api-governance
How to Build an API Governance Framework That Works
Summarize with
How most teams approach governance? Create a style guide, add spec validation to the CI/CD pipeline, document the naming convention, and consider it done.
A year later, to everyone's shock, the team discovers that production APIs are unversioned, internal microservice traffic runs over HTTP, and a third of the endpoints in the catalog haven't received traffic in months.
Something failed, but it wasn't the style guide. It was the framework.
An API governance framework is the structured combination of standards, enforcement mechanisms, runtime observability, and lifecycle controls that ensures APIs meet defined quality, security, and consistency requirements throughout their operational life, not just at the point of initial design.
The word "throughout" is doing real work in that definition.
Governance that only operates at design time produces policies without a feedback loop. It hopes for the best and as we already mentioned, hope isn't a strategy.
You can write the best style guide in the industry and still end up with 46% of production APIs running without a versioning strategy. Why?
Because nothing in the design-time framework detects or corrects the drift that occurs afterward. That's exactly what Treblle's analysis of 1 billion API requests found in 2025.
Standard layers ≠ whole framework.
Sure, you need to have design standards such as: naming conventions, versioning format, authentication requirements, and error response structure. They're the necessary foundation.
But there's no enforcement or visibility there. Your developer can agree with every single rule in the style guide and yet ship an API that violates half of them. When deadlines get close, the non-enforced things are the first on the chopping block.
There's no automated gate checking compliance before deployment and no runtime monitoring catching what slips through. So following through on standards becomes a nice-to-have and most developers don't have time for the nice-to-haves.
An API governance framework that operates only at design time lacks a mechanism to detect what diverges in production. The result is an invisible governance program.
The problems aren't standards. They are there even in organizations whose API traffic runs over unencrypted HTTP (42%). The enforcement and observability layers need to be there to catch when things don't follow the standards.
One more stalling pattern is scope. Governance programs always start with new APIs, but almost always ignore the existing, large, and old API surface. The gap is ignorable until a problem happens and then organizations realize that they have 17% zombie endpoints.
A governance framework that works in production needs four distinct layers, one for each phase where compliance problems originate and are caught.
| Layer | What it addresses | Where it operates |
|---|---|---|
| Standards | Design rules, security baseline, naming, versioning policy | Before code is written |
| Enforcement | CI/CD gates, spec validation, gateway policy | At deployment time |
| Observability | Runtime monitoring, governance scoring, schema drift detection | In production, continuously |
| Lifecycle | Versioning management, deprecation process, and decommissioning | Throughout and at the end-of-life |
Most governance frameworks implement the standards layer.
Some extend to enforcement.
Few reach the observability and lifecycle layers.
That's why the production failures persist even in organizations with mature design practices.
Rules need to be written with enforcement in mind. "APIs should use versioning" is not a governance standard. "All APIs must include a version identifier in the URL path, enforced by a CI/CD spec validation checks" is.
The enforcement layer translates standards into automated gates. Spec linting in CI/CD, OpenAPI validation, gateway-level policy for authentication and rate limiting, and required security checks before deployment. Enforcement gates mean that non-compliant APIs can't be deployed without an explicit exception, which makes compliance visible and exceptions deliberate.
The observability layer is where most frameworks stop short. Runtime monitoring means continuously checking that:
Treblle's governance scoring computes A-F grades across Security, Design, Performance, and AI Readiness from live request data, giving teams a continuous, per-endpoint view of production compliance rather than a snapshot from the last audit.
The lifecycle layer deals with APIs over time. That means versioning and decommissioning.
With version management, it's about following through on the defined policy without silent breaking changes and communicating changes to consumers. Decommissioning means actually removing zombie endpoints rather than letting them accumulate. The 17% zombie endpoint rate in the 2025 dataset is entirely a lifecycle governance failure.
API Governance Checklist
A strategic guide for software architects, platform engineers, and API leadership looking to solve or upgrade their API Governance Programme.
Download Ebook
People don't rise to the occasion, they fall to the level of their preparation.
That's why the most reliable governance is built into the defaults. Compliance needs to be the path of least resistance rather than an additional step that requires conscious effort.
Framework selection is a governance decision, and the data makes this concrete.
NestJS-based APIs score 83 on Treblle's governance scale; raw NodeJS APIs score 54. The difference isn't that NestJS teams care more about governance - it's that NestJS enforces authentication patterns, module structure, and security defaults at the framework level, so developers get compliance for free without having to make individual decisions about each endpoint. Choosing an opinionated framework is a governance investment that pays returns on every API the team ships.
The same principle applies at the policy level. Keep the enforceable rule set small.
A governance framework with five specific, tool-enforced rules will produce better compliance than one with fifty documented guidelines that teams are expected to apply manually. Rules that rely on developer memory or goodwill work in a small team with shared context. They don't survive team turnover, time pressure, or scale.
Policies also need a legible rationale. Developers who understand why a rule exists will apply it correctly in edge cases and flag conflicts with it when something doesn't fit. Developers who see governance as arbitrary compliance overhead work around it. "All APIs must use versioning because 46% of production traffic is currently unversioned and breaking changes silently take down integrations" is a rule with a reason. "APIs must follow the versioning standard" is a rule without one.
A governance framework that applies only when an API is being built misses most of the lifecycle in which governance decisions actually matter. The sequence that Treblle's 2025 data supports is:
That sequence matters because each stage depends on the previous one. You can't remediate security gaps you haven't discovered, and you can't standardize governance across APIs you haven't inventoried.
At the design stage, governance means spec validation, security review, and style guide compliance checks. At build and deployment, it means CI/CD enforcement gates. At the operational stage, continuous runtime monitoring and governance scoring detect drift as it emerges rather than in the next audit cycle.
The lifecycle stage most frameworks miss entirely is retirement. Zombie endpoints accumulate because there's no process for decommissioning: no formal deprecation timeline, no consumer notification, no automated detection of endpoints that have stopped receiving legitimate traffic. Building a decommissioning process into the governance framework directly addresses the 17% zombie endpoint rate.
A governance framework without named ownership is a set of recommendations. The mechanism that turns standards into enforced reality is accountability: specific teams and individuals who are responsible for specific parts of the framework and are measured against compliance.
The minimum viable ownership model assigns three roles.
The platform or API team owns the framework itself: the standards, tooling, enforcement gates, and governance scoring baseline. They define what "passing" means and maintain the benchmark over time.
The API owners are the engineering teams responsible for specific APIs. They're accountable for their API's compliance. They receive governance scores per endpoint, manage exceptions, and own the remediation plan when their score declines.
A security function owns the security baseline such as the minimum authentication requirements, encryption mandates, and vulnerability standards. They ensure those standards are incorporated into the governance framework rather than maintained separately.
The hardest ownership problem in practice isn't new APIs, but the existing surface.
APIs that predate the governance program often have unclear ownership, their original team may have changed, and the product they served may have been deprecated. Assigning ownership to legacy APIs requires an explicit audit with a named outcome: either the API is assigned an owner and a remediation plan, or it is decommissioned.
At larger organizations, an API Center of Excellence formalizes the governance ownership model. It's a cross-functional group consisting of platform engineers, security, product management, and sometimes legal, that sets policy, adjudicates exceptions, reviews the governance scorecard on a regular cadence, and ensures that design-time standards are informed by what the observability layer shows in production.
The measure of a governance framework isn't whether the policies are documented, but whether production APIs are actually meeting them.
Effective measurement requires three things: coverage (all APIs in scope, not just the recently deployed ones), granularity (per-endpoint scores, not just an aggregate pass/fail), and trend data (scores over time, not just a point-in-time snapshot).
Treblle's governance scoring provides all three.
Each API receives a continuous 0-100 score across Security, Design, Performance, and AI Readiness, computed from live traffic rather than static analysis. The industry baseline for 2025 was 58/100, a useful benchmark for comparing your API surface to the broader ecosystem. SDK-level scores (NestJS at 83, NodeJS at 54) give teams a reference point for what's achievable with opinionated framework defaults.
Two warning signs indicate a framework isn't working as intended. The first is a declining governance score despite active policy investment. The observability layer is catching drift that the enforcement layer isn't preventing, and the gates need tightening. The second is large score variance within the same organization, where some teams are at 80, while others are at 40. This indicates inconsistent ownership and APIs outside the framework's reach.
A governance framework that's working produces a slow, consistent improvement in the aggregate score over time, a narrowing variance between teams, and a declining zombie endpoint rate.
API Governance Checklist
A strategic guide for software architects, platform engineers, and API leadership looking to solve or upgrade their API Governance Programme.
Download EbookWhat is an API governance framework?
What should an API governance framework include?
What are API governance best practices?
What is an API governance model?
How do you connect API governance to the API lifecycle?
All Systems Operational
Gartner: Magic Quadrant, 2025
Gartner AI API Strategy, 2025
Everest Group: Enterprise App Integration Platforms, 2026
