Enterprise diagnostic

Which of your APIs should agents use first — and what breaks when they try?

The Agent-Ready API Portfolio Diagnostic. In 3 weeks, from documents you export — no system access — a scored, security-approvable answer: which APIs are ready for agents, which must wait, the identity and governance gaps that will stop production rollout, and a 90-day plan your architecture board can fund. Fixed fee. Guaranteed.

Three signs this is your organization:

SIGN 1

An agent pilot is stalled at security review right now — funded, staffed, and parked.

SIGN 2

Someone proposed "let's build an MCP server" and nobody could say for which APIs, under whose identity, with what audit trail.

SIGN 3

The board asked for the agent strategy — and the answer was a slide, not a plan.

Here's the uncomfortable part: agent access to your APIs is already growing without you. Employees' copilots hold API keys. Teams stand up unsanctioned MCP servers. AI tools call internal APIs on human credentials. You are not choosing between "agents now" and "agents later" — you are choosing between governed and ungoverned, and every month of waiting adds ungoverned surface.

The industry numbers say this wall is everyone's wall — Postman's 2025 State of the API (5,700+ respondents): 24% of teams design APIs with agents in mind; 51% name unauthorized agent access a top security risk. But the reason most organizations stay stuck is they start with the wrong question. "Should we build an MCP server?" is a protocol project.

Which API surfaces should agents be allowed to use — in what order, under what identity, with what authorization, cost controls, and audit trail?

That's what this diagnostic answers.

What you get

A defensible answer — with the evidence trail that survives your architecture board and your security committee:

  1. Demand & exposure map — what your pilots and teams actually need, and what AI tools are already calling your APIs with what credentials (from your gateway exports — week 1, routinely surprising)
  2. Agent-Readiness Scorecard — your candidate APIs scored on explicit criteria: design, docs, auth, error behavior, observability, cost attribution. The rubric stays with you — re-score the rest of the portfolio yourselves
  3. The priority 2×2 — demand × readiness: what goes first, what waits and why — the hold-backs with named risks are the incident you don't have
  4. Governance & access gap analysis — agent identity, delegated authorization, gateway/registry posture, auditability, cost attribution — written to hand to your CISO's team as-is
  5. Agent Access Control Plane Map — one vendor-neutral diagram of how agent traffic should enter, authenticate, get metered, and get audited across your actual stack, with a build/buy read on your existing tooling
  6. Surface call per candidate (API vs MCP vs CLI vs Skills) and a 90-day roadmap + 5-slide executive briefing — delivered in a 60-minute readout with your sponsor and security in the room. Delivered this quarter, the roadmap reads as next year's budget line items.

How it works — ~10 hours of your teams' time, zero system access

You send exports. Nothing is installed, no credentials issued, no production data touched. This is a documents-and-interviews engagement, built to clear vendor review in days.

You provideWhoTime
API catalog/inventory exportPlatform~1 hr
Specs for top ~20 candidatesPlatform/domains~1 hr
Gateway config + 30–60 days traffic summaryDevOps~1.5 hr
API consumer identity/authz policiesSecurity/IAM~1 hr
Agent-initiative charter & pilot docsSponsor's office~30 min
5–6 interviews × 45 min (incl. your security lead)~5 hrs

The 3-week clock starts the day your export package lands. And candidly: if your organization cannot produce these ten hours, that is itself the first diagnostic finding about your agent initiative.

Who runs it

Emmanuel Paraskakis, founder of Level 250.

Your architects could self-assess — but a self-graded scorecard is exactly what architecture boards and security committees discount. The independence is the deliverable. One boundary, stated plainly: this maps your identity and governance gaps and hands them to your security team with a named IAM reviewer — it does not replace your security team's judgment.

Ran enterprise API programs (Keysight engagement; developer-experience assessment for Nylas; agent-readiness sessions for Emirates and Heineken engineering).
Trains PMs and engineers at Bloomberg, FedEx, Netflix, and Standard Bank on agent-ready API design.
1.3M
APIs designed with tools he built — Swagger and Apiary
VP Product at API platforms

Is this for you?

Good fit:

  • 20+ production APIs
  • An agent initiative with a pulse (a pilot, a mandate, or a board asking)
  • One of the three signs above happened this quarter
  • And you are the CTO, CIO, or transformation owner — because four teams will need to produce exports and interview slots inside three weeks, and that only happens when the ask comes from the top.

Not a fit:

You want MCP servers built this quarter regardless. That's a different engagement — and before the portfolio question is answered, usually a premature one.

Engagement