TL;DR: AI agents are turning APIs into the capability layer of the agentic era, which raises governance, documentation, versioning, and scaling demands across enterprise ecosystems, according to Kong. The security implication is that API strategy now has to account for machine-driven consumption patterns, not just human developers and traditional app integrations.
NHIMG editorial — based on content published by Kong: Insights from eBay: How API Ecosystems Are Ushering In the Agentic Era
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
Questions worth separating out
Q: How should security teams govern agent-facing APIs in production?
A: Security teams should govern agent-facing APIs by treating each one as a non-human identity path with explicit scope, short-lived credentials, and monitored execution boundaries.
Q: Why do APIs become a bigger security issue when AI agents consume them?
A: APIs become a bigger security issue because agents do not compensate for ambiguity, broken contracts, or overbroad scopes the way humans often do.
Q: What breaks when API governance is built only for human developers?
A: What breaks is the assumption that a developer will notice and adapt when an API contract changes.
Practitioner guidance
- Inventory every agent-facing API path Classify each endpoint, gateway route, and MCP-exposed tool by business function, data sensitivity, and whether it can initiate writes, not just reads.
- Bind API access to workload identity Use short-lived, uniquely attributable credentials for integrations, and separate discovery access from execution access so agents cannot move directly from inspection to action.
- Review version drift as a control failure Set a change threshold for schema updates, response shape changes, and permission expansion, then force re-approval when the contract changes.
What's in the full article
Kong's full article covers the operational detail this post intentionally leaves for the source:
- The specific API ecosystem examples used to explain why externalization changes developer adoption behaviour.
- The article's detailed guidance on governance squads, documentation practices, and private beta validation.
- The discussion of MCP and how protocol layers shape the next stage of agentic connectivity.
- The full reasoning behind ecosystem-led growth and how Kong frames API monetization maturity.
👉 Read Kong's analysis of API ecosystems in the agentic era →
API ecosystems and agentic AI - is your governance ready?
Explore further
API governance is now an identity control problem, not just an engineering discipline. Once agents become real consumers of APIs, the control question changes from whether an endpoint works to whether the caller should be trusted to use it at runtime. That pushes API governance into the same domain as NHI and workload identity management. The practitioner conclusion is that API strategy must be reviewed as part of access governance, not only platform engineering.
A few things that frame the scale:
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
- Another finding in the same research shows that 80% of organisations report AI agents acting beyond intended scope, including unauthorised access and sensitive data sharing.
A question worth separating out:
Q: Who is accountable when an API-connected agent causes data exposure or misuse?
A: Accountability should sit with the organisation that owns the API, the team that approved the integration, and the owner of the workload identity or token in the path. If the API is exposed to external partners or agents, the offboarding and review process must be explicit. Governance fails when nobody owns the lifecycle of the access path.
👉 Read our full editorial: API ecosystems and agentic AI: what changes for governance