AI agents are sprouting up everywhere. They promise to make our lives easier by knowing how to do whatever needs doing. That means agents need to access resources such as services, tools, and data, but that access should not be unlimited. To operate responsibly, resources should only be accessible in the appropriate context. The following guidelines demonstrate how APIs function to achieve this goal.
Standards promote APIs as a structured intermediary.
APIs are a structured intermediary. Invoking APIs creates an execution space where actors find resources, access is controlled, and authorization is verified. APIs are flexible, reducing exposure yet accommodating a variety of business-approved actions at the same time. The downside of flexibility is the lack of standards which inhibit interoperability. Therefore, emerging standards such as Model Context Protocol (MCP), Open Agentic Schema Framework (OASF), LangChain Agent Protocol, and Agent2Agent Protocol (A2A) are a step in the right direction. They promote thoughtful API design and the utilization of APIs as the primary external interface within agentic ecosystems. Ecosystems of services, tools, and data that agents will use to accomplish their self-directed workplans.
Secure APIs using infrastructure services.
Today’s business applications expose their functionality via APIs, but APIs do not function alone. Gateways consolidate cross-API functions such as user access, authorization, and service discovery. Firewalls filter ports, support routing rules, and protect against malformed protocol requests. Authorization proxies implement advanced identity controls such as authorization code flows and policy lookups. APIs are the gate leading into business applications. Infrastructure services streamline, enhance, and enable proper validation of requests to APIs.
Dynamic validation will replace static validation.
When one AI agent lacks permission for a specific action, it can collaborate with another agent that does have permission. This allows workflows to continue without violating access boundaries. For example, a shopping assistant might request a discount code from a fulfillment agent instead of pulling it directly from a sensitive database. APIs facilitate this interaction while preserving separation of duties. This works well today because agents can act on behalf of a human user or role.
Users and roles represent static permission schemes readily supported by current identity and policy systems. Looking ahead, it is conceivable that agents themselves will eventually possess their own identity (or multiple identities) which will increase the need for strong guardrails to govern access to resources across a wide variety of situations. Eventually, dynamic zero-trust security measures, which validate requestor, target resource, and action at run-time, will replace static, predefined validation.
API-first designs will rise.
APIs are vital for AI agents because the agents need clear delineation of which resources they can access and which security context to use for every action they take. The more agents deployed, the more resources they will access and the more requests they will make—all through APIs. If a single agent executes multiple tasks, there may be multiple authorizations using multiple security contexts. The need for capable APIs intensifies as the number of agents involved increases. APIs must enable appropriate access, automatically and at extremely high scale.
Today, users gain access to resources through applications and custom APIs. Moving forward, standardized APIs will emerge as the strategic control point where agentic AI systems and line-of-business resources interact across network, organizational, and industry boundaries. API-first thinking will lead us into the agentic AI age offering governance, interoperability, and scale.
About the Author
Related Blog Posts
At the Intersection of Operational Data and Generative AI
Help your organization understand the impact of generative AI (GenAI) on its operational data practices, and learn how to better align GenAI technology adoption timelines with existing budgets, practices, and cultures.
Using AI for IT Automation Security
Learn how artificial intelligence and machine learning aid in mitigating cybersecurity threats to your IT automation processes.
The Commodification of Cloud
Public cloud is no longer the bright new shiny toy, but it paved the way for XaaS, Edge, and a new cycle of innovation.
Most Exciting Tech Trend in 2022: IT/OT Convergence
The line between operation and digital systems continues to blur as homes and businesses increase their reliance on connected devices, accelerating the convergence of IT and OT. While this trend of integration brings excitement, it also presents its own challenges and concerns to be considered.
Adaptive Applications are Data-Driven
There's a big difference between knowing something's wrong and knowing what to do about it. Only after monitoring the right elements can we discern the health of a user experience, deriving from the analysis of those measurements the relationships and patterns that can be inferred. Ultimately, the automation that will give rise to truly adaptive applications is based on measurements and our understanding of them.
Inserting App Services into Shifting App Architectures
Application architectures have evolved several times since the early days of computing, and it is no longer optimal to rely solely on a single, known data path to insert application services. Furthermore, because many of the emerging data paths are not as suitable for a proxy-based platform, we must look to the other potential points of insertion possible to scale and secure modern applications.