5 Key Takeaways From apidays New York 2026

Agentic AI was certainly the dominant theme of apidays New York, an event that brought together some of the API industry’s top thinkers and implementers for two days in mid-May 2026. It’s clear that APIs are still as important as ever, but they are now being repositioned as an execution layer for this new paradigm. In that respect, the big takeaway is that APIs are essentially becoming AI agent infrastructure.

As part of this shift, the industry is moving away from a focus on developer experience and toward agentic experience. There’s also a renewed emphasis on API security and access control, since the unpredictability of LLM-based AI agents introduces new risks.

Below, I’ll summarize the takeaways from nearly all presentations I was able to attend this year. Although I was only able to see a slice of the total talks, some clear meta themes materialized. While the typical guardrails of API best practice knowledge around design, testing, security, and governance are still relevant, they’re getting a new perspective in light of autonomous actors — this means more nuanced guardrails, agentic-native identity and permissions, and new optimization techniques.

1. APIs Are Becoming the Execution Layer for AI Agents

Agentic AI is moving from passive recommendations to proactive actions, and major financial institutions are actively building for this paradigm. According to Hirenkumar Patel, lead software engineer at Mastercard, they’re exploring the Agent Payments Protocol (AP2) as a protocol to help AI agents initiate transactions on behalf of users.

We’re in an agentic era, and APIs are the reasoning systems for agentic AI, according to Suman Devarasetti, director of AI enablement and core modernization at U.S. Bank. Yet, agent- and human-based API traffic need separate identities for a number of reasons.

Traditional APIs are human-centric. Because of this, APIs are breaking when exposed to AI agents, says Sriram Rajendran, senior software engineering manager at Capital One. It’ll take certain tactics to prepare this execution layer for agents. For him, this includes hardened idempotency (to ensure agents don’t create new resources upon retries, for instance), as well as new guardrails, discovery controls, and deeper observability.
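To make the idempotency point concrete, here is an added sketch (not code from the talk or from Capital One) of a create handler that replays the stored result on a retry instead of creating a second resource. The class name, status codes, caller IDs, and in-memory store are assumptions for illustration.

```python
import hashlib
import json


class IdempotentCreator:
    """In-memory sketch; a real service would use a shared store with a TTL."""

    def __init__(self):
        self._seen = {}      # (caller_id, idempotency_key) -> (fingerprint, response)
        self.resources = []  # stands in for the database table

    @staticmethod
    def _fingerprint(payload):
        # Canonical JSON so key order does not change the hash.
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def create(self, caller_id, idempotency_key, payload):
        if not idempotency_key:
            # Hardened: refuse creates that cannot be retried safely.
            return 400, {"error": "Idempotency-Key required"}
        slot = (caller_id, idempotency_key)  # scoped per caller identity
        fp = self._fingerprint(payload)
        if slot in self._seen:
            stored_fp, response = self._seen[slot]
            if stored_fp != fp:
                # Same key, different body: reject rather than guess.
                return 422, {"error": "key reused with different payload"}
            return 200, response             # replay: no new resource
        resource = {"id": len(self.resources) + 1, **payload}
        self.resources.append(resource)
        self._seen[slot] = (fp, resource)
        return 201, resource


def demo():
    api = IdempotentCreator()
    order = {"sku": "A-100", "qty": 2}       # constructed sample request
    first = api.create("agent-7", "k1", order)
    retry = api.create("agent-7", "k1", {"qty": 2, "sku": "A-100"})
    clash = api.create("agent-7", "k1", {"sku": "A-100", "qty": 9})
    other = api.create("agent-8", "k1", order)
    return first, retry, clash, other, len(api.resources)
```

Scoping the key to the caller identity keeps one agent from replaying or colliding with another agent's request, and the payload fingerprint stops a reused key from silently returning the wrong resource.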

On the other side, developer consumers can take certain tactics to optimize how they utilize agentic coding tools. One is deploying agents with pre-configured settings, which could help teams speed up things like database synchronization, integration with external repositories, and other permissions and governance capabilities.

Just as previous programming languages abstracted away from the bytes, agentic coding tools are abstracting us farther away from the nuts and bolts. “This is the new way that all software is going to be built,” says Rodric Rabbah, head of product at Astro AI, a new control plane for agents from Postman that can supply pre-configurations for agents.

To support these new agentic coding efforts, context engineering is the new practice to consider. Platformable’s Mark Boyd says API providers must think about how they can build an effective semantic layer to position themselves for internal and external agents.

2. Agentic AI Complicates Security and Governance

The rise of AI consumption of APIs means more traffic, scale, and unusual traffic patterns. The cybersecurity response, thankfully, doesn’t need to involve totally greenfield technology, says Aaron Miller, solutions engineer at Akamai. Agentic AI security strategies boil down to API security across the perimeter, identity and access, and detecting shadow technology and data exposure across flows.

APIs typically carry critical data, meaning API authentication and authorization are important to reduce risks. According to Riya Suri, software engineer at Salesforce, today’s high-grade access control requires utilizing well-established standards like OAuth, PKCE, OpenID Connect, JWTs, and mTLS.

AI is moving fast, but if you’re designing a truly autonomous system that can’t be stopped, should you even start it? Florian Boymond, founder of Stackmint, a platform for AI workflows, underscores the necessity of governance in this era, as well as the need for mathematical guardrails that are not probabilistic to prevent unpredictable outcomes. He refers to this as “separating the brain from the hands.”

API governance is typically a catch-all for the security and standards response to a burgeoning API portfolio. But Kin Lane, API evangelist and co-founder of Naftiko, has a nuanced take. For him, governance should be centered around the consumer needs — that includes all consumers: the end consumer, their client, the developer consumer, and the agentic consumer. With AI at our disposal, exact implementation details or nuances between how APIs are defined matter less, as they can be massaged later on, he says, meaning the consumer is king.

3. Solid API Fundamentals Matter More Than Ever

It may be the AI agent era, but the old API fundamentals and best practices still apply. One area is specification linting, because vague, under-detailed OpenAPI specifications can lead to confusion, AI hallucinations, and low-quality SDKs. Nicholas Khami, engineering manager at Mintlify, a documentation platform, says OpenAPI specifications should be more explicit to be consumable for agents. This includes detailed endpoint descriptions, examples for fields, having an operationId, and other areas to make a more verbose specification. API teams can automate these sorts of rules using linting tools like Vacuum.
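The checks listed above can be expressed as a small linter. This is an added illustration in plain Python, not Vacuum's rule format and not code from the talk; the function name, the word-count threshold, and the sample specification are constructed for the example.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options", "trace"}
MIN_DESCRIPTION_WORDS = 5  # assumed threshold; tune per team


def lint_openapi(spec):
    """Return (location, problem) findings for an OpenAPI 3.x document given as a dict."""
    findings, seen_ids = [], {}
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # path-level keys such as 'parameters' are not operations
            where = f"{method.upper()} {path}"
            op_id = op.get("operationId")
            if not op_id:
                findings.append((where, "missing operationId"))
            elif op_id in seen_ids:
                findings.append((where, f"operationId duplicates {seen_ids[op_id]}"))
            else:
                seen_ids[op_id] = where
            if len((op.get("description") or "").split()) < MIN_DESCRIPTION_WORDS:
                findings.append((where, "description missing or too short"))
    for name, schema in spec.get("components", {}).get("schemas", {}).items():
        for prop, body in schema.get("properties", {}).items():
            # 'example' is the 3.0 keyword, 'examples' the 3.1 (JSON Schema) one.
            if not ({"example", "examples", "$ref"} & body.keys()):
                findings.append((f"schema {name}.{prop}", "no example value"))
    return findings


# Constructed sample specification with deliberate gaps.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/orders": {
            "get": {"operationId": "listOrders",
                    "description": "List orders for the authenticated account, newest first."},
            "post": {"description": "Create order"},
        },
        "/orders/{id}": {
            "parameters": [],
            "get": {"operationId": "listOrders",
                    "description": "Fetch a single order by its identifier."},
        },
    },
    "components": {"schemas": {"Order": {"properties": {
        "sku": {"type": "string", "example": "A-100"},
        "qty": {"type": "integer"},
    }}}},
}
```

Running `lint_openapi(SAMPLE_SPEC)` in CI and failing the build on any finding keeps underspecified operations from reaching agent consumers.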

Others agree that design-first matters. Agentic AI-led development for microservices and APIs is totally possible, says Renjith Ramachandran, senior solutions architect at BJ’s Wholesale Club, but engineers must share the proper context and patterns with agents in order for them to follow internal guidelines and meet industry security standards. For him, a good method is creating a repository structure in a Markdown file defining architecture and standards and sharing it with a coding agent before building.

API design also fundamentally requires an architectural scope. To get there, Bonnie Why, staff software developer at Burns and McDonnell, shares how moving from individual contributor thinking to individual architect can help. Part of this requires systems thinking to understand how things relate to and affect each other.

AI can also accelerate core development areas like API testing. And quality assurance teams don’t have to replace existing test automation frameworks and scripts, either, says Rejenish Kiran, manager of software quality assurance engineering at Citizens Property Insurance Corporation. His team built an AI augmentation layer on top of existing test automation to create more adaptive, intent-based testing practices to increase end API quality.

4. Legacy Modernization Is Still a Core API Story

Underneath all the AI hype, modernization is still well underway at a number of institutions. For instance, Brandon Hattle, software architect at CSX Technology, a railway company, shared their journey turning legacy services into modern APIs using Axway for API management. Beyond incorporating new tools, Hattle says that culturally they’re driving specification-first design as a requirement and encouraging a “One Team Principle” to ensure standard API best practices are adhered to and that APIs look the same across the company.

One industry still evolving at the protocol layer is the automotive industry. Here, legacy automotive protocols like Unified Diagnostic Services Protocol (UDS) have structural limitations, says Dippu Kumar Singh, leader of emerging technologies at Fujitsu, a Japanese international IT conglomerate. This reality is requiring newer protocols like REST design, OpenID Connect, and OAuth to create more modern designs.

For the actual modernization journey, there are many battle-tested patterns for migrating monolithic codebases into microservices. Sachin Telalwar, senior software engineer at doctor-booking website Zocdoc, highlights the strangler pattern, which slowly replaces monolithic architecture with individual components over time, using the saga pattern and fake components for testing purposes during the migration process.

Other industries are still prioritizing API-first development. Take telecom services, in which systems that are connected to subscriptions must change as contracts change. In this scenario, monolithic systems are too tightly coupled for debugging niche changes or fighting fraud, says Tarun Kalwani, principal engineer at Verizon. At Verizon, API-first components are supported by different synchronous and asynchronous API styles and a holistic approach to contract-first development, versioning, and the security model.

Lastly, Steve Melan, executive board member at CMCM, a health insurance agency based in Luxembourg, acknowledges that healthcare data is stuck in time. It’s 2026, and still, electronic health records (EHRs) are not portable or interoperable across countries. It’s a global problem that APIs could potentially solve. What we need is certified national API hubs that are shared internationally to streamline access to patient EHR records.

5. The Next Challenge Will Be Optimizing Agent Use

Agentic AI raises many new questions around cost, reliability, and runtime. And while tokenmaxxing may currently be the rage, experts expect the future will involve more diligence to optimize agentic AI use, as well as having some sense of when and when not to use AI agents.

High token usage can really drive up costs. To combat this, Derric Gilling, vice president and general manager of API platform business at WSO2, recommends looking at cost control metrics hidden within API traffic, such as model accuracy, usage by user, tokens used, or final outcome. Tracking this area can help inform semantic caching, context optimization, whether to use different models, and other strategies to optimize usage.

Time to Prepare the AI Execution Layer

These five meta takeaways are just some of the many themes discussed at apidays NYC 2026. But they give a clear glimpse at what’s top of mind for senior engineers and solution architects across the API industry.

As one can easily tell, agentic coding tools are turning software engineering on its head and, in the process, are unlocking a new way to leverage APIs. While APIs can behave as the execution or capability layer for AI, they will require smart repositioning, discovery, authorization, and a double-down on core API best practices to be used properly.

In other words, it’s time to prepare the AI execution layer.

AI Summary

This article summarizes five key takeaways from apidays New York 2026, where speakers explored how agentic AI is changing API infrastructure, security, governance, design, modernization, and cost optimization.

  • APIs are increasingly becoming an execution layer for AI agents, enabling autonomous systems to access data, trigger workflows, and take action across enterprise systems.
  • Agentic AI introduces new API security and governance challenges, including unusual traffic patterns, identity separation, access control, shadow technology, and unpredictable autonomous behavior.
  • Core API fundamentals still matter, including OpenAPI specification quality, linting, design-first practices, context engineering, systems thinking, and API testing.
  • Legacy modernization remains a central API priority across sectors such as transportation, automotive, telecom, and healthcare, where APIs can help replace monolithic systems and improve interoperability.
  • API teams must optimize AI agent usage by monitoring token costs, model accuracy, user behavior, outcomes, semantic caching, and context optimization.

Intended for API architects, platform engineers, security leaders, and technical decision-makers preparing APIs for AI agents and agentic systems.