Weekly API Evangelist Governance (Guidance) For May 11th, 2026
Welcome to week two of steering the API Evangelist newsletter back towards being the more respectable newsletter it used to be back in the day. To do this I am tapping into the signals coming out of all of the companies, organizations, institutions, and government agencies I am profiling as part of API Evangelist.
This week's newsletter is assembled from 1,811 posts that were published in the last seven days. When I narrow that to API-focused signals, it landed at 1,296 stories worth a closer look. But this week I want to widen the lens, because the most interesting stories are the ones that are not labeled "API" at all. They are about the layer above the API, the layer beside the API, and the layer that is going to determine whether the API economy gets the next decade right.

Agent Identity Is Quietly Becoming the Next Layer
While everyone is busy publishing MCP servers, a story is forming around which agent is acting as whom, with what credentials, and on whose behalf. 1Password published Credential management for AI agents. Auth0 wrote AI Agents Have Two Souls. You Only Control One, which makes me snicker a bit whenever I read about people putting "soul" and AI together. Merge published A guide to authenticating AI agents. VentureBeat covered the Cisco / CrowdStrike RSAC story in An AI agent rewrote a Fortune 50 security policy. Here's how to govern AI agents before one does the same. Nylas shipped Give your AI agent an inbox: Nylas now has an official OpenClaw plugin, where the agent gets its own communication identity, separate from the human user it represents. Something I am seeing other providers do as well.
The MCP conversation continues to dominate, but credentials and identity for agents are the layer underneath that determines whether any of it is safe at production scale. An agent acting as the user it represents inherits all of that user's permissions, including the ones nobody intended the agent to have. An agent with its own scoped identity is a different conversation entirely. This will keep being the dominant security topic at every conference, and I think the vendors who are publishing on it now — 1Password, Auth0, Merge — are positioning themselves wisely. The credential rotation work I included last week from Truto fits the same shape. Skinny credentials, scoped to the task, rotated automatically, attestable in the audit log. That is the only credential model that survives an agent population that doubles every quarter.

Agents Are Doing the Work, but Do the Org Charts Reflect It?
Cloudflare's earnings story made the rounds this week stating that Cloudflare beat earnings, cut 1,100 jobs because AI agents do the work now, but lost a quarter of its stock price in a day. These types of labor vs. market stories are going to work against the AI realm in the long run. PostHog wrote 4,063 errors closed without a human opening PostHog — here's what we learned, which provides a remarkably specific, audit-friendly number. VentureBeat ran 5,000 vibe-coded apps just proved shadow AI is the new S3 bucket crisis, which I think is an apt comparison. The next compliance failure pattern is going to look like the open S3 bucket era of cloud security, except the "buckets" this time are agent-spawned applications nobody knew existed or cares for anymore. Microsoft published Copilot Cowork: From conversation to action across skills, integrations, and devices, which is Microsoft openly framing Copilot as a co-worker — not an assistant. That linguistic shift is a leading indicator of a real shift in how this hustle is evolving.
I always read the "productivity" stories differently than the headlines suggest. The agents are doing some of the work, often the long-tail repetitive work, and that is moving the org chart in real ways (based upon what HR desires). But the agents are also generating new categories of work — auditing what agents shipped, governing which credentials they hold, evaluating which actions to roll back — that are still being done by humans, and will be for quite some time. The teams that are net-shrinking are the teams whose work was already a leading candidate for automation. The teams that are net-growing are the ones supervising it.

The Impact AI Governance is Having on Operations
Dataiku put out three relevant posts this week — AI ethics and governance: operationalizing responsible AI at enterprise scale, AI governance for risk, audit, and regulatory readiness, and Enterprise vibe coding has an AI governance problem. Snowflake published AI Transformation and Governance Inside Snowflake's Ecosystem. Microsoft announced the public preview of the Microsoft 365 Copilot Agent Evaluations tool — that one is meaningful, because evaluation infrastructure is one of the things vendors have to ship before the governance conversation can move past slide decks. Cequence wrote Encoded Prompt Injection: Why LLM Guardrails Are at the Wrong Layer, which is the unglamorous threat-modeling work the governance story actually depends on. Truto added How to Manage Third-Party API Risk for DORA Compliance in EU Finance (2026), grounding the governance conversation in real regulatory frameworks rather than just abstract principles.
I wrote Wrestling With API Complexity and A Roundup of US Federal Agencies and Their APIs this week, both pieces about the surface area we are not paying enough attention to. The API surface is not getting simpler, the agent surface is multiplying it, and the regulatory surface (DORA in the EU, FedRAMP and FISMA in the US, sector-specific frameworks everywhere) is starting to demand things we cannot yet deliver.

MCP Keeps Cresting, and the CI/CD Layer Has Arrived
I am going to keep this short because I covered it heavily last week, but it warrants a callout. MCP is a third of the top thirty stories this week. Truto announced Truto Docs MCP and shipped How to Test and Mock MCP Servers in CI/CD Without Hitting Live APIs. Tyk published Imagine, build, share — how integration testing led me to create the Tyk mock MCP server. Twilio bundled the Twilio MCP Server and Skills into a single launch covering 1,800+ APIs. Merge wrote MCP gateway: how it works, benefits, and solutions. The pattern that matters this week: the test infrastructure for MCP has arrived. CI/CD harnesses for MCP servers, mock MCP runtimes, gateway patterns. You can see teams trying to tame the beast.
The work I am doing at Naftiko is still about closing the gap between "we wrapped our API in MCP" and "we shipped an agent-consumable capability surface." I published Naftiko Capabilities Have Three Parents: AI, APIs, and Domain-Driven Design this week to lay out where the capability shape comes from, because the temptation to just bolt an x-mcp extension onto OpenAPI and call it a day is the path that gives us the next ten years of fragmented agent tooling.

The Boring but Important Drum Beat in the Background
Anthropic doubled Claude Code's 5-hour rate limits and recruited SpaceX's 220,000-GPU Colossus 1 to address the rate-limit complaints. The supply side of agent tooling is becoming a material constraint (or is it?), and the headlines about GPU utilization (VentureBeat ran 5% GPU utilization: The $401 billion AI infrastructure problem enterprises can't keep ignoring this week) tell you why every vendor is chasing compute. Datadog achieved FedRAMP High certification, opening up federal contracts the company would otherwise be shut out of, which in my experience puts you into an entirely new category. GitLab published Claude Code and GitLab: Three workflows that ship and SignOz wrote Claude Agent SDK Monitoring & Observability with OpenTelemetry — Claude Code is becoming a first-class member of the development toolchain in a way that cuts across the categories I usually track. The CNCF posted Benchmarking AI agent retrieval strategies on Kubernetes bug fixes, which is exactly the kind of empirical work the CNCF is well-positioned to produce, and we need more of it to dampen the hype.
GitHub published How researchers are using GitHub Innovation Graph data to reveal the "digital complexity" of nations — a quiet reminder that GitHub's macro-data tells stories most people are not reading. And on the M&A side, Mirantis wrote On the acquisition, our community commitments, and what we believe about open infrastructure, the kind of post you read carefully because the unspoken parts matter as much as the spoken ones.

What I Am Thinking About Going Into Next Week
The MCP wave is well-covered now. The story I am going to be watching more closely is the agent-identity layer underneath it — credentials, scoped tokens, attestation, audit trails. That is the layer where the next set of vendor moves are going to happen, and it is also the layer where the next compliance failures will originate. The Cloudflare layoffs and the PostHog 4,063 number provide data points on what an agent-doing-the-work workforce looks like, and we are going to see more numbers like those over the next two quarters. The vendors that are publishing useful stuff on agent identity (1Password, Auth0, Merge) and agent governance (Dataiku, Snowflake, Microsoft) are the ones I am watching. This is why I am looking at the source, rather than mainstream tech blogs, and the hype machine.
The question I am asking out of this week's news is — whose credentials does that agent hold, and on whose behalf is it acting? If the answer is "the credentials of whichever human happens to be logged in," we are running on the agent equivalent of a shared root password. If the answer is "a scoped, rotated, attestable identity dedicated to this agent for this task," we are in a much better place. The work to get from the first answer to the second is where the next year of API governance is going to live. As I talked about in previous stories, we just don't have the APIs in place to automate all of this at scale across many different providers.
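The credential model sketched here, and in the agent identity section earlier (credentials scoped to the task, short-lived, rotated, and attestable in an audit log), is concrete enough to show in code. The following is an added illustrative example and is not code from the newsletter, from 1Password, Auth0, Merge or Truto, or from any vendor named above. Everything in it is an assumption: the `AgentCredentialIssuer` class, the HMAC-signed token format, the `mail:*` scope names, the fake clock and the sample principal are all constructed for the demonstration. What it shows is the difference between the two answers in the paragraph above: the agent never holds the human's credentials, only a grant naming the agent, the person it acts for, the task, and the scopes, and every issue, use, denial and rotation lands in the audit log.

```python
"""Scoped, short-lived, attestable agent credentials (illustrative example).

Assumptions (not from the newsletter): an issuer signs each credential with an
HMAC key; a token names the agent, the human principal it acts for, the task
and the scopes granted; every issue, use, denial and revocation is audited.
"""
import base64
import hashlib
import hmac
import json
import time


class AgentCredentialIssuer:
    def __init__(self, signing_key: bytes, clock=time.time):
        self._key = signing_key
        self._clock = clock            # injectable so a demo can fast-forward time
        self._revoked: set[str] = set()
        self.audit_log: list[dict] = []

    def _sign(self, payload: bytes) -> str:
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def issue(self, agent_id, on_behalf_of, task, scopes, ttl_seconds=300) -> str:
        """Mint a credential dedicated to one agent, one principal, one task, a fixed scope set."""
        now = int(self._clock())
        claims = {
            "agent": agent_id, "sub": on_behalf_of, "task": task,
            "scopes": sorted(scopes), "iat": now, "exp": now + ttl_seconds,
            "jti": hashlib.sha256(
                f"{agent_id}:{task}:{now}:{len(self.audit_log)}".encode()).hexdigest()[:16],
        }
        payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        token = f"{payload}.{self._sign(payload.encode())}"
        self._audit("issue", claims, allowed=True)
        return token

    def authorize(self, token: str, required_scope: str) -> bool:
        """Gate one API call: verify signature, revocation, expiry and scope; log the decision."""
        try:
            payload, sig = token.split(".", 1)
        except ValueError:
            self._audit("use", {"error": "malformed"}, allowed=False)
            return False
        if not hmac.compare_digest(sig, self._sign(payload.encode())):
            self._audit("use", {"error": "bad-signature"}, allowed=False)
            return False
        claims = json.loads(base64.urlsafe_b64decode(payload))
        reason = None
        if claims["jti"] in self._revoked:
            reason = "revoked"
        elif self._clock() >= claims["exp"]:
            reason = "expired"
        elif required_scope not in claims["scopes"]:
            reason = f"scope {required_scope} not granted"
        self._audit("use", {**claims, "requested": required_scope, "error": reason},
                    allowed=reason is None)
        return reason is None

    def rotate(self, token: str, ttl_seconds=300) -> str:
        """Replace a credential with a fresh one carrying the same grant; the old one is revoked."""
        payload, _ = token.split(".", 1)
        old = json.loads(base64.urlsafe_b64decode(payload))
        self._revoked.add(old["jti"])
        self._audit("revoke", old, allowed=True)
        return self.issue(old["agent"], old["sub"], old["task"], old["scopes"], ttl_seconds)

    def _audit(self, event, claims, allowed):
        # Every entry names the agent, the principal and the task, so the log is attestable.
        self.audit_log.append({"t": int(self._clock()), "event": event, "allowed": allowed, **claims})


def demo() -> dict:
    """Walk a constructed agent credential through issue, use, over-reach, rotation and expiry."""
    t = [1_700_000_000.0]                              # constructed fake clock
    issuer = AgentCredentialIssuer(b"constructed-demo-key", clock=lambda: t[0])
    tok = issuer.issue("mail-triage-agent", "alice@example.com",
                       "task-42", {"mail:read", "mail:label"}, ttl_seconds=300)
    tampered = tok[:-1] + ("0" if tok[-1] != "0" else "1")   # flip one signature character
    results = {
        "read_allowed": issuer.authorize(tok, "mail:read"),
        "send_denied": not issuer.authorize(tok, "mail:send"),   # scope was never granted
        "tampered_denied": not issuer.authorize(tampered, "mail:read"),
    }
    new_tok = issuer.rotate(tok)
    results["old_denied_after_rotate"] = not issuer.authorize(tok, "mail:read")
    results["new_allowed"] = issuer.authorize(new_tok, "mail:read")
    t[0] += 301                                        # fast-forward past the TTL
    results["expired_denied"] = not issuer.authorize(new_tok, "mail:read")
    results["last_denial_reason"] = issuer.audit_log[-1]["error"]
    results["audit_entries"] = len(issuer.audit_log)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the design is that the human's own credentials never leave the issuer: the agent gets a grant that says who it is, who it acts for, what task it is on, and which scopes it has, and that grant expires on its own and can be rotated without touching the human's session. The `send_denied` case is the "permissions nobody intended the agent to have" problem from the identity section: a scope the task never needed is simply not in the token, so the API boundary refuses it and the refusal is in the log.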
If you are still hungry for more news, head over to APIs.io, as I am automating the publishing of news from across API Evangelist, but getting more specific on topics like MCP, Agent Skills, CLI, and good old API news from across the APIs I am profiling.
"The first principle is that you must not fool yourself — and you are the easiest person to fool." — Richard Feynman