Notifications
Clear all
Topic starter
09/06/2026 11:10 pm
TL;DR: As generative AI and agentic architectures push into API and data-path design, Kong’s workshop frames the operational question as how to govern models, agents, and flows at scale without sacrificing performance or security. The strategic issue is that connectivity now carries identity and authorisation risk, not just traffic management.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams govern AI agents and APIs together?
A: Security teams should govern AI agents and APIs as a single access path, because the real risk sits in how the agent reaches tools and data.
Q: Why do AI agents complicate existing IAM and NHI controls?
A: AI agents complicate IAM and NHI controls because they can combine data access, tool use, and execution in one runtime path.
Practitioner guidance
- Map the AI data path end to end Document every model call, agent handoff, API hop, and data store involved in the workflow.
- Separate connectivity approval from access approval Do not treat API onboarding as proof that the underlying data access is safe.
- Scope agents to task-bound permissions Issue the minimum access needed for the specific job and make revocation part of the design, not an afterthought.
What to expect at the briefing
Kong's full event covers the operational detail this post intentionally leaves for the source:
- The 2026/2027 outlook for AI Gateway, native connectivity, and autonomous infrastructure from the host team.
- Peer exchange on governance and performance trade-offs in AI-enabled API architectures.
- Discussion of security, API lifecycle management, agents, and MCP in a limited attendance setting.
- A strategic setting for CIOs, CTOs, and IT leaders to compare deployment challenges in confidence.
👉 Register for Kong's workshop on strategy and connectivity in the age of AI →
AI data path governance for agents and APIs on June 23?
Explore further
10/06/2026 1:24 am
AI connectivity is becoming an identity problem, not just an architecture problem. The workshop topic reflects a broader shift: once agents and models participate in live data flows, the main risk is no longer only latency or throughput, but who can act through those flows. That is why API design, access control, and NHI governance now need to be treated as one operational plane. Practitioners should plan for identity enforcement at the point of interaction, not after the fact.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: What should organisations check before scaling agentic AI in production?
A: Organisations should check whether their current controls can enforce least privilege across models, agents, APIs, and data flows at runtime. If ownership, logging, and revocation are unclear, scaling will expand the blast radius of every mistake. The key question is whether the control model still matches the access path.
👉 Read our full editorial: AI data path governance for agents and APIs in 2026
