruno Pedro highlights the importance of using OpenAPI's allOf composition feature to manage and extend object definitions, especially to prevent repetition and facilitate object inheritance.

Why Input Validation for APIs Matters in the AI Age: J. Simpson posits that in the era of AI, traditional API security measures are no longer sufficient to combat AI-driven attacks, making robust input validation an indispensable defence. He further discusses that strict input validation is critical not only for security but also for ensuring the usefulness and reliability of API responses when interacting with AI systems.

Designing agent experience: A practical guide for the era of AX : Nolan Sullivan introduces the concept of Agent Experience (AX) as a crucial design consideration for systems that will be used by AI agents, alongside traditional User Experience (UX) and Developer Experience (DX).

How Agentic AI Is Reshaping API Self-Discovery: Nazrul Islam discusses how Agentic AI can reshape the consumption of APIs by enabling autonomous, natural language-driven discovery and execution and how it overcomes the friction caused by traditional API integrations, which often require explicit knowledge of endpoints and formats, by allowing AI to translate human intent expressed in natural language into correct API function calls.

AI Agents Are Creating a New Security Nightmare for Enterprises and Startups: In this article, Eyal Solomon explains that the rise of autonomous AI agents creates a new security paradigm where traditional network security, which focuses on inbound API traffic, is no longer sufficient.

Securing Enterprise AI: OWASP Top 10 LLM Vulnerabilities Guide: Michael Field presents the OWASP Top 10 for LLM Applications 2025 as the authoritative guide for understanding the unique security threats posed by LLMs, such as Prompt Injection and Sensitive Information Disclosure. The article argues that traditional security measures are inadequate and positions Kong AI Gateway as a comprehensive, multi-layered solution for securing enterprise AI systems.

API Production Governance

5 things to look for in an API management platform (that aren’t in the brochures): Budhaditya Bhattacharya writes that selecting an API management platform requires looking beyond marketing materials and focusing on deeper, less obvious aspects that genuinely impact long-term business goals and operational efficiency.

Maintaining Auto-Generative Api Tests: Need Of De-Duplicate Tests: Sarthak Shyngle and Neha Gupta argue that while auto-generated API tests are easy to create, their inherent redundancy leads to increased test execution times, debugging complexities, and higher maintenance costs.

3 Ways to String Multiple APIs Together: Kristopher Sandoval explores different methodologies for connecting multiple Application Programming Interfaces (APIs) to form secure, coherent, and robust workflows.

How to discover and manage shadow APIs: Dave Shackleford of Voodoo Security argues that a proactive, multi-layered approach, combining real-time discovery, strong governance, and a collaborative DevSecOps culture, is crucial for organisations to effectively manage and mitigate the risks associated with shadow APIs.

Rethinking API governance with Team Topologies: A practical guide for engineering leaders: Carol Cheung argues that traditional, top-down API governance is a bottleneck to innovation. A more effective approach involves embedding governance directly into developers' workflows using the Team Topologies model.

Product Updates/New Releases

Autoswagger: Open-source tool to expose hidden API authorization flaws: This article introduces Autoswagger, a new open-source tool designed to expose broken API authorization flaws, which are prevalent even in large enterprises and easily exploitable.

ApiShare Release 1.9 — Product Release Notes: ApiShare is an API lifecycle management and governance platform. ApiShare version 1.9 focuses on enhancing secure and automated API key management. Features such as scheduled key operations, notifications, and policy templates aim to reduce operational risk and improve security and compliance by giving users more robust, automated controls over the lifecycle of their API authentication keys.

Self-hostable MCP servers — generate with the Speakeasy CLI: Speakeasy announces the release of a standalone Model Context Protocol (MCP) server generation feature in the Speakeasy CLI. The update offers organisations complete control over their servers, allowing MCP-specific features to evolve independently from SDKs, thereby improving performance, deployment, and overall flexibility for users.

Postman’s July 2025 Product Update: Postman's latest product updates for July 2025 focus on preparing APIs for the demands of AI models and agents. Features released include AI agent templates, real-time monitoring of APIs, and new ways for teams to collaborate using Postman Notebook.

Videos

James Higginbotham’s API Governance Survival Guide: Join API governance expert James Higginbotham for a comprehensive deep-dive into building effective, scalable API governance frameworks. The talk, presented at PostCon 2025, explores proven strategies from James’ enterprise consulting experience in API governance across the financial services, healthcare, and manufacturing industries.

Feedback & Share

What do you think of this newsletter issue?


I appreciate your feedback. If you find my newsletter useful, please forward and share it with a friend.

Upcoming API Conferences

GraphQLConf 2025: Date: September 8-10, 2025. Location: Amsterdam, Netherlands.

APIdays London: Theme: “No AI Without APIs”. Conference Date: September 22-24. Location: Convene 155 Bishopsgate, London EC2M 3YD.

Platform Summit 2025: Date: October 13-15. Location: Stockholm. Theme: Engineer Next-Gen API Architectures. Register to get your tickets.

Kong API Summit Live 2025: Join developers, leaders, and visionaries from around the world as we explore the latest innovations around APIs, microservices, and AI. Date: Oct 14-15, 2025. Location: New York City.

API Conference Berlin: Theme: The Conference for Web APIs, API Design & Management. Date: October 20-22, 2025. Register to get your tickets.

API World Conference 2025: Date: Sept 3-5, Location: Santa Clara, CA; Sept 10-12, Live Online. Register to get your tickets.

API Governance Consulting

Is poor API governance slowing down your delivery? Do you experience API sprawl, API drift and poor API developer satisfaction? I'll provide expert guidance and a tailored roadmap to transform your API practices.

Ikenna® Delivery Assessment → Identify your biggest API delivery pain points.

Ikenna® Delivery Canvas (IDC) & API Transformation Plan → Get a unified, data-driven view of your API delivery and governance process.

Ikenna® Improvement Cycles → Instil a culture of scientific, measurable progress towards API governance.

Ikenna® Governance Team Model → Set up and improve your governance team to sustain progress.

Ikenna® Delivery Automation Guidance → Reduce lead time and improve API quality through automation.

Schedule a consultation by emailing: [email protected].
