Failing to understand your API history increases the risk of repeating past mistakes in future API development. Establishing provenance for each API helps track changes over time and ensures new owners and stakeholders can quickly get up to speed. Architectural decision records for API operations provide stability and a shared understanding among teams, supporting both the creation of new APIs and the maintenance of legacy APIs. In the age of artificial intelligence, API provenance is becoming even more critical for governing enterprise operations. Maintaining clear records of which APIs models have been trained on, which APIs can be used within each model, and which models are accessed via APIs will be essential for meeting future regulatory and compliance requirements. Without proper API provenance, the cost and complexity of delivering APIs are likely to increase significantly.
Provenance
Policies
Dependency SBOM Maintained
Require that every API maintain a current software bill of materials enumerating the libraries, services, and versions it depends on. I want a machine-readable SBOM and dependency manifest kept in ...
Compliance Mapping (Governance)
Require that every API in production maps its endpoints, data, and controls to the specific regulatory and compliance obligations it falls under, whether that is GDPR, HIPAA, PCI DSS, SOC 2, or an ...
Dependency Management (Governance)
Require that every API declares the upstream services, libraries, and other APIs it depends on, and keeps that list current as part of its governance record. I care about this because APIs never st...
Maintainers
Require that every API names its maintainers, the real people or team accountable for its design, operation, and support, and records them where the contract lives. I care about this from the very ...
Strategies
API Dependencies Have an SBOM
I want a software bill of materials for the APIs and services we depend on, so that we always know what is actually in the systems we ship. Every external API we consume is a dependency, and if we ...
API Provenance Is Maintained and Auditable
All API contracts must maintain a clear record of their provenance including reviews, certifications, pull requests, and change history, ensuring that the evolution of each API is traceable, audita...
APIs Are Transparent and Accountable
I want our APIs to be transparent about how they handle data and accountable for the promises we make around it. That means the consent and data processing agreements that govern an integration are...