Pop Goes the Stack

Your APIs were designed for humans and orderly machines: clean request, tidy response, stateless, rate-limited. Then along came agentic AI—recursive, stateful, jittery little things that retry forever, chain calls together, and dream up new query paths at 3 a.m.

The result? Your APIs start looking less like infrastructure and more like trauma patients. Rate limits collapse. Monitoring floods. Security controls meant for human logins don't make sense when the caller is a bot acting on its own intent.

The punchline: enterprises aren't serving users anymore, they're serving swarms of other AIs. If you don't rethink throttling, observability, and runtime policy, your endpoints are going to get steamrolled.

Join host Lori MacVittie and F5 guest Connor Hicks to explore how enterprises can adapt and thrive—hit play now to future-proof your APIs!

Read AI Agentic workflows and Enterprise APIs: Adapting API architectures for the age of AI agents: https://arxiv.org/abs/2502.17443

Creators and Guests

Host
Lori MacVittie
Distinguished Engineer and Chief Evangelist at F5, Lori has more than 25 years of industry experience spanning application development, IT architecture, and network and systems operation. She co-authored the CADD profile for ANSI NCITS 320-1998 and is a prolific author with books spanning security, cloud, and enterprise architecture.
Guest
Connor Hicks
Connor has been working in cloud security for over a decade, starting with building enterprise security products at 1Password. He then founded a company called Suborbital focused on securing untrusted code in the cloud with WebAssembly which was acquired by F5 in 2023, where he now works on AI security as an Architect.
Producer
Tabitha R.R. Powell
Technical Thought Leadership Evangelist producing content that makes complex ideas clear and engaging.

What is Pop Goes the Stack?

Explore the evolving world of application delivery and security. Each episode will dive into technologies shaping the future of operations, analyze emerging trends, and discuss the impacts of innovations on the tech stack.

00:00:05:03 - 00:00:31:19
Lori MacVittie
Hi everyone. Welcome to Pop Goes the Stack, the emerging tech podcast that pulls no punches and reads all the patch notes. I'm Lori MacVittie, and no buzzwords were harmed in the making of this episode, yet. Yet. So, today we wanted to talk about agents and APIs. And we're doing this because there was a paper, and I'm going to have to read the title because it's very long.

00:00:31:19 - 00:01:06:24
Lori MacVittie
You know how those academic papers get right? AI Agentic workflows and Enterprise APIs: Adapting API architectures for the age of AI agents. It's actually very descriptive, and it describes exactly what the title, you know, says it describes, which is hey, APIs, agents, stop we have a problem. So what the paper posits is that agents, AI agents in specifically are a new class of caller of APIs.

00:01:06:24 - 00:01:39:00
Lori MacVittie
They're not humans. They're not software. They're something in between, a strange mix. And that existing enterprise APIs were written for specific, known, understood, users and traffic and therefore ergo and thusly APIs have to change. Because problems. And then they enumerate all of the problems. So to expand on the problems, at least a few of them, and dig a little deeper.

00:01:39:02 - 00:01:42:21
Lori MacVittie
Connor Hicks, welcome. I'm really excited you're here.

00:01:42:23 - 00:01:56:09
Connor Hicks
Hello. Thanks for having me. I'm looking forward to it. This is a topic that comes up in my daily work all the time, so it's something I've had to contend with all, all sorts of different ways.

00:01:56:12 - 00:02:17:20
Lori MacVittie
He dreams in APIs, people. He does,

Connor Hicks
That's right.

Lori MacVittie
He dreams in APIs. And I know we're missing Joel. He's off on a fine-tuning run, getting a lot of information so that, you know, he can come back and astound us with his new knowledge. So he'll be back soon. So, you'll just have to suffer through me.

00:02:17:20 - 00:02:43:17
Lori MacVittie
So, I'll kick it off, right. AI agents are a different class of caller. And if we were to be honest with APIs, mobile changed it, web changed it, integration changed it. These are all slightly different variations on the same thing. But the core premise in all of those APIs has always been, it's very predictable.

00:02:43:17 - 00:03:01:06
Lori MacVittie
We know what the traffic looks like. We know what the traffic coming out is supposed to look like. So it's very predictable. And when we move to AI, and agents specifically, that goes out the window, right? So yes, they are a new class. What do you think about that?

00:03:01:08 - 00:03:43:15
Connor Hicks
I, absolutely. I've found, at least 5 or 10 different real world scenarios just working with our customers where they have showed me a graph, said this is what our data access patterns looked like a year ago and here's what they look like today. And the graphs are completely different. You know what I mean? It's the kind of thing where if you allow something that resembles an intelligent something to go run, you know, run amok in your cloud system or run amok in your data system, you get not just different, but also like completely unexpected patterns that emerge and sometimes not even patterns at all.

00:03:43:15 - 00:04:04:09
Connor Hicks
Sometimes there's an aspect of randomness to it that you just have to accept because these things are not fixed. They are not predictable. They are, you know, they are changeable, they are not deterministic, and our APIs are not designed for that world.

00:04:04:12 - 00:04:27:24
Lori MacVittie
They're not. Well, that's the premise of the paper. And I, I would agree. I mean, there's all sorts of different concerns about it, right: stateless versus stateful, the authentication methods. A lot of the security around APIs today and how we deal with that is not sufficient for AI, is it?

00:04:27:26 - 00:05:02:08
Connor Hicks
Yeah. That's right. So there's always going to be an authentication and authorization problem in the work that we do. But agents just amplify it by at least twofold, if not tenfold, because some agents are acting completely autonomously. Other agents have been triggered on behalf of a human. Others are part of a third party system that we don't even control, that are just pecking at us trying to access our data and our context and perform actions that we may or may not have intended them to perform.

00:05:02:08 - 00:05:26:09
Connor Hicks
So, you know, the traditional security controls, the traditional observability, and the traditional kind of best practices around least privilege and all of these things need to be reconsidered when you have these things that aren't quite a person, but also not quite a predictable, you know, Python script that does the same thing every time you execute it.

00:05:26:12 - 00:05:55:02
Lori MacVittie
So I like, yeah, Python scripts are very, they're constrained. Right, same thing with most software. They're very constrained by the code. There are a fixed set of actions that they can take and we know which ones they are. And those are further constrained by authentication and authorization and access rights. And one of the things we miss is, yes, an agent might be stopped from accessing a system because it says, hey, you're not authorized.

00:05:55:05 - 00:06:20:05
Lori MacVittie
But this starts to feel a little bit like, you know, TCP retransmit storms. Like, oh, I couldn't get through there; let me try something else. Let me try something else. So then you get a storm of traffic and it just can overwhelm the network. So, that's also a problem for enterprises in the way that we authenticate and authorize access to APIs.

00:06:20:07 - 00:06:50:04
Connor Hicks
Yeah and then there's, you know, the actual access patterns themselves, right? The way that an agent goes about completing a task is itself non-deterministic. You could ask it to perform the same task three times in three different days, and it might actually go about doing it completely differently. So the order in which it gathers the context it needs, accesses the list of tools that it has available, and then actually goes and executes its plan;

00:06:50:06 - 00:07:14:16
Connor Hicks
it is non-deterministic. And so you have to be able to contend with: Can my APIs handle the load? Can the access layers actually cooperate amongst each other to make sure that this thing is only accessing and performing actions that it is allowed to do? And if something goes wrong, which it will, can I reliably determine what went wrong and where?

00:07:14:16 - 00:07:21:06
Connor Hicks
And can I then actually effectively correct it? Because that's actually not even a given?

00:07:21:09 - 00:07:45:26
Lori MacVittie
That's yes, very, very true. Is the, is the answer then rewrite your APIs? Change them. Just do it differently. What does, what does that mean? We're, we have APIs. We know, right, REST for the most part. We understand that there's, they're not, it's not necessarily a standard. But everybody follows the same kind of best practices around CRUD, which is a whole 'nother discussion,

00:07:45:26 - 00:08:04:22
Lori MacVittie
right? APIs today are written for CRUD, right? Create, read, update, delete. And agents actually need things like, you know, run, query, execute. Right? They need a host of different types of actions that HTTP and APIs just don't support. So there's, that's a different issue there.

00:08:04:24 - 00:08:22:06
Connor Hicks
Absolutely. Yeah. You, if it was me, you would even have, you would add an E on the end of that: CRUD-E. You know you sometimes want to be able to, they want to be able to write a Python script and then execute that Python script, because that's sometimes how agents solve a problem, right? And so there's all these kinds of new paradigms.

00:08:22:06 - 00:08:41:04
Connor Hicks
So do you need to rewrite or rebuild or redesign your APIs? I think that it is inevitable. But also the reality of the world is that not everybody is capable of doing that all at once. And so is there a middle ground? Or does it have to be all or nothing into this new agentic world? That's not an answer that I have,

00:08:41:10 - 00:08:51:07
Connor Hicks
you know, that's or rather, that's not a question that I have the answer to. But I think there has to be some kind of change, because what we have now is not going to work.

00:08:51:09 - 00:09:20:02
Lori MacVittie
And I think you just like hit on the legacy versus modern apps. Didn't we have this discussion about applications like the 20 years ago? Oh, we can't upgrade everything. We can't make it all modern. So we have to figure out how to glue these together. And it looks like what AI is doing is creating that moment again for APIs and all of the things that came before it. Just draw a line and say, okay, everything behind here is not going to work the same,

00:09:20:02 - 00:09:53:25
Lori MacVittie
so we have to figure out some glue. Now,

Connor Hicks
That's right.

Lori MacVittie
we didn't talk about this before show, right, and prep you for it. So this is coming out of left field. But I have heard people positing that MCP as a wrapper around existing APIs, and then using tool restrictions, would help with both authentication, authorization, scaling out the APIs, and some of the access problems, thereby kind of making the traffic, if not predictable, at least a little less chaotic.

00:09:53:28 - 00:10:29:21
Connor Hicks
That's right. I see MCP kind of like a choke point in the agentic workflow. It is a, if not predictable, at least understandable subset of what agents want to do. Right? They might want to be able to do more than what MCP allows, but at least MCP gives them a window into our existing APIs that they can understand, the agents, and we can control, because it's a set of messages and, you know, access controls that at least we can reason about and exert some control over.

00:10:29:21 - 00:11:07:13
Connor Hicks
Now, MCP doesn't actually define a built-in AuthN/AuthZ strategy. So there's a bit of a Wild West going on in that regard. And there is the delegated identity problem, wherein some agents are acting completely autonomously, but others are acting on behalf of a human. So the question becomes, if I trigger an agent to do something, does that agent assume my identity and all of my access? Versus an agent that is running, you know, maybe as a nightly or weekly job, does it have a completely different method of authenticating and authorizing itself within these systems?

00:11:07:15 - 00:11:16:27
Connor Hicks
These are all questions that nobody has one single answer to. Lots of people have ideas, but there's no one single standard that everyone's agreed on yet.

00:11:17:00 - 00:11:43:00
Lori MacVittie
Well that, it's too early for that. And I think it's moving too fast. So the best practices are kind of emerging out of many, many mistakes and missteps; we find the right answer. And that's always been true. I think it's just mostly been, you know, behind the scenes. And this is really out in the open between like open source and this, you know, build in the open and everybody, you know, share everything.

00:11:43:02 - 00:11:54:18
Lori MacVittie
It's kind of changed that environment. So now we see the mistakes and we can all adapt in real time. And we almost have to because the AI is just, it's moving so fast. At least for the adoption, right.

00:11:54:21 - 00:12:23:17
Connor Hicks
Absolutely. And one of the things that I really liked about the paper is that it related agents to GraphQL a couple of times. Now GraphQL, love it or hate it, you can have all sorts of opinions about GraphQL, but there are a lot of conceptual similarities with what we need to do here. GraphQL gave you a set of standardized, you know, APIs and data structures and whatever else to access a whole myriad of different back end data stores and then do rewrites against it.

00:12:23:17 - 00:12:50:03
Connor Hicks
And agents need to be able to do the same thing, but in a less structured and more flexible way, I suppose. And GraphQL had the problem of, hey, if I'm going and running queries across ten different disparate systems in order to come up with a final, you know, result, that can be inefficient. There's really ways that you can mess that up and you can have these cascading system interaction failures that come along with that by simplifying it in this way.

00:12:50:11 - 00:13:07:28
Connor Hicks
But agents need to be able to do that. They need to be able to query multiple back end systems and data stores. They need to be able to formulate responses and come up with execution plans. And then they need to be able to take action, using tools or some other method. And so there are a lot of similarities to GraphQL.

00:13:07:28 - 00:13:31:20
Connor Hicks
And so the paper posits this need for an AQL, an agent query language. And do I think that's a great idea? Hm, maybe. But is it going to be something that we can, you know, reason about and implement as humans? I think we could. And then the question is, do we go down a lot of the same problems that GraphQL had? Or have we learned our lesson?

00:13:31:20 - 00:13:49:20
Connor Hicks
Could we maybe architect it a bit differently? Use, you know, the lessons we've learned from MCP? Use the lessons that we're learning from the A2A protocol and come up with kind of this new generation of query language? I think that would be very interesting, but it would take an industry wide effort to make that, you know, a reality.

00:13:49:23 - 00:13:54:17
Lori MacVittie
Well, and that that won't happen. Right? It's just,

00:13:54:19 - 00:14:19:21
Lori MacVittie
very, very infrequently do we see that kind of. You know, HTTP is probably one that everybody, they got behind. Just like once TCP won, everybody embraced it, went yes, we're going that way. Until, till they started to go, maybe there's other options. And then we started seeing some interesting things happen. So it's, you know, complete standards probably not going to happen.

00:14:19:21 - 00:14:46:02
Lori MacVittie
But convergence on a set of best practices for the enterprise often happens. We saw that with APIs. Like we said, there's no standard. There's no specification for here's how to write an API. But there is consensus around best practices and approaches that enterprise has, enterprises have adopted. And then that kind of becomes the de facto standard. So I think we'll see the same kind of thing.

00:14:46:02 - 00:15:20:03
Lori MacVittie
We see that with MCP right now. It's going to be the thing. Now is it in its final form? Probably not, right. But it's a good start and everyone seems to go this is a good base to build on, so let's go with it. So that's good because what I'm hearing is maybe we don't have to rewrite all of our APIs, but maybe we have to start supporting the tools that will leverage those APIs, like MCP or what other protocols are coming up.

00:15:20:03 - 00:15:29:25
Lori MacVittie
Even maybe, maybe it is GraphQL. Maybe we do, you know, integrate that and use that. Or do you think we should rewrite everything?

00:15:29:28 - 00:16:07:08
Connor Hicks
I am not usually the one recommending that you rewrite everything. It's never going to be the answer because as soon as you're done rewriting it, some new shiny thing will come along. So I totally agree that best practices are usually the way to go. I think in the end we are going to have, you know, something along the lines of React. Where React in itself is a core set of components and, you know, style of SDK and style of, you know, APIs in order to interact with a lower level set of browser capabilities.

00:16:07:10 - 00:16:26:27
Connor Hicks
But then there's a whole ecosystem of things that have popped up around React that extend it or make it easier to develop with or connect it to other systems. I think, and I hope that we will see something similar come up around agents and generative AI that gives you, you know, a solid foundation to build upon.

00:16:26:27 - 00:16:55:28
Connor Hicks
And then a community or an ecosystem of related and interconnected tools will pop up around it. And being able to choose, how do I do my AuthN/AuthZ? How do I do my rate limiting? How do I do my, you know, tool selection and all of this kind of stuff? These will all be pluggable and interconnected units that you can choose from, so that you can achieve the goals that your particular team or your particular product or whatever it is needs.

00:16:56:01 - 00:17:22:15
Lori MacVittie
I like that approach and it also makes it that much easier, I shouldn't say better, but easier for the industry to develop solutions around things like security. Because API security as it exists today is not enough to deal with this context and semantic, right, issues notwithstanding. Right. There's just between stateful-state, the whole mess is just not enough.

00:17:22:15 - 00:17:47:08
Lori MacVittie
It's a good start. It's a good foundation, but we need more in order to secure that traffic from the agents or just GenAI apps in general. So starting with something and then building on that is a lot easier once you have consensus around this is how we're going to build it. Here's the kind of, you know, traffic that you can expect to see, even if you can't predict where it's going.

00:17:47:11 - 00:18:01:21
Lori MacVittie
And then you can build solutions that are better at securing it, directing it, steering it, you know, all of the things that delivery and security lives to provide. So I think that's a good step. I like that.

00:18:01:26 - 00:18:19:15
Connor Hicks
Absolutely. We jokingly call it Layer 8, right? We think it goes beyond Layer 7 in the OSI stack. Call it the semantic layer or the agentic layer or whatever you want to call it, but we do believe that there's a paradigm here that is so fundamental to the next, whatever decades of software, that it deserves its own layer of the OSI stack.

00:18:19:15 - 00:18:30:27
Lori MacVittie
Okay, now we have harmed a buzzword. So I hope everyone is happy we've said paradigm shift. I think that that gets counted somewhere. I'm just saying. We, we

00:18:30:27 - 00:18:31:17
Connor Hicks
I know.

00:18:31:19 - 00:18:51:18
Lori MacVittie
yeah, we keep track of that, so. But it is true. It is different. A lot of things have been called Layer 8 in the past: APIs, the business, people, now it's, you know, semantic. And that's been brought up before in the context of the semantic web. You know, Web3 was all about semantics, right?

Connor Hicks
Right.

00:18:51:18 - 00:19:06:27
Lori MacVittie
The semantic web. So, this is not a new concept and it's kind of an evolution. So, whether it's Layer 8 or it's some other term, it definitely is a thing shift. I can't say it 'cause I'll be on a list. Yeah.

00:19:06:29 - 00:19:08:27
Connor Hicks
I know, I know, I know.

00:19:09:00 - 00:19:25:00
Lori MacVittie
So we're almost at time and now is when we like to, you know, what are the three things you should take away? Hopefully we were clear enough. But in case we weren't, like what are the three things an enterprise should take away from this paper, from this discussion?

00:19:25:03 - 00:19:58:20
Connor Hicks
I think the first thing would be, you know, use the learnings of all of your compatriots in the industry to start coalescing around some kind of best practice for, most importantly, access and security. And if you can lay a great foundation for that, then everything else on top of it becomes easier and less fraught with peril. The second thing would be, don't rush to go and rewrite everything to run some agentic stack,

00:19:58:20 - 00:20:22:07
Connor Hicks
you know. You don't need to go and rip everything out and replace it with, you know, I'm going to only write MCP servers from here until the end of time. That's, I don't think, going to be useful to anybody. And then the third is prepare, you know, your design thinking and your systems thinking for this non-deterministic future.

00:20:22:07 - 00:20:48:19
Connor Hicks
We have to be prepared to, you know, put the guardrails and put the access control and the observability in place to be able to contend with non-determinism and not let it overrun, you know, our applications and ruin all the hard work that we put into reliability and security and, you know, all the things that make enterprise software tick.

00:20:48:21 - 00:21:14:15
Lori MacVittie
Awesome, awesome. I think I'd echo those, right. Agents are a new kind of caller and they do create chaos in your environment. Don't rewrite your APIs, yet. They're going to have to coexist just as legacy and modern had to coexist for the last, you know, 20, 30, okay, for a long time they've had to coexist.

00:21:14:15 - 00:21:44:21
Lori MacVittie
So you don't need two. There are, you know, other options, other ways to approach it, right. And three, I just, you know, be ready for that security side. Right, the access and how you're going to view it. And, you know, perhaps consider what that model is. Is it on behalf of users? Does that matter? Does it not? Ultimately organizations have to set a standard around that for their environment, their applications, their business, and then be able to implement it.

00:21:44:21 - 00:22:05:12
Lori MacVittie
So, don't rush out and get rid of your APIs just yet. They're still useful.

Connor Hicks
That's right.

Lori MacVittie
So, awesome. Well, thank you very much, Connor. That is a wrap for Pop Goes the Stack. If we spared your brain cells, subscribe. If not, file a ticket. We'll triage the sarcasm later.

00:22:05:14 - 00:22:10:12
Connor Hicks
I'm sure I'll ask, access that Jira ticket sometime.

00:22:10:15 - 00:22:11:12
Lori MacVittie
Awesome.