InfoQ Architecture · March 19, 2026

Morgan Stanley's API Program Evolution for AI Agents with CALM

Morgan Stanley has significantly rethought its API program to support AI agents, moving beyond traditional "dumb pipes" to incorporate business context and enforce compliance. The firm leverages CALM (Common Architecture Language Model), an open-source framework, to define architectures as code, automate deployments, and manage API estates at scale, drastically reducing deployment times and improving consistency. This approach allows for rapid adaptation to new interaction protocols while maintaining stable API contracts and codified controls.

The Shift to AI-Agent API Consumption

The emergence of AI agents and the Model Context Protocol (MCP) has fundamentally changed how APIs are consumed. Business users now demand natural language interaction with data, requiring APIs to be more intelligent and context-aware. This shift presents challenges like disambiguation and increased costs due to agent "chattiness," pushing the industry towards specialized API gateways that can embed business context, rather than just acting as simple pass-throughs. The design implication is a need for API layers that can interpret and manage complex, dynamic requests from autonomous agents, requiring robust semantic understanding and efficient routing mechanisms.

CALM: Architectures as Code for API Management

Morgan Stanley addresses the complexity of managing a large-scale API estate for AI agents using CALM (Common Architecture Language Model), an open-source project under FINOS. CALM enables defining entire architectures as code using a JSON schema, acting as a single source of truth for system configurations and deployments. This approach facilitates consistency, reduces human error, and allows for automated provisioning of infrastructure and services based on predefined patterns.

Infrastructure as Code Beyond Basic Provisioning

CALM exemplifies an advanced form of Infrastructure as Code (IaC) where not just infrastructure, but entire architectural patterns, security controls, and deployment pipelines are codified. This moves beyond simple resource provisioning to defining the *intended state and behavior* of complex distributed systems, including their compliance and operational characteristics.

Automated Deployment and Compliance Guardrails

With CALM, developers select pre-defined architectural patterns and fill in configurations, leading to the automatic generation of all necessary deployment artifacts. This includes not only the API endpoints (REST or MCP servers) but also integrated compliance guardrails, such as denied-symbols lists, enforced at deployment time. This shifts security and compliance left, catching issues before they reach production. Build-time structural validation using Spectral rulesets further ensures architectural completeness and adherence to standards. Together, these measures cut deployment times dramatically, from years to weeks.
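
A build-time gate of the kind described above, as an added example that is not code from the article, from Morgan Stanley, or from the CALM project. The document layout, the field names (`id`, `type`, `controls`, `list-ref`) and the node and list names are simplified assumptions, not the CALM JSON schema, and the check is written in plain Python rather than as a Spectral ruleset.

```python
import json

# Constructed sample document. Field names are simplified assumptions,
# not the CALM JSON schema.
ARCHITECTURE = json.loads("""
{
  "nodes": [
    {"id": "pricing-api", "type": "rest-api",
     "controls": {"denied-symbols": {"list-ref": "restricted-list-v1"}}},
    {"id": "research-mcp", "type": "mcp-server", "controls": {}},
    {"id": "pricing-db", "type": "database", "controls": {}}
  ],
  "relationships": [
    {"source": "pricing-api", "destination": "pricing-db"},
    {"source": "research-mcp", "destination": "quotes-cache"}
  ]
}
""")

API_TYPES = {"rest-api", "mcp-server"}   # node types that serve agents or users
REQUIRED_CONTROL = "denied-symbols"      # guardrail every API node must declare


def validate(arch):
    """Return a sorted list of findings; an empty list means the gate passes."""
    findings = []
    node_ids = set()
    for node in arch.get("nodes", []):
        node_id = node.get("id")
        if not node_id:
            findings.append("node without an id")
            continue
        if node_id in node_ids:
            findings.append(f"{node_id}: duplicate node id")
        node_ids.add(node_id)
        control = node.get("controls", {}).get(REQUIRED_CONTROL)
        if node.get("type") in API_TYPES and not (control and control.get("list-ref")):
            findings.append(f"{node_id}: missing {REQUIRED_CONTROL} control")
    # Completeness: every relationship endpoint must be a defined node.
    for rel in arch.get("relationships", []):
        for end in ("source", "destination"):
            if rel.get(end) not in node_ids:
                findings.append(f"relationship {end} {rel.get(end)!r} is not a defined node")
    return sorted(findings)


if __name__ == "__main__":
    problems = validate(ARCHITECTURE)
    print("\n".join(problems) or "architecture passes")
    raise SystemExit(1 if problems else 0)
```

Run as a pipeline step, the non-zero exit code blocks the deployment until the MCP server declares the guardrail and the dangling relationship is resolved.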

Platform Evolution and Zero-Downtime Operations

The platform team centralizes operational rollouts, patching, and security rotations across hundreds of deployments. By treating platform updates as bundles deployed through the same codified gates, they achieve zero-downtime infrastructure upgrades across the entire production estate. CALM Hub provides a visualization tool, acting as the golden source for deployed architectures, ensuring transparency and control. This demonstrates a robust platform engineering approach where developers gain a fully compliant, production-ready baseline from day one, albeit with some loss of flexibility in how they wire components, which is often a preferred trade-off for speed and consistency.

The article highlights that while new interaction protocols like Agent-to-Agent (A2A) will emerge, the underlying APIs remain the stable contract. Codified controls and pipelines allow organizations to swap interaction layers without rebuilding the entire system, emphasizing the importance of architectural adaptability and robust governance in an evolving technological landscape.
