
Stefan Mesquita and Timothy Goodwill (Deutsche Bank): From APIs to AI: How to Build an AI-Ready API Ecosystem

AI The Docs 2025 Recap

This talk was presented at the AI The Docs 2025 online conference. We are thrilled to share the recording and the summary with you. 

Visit the talk summary page to see all of the presentations from the conference.


 

Stefan Mesquita (Co-Lead API Banking at Deutsche Bank) and Timothy Goodwill (VP & Domain Architect, API Platforms at Deutsche Bank)

 

Summary

How can banks prepare their APIs for agentic AI? 

In their presentation, Stefan Mesquita (Co-Lead API Banking at Deutsche Bank) and Timothy Goodwill (Enterprise and Domain Architect for API Banking at Deutsche Bank) explore how financial institutions can adapt their API ecosystems to the emerging world of agentic AI. 

AI is already delivering value in real-time fraud detection, automated cash flow forecasting, customer chatbots that move beyond Q&A into transactions, overnight portfolio rebalancing, and Deutsche Bank’s own “Next Best Offer” system, which recommends financial products based on portfolio analysis. 

The next frontier is agentic AI, supported by new protocols. The Model Context Protocol (MCP) allows AI to import data from APIs, databases, or file systems, while the Agent-to-Agent (A2A) protocol enables AI systems to communicate directly. These developments are powerful but immature. MCP, in particular, raises risks: unpredictable behavior, new security vulnerabilities such as tool poisoning, limited governance (its JSON-RPC schema is too permissive), and unresolved questions about scalability. As with REST APIs, it may take years to reach maturity.

The presenters argued that organizations don’t need to start from scratch: they already have strong REST API governance. Existing practices around security (e.g., the OWASP Top 10 risks), integration with identity providers, granular access controls, versioning, and threat monitoring can be applied to MCP. For now, their advice is to “back-end your MCP services with REST governance.”

To prepare APIs for AI, they outlined several principles. APIs should be designed for composability, with stable interfaces aligned to business domains rather than specific use cases. Developer experience should take precedence over client-specific assumptions, leaving room for diverse AI applications. Documentation must be crystal clear, not only for humans but also for AI, and must define schemas, data semantics, and granular security. Stronger data governance is critical, encompassing classification, semantics, lineage, GDPR compliance, and fine-grained access controls, supported by OAuth 2.1. Domain-driven design practices, such as stakeholder workshops and event storming, help capture business knowledge and generate accurate specifications directly from validated models.

Finally, Stefan and Timothy emphasized the role of API platforms as enablers of AI strategies. Platforms provide centralized security, decouple backend changes from consumers, enforce standards, handle rate limiting and load balancing, and maintain a central catalog of APIs. Just as importantly, they deliver visibility and analytics to track how AI agents interact with APIs. 

Key takeaway: MCP and agentic AI face the same governance, security, and documentation challenges APIs have long grappled with. By extending proven API platform practices, organizations can make their APIs (and their businesses) AI-ready.
