Cancel
Join the waitlist
Get early access and help shape the platform.
Oops! Something went wrong while submitting the form.
The Future of API Governance Is Guidance — And It Lives in Markdown Files
Kin Lane
February 6th, 2026

API governance has always had a branding problem. The word "governance" conjures images of gatekeeping, enforcement, and pipeline failures. But the most effective governance has always been about something simpler: helping developers make good decisions before they make bad ones. What we're seeing now is a fundamental shift in how that help gets delivered — and it's converging on a pattern that should feel familiar to anyone who's ever written a README.

From Enforcement to Inline Guidance

For the better part of a decade, the API governance playbook has looked roughly the same. You write linting rules using tools like Spectral or Vacuum. You apply them against your OpenAPI definitions. You run them in the IDE, maybe in a web editor, and definitely in the CI/CD pipeline. You set severity levels. You hope people read the style guide. They mostly don't.

The rules themselves aren't going anywhere — they're essential. But the model of "write rules, enforce rules, hope for compliance" has a ceiling. The organizations seeing the best results are the ones treating governance as guidance: meeting developers where they already work, providing context at the moment of decision, and reducing the friction between "what we want" and "what gets built."

This is what I've been calling inline guidance. Your governance program is only as good as the guardrails and education you deliver directly into developer workflows. Documentation that lives in a wiki nobody visits isn't governance. A linting error with no explanation isn't governance. Governance is the knowledge that reaches people at the right time, in the right place, in a form they can actually use.

A New Surface Area for Governance

The rise of AI-assisted development has created a new and surprisingly powerful surface area for delivering that guidance. Over the past year, a clear pattern has emerged across every major AI coding tool: a markdown file, placed in your repository, that tells the AI how to behave in the context of your project.

The implementations vary by tool, but the concept is universal:

CLAUDE.MD is Anthropic's project-level configuration for Claude Code. Drop it in your repo root, and Claude reads it at the start of every session. It holds project conventions, preferred tech stacks, build commands, coding style rules — anything you'd tell a new developer during onboarding.

RULES.MD serves the same purpose for Cursor. Placed in a .cursor/rules/ directory, it shapes how Cursor's AI assistant generates code suggestions and responds to questions, all scoped to your project's specific conventions.

.github/copilot-instructions.md is GitHub Copilot's version. It lives at a predictable path in your repository and automatically provides context for Copilot's suggestions and chat responses. GitHub also supports more granular instruction files scoped to specific tasks like code review or commit messages.

GEMINI.MD is Google's equivalent for Gemini CLI and Gemini Code Assist. Same pattern: a markdown file at the repo root that acts as a persistent, project-scoped prompt.

SKILL.MD takes a different angle. These files teach Claude best practices for specific output types — creating documents, spreadsheets, presentations — with battle-tested instructions on formatting, library usage, and common pitfalls.

AGENTS.MD extends into multi-agent workflows, defining roles, responsibilities, and coordination rules when multiple AI instances collaborate on complex tasks.

Every major platform has independently arrived at the same idea: a markdown file in your repo that shapes AI behavior. The format and location differ, but the pattern is now universal.

Why This Matters for API Governance

Here's the connection that most people are missing. These files aren't just about telling an AI which test framework you use or how you name your variables. They're a delivery mechanism for organizational knowledge — and that includes API governance.

Think about what you'd put in a CLAUDE.MD or RULES.MD for a team building APIs:

  • How your organization structures API endpoints and names resources
  • Which HTTP methods map to which operations, and when to deviate
  • How errors should be formatted and what status codes to use
  • What security schemes are required and how authentication flows work
  • How pagination, filtering, and versioning are handled
  • Which lifecycle stage an API is in and what that means for stability guarantees
  • How to structure an OpenAPI document that passes your linting rules

This is governance content. It's the same knowledge that lives in your style guide, your Spectral rulesets, and your onboarding decks. But now it can be injected directly into the tool a developer is using to write code, at the exact moment they need it.

The traditional governance stack — Spectral rules, Vacuum rules, JSON Schema validation — still lives at the IDE, CLI, and pipeline levels. That doesn't change. What changes is that you now have an additional layer upstream of all that, shaping how code gets written in the first place rather than just catching problems after the fact.

The Real Value Is the Knowledge, Not the Agent

There's a lot of noise right now about agents and agentic workflows. Set that aside for a moment. What matters here isn't the agent — it's the artifact. The markdown file. The codified knowledge.

When an organization sits down to write a CLAUDE.MD or a set of SKILL.MD files, they're doing something that has been stubbornly difficult to achieve in enterprise software: they're making tacit knowledge explicit. They're taking the things that senior engineers know intuitively — how this project works, why we do things this way, what mistakes to avoid — and writing it down in a form that's both human-readable and machine-consumable.

That's valuable regardless of what happens with the AI hype cycle. If every AI coding assistant disappeared tomorrow, you'd still have a collection of well-written, well-organized project knowledge in your repository. That's useful for onboarding. It's useful for code review. It's useful for cross-team alignment. The AI just happens to be a particularly effective consumer of it.

Governing Across the Lifecycle

The most interesting implications show up when you think about this pattern applied across the entire API lifecycle — not just at the design or implementation stage.

Consider the surface area: design guidance for how APIs should be structured, implementation rules for how SDKs and integrations should be generated, testing expectations for contract tests and integration suites, deployment conventions for how APIs get versioned and released, operational standards for monitoring, security, and deprecation. Each of these stages can have its own set of guidance files, its own skills, its own rules — all expressed in markdown, all living in the repository alongside the code they govern.

This also works from both directions. Producer-side governance tells teams how to build APIs. Consumer-side governance tells teams how to integrate with them. Most organizations today only think about the producer side. But the consumer perspective — how do you ensure that the people building on top of your APIs are doing it well — is equally important and has been much harder to address. These guidance files offer a path.

What Comes Next

If you're responsible for API governance in your organization, here's the practical takeaway: start thinking about your governance artifacts as things that need to be expressed in multiple formats for multiple audiences.

Your Spectral rulesets aren't going away. Your JSON Schema validation isn't going away. Your OpenAPI specifications aren't going away. These are the essential nutrients. But layered on top of them, you now need governance content that can be delivered as CLAUDE.MD files, as RULES.MD files, as Copilot instructions, as Gemini configuration — as whatever format the next tool adopts, because the pattern is clear and it's only going to proliferate.

The organizations that figure this out early will have a meaningful advantage. Not because they're using AI better, but because the process of writing these governance artifacts forces a clarity of thought about how your APIs should work, why they should work that way, and how to communicate that effectively. That clarity is the real product. The markdown files are just the packaging.

Governance is becoming guidance. And guidance, it turns out, fits very naturally into a .md file at the root of your repository.

Table of contents

More articles

Kin Lane
January 6th, 2026
Is MCP Coming Up Against Your Internal Enterprise Security Policies?
Kin Lane
February 5th, 2026
Are Agent Skills the Real Game-Changer? A Conversation with Kevin Swiber on MCP, Context Engineering, and What Actually Matters
Kin Lane
February 4th, 2026
The Hidden Costs of Ungoverned APIs: Why Reuse Metrics and MCP Server Governance Matter More Than Ever
Kin Lane
February 3rd, 2026
The Hidden Cost of Copilots: When APIs Become MCP Server Sprawl
Kin Lane
February 3rd, 2026
What is the Role of the Gateway?
Kin Lane
February 2nd, 2026
Why We're Considering Fair Source for Our Licensing Strategy
Kin Lane
January 30th, 2026
API Reusability Is Not a Metric Problem — It’s a Discovery, Context, and Trust Problem
Kin Lane
January 29th, 2026
After the Spec: A Conversation with Fran Méndez on AsyncAPI, Burnout, and Building What You Actually Want
Kin Lane
January 28th, 2025
Running Into the Limits of Example Naming in API Sandboxes
Kin Lane
January 27th, 2026
How Markdown Accidentally Became the Control Plane for AI
Kin Lane
January 27th, 2026
Turning API Chaos Into Business Capabilities: How Naftiko Is Rethinking Enterprise Integration for the AI Era
Bringing Order to Architectural Chaos: A Conversation with David Boyne of Event Catalog
Kin Lane
January 20th, 2026
JSON Schema as the Foundation for API Design
Kin Lane and Claire Barrett
January 19th, 2026
What is a Capability?
Kin Lane
January 15th, 2026
Using Hypermedia to Automate Capabilities in this AI Moment
Claire Barrett
January 14, 2025
Getting On The MCP Bullet Train Without Leaving Governance Waiting At The Platform
Claire Barrett
January 12th, 2026
We've Been Wrong About API Reuse All Along
Kin Lane
January 7th, 2026
Introducing Naftiko Signals: Gathering the Signals That Matter Across the Enterprise
Kin Lane
January 6th, 2025
Welcome to the Naftiko Capabilities Podcast
Kin Lane
January 5th, 2026
Our Partners and Customers Need an AI Copilot
Kin Lane
Dec 2, 2025
Reframing how we integrate software with capabilities
Kin Lane
Dec 2, 2025
Introducing a new foundation for capability-driven integration – The Nafitko Engine
Kin Lane
Dec 2, 2025
From web APIs to a web of capabilities: The architecture AI is needing
Kin Lane
Embrace your API legacy and integrate your AI future using Naftiko
Building the future of API integration
About
TeamCareersContact
Resources
NewsletterGlossary

© 2025 Naftiko. All rights reserved.

Made with waves of 🤍 + code by duo&co
Privacy PolicyTerms & Conditions