by Bill Doerrfeld

Why CIOs back API governance to avoid tech sprawl

Feature
Feb 07, 2024 | 12 mins
APIs, Artificial Intelligence, CIO

APIs have become ubiquitous, but managing a widening portfolio of diverse styles poses challenges. Various approaches to API governance, therefore, are becoming more critical to support the fabric of modern enterprises, and avoid the burden of tech overload.

Most companies have transitioned to become more software-centric, and with this transformation, application programming interfaces (APIs) have proliferated. At the same time, API standards are becoming difficult to enforce among ballooning technology catalogs, prompting a greater emphasis on API governance: the practice of defining and enforcing policies that ensure APIs are consistently designed, versioned, and have access control in place, says Mark O’Neill, VP analyst and chief of research for software engineering at Gartner.

Carter Busse, CIO of no-code enabled automation platform company Workato, adds that APIs are now important connective tissue to integrate and interact with large language models (LLMs) within business processes. “If companies want to input, leverage, and embed these digital brains into their business, they’ll need an API to connect the LLM to various business applications,” he says. And as reliance on generative AI rises, the number of APIs in use is anticipated to increase accordingly.

But APIs do more than support next-generation technologies — they already serve a foundational purpose within most enterprises. Karl Mattson, field CISO at Noname Security, an API security solution, says APIs are the foundation of nearly every CIO’s strategic plans to deliver business value. As such, he views API governance as the lever by which this value is assessed and refined. “Good governance is the telemetry on that investment, from which operational and tactical plans can be adjusted and focused to achieve strategic objectives,” he says.

API-first strategies on the rise

APIs are ubiquitous within modern software architectures, working behind the scenes to facilitate myriad connected capabilities. “As enablers for the integration of data and business services across platforms, APIs are very aligned with current tech trends,” says Antonio Vázquez, CIO of software company Bizagi. “Reusability, composability, accessibility, and scalability are some of the core elements that a good API strategy can provide to support tech trends like hybrid cloud, hyper-automation, or AI.”

For these reasons, API-first has gathered steam, a practice that privileges the development of the developer-facing interface above other concerns. “API-first strategy becomes critical to navigate contemporary tech trends, foster innovation, and ensure adaptability in a rapidly evolving technological landscape,” says Krithika Bhat, CIO of enterprise flash storage provider Pure Storage. She considers the increasing adoption of cloud computing and microservice architectures to be top drivers of formalized API-first approaches. Digital transformation and growing reliance on third-party services are key contributors as well, she adds.

An API-first culture can also create positive ripple effects across an entire organization. “IT departments already use APIs to power purpose-driven applications, enabling seamless integration and fostering innovation for their employees through customized and personalized applications,” says Workato’s Busse.

Ajay Sabhlok, CIO and CDO at zero trust data security company Rubrik, Inc., agrees that APIs remain relevant in today’s tech landscape, especially for B2B connections. “In the predominantly SaaS applications-based IT architecture, bidirectional data flow between applications is best enabled via APIs,” he says. API-first development yields a multitude of benefits, he adds, including abstraction of the underlying data, increased automation, better governance over data usage, and a more accessible audit trail.

Next-gen platforms drive more API usage

APIs are at the forefront of cutting-edge development trends, and for years now, says O’Neill, modern web and mobile development has involved frontend frameworks calling APIs at the backend, which drives a tremendous amount of API usage. “Current API trends are driven by developers, which include the move toward more developer-friendly, lightweight API gateways, as well as the rise of GraphQL,” he adds.

However, much excitement is centered around the prospect of AI and how it’ll catalyze more API adoption. “APIs remain central to tech strategy and are more vital than ever due to their use by LLMs, including OpenAI plugins,” says O’Neill. And Sabhlok adds: “Gen AI LLMs provide APIs that are leveraged across several AI applications, and spawn exponentially growing API usage.”

There are other key drivers behind increasing API utilization. For instance, Sabhlok points to EV car manufacturers or ride-sharing companies, which, he says, develop accessible platforms or devices that consumers or third-party complementary product manufacturers can readily interact with through APIs. He also points to microservices and low-code/no-code platforms, which often leverage APIs as communication gateways. Furthermore, APIs are routinely used as building blocks for internal reusability and integrated data flow processes.

API sprawl brings new management overhead

Enterprises are now composed of a diverse API portfolio, ranging from internal services to partner integrations and third-party SaaS providers. Managing many new APIs incurs additional operational overhead, says Pure Storage’s Bhat. “Organizations need to allocate resources for maintenance, updates, and support, impacting the cost-effectiveness of API management,” she says.

With more APIs, additional effort is required to maintain design consistency and reduce scalability and end-user experience concerns — not to mention the added security risks stemming from a widened surface area. “It becomes crucial to proactively address and mitigate security risks associated with authentication, authorization, and data protection,” adds Bhat. APIs are routinely involved in breaches, and best practices to secure an API throughout its lifecycle are relatively immature, adds Noname Security’s Mattson.

There’s the additional need to simultaneously manage changes throughout various API lifecycles to retain reliable integrations. “Managing APIs is similar to managing building software,” says Busse. “Developers and IT teams must make sure they have the proper change management, source code control, and release management processes in place when implementing APIs to allow effective and secure integration between applications.”

Without proper API inventory management, enterprises can suffer from a decline in reuse, contributing to bloat and technical debt. A development culture can suffer from a proliferation of similarly functioning APIs in custom-built applications if APIs aren’t cataloged effectively, says Sabhlok.

So API ubiquity presents numerous IT management challenges due to inconsistent design patterns, communication silos, access control, documentation hurdles, and monitoring, performance and scalability concerns, says Ratinder Paul Singh Ahuja, who oversees API governance and security as CTO and VP at Pure Storage. Besides technical considerations, however, there are unique business implications to consider, adds Bizagi’s Vázquez. “We must address the value proposition, who the target user is, what the alignment with the business objectives is, and how APIs can be marketed and monetized, if possible,” he says.

Stemming the tide

API governance has emerged in response to these escalating management hurdles, and governance programs oversee many elements of an API throughout its lifecycle, helping to obtain a safe and reliable ROI. “As APIs have become more common in enterprises,” says Mattson, “IT and business organizations have built API governance programs to ensure their investments in APIs achieve intended results, including performance, efficiency, security, and compliance.”

According to Ahuja, API governance must enforce standards and policies for consistent API development, covering the full scope of API operations. “Meaningful API governance involves API management practices that encompass consistency, operationalization, telemetry, security, and continuous improvements throughout the API lifecycle,” he says.

A burgeoning API culture also requires a governance framework to enable a highly secure state. “Any governance program must define a framework in which a product can be properly managed in time,” says Vázquez. “In the case of APIs, we need to address how they’re going to be monitored and maintained.” He adds we must also assure quality, security, and compliance throughout future updates and versioning.

What good API governance really looks like

In practice, many elements make up a successful API governance initiative. First, good API governance should improve the design of APIs, making them consistent from service to service. “When good API governance is in place, consistent design means all your organization’s APIs look like they were defined by the same team, even if many teams were involved,” says Gartner’s O’Neill. He adds that governance should be automated where possible so an API strategy doesn’t present a bureaucratic bottleneck for API producers or consumers.

In addition to establishing API design standards, Sabhlok emphasizes that quality API governance should consider visibility into APIs. This can be achieved through strategies such as documenting comprehensively, maintaining an active inventory, using observability, and creating operational guidance from the design phase through retirement. He also suggests establishing a center of excellence to review and update the framework components and take corrective actions where necessary.

Factors contributing to a quality API governance model should also future-proof the overall IT strategy. “Effective API governance allows organizations to quickly adapt to changes by enabling the easy creation, sharing, monitoring, and adjustment of APIs, thus helping organizations stay competitive in the long term,” says Busse. “Plus, it enables organizations to streamline and automate workflows, saving time and allowing individuals and teams to focus on business-critical tasks.”

Guardrails bring CIOs peace of mind

CIOs should consider API governance since maintaining a healthy API inventory benefits overall IT agility. “Making sure our API portfolio is healthy will allow us to be scalable, flexible, cost-optimal, and prepared for the adoption of new technologies, like gen AI, in a seamless and reliable way,” says Vázquez.

Additionally, governance helps establish better developer experiences, and a more secure technology posture, both critical for success with API-first initiatives. “API governance is vital for API uptake since it ensures they’re consistently designed,” says O’Neill. “It’s also central to API security since it involves creating access control policies for APIs.”

Plus, governance is crucial to guide strategic alignment between operations and IT strategy. “By adhering to defined standards and policies, CIOs can streamline IT processes, accelerate development cycles, and facilitate effective collaboration among teams,” says Ahuja. “API governance contributes to strategic alignment by promoting a cohesive and well-managed digital infrastructure, which enables CIOs to leverage APIs as strategic assets that drive innovation and support the organization’s broader business objectives.”

API governance can also give CIOs peace of mind by delivering leaner and safer digital experiences at a faster time to market, explains Mattson. “When implemented effectively, API governance enables an organization to create, update, and manage all APIs throughout their life cycles, and continuously adjust its practice toward optimal effectiveness,” he says. Proper governance guides the correct development and delivery of functionality, which reduces risks and helps meet customer expectations.

“CIOs must support API governance because of its many benefits,” says Sabhlok. However, it’s best to avoid boiling the ocean with full governance from day one, and instead take small steps and validate progress early on. “Identifying and getting early support is an excellent way to avoid developing crushing API technical or process debt that may impede enabling governance later,” he adds.

Helping to attain business objectives

In today’s hybrid and connected digital economy, data and software functionality are intrinsically tied to value. “In essence, an API-first strategy becomes critical to navigate contemporary tech trends, foster innovation, and ensure adaptability in a rapidly evolving technological landscape,” says Bhat. Proper governance steers any objective tethered to API-first strategies in the right direction.

Therefore, investments into governing API operations are necessary to attain business goals. “APIs are the foundation of nearly every CIO’s strategic plans to deliver business value,” says Mattson. “The attention and investment in API governance are necessary to make sure these strategic goals are achieved as envisioned.”

According to Sabhlok, governance not only results in more ready-to-use APIs across applications, but acts as a meter to gauge the ongoing success of new tech initiatives. To him, API governance elevates the business by delivering a more “confident impact assessment of making process enhancements or modifications.” It also provides a common forum for the company to share their process health experiences, including performance, data issues, missing transactions, outages, and security, he adds.

API governance can help future-proof an IT strategy, better positioning the business to adopt state-of-the-art technologies. This is important, as APIs are vital to plug in gen AI and LLMs, which are key tools to remain competitive, adds Busse. “Because of this, APIs will be critical to how we do business with customers and partners in an AI-driven future,” he says.

Much potential also lies in API productization — governance makes such externalization viable. “Getting business advantage from APIs often involves creating products from APIs,” says O’Neill. “API governance supports this by ensuring the APIs are consistently designed and managed.”

Governance guides more confident usage

Although APIs are simply a means to an end, the surging reliance on them throughout the modern technology stack warrants keen assessment. Executives agree, therefore, that API governance will play an essential role in solidifying the future of IT and business strategy. “The API is a tool in the arsenal and, in many cases, is the primary tool,” says Mattson. “Governance practices guide the organization and its tools to achieve all of these objectives with confidence.”

Ultimately, adds Ahuja, API governance contributes to the organization’s agility, innovation, and responsiveness to market demands. “It supports overarching business objectives and ensures the effectiveness of the digital ecosystem,” he says.

by Bill Doerrfeld
Author

Bill is a tech journalist specializing in state-of-the-art technologies in the enterprise cloud software space. He is also Editor in Chief for Nordic APIs, a knowledge center for API practitioners, and contributes to DevOps.com, Cloud Native Now (formerly Container Journal), and Acceleration Economy.
