May 3, 2017

How APIs are Changing Technology Governance Models

Does the term “governance” make you cringe? Governance often brings to mind process gates, bureaucracy, and glacial progress. This is an unfortunate side effect of years of misguided, ineffective, or flat-out failed technology governance practices across the corporate technology landscape.

Truth #1 – Technology governance largely deserves it’s tarnished reputation.

Truth #2 – Governance is critical to managing successful infrastructure and operations. 

Truth #3 – Governance models are changing, due to the shift toward APIs

The Governance Dilemma

Typical promises made by traditional technology governance practices include risk management, data protection, legal compliance, standards compliance, access management, reusability, etc. In today’s world, it’s hard to argue with these valuable functions. The challenge is that typical governance practices are inherently at odds with the direction of the business world.


Traditional approaches to governance simply cannot keep up with the rapid evolution being forced on companies in every industry by pressure from:

  • Smaller players repeatedly disrupting entire industries by unbundling value streams
  • The internet of things (IoT), conversational user interfaces, and artificial intelligence (AI) fundamentally changing customer expectations and corporate customer interaction models
  • Consumers holding incredible power over brands & companies

As companies scramble to remain relevant, digital transformation has become essential, the lines between business and IT are vanishing, and APIs are now the primary means of leveraging digital business capabilities. This movement is one of the drivers behind technology governance disruption.

New Governance Challenges

Today’s business challenges continue to lead us toward more, smaller, cross-functional, and largely autonomous teams, each focused on independent delivery and innovation. Add to this the adoption of cloud (platforms & infrastructure), APIs, & continuous delivery tools, and a few realities emerge:

  • Pervasive & gated governance processes cost far more in business reaction time than the value they typically deliver.
  • Changes come from more places within the business than ever before.
  • Changes are delivered at a dramatically faster pace.

The result? The risks of irrelevancy and disruption frequently lead businesses to abandon governance in favor of pace. But the risks associated with ungoverned change are amplified by the increase in internal change agents and speed.

Where does this leave us?

Governance Redefined

Today’s emerging API governance practices are based on a different set of fundamentals:

API governance models

Let’s take a closer look at a few key distinctions:

1. Value & Transparency-Driven

Transparency is the cornerstone of the new API governance paradigm. As business capabilities are digitized and exposed via APIs, the API Gateway becomes a massive enabler for “free”, consistent and credible performance data collection to be used as a basis for measuring key business indicators:

  • Who uses this digital product and how?
  • How well is the product performing against expectations?
  • What is the consumption trend?
  • How is our sensitive data being consumed and by who?

In many ways, the emerging governance paradigm is simply another manifestation of the build-measurelearn cycle described by the Lean Startup Method.

2. Data-centric

The movement toward API gateway-based integration and microservice architectures dramatically reduces the number of pathways available for sensitive data to flow across systems and in and out of organizations. This trend could create remarkable transparency around how sensitive data flows and is consumed, thereby reducing the risk and the effort associated with data governance. Closer oversight may still be needed in certain contexts, but transparency will be dramatically higher, which will translate into agility.

3. Community-based

To draw a parallel, the quality and value of retail products are now largely defined by the consumers of those products (ever buy a product on Amazon rated 1 star with 300 reviews?). In many cases, embracing of your API consumer community can create a similar effect through your API portal. Taking steps to create an internal economy for digital products can further the impact of community governance.

4. Risk-based

IT departments are rejecting one-size-fits-all governance practices in favor of a risk-based approach using a sliding scale.

For example:

  • High risk changes (PCI, PHI Data usage): gated pre-release inspections
  • Mid-risk (PII data usage, API portal taxonomy impacts): just-in-time community of practice guidance
  • Low-risk (Anything else): post-change measurement

Obviously team leader accountability and trust plays a crucial role in success here.

Final Thoughts

To be clear, I’m not at all suggesting that there is no place for traditional governance practices. I am saying that unless you deal with very high levels of risk (e.g. space travel) or certain legal/compliance contexts, you should be transforming your technology governance practices from impediment to enablement. Focus less on being careful and more on being agile. 

This post was republished with permission from Vanick Digital. Click here to see the original article.


Pete Clare is an API and digital transformation strategist. Pete has a diverse background defined by a deep focus on the application of Lean/Agile principles to digital and API transformations, solution development, and global content delivery. As a 15+ year technology veteran, he draws from a wealth of experience in development, architecture, program management, and leadership.

Looking for software? Try our Product Selection Tool