TL;DR: API + AI Summit 2026 is calling for real-world sessions on AI systems in production, API architecture, security, zero trust, observability, and platform automation, with in-person talks in Los Angeles on September 30 to October 1, 2026, according to Kong. The programme signals that AI governance now sits inside connectivity, access, and reliability decisions rather than beside them.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams govern AI systems that rely on APIs in production?
A: Security teams should treat every API connection as an access path that must be owned, scoped, logged, and revocable.
Q: Why do AI and API architectures change the identity risk model?
A: They change it because the system now acts through multiple non-human identities, not just through one authenticated user.
Practitioner guidance
- Inventory AI-connected identities: Catalogue every service account, API key, token, and certificate used by AI workflows, then assign an owner and a revocation path for each one.
- Bind runtime actions to identity lineage: Make logging preserve the chain from initiating user or workload to token use, API call, and downstream side effect so investigations can trace authority end to end.
- Apply zero trust to orchestration layers: Do not stop at the network edge.
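One way to test the identity-lineage item above, as an added example that is not from Kong or the original post: it walks a downstream side effect back to its initiator and reports events whose chain cannot be traced. The log schema (`event_id`, `parent_id`, `kind`, `principal`, `credential`) and all sample events are constructed assumptions.

```python
# Constructed sample events. Field names are assumptions, not a standard schema.
EVENTS = [
    {"event_id": "e1", "parent_id": None, "kind": "user_request",
     "principal": "user:alice", "credential": None, "action": "refund order 1001"},
    {"event_id": "e2", "parent_id": "e1", "kind": "token_use",
     "principal": "svc:refund-agent", "credential": "tok-A", "action": "token exchange"},
    {"event_id": "e3", "parent_id": "e2", "kind": "api_call",
     "principal": "svc:refund-agent", "credential": "tok-A", "action": "POST /refunds"},
    {"event_id": "e4", "parent_id": "e3", "kind": "side_effect",
     "principal": "svc:payments", "credential": "tok-B", "action": "ledger write"},
    # Parent e9 was never logged, so authority for this call cannot be traced.
    {"event_id": "e5", "parent_id": "e9", "kind": "api_call",
     "principal": "svc:batch", "credential": "tok-C", "action": "DELETE /customers/42"},
]

# Event kinds allowed to start a chain (initiating user or workload).
INITIATOR_KINDS = {"user_request", "workload_start"}


def trace_lineage(events, event_id):
    """Follow parent links from an event back to its origin.

    Returns (chain ordered origin-first, problem string or None).
    """
    by_id = {e["event_id"]: e for e in events}
    chain, seen, current = [], set(), event_id
    while current is not None:
        if current in seen:
            return chain[::-1], "cycle at " + current
        event = by_id.get(current)
        if event is None:
            return chain[::-1], "unknown event " + current
        seen.add(current)
        chain.append(event)
        current = event["parent_id"]
    if chain[-1]["kind"] not in INITIATOR_KINDS:
        return chain[::-1], "root is not an initiator"
    return chain[::-1], None


def broken_chains(events):
    """Map event_id -> problem for every event whose lineage is incomplete."""
    results = ((e["event_id"], trace_lineage(events, e["event_id"])[1]) for e in events)
    return {eid: problem for eid, problem in results if problem}


if __name__ == "__main__":
    for e in trace_lineage(EVENTS, "e4")[0]:
        print(e["kind"], e["principal"], e["credential"], e["action"])
    print("untraceable:", broken_chains(EVENTS))
```

Running a check like `broken_chains` over a log sample shows whether the lineage requirement actually holds before an investigation depends on it.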
What to expect at the briefing
Kong's full article covers the submission details and event logistics this post intentionally leaves out:
- Exact session format breakdown across breakouts, fireside chats, panels, and workshops.
- Speaker and proposal requirements for builders, architects, and technology leaders.
- Submission deadline, notification timing, and in-person attendance details for Los Angeles.
- Ticketing and add-on certification training information for attendees planning travel and budgeting.
👉 Read Kong's call for proposals for API + AI Summit 2026 →
API + AI Summit 2026: what it means for AI, APIs, and governance?
Explore further
API + AI programmes are now identity programmes in disguise. Once AI systems execute real tasks through connected APIs, the main governance problem is not model quality but who or what is authorised to act. That makes token scope, service-account ownership, and revocation discipline core controls, not back-office details. Practitioners should treat AI connectivity as an identity boundary, because that is where misuse will concentrate.
A few things that frame the scale:
- Organizations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases.
A question worth separating out:
Q: Should organisations use zero trust for AI orchestration and automation?
A: Yes, but only if zero trust reaches the point where AI systems actually take action. That means verifying the requester, the workload, and the execution boundary at runtime instead of assuming a secure deployment is enough. Otherwise, orchestration becomes a trusted shortcut around governance.
👉 Read our full editorial: API + AI Summit 2026 spotlights production AI and security