Naftiko

API Governance at the Agent Consumption Layer: Governing 405 Operations Across 36 APIs Without Changing Team Behavior

APIDays NYC

Kin Lane
Chief Community Officer (CCO) and Co-Founder @ Naftiko
[email protected]

2026  

01 / 06

My API Governance Journey

Kin Lane · API Evangelist · Chief Evangelist @ Postman · API Governance Lead @ Bloomberg · Chief Community Officer @ Naftiko
Technology, business, and politics of APIs @ API Evangelist since 2010 → API producer mindset → API standardization → API discovery → Chief Evangelist @ Postman and Host of Breaking Changes Podcast → API consumer mindset → OpenAPI, AsyncAPI, JSON Schema → A focus on product-led API governance → API Governance Lead @ Bloomberg → Chief Community Officer @ Naftiko. → Capabilities → AI integration
02 / 06

What is API Governance, Really?

OpenAPI · AsyncAPI · JSON Schema
Spectral Rules · Vacuum Rules
VSCode · IntelliJ
Git · CI/CD Pipelines
API Gateway
Design Guides → OpenAPI → AsyncAPI → JSON Schema → Spectral or Vacuum rules → Linting → CLI → Editors → IDE → Git → CI/CD pipelines → Gateways → Platforms → Portals → Catalogs → Teams → Domains → Lines of Business → Products → Sales → Support → Customers → Feedback Loops
03 / 06

36 APIs · 405 Operations · One Governed Interface

consumes:
  - type: http
    namespace: pan-os
    baseUri: https://<fw>/restapi/v10.2
    authentication:
      type: apikey
      key: X-PAN-KEY
      value: $secrets.panos_key
    resources:
      - name: address-objects
        operations:
          - name: list
            method: GET
  - type: http
    namespace: prisma-cloud
    baseUri: https://api.prismacloud.io
    authentication:
      type: bearer
      token: $secrets.prisma_token
    resources:
      - name: alerts
        operations:
          - name: list
            method: GET
Spectral & Vacuum → Naftiko Capability → OpenTelemetry & Prometheus
exposes:
  - type: http
    namespace: security-ops
    port: 8080
    resources:
      - name: address-objects
        operations:
          - name: list
            method: GET
            path: /address-objects
      - name: alerts
        operations:
          - name: list
            method: GET
            path: /alerts
  - type: mcp
    namespace: security-ops
    port: 8080
    tools:
      - name: list-address-objects
        call: pan-os.list
      - name: list-prisma-alerts
        call: prisma-cloud.list
Domains → Tags → Composition → Orchestration → Abstraction → Transformation → Compliance
04 / 06

Consumer Needs · Multiple API Providers · Capabilities

consumes:
  - type: http
    namespace: pan-os
    baseUri: https://<fw>/restapi/v10.2
    authentication:
      type: apikey
      key: X-PAN-KEY
      value: $secrets.panos_key
    resources:
      - name: address-objects
        operations:
          - name: list
            method: GET
  - type: http
    namespace: prisma-cloud
    baseUri: https://api.prismacloud.io
    authentication:
      type: bearer
      token: $secrets.prisma_token
    resources:
      - name: alerts
        operations:
          - name: list
            method: GET
  - type: http
    namespace: okta
    baseUri: https://<tenant>.okta.com/api/v1
    authentication:
      type: apikey
      key: Authorization
      value: $secrets.okta_token
    resources:
      - name: users
        operations:
          - name: list
            method: GET
Spectral & Vacuum → Naftiko Capability → OpenTelemetry & Prometheus
exposes:
  - type: http
    namespace: security-ops
    port: 8080
    resources:
      - name: address-objects
        operations:
          - name: list
            method: GET
            path: /address-objects
      - name: alerts
        operations:
          - name: list
            method: GET
            path: /alerts
      - name: users
        operations:
          - name: list
            method: GET
            path: /users
  - type: mcp
    namespace: security-ops
    port: 8080
    tools:
      - name: list-address-objects
        call: pan-os.list
      - name: list-prisma-alerts
        call: prisma-cloud.list
      - name: list-okta-users
        call: okta.list
Boundaries → Integrations → Composition → Orchestration → Abstraction → Aggregation → Observability
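The capability files on the two slides above (consumes: three upstream APIs; exposes: one HTTP namespace and one MCP tool set whose `call` entries point back at consumed operations) are the governed interface. What a governance lead wants at this layer is a lint pass over that file, the same place Spectral and Vacuum sit for OpenAPI. The following is an added example, not Naftiko's own code or schema: the consumes/exposes layout, the http/mcp types and the `call: <namespace>.<operation>` form are taken from the slides; how `call` resolves (operation names assumed unique within a namespace), the `allow_write` flag, and every rule below are this example's assumptions. The sample capability is the slide's content transliterated into a Python dict, plus a constructed non-compliant variant so the checks have something to find.

```python
"""Governance checks for a Naftiko-style capability document (added example)."""
import re

# Credentials must be $secrets references, never literals in the file (assumed rule).
SECRET_REF = re.compile(r"^\$secrets\.[A-Za-z0-9_]+$")
READ_ONLY = {"GET", "HEAD"}


def _operations(api):
    """Yield (operation name, method) for every operation a consumed API declares."""
    for res in api.get("resources", []):
        for op in res.get("operations", []):
            yield op["name"], str(op.get("method", "")).upper()


def lint_capability(cap):
    """Return a list of (rule, message) findings; an empty list means compliant."""
    findings = []
    consumed = {}  # namespace -> {operation name: method}; assumes unique op names per namespace
    for api in cap.get("consumes", []):
        ns = api.get("namespace", "<unnamed>")
        consumed[ns] = dict(_operations(api))
        # C1: upstream traffic is TLS-protected (host placeholders such as <fw> are fine).
        if not str(api.get("baseUri", "")).startswith("https://"):
            findings.append(("C1", f"{ns}: baseUri is not https"))
        # C2: every consumed API declares how it authenticates.
        auth = api.get("authentication")
        if not auth:
            findings.append(("C2", f"{ns}: no authentication block"))
            continue
        # C3: apikey `value` and bearer `token` reference the secrets store.
        for field in ("value", "token"):
            if field in auth and not SECRET_REF.match(str(auth[field])):
                findings.append(("C3", f"{ns}: authentication.{field} is an inline literal"))

    seen_tools = set()
    for exp in cap.get("exposes", []):
        if exp.get("type") != "mcp":
            continue
        for tool in exp.get("tools", []):
            name = tool.get("name", "<unnamed>")
            # E1: tool names are unique in the namespace an agent sees.
            if name in seen_tools:
                findings.append(("E1", f"tool {name}: duplicate name"))
            seen_tools.add(name)
            # E2: `call` resolves to a consumed namespace and operation (assumed resolution).
            ns, _, op = str(tool.get("call", "")).partition(".")
            if ns not in consumed or op not in consumed[ns]:
                findings.append(("E2", f"tool {name}: call '{tool.get('call')}' does not resolve"))
                continue
            # E3: agent tools are read-only unless explicitly allowed (assumed `allow_write` flag).
            if consumed[ns][op] not in READ_ONLY and not tool.get("allow_write", False):
                findings.append(("E3", f"tool {name}: exposes {consumed[ns][op]} without allow_write"))
    return findings


def _api(ns, base, auth, resource, ops):
    """Build one consumed-API entry in the slide's layout (constructed helper)."""
    return {"type": "http", "namespace": ns, "baseUri": base, "authentication": auth,
            "resources": [{"name": resource, "operations": ops}]}


# Constructed sample: the three consumed APIs and the MCP tools from the slide.
SLIDE_CAPABILITY = {
    "consumes": [
        _api("pan-os", "https://<fw>/restapi/v10.2",
             {"type": "apikey", "key": "X-PAN-KEY", "value": "$secrets.panos_key"},
             "address-objects", [{"name": "list", "method": "GET"}]),
        _api("prisma-cloud", "https://api.prismacloud.io",
             {"type": "bearer", "token": "$secrets.prisma_token"},
             "alerts", [{"name": "list", "method": "GET"}]),
        _api("okta", "https://<tenant>.okta.com/api/v1",
             {"type": "apikey", "key": "Authorization", "value": "$secrets.okta_token"},
             "users", [{"name": "list", "method": "GET"}]),
    ],
    "exposes": [
        {"type": "mcp", "namespace": "security-ops", "port": 8080, "tools": [
            {"name": "list-address-objects", "call": "pan-os.list"},
            {"name": "list-prisma-alerts", "call": "prisma-cloud.list"},
            {"name": "list-okta-users", "call": "okta.list"},
        ]},
    ],
}

# Constructed non-compliant variant: plain http, a literal token placeholder, a duplicate
# tool name, a write operation handed to agents without allow_write, and a dangling call.
BAD_CAPABILITY = {
    "consumes": [
        _api("okta", "http://<tenant>.okta.com/api/v1",
             {"type": "apikey", "key": "Authorization", "value": "SSWS <literal-token>"},
             "users", [{"name": "list", "method": "GET"},
                       {"name": "deactivate", "method": "POST"}]),
    ],
    "exposes": [
        {"type": "mcp", "namespace": "security-ops", "port": 8080, "tools": [
            {"name": "list-okta-users", "call": "okta.list"},
            {"name": "list-okta-users", "call": "okta.list"},
            {"name": "deactivate-user", "call": "okta.deactivate"},
            {"name": "list-alerts", "call": "prisma-cloud.list"},
        ]},
    ],
}

if __name__ == "__main__":
    for label, cap in (("slide", SLIDE_CAPABILITY), ("bad", BAD_CAPABILITY)):
        for rule, msg in lint_capability(cap) or [("OK", "no findings")]:
            print(f"{label}: {rule} {msg}")
```

Run as a script it reports no findings for the slide's capability and five for the bad variant (C1, C3, E1, E3, E2). The value of checking at this layer is that the rules apply to every consumed API at once, without any of the 36 producers changing how they ship: the producer's API stays as it is, and the check gates what an agent is allowed to call, with credentials resolved from a secrets store rather than the file.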
05 / 06

Are We Governing People or Are We Governing Engine(s)?

Govern people · Govern the engine
Supply Chains → SaaS → People → Teams → Tribes → Products → Budgets → Lifecycle → Versions → Protocols → Patterns → Standards → Pipelines → Gateways → Centralization → Federation → Documentation → Portal → Sales → Support → Customers → Distribution → Regions → Regulation → Global
06 / 06

Consumer-Defined Governance

Desktop · Web · Mobile · Copilots · Agents · Automation
Consumers → Desktop → Web → Mobile → Copilots → Agents → Automation → Orchestration → Compliance → Observability → Standardization → Context → Transparency → Configuration → Policies → Ephemeral → Secure → Sovereign → Regional → Open-Source → On-Premise → Cloud → Local

Govern the Consumer Layer.
Let Producers Ship What They Ship.

Kin Lane  •  [email protected]