What is API governance? It is a topic I’ve explored from a technical, business, policy, and people perspective over and over for many years now, and my hope was renewed last week to hear that others share the belief that API governance is much more than Spectral or Vacuum rules. Like with OpenAPI, there is all kinds of money and interest in the machine-readable Spectral and Vacuum rules, without any acknowledgement and awareness of the human work, expertise, coordination, and communication that goes into the rules. This is API governance, not the YAML or JSON output of all of that peopling.
After talking with hundreds of people implementing API governance on the ground within enterprises as part of my work at Postman, spending the last year standing up a program within Bloomberg, and reviewing every job description about API governance to come along, I can say that an API governance job is clearly 75% herding, navigating, and building trust with the humans, with the rest a mix of business and technological considerations. API governance teams are often given a technical mandate, when in reality they are doing the work to address the social aspects of how enterprises work or do not work. This is something that will catch many professionals off guard as they put their hopes into services, tooling, and specifications.
A Spectral or Vacuum rule that ensures there are no request bodies on an HTTP GET request, enforced in VS Code and in a CI/CD pipeline, is not governance. API governance is teams understanding why HTTP GET requests should not have a request body, having a conversation about how that particular API operation is being applied by API consumers, and deciding what path and query parameters should be made available to those consumers to achieve their business objective. This is just one of hundreds of rules that get lumped together and called API governance, when API governance is actually about ensuring teams have the proper HTTP literacy and API design skills, possess access to feedback loops with API consumers, and, more importantly, have the emotional bandwidth in their day to empathize with that consumer.
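To make concrete the kind of mechanical check the post is contrasting with governance, here is an added example (not the post's own code, and not a Spectral or Vacuum rule itself) that walks a small constructed OpenAPI document and flags GET operations declaring a request body; the sample document and the output format are assumptions.

```python
"""Flag OpenAPI GET operations that declare a request body.

Added, constructed example: a plain-Python stand-in for the linter rule the
post describes. It finds the problem; it does not explain to a team why GET
should be expressed through path and query parameters instead.
"""
from typing import Any

# Constructed sample OpenAPI 3 document: one GET declares a body (flagged),
# one GET uses a query parameter instead (fine), one POST with a body (fine).
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "paths": {
        "/orders/search": {
            "get": {
                "requestBody": {"content": {"application/json": {}}},
            },
        },
        "/orders": {
            "get": {"parameters": [{"name": "status", "in": "query"}]},
            "post": {"requestBody": {"content": {"application/json": {}}}},
        },
    },
}


def _pointer_token(segment: str) -> str:
    """Escape one JSON Pointer token (RFC 6901): '~' -> '~0', '/' -> '~1'."""
    return segment.replace("~", "~0").replace("/", "~1")


def find_get_with_body(spec: dict[str, Any]) -> list[str]:
    """Return JSON Pointer locations of every GET operation carrying a requestBody."""
    findings: list[str] = []
    for path, item in spec.get("paths", {}).items():
        if not isinstance(item, dict):
            continue
        operation = item.get("get")
        if isinstance(operation, dict) and "requestBody" in operation:
            findings.append(f"#/paths/{_pointer_token(path)}/get/requestBody")
    return findings


if __name__ == "__main__":
    for location in find_get_with_body(SAMPLE_SPEC):
        print(f"GET operation must not declare a request body: {location}")
```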
API governance is a measure of how well teams are educated and equipped for their job. API governance is a measure of how well teams coordinate and communicate with each other. API governance is a measure of how many shared resources an enterprise provides for the teams producing its APIs. API governance is a measure of the feedback loops that teams producing APIs have with those consuming their APIs. API governance is a measure of how much your enterprise understands and has internalized Internet and industry standards. API governance is a measure of how aware your enterprise leadership is of the digital resources and capabilities you possess. Each API governance rule is a measure of how much technical debt your enterprise has accumulated over the years. I can keep going. API governance is all about people conducting business, and you will never be successful with API governance until you recognize and invest in these people, something that seems to be in deficit at this moment.