Why AI Security And API Security Go Hand In Hand

Since the advent of the internet, software developers have used online assistants, like search engines, to improve their time to market. In the AI era, you can think of AI agents as a new type of user agent that goes beyond the capabilities of search engines to perform concrete tasks and provide further efficiency improvements.

From an enterprise viewpoint, AI has the potential to further improve time to market and benefit digital products in multiple ways. For example, you can build solutions that integrate customers with their data and offer them new experiences. You can also build new digital AI services that are found by external agents, to provide new revenue streams.

AI also introduces major risks related to incorrect or unauthorized data access. To realize AI’s benefits and mitigate its risks, organizations need an AI security strategy. Typically, you also need an AI people strategy so that stakeholders reach agreement on AI initiatives. In this article, I show how API security is the key to implementing these strategies.

Use Interoperable API Access

Customer-facing AI agents can be third-party programs, such as ChatGPT or Claude. Agents can also be normal applications, like an organization’s web portal. The user interacts with the host application and sends natural language commands, which eventually reach a large language model (LLM).

The LLM is the part of an AI agent that processes information. To interact with external data and services, agents also need tools that extend the capabilities of the model. To use tools, the LLM instructs the agent to make API requests using interoperable API protocols, like the Model Context Protocol (MCP) or the Agent2Agent protocol (A2A). Enterprises only need to implement backend MCP or A2A server entry points, after which they can connect any compliant agent.

An initial use case with business value for many organizations is to provide dynamic customer support features. In the following diagram, an insurance web portal acts as an A2A client that is a forwarder to a backend insurance agent. The backend agent acts partly as an API to provide A2A entry points. The customer can take closer control of their insurance policies or update to new policies.

The LLM can use raw data that the MCP server returns and process it in flexible ways. If the customer wants a different result, they ask a different question. Organizations need to implement fewer web portal features, which improves their time to market. Meanwhile, developers can follow a hybrid work approach to help build the solution and quickly implement features like document generation.

To enable the above type of AI initiative, you may need to review API hosting capabilities so that you can provide endpoints compatible with agent use cases. In some architectures, you may need to take foundational steps like refactoring legacy websites and introducing an API gateway. You typically also need to ensure that backend agents cannot call existing APIs and gain access to sensitive data in unexpected ways.

Use People-Focused Designs

The technical mechanics of AI integrations are not especially difficult. They just involve APIs and API clients, which developers have been building for years. The more challenging concern is risk management. Without care, organizations could release insecure solutions that result in data breaches, which can lead to major fines in some industries.

To prevent bad outcomes, consider the viewpoints of multiple stakeholders:

  • A product team might think up an AI business idea.
  • An AI team could go ahead and build a technical integration.
  • A compliance team may raise major concerns about data security and privacy risks.
  • The CEO may raise concerns about the potential for reputational damage.

To prevent blocking issues later, create a list of AI security requirements at the start of each AI initiative, and agree on the requirements with stakeholders. You might start with the following list:

  • Backend agents must only be able to access user data when the user is present.
  • The user must consent to their information being supplied to an LLM.
  • Backend agents must only be able to call a restricted set of API endpoints.
  • APIs must ensure that an agent task for user A cannot access user B’s data.
  • The user must approve high-privilege operations before agents can complete them.
  • Administrators must be able to quickly deny access to misbehaving AI agents.

Once you have such a list, you will notice that the real requirements are end-to-end strategies that involve humans, applications (including AI agents), and APIs. In particular, APIs must always be kept informed so that they can correctly authorize access to business resources.

Use Token Intelligence

To secure MCP server endpoints, you must use MCP Authorization, which is a profile of the OAuth 2.0 Authorization Framework. Then, use the same OAuth flows for A2A. The key behaviors are user authentication and consent, AI agent authentication, and, most importantly, correct API authorization that protects business data.

The most important OAuth mechanism is short-lived access tokens to enable API access. Use access tokens whose OAuth scopes set API boundaries to restrict agent access to low-privilege areas. The main power of access tokens is their ability to securely convey claims, providing APIs with attributes about the user, agent, or other runtime context. Given this context, API developers can easily adjust their authorization for AI use cases. If an LLM ever instructs the agent incorrectly and creates invalid requests, APIs can safely reject those requests.

You should be able to take full control over time-based access and attribute-based access. In OAuth 2.0, organizations use a centralized authorization server to issue access tokens. The authorization server issues access tokens that provide APIs with the required authorization context. Complex agent flows will require token exchanges with external domains.

The authorization server also enables users to consent to an agent’s requested level of access. APIs can initiate step-up authentication flows to force human approval, which can involve alerting a user who is no longer present. The agent then receives a higher-privilege access token to complete an operation, such as changing the user’s insurance policy. Short access token lifetimes also ensure that AI agent access decays to zero standing privilege.
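The following is an added example, not code from the original article, showing how an API might enforce the security requirements listed earlier (user presence, restricted scopes, user isolation, step-up approval, and quick denial of agents) from the claims of an access token. It assumes signature validation has already happened upstream; the operation policy, the `urn:example:acr:step-up` value, and the agent identifiers are constructed for illustration.

```python
import time

# Hypothetical per-operation policy: which OAuth scope is required and
# whether the operation needs a user-approved step-up before it runs.
OPERATIONS = {
    "read_policy":   {"scope": "policies:read",  "step_up": False},
    "update_policy": {"scope": "policies:write", "step_up": True},
}
STEP_UP_ACR = "urn:example:acr:step-up"   # constructed acr value for this example
ALLOWED_AGENTS = {"insurance-web-agent"}  # constructed agent client_id allowlist
DENIED_AGENTS = set()                     # administrators add misbehaving agents here


def authorize(claims, operation, resource_owner, now=None):
    """Return (allowed, reason) for an agent request against one user's data.

    `claims` are the already-verified claims of the agent's access token.
    """
    now = time.time() if now is None else now
    policy = OPERATIONS.get(operation)
    if policy is None:
        return False, "unknown operation"
    # Short-lived tokens: anything past its expiry is rejected outright.
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    # Agent authentication: the calling agent must be known and not denied.
    agent = claims.get("client_id")
    if agent not in ALLOWED_AGENTS or agent in DENIED_AGENTS:
        return False, "agent not permitted"
    # User presence: a token with no user subject cannot reach user data.
    user = claims.get("sub")
    if not user:
        return False, "no user present"
    # Isolation: a task running for user A never touches user B's data.
    if user != resource_owner:
        return False, "subject does not own resource"
    # Scope boundaries: the token must carry the scope for this operation.
    if policy["scope"] not in claims.get("scope", "").split():
        return False, "missing scope"
    # High-privilege operations need a step-up the user approved.
    if policy["step_up"] and claims.get("acr") != STEP_UP_ACR:
        return False, "step-up authentication required"
    return True, "ok"
```

Each denial reason maps back to one of the requirements above, which makes the checks easy to discuss with non-developer stakeholders.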

Many organizations use OAuth only for user logins and are unable to properly control access token behaviors. In the AI era, these basic OAuth solutions provide insufficient security context to APIs. As a consequence, organizations may be unable to meet their AI security requirements, which has the potential to derail their AI initiatives.

Review API Foundations

AI initiatives do not require new security techniques. Instead, they amplify the need to follow existing, mature zero-trust API security best practices. Once you have the right security foundations, you are well-placed to design AI solutions that operate on customer data.

The current reality is that many enterprises pay insufficient attention to data security. Too often, political decisions rank delivery above security. In the AI era, automation will continue to grow. Enterprises will need to better organize their resources. They will also need to secure access to those resources at scale, stay up to date with threat mitigations, federate with other organizations, and ensure that humans remain in control of agent behaviors.

APIs and token intelligence are the data security building blocks for the AI era. Correctly designed access tokens are centered on business attributes. All stakeholders should understand the main attributes, which can help to enable stakeholder agreement. Token intelligence integrates multiple flows from the OAuth family of specifications. Done right, the integration provides interoperable security, vetted by many experts, to safely enable many AI use cases.

AI Summary

This article explains why API security is foundational to securing AI agents and how organizations can safely enable AI-driven interactions using existing API security practices.

  • AI agents act as new user agents that interact with APIs via protocols like MCP and A2A, requiring secure, interoperable API access.
  • Organizations must align stakeholders early by defining AI security requirements that govern data access, consent, and agent behavior.
  • OAuth 2.0 and token-based authorization enable secure, context-aware API access, allowing systems to enforce least privilege and validate agent actions.
  • Short-lived access tokens, step-up authentication, and token exchange patterns help maintain control over sensitive operations and cross-domain interactions.
  • Strong API security foundations, including zero-trust principles and attribute-based access control, are essential to safely scale AI initiatives.

Intended for API architects, security engineers, and technical leaders designing secure AI agent integrations and API-driven systems.