How to Adapt Your API Strategy to Succeed in the AI Era

24 February 2025 - ID G00818162 - 12 min read
By Shameen Pillai, Mark O'Neill
A robust API strategy is essential for organizations to succeed in their AI initiatives. Software engineering leaders can use this research to assess the impact of generative AI on their API programs and explore strategies to capitalize on emerging AI technologies.

Overview


Key Findings

  • The adoption of APIs to provide data and contextual information to AI initiatives is on the rise. Organizations that lack a robust API strategy will struggle to make effective use of AI.
  • New breeds of API consumers, such as AI agents and large language models (LLMs), elevate the risks associated with API consumption. Managing subscriptions, securing and protecting private data and keeping costs under control are typical challenges faced by software engineering leaders.
  • New AI gateways are emerging, designed to manage, secure and protect API connections with AI providers. However, deep vendor support for AI scenarios is currently limited.

Recommendations

As a software engineering leader responsible for API strategy, you should:
  • Ensure the success of your AI initiatives by adapting your API strategy to provide business data and contextual information effectively using internal, private, public and third-party APIs.
  • Manage API generation and consumption by AI applications to mitigate security, privacy and financial risks. Discover, secure and govern all APIs created by AI tools, and implement an API consumption gateway to support the AI technical stack.
  • Conduct detailed proofs of concept (POCs) for AI gateways to evaluate their technical capabilities, and be ready to fail fast.

Strategic Planning Assumptions


By 2028, more than half of organizations will use API management as a building block of their AI application architecture, up from less than 10% in 2025.
By 2028, over 50% of API security breaches will be related to AI.

Introduction


inline image
The impact of AI on API programs is twofold. On one hand, the increased API usage by AI consumers introduces potential issues related to the security, management and governance of APIs. On the other hand, features and tools such as code assistants and API testing tools based on generative AI (GenAI) show promise in making API life cycle management easier and more efficient.
However, such features are nascent and yet to be proven in the marketplace.
To support AI initiatives, it’s essential to enhance API strategies to accommodate dynamic AI consumers with heightened security and gateway needs. Managing AI consumption and third-party APIs is crucial to the success and cost-effectiveness of these initiatives. Furthermore, unchecked API creation by AI tools can pose significant security and governance challenges.
So, how can organizations better prepare for API use in their AI initiatives and address the challenges of incorporating AI into API life cycle management?
Software engineering leaders should assess the impact of GenAI initiatives on their API programs and identify areas for investment in emerging AI technologies to enhance their API strategies.
Figure 1 shows a typical API life cycle involving developing and consuming APIs, and highlights how GenAI can be leveraged to improve the API life cycle.
Figure 1: Generative AI in the API Life Cycle
Generative AI's role in the API lifecycle comprises two cycles: creating APIs (Plan, Build, Publish, Version) and consuming APIs (Plan, Build, Deploy, Run) with AI-driven enhancements. Generative AI enhances both the creation and consumption of APIs by automating tasks like API definition, documentation and security.

Analysis


Ensure Success of Your AI Initiatives by Adapting Your API Strategy

AI initiatives require APIs to provide data and contextual information, such as for grounding GenAI models in an organization’s business data and providing specific and detailed context for targeted use cases. Retrieval-augmented generation (RAG) typically involves LLMs consuming data via APIs from a set of knowledge sources. Organizations can use internal, private, public and third-party APIs to provide sufficient and relevant data to models to accomplish this goal. This is required not only during the training of various AI models but also on a regular basis for the GenAI applications to function.
Overall, AI elevates the goals of API strategy a few notches higher and demands a higher level of maturity. Below are a few instances of how GenAI’s use of APIs differs from traditional application use:
  • Unplanned and dynamic API consumers: LLMs, such as GPT, LaMDA and LLaMa, are capable of dynamically generating API clients on the fly, which can lead to even more unplanned consumers. Dynamic API consumers could include code snippets, client side code in different programming languages, SDKs, and even applications that can consume APIs.
  • Data security and compliance: Lack of adequate security and compliance of APIs can undermine the security of AI initiatives. AI models trained on unsecured data can significantly multiply the risks and lead to major vulnerabilities and exposure of unauthorized data.
  • Copyright and licensing: APIs not protected by sufficient terms and conditions and applicable usage agreements can lead to copyright, licensing, and brand reputation issues associated with generated content from AI programs.
  • Overuse or misuse: Unregulated AI access to APIs without capacity planning and proper policies for throttling and rate limiting can lead to overuse and misuse, overwhelming the API provider. This will ultimately lead to cost overruns, architecture instabilities and performance degradation.
Though APIs are not the only source of vulnerabilities commonly associated with GenAI applications, they significantly contribute to some of the common issues faced by LLM applications. Improving security and life cycle management of APIs used by AI, can provide coverage to some common vulnerabilities depicted in the Open Web Application Security Project (OWASP) Top 10 security vulnerabilities for LLM applications.
Figure 2 shows OWASP Top 10 security vulnerabilities for LLM applications. For example, mediating traffic to and from LLM prompts through an API gateway can help address the highlighted vulnerabilities at least in part, as indicated by partial coverage but it will not protect against all threats indicated by minimal or no coverage.
Figure 2: OWASP Top 10 Security Vulnerabilities for LLM Applications
OWASP lists the top 10 security vulnerabilities for LLM applications, noting partial or minimal coverage. These include prompt injection, insecure output handling, model denial of service, and more. This underscores the urgent need for robust security measures to protect against these threats.

What Changes Are Needed for Your API Strategy?

For organizations that have already implemented and operate an API strategy, an urgent refresh is warranted to adequately support AI initiatives and benefit from emerging tools and practices that use AI to improve API developer and consumer experiences. Software engineering leaders should invest in creating one if their organization lacks an API strategy.
Gartner’s view of a comprehensive API strategy (see Gartner’s API Strategy Maturity Model) involves the below dimensions:
  • API life cycle management
  • API security
  • Business alignment
  • Developer enablement
  • Measuring business value
Figure 3 shows API strategy dimensions along with examples of steps required to support API life cycle management and API security.
Figure 3: A Robust API Strategy Is Key to GenAI Initiatives
A robust API strategy is crucial for GenAI initiatives, focusing on life cycle management and security. Key elements include optimizing API deployment, monitoring API traffic, generating security policies, and aligning with business goals, ensuring effective developer enablement and business value measurement.
GenAI projects require effective implementation and operation of all aspects of API strategy. However, the most significant aspects are API life cycle management and API security, as these represent a minimum requirement to be able to support AI initiatives:
  • API life cycle management: Refers to the steps involved in managing an organization’s APIs through all stages of its life cycle — from planning, development and operations, all the way through retirement. The API life cycle management strategy needs to change to accommodate APIs that are dynamically created by AI agents and other AI programs and tools, to avoid API sprawl and unmanaged shadow APIs. Here are a few steps to consider:
    • Track and manage APIs that are (or going to be) created by AI applications and GenAI tools just as well as APIs that are created by human actors (internal developers, partners or third parties).
    • Ensure your organization’s API standards, style guides or other coding practices are well documented, ready and available to ground AI models.
    • Ensure your APIs include appropriate terms of use, restrictions and privacy policies to prevent unwanted access and to leakage of sensitive information.
    • Maintain adequate documentation for all APIs, especially the ones created by GenAI.
    • Adhere to versioning and governance policies for all APIs.
    • Track and manage AI-generated API consumers.
    • Test and assure quality of all APIs. Use automated testing as much as possible especially for APIs created by GenAI tools.
  • API security: Involves fine-grained authentication and authorization, access management, throttling and proactive threat protection. GenAI tools and applications introduce significant challenges to all of these aspects. Here are some examples of necessary steps:
    • Ensure that your API access management strategy is adapted for AI consumers, such as AI agents. For example, AI agents must be uniquely identified with adequate permissions, rather than using common or developer identities.
    • Set fit-for-purpose authentication and authorization policies to prevent unwanted data exposure to AI programs.
    • Ensure GenAI models generating APIs are data privacy aware to prevent unwanted privacy violations and leakage of sensitive information.
    • Actively manage API keys and credentials. Keys intended for AI services, such as OpenAI’s APIs, should be tracked separately.
    • Look beyond the interface, and ensure the underlying data and assets are allowed for AI consumption in collaboration with data and security engineers.
    • Actively monitor operational data and telemetric data to prevent unauthorized use.
    • Leverage API security tools to strengthen proactive threat protection of APIs. Prefer tools that provide built-in AI-based features to detect anomalies.
    • Beef up throttling and traffic management policies to ensure support for elevated use.
  • Business alignment and measuring business value: The business alignment part of the API strategy should include both direct and indirect business benefits targeted for the AI initiative(s), especially those using APIs. The benefits should be measured by KPIs and metrics that measure business outcomes.
  • Developer enablement: This strategy should now encompass developers using tooling such as AI code assistants. Developers are already using AI-augmented tooling to develop applications that consume APIs. This means that, for example, API documentation must identify any specific rules or restrictions for AI consumers, such as access restrictions, limits or other terms of appropriate use. Create procedures to prevent API sprawl and ensure that an API catalog is maintained and used by all consumers.

Manage API Generation and API Consumption by AI

API generation typically involves developers using IDEs to create APIs, or using tools to generate APIs that represent data on a database or a data structure. GenAI elevates capabilities of API generation tools by making them more intelligent and dynamic, and capable of responding to specific nuanced requirements and standards.

Managing API Generation by AI

Many API management platforms already incorporate AI capabilities to enhance API creation within their tools. Additionally, there are independent tools that offer AI-based API generation (see Magic Quadrant for AI Code Assistants).
API generation using AI might involve a variety of scenarios; for example:
  • Creating APIs from a natural language description of requirements, like an AI code assistant.
  • Creating API specifications from code or data source.
  • Generating API documentation from API specification and vice versa.
  • Translating API documentation to different human languages.
  • Converting or transforming implementations from one programming language to another.
  • Converting OpenAPI to other API description formats and vice versa.
  • Chat agents for API documentation.
  • API product suggestions and intelligent recommendations for APIs.
  • API policy generation and recommendations.
  • AI-augmented deployment and operational management of APIs.
Software engineering leaders should capitalize on GenAI’s potential to improve API generation by allowing organizational API standards, style guides, and any specific requirements to be used as inputs to create better quality APIs while minimizing the potential for API sprawl.
The key is to manage and govern APIs created by these tools, whether they are automated or created by developers. Ensure that “all” APIs in your organization are discovered, managed, secured and governed without leaving a blindspot of APIs created by generation tools.

Managing API Consumption Challenges

In addition to the APIs used for providing business data and contextual information to AI programs, GenAI applications use APIs as the main integration and mediation point between different architecture elements in their technical stack. The 2024 Gartner API Strategy Survey revealed that, among third-party APIs, OpenAI APIs are among the most widely adopted and anticipated for future use within respondents’ organizations.1
A GenAI application stack might involve the use of multiple AI models. Iterating through RAG cycles orchestrated through APIs is a common technique used in this architecture. Each layer in this stack serves as a mediation point where consumption policies can be applied. Figure 4 shows an example of this architecture stack.
Figure 4: APIs With the Generative AI Stack
APIs are integral to the Generative AI stack, connecting infrastructure providers, model providers, AI engineering, and GenAI applications. Key processes like model chaining use tools such as LangChain to orchestrate AI APIs, facilitating seamless integration across commercial and open-source models.
Software engineering leaders must review their API strategy to ensure that they can provide adequate API consumption management before embarking on AI initiatives. Below are some actions they can take toward this goal:
  • Ensure that there is adequate life cycle management of internal, partner, public and third-party APIs used across the organization.
  • Manage the consumption of AI provider APIs. Make sure to track and manage all AI APIs in use across various projects.
  • Implement adequate capacity planning, throttling and rate limiting policies for all APIs consumed, especially by AI initiatives.
  • Review and adapt terms and conditions, along with any appropriate usage restrictions, for APIs made available for AI consumption.
  • Make sure to review if API pricing and licensing models can support and appropriately scale with AI use.
  • Implement API response contextualization, semantic caching, management of prompts or LLMs as required.
  • Ensure that a plan is in place for monitoring and enforcing SLAs and API key management.
  • Implement an API consumption gateway to support GenAI technical stack to address below common requirements:
    • Mediating traffic between different LLM models
    • API keys and credentials management
    • Token management
    • Prompt templating
    • Prompt guards
    • Content filtering
    • Sanitation of sensitive data
    • Policy enforcement
    • LLM orchestration
    • Rate limiting
    • Semantic caching and routing

Conduct POCs of AI Gateways to Evaluate Their Technical Capabilities

A handful of AI gateways have already become available in the open source and commercial market (see Innovation Insight for AI Gateways). These are mostly API gateways with added features, plug-ins or other components to support AI enablement and include features such as managing the consumption and generation of AI APIs and managing API access to expensive AI-related resources like LLMs. Some gateways also include AI-based features to enhance their operational capability in supporting large-scale AI use.
Figure 5 shows a sample set of AI gateways and emerging AI-based API tools currently available on the market.
Figure 5: AI Gateways and Emerging AI-Based API Tools
AI gateways and emerging AI-based API tools are crucial for managing traffic, ensuring security, and enabling developers. Key functions include traffic mediation, security policy generation, and API lifecycle management. Vendors like IBM and Cloudflare provide these tools to enhance API functionality.
AI gateways are nascent and emerging products, often with additional functionality like plugins or add-ons built on top of existing API gateways. The functionality they offer varies widely, and so is the level of maturity of these products.
If you are in the market for AI gateways or other AI enablement features, it is important to try, test and run POCs before selection. Always opt for modern, low-footprint API gateways, preferably with AI-enabled features. If you already have API gateways, plan to supplement those capabilities with add-on or plugin features. If that is not feasible, revisit your API gateway strategy.
Remember, a robust API strategy advances your AI ambitions, and AI tools improve your API strategy. Leverage both.

Evidence


1 2024 Gartner API Strategy Survey. This survey was conducted online from 27 February through 8 March 2024 to understand the API strategy of organizations through API usage, API styles and AI APIs. In total, 89 IT leaders who are Research Circle members, a Gartner-managed panel, participated. The respondents were screened based on their knowledge about the use and priorities of APIs in their organizations. They were primarily from North America (n = 43), EMEA (n = 33), Asia/Pacific (n = 10) and Latin America (n = 3). Disclaimer: The results of this survey do not represent global findings or the market as a whole, but reflect the sentiments of the respondents and companies surveyed.