Your API governance is more AI-ready than you think
Writing here after a long gap. Something’s been on my mind and I’d rather think out loud than keep sitting on it.
A couple of years ago I was asked to put a consumer-facing GenAI assistant in front of millions of people, sitting on top of an enterprise estate that had taken us a decade to wire together. Everyone in the room wanted to talk about the model. I spent most of my time on the gateway, and I think that was the right call.
The thing that kept me up wasn’t accuracy. It was that we were about to expose internal services to a caller that could be talked into anything.
So we didn’t invent a new layer. We put the assistant behind the same gateway pattern we already trusted — mediated at the edge, with OAuth2 and mTLS on every hop, dynamic token validation rather than long-lived keys, rate limits sized to the assistant’s realistic burst, and WAF sitting in front of the consumer channel. None of that is novel. That was the point. It was already proven, already audited, already something our security team knew how to reason about.
Prompt injection was the one that didn’t fit the old model, and I want to be honest that we didn’t solve it. What we did was contain it. We assumed the assistant would eventually be manipulated, and made sure that when it happened, it could only reach a narrow, explicitly-permitted set of downstream services with a token scoped to exactly that. The blast radius question is one integration architects have been answering for years. We just pointed it at a new kind of caller.
Since then I’ve built MCP servers and clients myself, from scratch, to understand where this is actually going. The protocol is clean. But it defines how you expose a tool — not who is allowed to call it, how often, or what it costs you. That control plane has to live somewhere, and I don’t think the answer is a new one. I think it’s the API gateway you already run.
If your organization spent the last five years fighting for API-first governance, you are further along on agentic AI than you feel. Those primitives transfer. Don’t throw them out because the client is now a model.
What’s actually breaking first for the rest of you — delegated auth, token cost, or figuring out what the agent even did?
#EnterpriseArchitecture #APIGateway #GenAI #MCP #IntegrationArchitecture
