AI and APIs

API Governance in the Age of AI


Olga Podolyako is a seasoned technology expert with over 30 years of experience in the field. Originally from Russia, Olga moved to the U.S. and has since built an impressive career in software development, enterprise architecture, and API governance. Currently, she works at Microsoft as a Principal API Architect, where she oversees the governance of the Microsoft Graph API. In this role, she ensures that APIs meet rigorous standards while balancing the need for innovation, speed, and quality. Olga’s deep expertise in API governance, coupled with her passion for exploring the intersection of technology and artificial intelligence, positions her as a thought leader in the evolving world of API management.

API governance, which involves setting rules and practices to ensure API consistency, security, and performance, is more critical now than ever. Today, AI technologies like GitHub Copilot are beginning to reshape how we approach development and governance. In this article, we will explore how AI can help streamline API governance and review processes, making them more efficient and scalable.

The Story of Innovasoft and Classic Tech

To illustrate the importance of AI-driven API governance, let’s start with a story about two rival companies: Innovasoft and Classic Tech.

Both companies heavily relied on APIs to integrate various products, but their approaches to API governance differed. Innovasoft embraced AI-driven governance, implementing automated checks for permissions, performance, and integration. Meanwhile, Classic Tech stuck to manual governance, with teams manually reviewing APIs for compliance and performance.

When both companies released new product features simultaneously, Innovasoft’s AI-enhanced APIs ensured seamless integration and performance, while Classic Tech’s manual review process resulted in buggy APIs and frustrated customers. Innovasoft surged ahead in market reputation and sales, while Classic Tech faced a decline.

This story highlights a growing truth: AI-driven API governance is becoming essential for companies that want to stay competitive in today’s fast-paced tech landscape.

API Governance at Microsoft Graph

Let me shift focus to the scale of governance we manage at Microsoft Graph. Microsoft Graph provides access to cloud data and services across several of Microsoft’s SaaS products, such as Office 365, Teams, Outlook, and Azure Active Directory. With over 12,000 unique resource types and more than 2,000 relationships between them, it’s one of the most complex API ecosystems in the world.

More than 100 product teams contribute to the platform, and we conduct over 2,500 API reviews each year. To manage this immense scale, we rely heavily on API governance automation that spans the entire lifecycle, from planning to production.

Automating API Governance

At Microsoft Graph, we use Azure DevOps for work management, automating rules and standards throughout the API lifecycle. For instance, permissions and security controls are automatically enforced and checked at every step. We have also formalized processes for documentation generation and continuous security testing.
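The kind of automated permission check described above, as an added example that is not Microsoft Graph's tooling: a small governance rule run over an OpenAPI 3 description. The spec below is constructed for the example (the scope names only mimic the `Resource.Verb` naming style), and the three rules, every operation must require authentication, every referenced security scheme must exist, and every requested scope must be defined by that scheme, are the ones a reviewer would otherwise check by hand.

```python
"""Added example: an automated OpenAPI 3 security/permission governance check.
This is illustrative code, not Microsoft Graph's governance tooling."""
import math  # noqa: F401  (kept so the module has no hidden dependencies beyond stdlib)
from typing import Dict, List, Set

# Constructed sample spec for the example; not a real Microsoft Graph API description.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "components": {
        "securitySchemes": {
            "oauth2": {
                "type": "oauth2",
                "flows": {
                    "authorizationCode": {
                        "authorizationUrl": "https://login.example.invalid/authorize",
                        "tokenUrl": "https://login.example.invalid/token",
                        "scopes": {"Mail.Read": "Read mail", "Mail.ReadWrite": "Read and write mail"},
                    }
                },
            }
        }
    },
    "paths": {
        "/me/messages": {
            "get": {"operationId": "listMessages", "security": [{"oauth2": ["Mail.Read"]}]},
            "post": {"operationId": "createMessage"},  # violation: no security at all
        },
        "/me/messages/{id}": {
            # violation: scope not defined by the scheme
            "delete": {"operationId": "deleteMessage", "security": [{"oauth2": ["Mail.Delete"]}]},
            # violation: scheme never declared in components
            "patch": {"operationId": "updateMessage", "security": [{"apiKey": []}]},
        },
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}


def known_scopes(scheme: Dict) -> Set[str]:
    """Collect the scopes an OAuth2 scheme defines across all of its flows."""
    if scheme.get("type") != "oauth2":
        return set()
    scopes: Set[str] = set()
    for flow in scheme.get("flows", {}).values():
        scopes.update(flow.get("scopes", {}).keys())
    return scopes


def check_security(spec: Dict) -> List[str]:
    """Return one human-readable finding per violated governance rule."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    findings: List[str] = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:  # skip 'parameters', 'summary', etc.
                continue
            where = f"{method.upper()} {path}"
            # Operation-level security overrides the document-level default.
            # An explicit empty list means "anonymous allowed"; this rule rejects that too.
            security = op.get("security", spec.get("security"))
            if not security:
                findings.append(f"{where}: no security requirement declared")
                continue
            for requirement in security:
                for scheme_name, scopes in requirement.items():
                    scheme = schemes.get(scheme_name)
                    if scheme is None:
                        findings.append(f"{where}: unknown security scheme '{scheme_name}'")
                        continue
                    defined = known_scopes(scheme)
                    for scope in scopes:
                        if scope not in defined:
                            findings.append(
                                f"{where}: scope '{scope}' not defined in scheme '{scheme_name}'"
                            )
    return findings


if __name__ == "__main__":
    for finding in check_security(SAMPLE_SPEC):
        print(finding)
```

A check like this belongs in the pipeline gate rather than the review meeting: it fails the build for the three mechanical violations and leaves the reviewer only the judgment calls, such as whether `Mail.ReadWrite` is really the least-privileged scope for the operation.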

However, while automation significantly reduces manual tasks, API review remains the final manual check in our process. It ensures that every API adheres to our design and security standards before moving to production.

The Role of AI in API Reviews

A key question we face today is whether AI can fully replace manual API reviews. To answer this, it’s important to first understand what API reviews entail.

Historically, API reviews focused on design, but as we moved toward an “API as a Product” mindset, the scope of reviews broadened. Today, we ensure that APIs are evolvable, secure, and performant. During a review, we look for compliance with Microsoft Graph’s guidelines, the completeness of the API’s documentation, and that it doesn’t break client code.

One challenge we noticed is that 25% of an API reviewer’s time is spent educating developers about API design guidelines, security protocols, and the onboarding process. This is not an efficient use of time, especially when the same issues are raised repeatedly.

AI to the Rescue: Semantic Search and RAG

To address this, we began exploring AI-powered tools to reduce review time and improve the developer experience. Our solution? Semantic Search and Retrieval-Augmented Generation (RAG).

RAG is an AI pattern in which a vector search first retrieves the passages most relevant to a question from a large knowledge base, and those passages are then supplied to a language model as the context for its answer. This allows developers to ask simple, natural language questions and receive accurate answers grounded in our own documentation rather than in the model's general training data.

At Microsoft Graph, we integrated this system into our governance portal, which is where teams submit their API review requests. The portal now uses Azure AI building blocks like Azure AI Search, Azure OpenAI models, and Semantic Kernel to create a seamless search and response experience.

Here’s how it works:

  1. Document Indexing: We use AI to process and index all relevant documents—such as design guidelines, internal specifications, and onboarding processes—into a vectorized format.
  2. Search Experience: Developers can query the portal with questions like “What constitutes a breaking change in Graph APIs?” and receive highly relevant responses in seconds.

This new approach allows developers to find the information they need without waiting for manual feedback, significantly speeding up the API review process.

Results from the AI Experiment

After implementing this AI-driven system, we saw a 20% reduction in API review time. AI-driven responses provided quick and accurate answers for common questions, such as how long onboarding takes or specific compliance rules.

Moreover, we observed that AI models could generate content based on templates, such as API designs, further reducing the manual work required for API documentation.

Can AI Replace Human Reviewers?

Despite the significant improvements, there are limitations. AI models are incredibly flexible, but maintaining consistency, reliability, and high-quality API review artifacts requires extensive engineering efforts. AI excels at answering simple questions and enforcing standard rules, but when it comes to more complex scenarios, human reviewers are still indispensable.

For example, nuanced issues like handling complex API performance problems, aligning APIs with strategic goals, or making architectural trade-offs require a human touch. AI, while powerful, cannot yet replicate the breadth of expertise and experience that human reviewers bring to the table.

The Future of API Governance

So, can we fully automate API governance with AI? The answer is: not yet. While AI can automate large parts of the API lifecycle and significantly reduce review time, human reviewers are still needed to address complex problems that require in-depth knowledge and judgment.

In conclusion, our journey with AI in API governance has been highly promising. We’ve learned that AI can reduce review time by up to 40% and help streamline the governance process. However, we are still some way from fully automating API reviews.

The story of Innovasoft might not be our present reality, but it’s certainly a vision we are working towards. As AI continues to evolve, we expect it to play an even bigger role in API governance, helping both developers and reviewers navigate the increasing complexity of modern API ecosystems.

Thank you for your attention, and I look forward to seeing how AI continues to transform the world of API governance!

Olga Podolyako

I'm striving to work in a challenging enterprise environment, where I can benefit my clients by applying my strong architecture and leadership skills to solve complex business and IT problems using modern technologies and architectures, and build strong architecture practices to deliver desired business outcomes.

  • Extensive experience in all enterprise architecture domains: business, data, application, and technology
  • Proven leadership skills in the area of architecture delivery methodology
  • Extensive expertise with leading software development teams in the application and integration domain
  • More than 20 years of experience with the end-to-end development lifecycle, implementing front-end applications, integration solutions, services, and workflows in compliance with enterprise security standards and industry regulations

Specialties: Enterprise Architecture, Integration Architecture, Cloud / Infrastructure Architectures, TOGAF and SEI Software Architecture methodologies
