API governance policies are meant to cover a wide range of operational areas. They begin with API design considerations, such as which HTTP methods we use to communicate around our digital resources and capabilities, but they go much further and help define how we version our APIs and which authentication, documentation, and even testing we provide as part of our operations. When it comes to government policies, or even enterprise policies, the concept of a policy is often seen as slow moving and fixed, but API policies are as fast or as slow as your ability to mobilize discussion amongst the stakeholders in your organization, and it is this intersection of policy, process, and people that will help you minimize enterprise technical debt.
When I ask enterprises if they have API governance in place, it goes beyond just asking if they are using Spectral rules in VSCode and their CI/CD pipelines. I want to understand the wider apparatus, not just the resulting technical details. The technical details are API rules. The business details are API policies. The business details are what shape operations, and the technical details are how we enforce and report on that shape over time. I am less interested in how an enterprise is versioning their APIs and more interested in how they came to the decision to version APIs and how they communicate that across teams. I am less interested in what gateway a company is using, and more interested in the work they did as an organization to decide which gateway to use, and whether they are doing that in a centralized or federated way. These are API policies, and we should be able to keep exploring the inner workings (or non-workings) of an enterprise by asking questions about API policies.
When companies have solid API policy foundations for documenting how they use technology, things are much more stable. When you have strong policies on how you use query parameters and pagination, and are opinionated about how HTTP is applied, you are less likely to let new technologies like GraphQL come into play without the needed discussion, socialization, and refinement of how the new technology will apply to the business. I regularly see a lack of API policies, process, and people involved in emotional responses to market hype and trends, from GraphQL to event-driven to artificial intelligence. I am not saying that these technologies don't have a place; I am saying that how they enter the enterprise, how they spread, and how they become technical debt is much more damaging when there aren't strong API policies and processes in place, with opinionated leadership from across enterprise domains weighing in on the role a new technology or specific pattern will have in the business. Without this internal capacity, enterprises are likely to make decisions without proper awareness of the impact on the business, because they've opted to outsource that capacity to vendors and consultants.
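To make the distinction between a policy and a rule concrete, here is an added example of a Spectral ruleset (not code from the original post, and not any enterprise's actual ruleset) that turns three hypothetical policies of the kind the two paragraphs above describe into checks a CI/CD pipeline or VSCode can enforce: collection endpoints must be paginated, query parameter names use snake_case, and a GET never carries a request body. The rule names, the `limit` and `cursor` parameter names, and the convention that a path not ending in a path parameter is a collection are all assumptions made for this example. The policy is the decision the organization reached and wrote into the description text; the rule is only its enforcement.

```yaml
# .spectral.yaml
# Added example ruleset: three assumed API policies expressed as Spectral rules.
# Rule names, parameter names (limit, cursor) and the "collection = path that
# does not end in a path parameter" convention are assumptions for illustration.
extends: ["spectral:oas"]

rules:
  # Policy: every collection GET is paginated with limit and cursor query parameters.
  # The filter keeps only paths whose last character is not "}", i.e. paths that
  # do not end in a path parameter such as /users/{id}.
  collection-get-must-paginate:
    description: Collection GET operations must declare limit and cursor query parameters.
    message: "{{path}}: collection GET is missing pagination parameters (limit, cursor)."
    severity: error
    given: '$.paths[?(@property.match(/[^}]$/))].get'
    then:
      field: parameters
      function: schema
      functionOptions:
        schema:
          type: array
          allOf:
            - contains:
                type: object
                properties:
                  in: { const: query }
                  name: { const: limit }
                required: [in, name]
            - contains:
                type: object
                properties:
                  in: { const: query }
                  name: { const: cursor }
                required: [in, name]

  # Policy: query parameter names are snake_case so that clients see one style
  # across every team's APIs.
  query-parameters-snake-case:
    description: Query parameter names must be snake_case.
    message: "{{path}}: query parameter '{{value}}' is not snake_case."
    severity: error
    given: "$..parameters[?(@.in == 'query')]"
    then:
      field: name
      function: casing
      functionOptions:
        type: snake

  # Policy: HTTP is applied as specified; a GET carries no request body.
  get-has-no-request-body:
    description: GET operations must not define a request body.
    message: "{{path}}: GET operations must not carry a request body."
    severity: error
    given: "$.paths[*].get"
    then:
      field: requestBody
      function: undefined
```

Run it against an OpenAPI document with `spectral lint openapi.yaml --ruleset .spectral.yaml`; the same file is what the VSCode extension picks up. The part worth noticing is that none of the three rules says why the policy exists or who decided it; that lives in the policy record and in the conversations across teams, and the ruleset only reports whether a given API conforms.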
I have watched API sprawl overtake every enterprise I've worked with in the last 15 years. I've seen simple and complex HTTP APIs spread like wildfire to support web, desktop, and mobile applications. I've seen the complexity rapidly grow across multiple protocols and patterns because nobody was there to advocate for the customer or for business stakeholders. I am watching the enterprises that have maintained their internal capacity sensibly approach artificial intelligence, while companies that have outsourced to vendors and consultants over the years mandate AI as part of operations and invest in the current consolidation of power we've seen across OpenAI, Microsoft, Google, and Anthropic. This isn't new, and I've seen it building with similar investments in API management solutions over the last decade. APIs are the inputs and outputs of your enterprise operations, regardless of the applications that utilize them. The governance of these APIs is how you maintain control over your digital resources and capabilities, and without the right API policies, process, and people in place, we are always running a significant risk that we are rolling out technology that will slow us down and hold us back in the coming years, which will make or break the competitiveness of any enterprise, across any industry today.