TL;DR: Modern API management and integration layers must now govern both classic service traffic and AI-enabled workflows, according to Kong’s analysis, with Kong Gateway handling policy and observability while PolyAPI executes integrations in standard languages. The shift exposes how much enterprise control still depends on opaque runtimes and weak visibility, especially as AI agents begin consuming APIs.
NHIMG editorial — based on content published by Kong: Modernizing Integration & API Management with Kong and PolyAPI
Questions worth separating out
Q: How should security teams govern AI agents that consume internal APIs?
A: Treat AI agents as non-human identities with explicit scopes, logging, and ownership.
Q: What breaks when integration platforms hide credentials and workflow logic?
A: Governance breaks because teams lose visibility into where secrets live, who owns the access, and how to revoke it when a process changes.
Q: Why do APIs create a larger identity risk surface in AI-enabled environments?
A: APIs become the execution boundary for software agents, workflow automation, and backend services, so any overbroad token can reach multiple systems.
Practitioner guidance
- Define identity classes for every API consumer Separate human, service, workload, and AI-driven consumers in policy so the gateway can apply the correct authentication, logging, and rate limits to each class.
- Inventory credentials embedded in integration logic Review workflows, functions, mappings, and state stores for secrets that are stored inside the execution layer rather than in managed secret systems.
- Require lifecycle ownership for integration functions Assign an owner, review cadence, and revocation path for every reusable function or orchestration so access does not outlive the business process it supports.
What's in the full article
Kong's full blog post covers the operational detail this post intentionally leaves for the source:
- The platform architecture choices behind Kong Gateway, Kong AI/MCP Gateway, and PolyAPI in production integration environments.
- The practical migration and execution model for teams moving off legacy iPaaS runtimes into code-managed integration services.
- The specific use cases for service development, workflow automation, partner enablement, and vendor management that the source article maps to the stack.
- The vendor's detailed view of how AI-enabled workflows interact with API policy, observability, and execution control.
👉 Read Kong's analysis of modern API management and integration with PolyAPI →
API governance for AI workflows: what changes for IAM teams?
Explore further
API governance is now an identity governance problem, not just an integration problem. Once APIs become the front door to business systems, every integration carries an access model, a credential boundary, and an audit requirement. That is true for service accounts, backend functions, and AI consumers alike. The practitioner conclusion is that API security and identity governance can no longer be separated in programme design.
A few things that frame the scale:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%), according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to the same report.
A question worth separating out:
Q: How can teams reduce standing privilege in integration and API workflows?
A: Shorten credential lifetime, scope access to specific functions, and remove persistent secrets from workflow definitions wherever possible. Use managed secret handling, explicit ownership, and regular entitlement review for every integration identity. The goal is to make access temporary, explainable, and revocable before it becomes an operational dependency.
👉 Read our full editorial: Kong and PolyAPI show why API governance now covers AI workflows