APIs, AI agents and identity controls: what changes in 2026?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 7340
Topic starter  

TL;DR: APIs are shifting from developer interfaces to regulated infrastructure that now power AI agents, telecom, finance, and healthcare, while only 24% of organisations currently design APIs for AI agents according to Kong and GenAI in Enterprise research. The governance gap is no longer about API scale alone: it is about whether identity, authorization, and machine-readable policy can keep pace with autonomous consumption and multi-protocol estates.

NHIMG editorial — based on content published by Kong: The Rapidly Changing Landscape of APIs: Navigating the 2026 API Ecosystem

By the numbers:

Questions worth separating out

Q: How should security teams govern API access for AI agents and service accounts?

A: Security teams should treat API access as a governed identity path, not a transport detail.

Q: When does API-first design create more governance risk than it removes?

A: API-first becomes risky when teams treat it as a delivery pattern instead of an identity model.

Q: What do organisations get wrong about securing AI-ready APIs?

A: They often assume that better documentation is enough.

Practitioner guidance

  • Reclassify API governance as identity governance: inventory every API consumer type, including service accounts, workload identities, and AI agents, and map each to an owner, scope, and review cadence.
  • Revalidate OAuth flows against current best practice: replace deprecated grant patterns, tighten token scope, and verify that sender-constrained or bound token patterns are used where bearer replay would be material.
  • Unify policy across protocols and gateways: check that REST, GraphQL, gRPC, WebSocket, and event-driven interfaces all inherit the same authorization rules, logging, and rate-limiting logic.

What's in the full article

Kong's full blog covers the operational detail this post intentionally leaves for the source:

  • The article's full breakdown of protocol shifts across REST, GraphQL, gRPC, CloudEvents, and HTTP/3
  • The source discussion of regulatory drivers such as FHIR, FDX, and the EU Data Act
  • The implementation detail behind OAuth 2.1, DPoP, FAPI 2.0, and Rich Authorization Requests
  • The vendor's examples of API commercialization and agentic commerce patterns

👉 Read Kong's analysis of the rapidly changing API ecosystem →
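To make the "sender-constrained or bound token" check from the practitioner guidance concrete, the following is an added example (not code from the Kong article or from this post) of the binding checks a resource server applies to a DPoP proof before trusting a DPoP-bound access token, following RFC 9449 section 4.3. It assumes a JWT library has already verified the proof's signature with the public key carried in its header, and the JWK coordinates, token string and URL are constructed placeholders.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the required JWK members, lexicographically ordered."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return b64url(hashlib.sha256(json.dumps(members, separators=(",", ":"), sort_keys=True).encode()).digest())

SEEN_JTI: set = set()  # replay cache; a real deployment uses a shared store with a TTL

def check_dpop_binding(access_token, token_claims, proof_header, proof_claims, method, url, now, skew=60):
    """RFC 9449 s4.3 resource-server checks, run after the proof signature is verified. Returns (ok, reason)."""
    jwk = proof_header.get("jwk")
    if proof_header.get("typ") != "dpop+jwt" or not jwk or "d" in jwk:
        return False, "proof header lacks typ=dpop+jwt or carries a non-public jwk"
    jkt = token_claims.get("cnf", {}).get("jkt")
    if jkt is None:
        return False, "token is not sender-constrained (no cnf.jkt); it is a plain bearer token"
    if jkt != jwk_thumbprint(jwk):  # the proof key must be the key the token was issued to
        return False, "proof key does not match token cnf.jkt"
    if proof_claims.get("htm") != method or proof_claims.get("htu") != url:
        return False, "proof htm/htu do not match this request"
    if abs(now - proof_claims.get("iat", 0)) > skew:
        return False, "proof iat outside the accepted window"
    if proof_claims.get("ath") != b64url(hashlib.sha256(access_token.encode()).digest()):
        return False, "proof ath does not hash the presented access token"
    jti = proof_claims.get("jti")
    if not jti or jti in SEEN_JTI:  # a captured proof cannot be presented twice
        return False, "proof jti missing or replayed"
    SEEN_JTI.add(jti)
    return True, "bound"

# Constructed sample inputs (placeholder coordinates, not a real key pair).
SAMPLE_URL = "https://api.example.test/orders"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
SAMPLE_TOKEN = "constructed.access.token"
SAMPLE_TOKEN_CLAIMS = {"sub": "agent-42", "scope": "orders:read", "cnf": {"jkt": jwk_thumbprint(SAMPLE_JWK)}}

def sample_proof(jti: str, now: int = 1_700_000_000) -> tuple:
    """Decoded header and claims of a DPoP proof for GET SAMPLE_URL carrying SAMPLE_TOKEN."""
    header = {"typ": "dpop+jwt", "alg": "ES256", "jwk": SAMPLE_JWK}
    claims = {"jti": jti, "htm": "GET", "htu": SAMPLE_URL, "iat": now,
              "ath": b64url(hashlib.sha256(SAMPLE_TOKEN.encode()).digest())}
    return header, claims
```

A token whose `cnf.jkt` is absent is rejected rather than downgraded to bearer handling, which is the failure mode the guidance's "where bearer replay would be material" is about.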
