# Shadow APIs

Suppose an API is live in the production environment but absent from the documentation. This 'shadow API' scenario poses several challenges:

1. **Incomplete Security Assessments:** The API may not undergo necessary security assessments, leading to incomplete security coverage and potential vulnerabilities going unnoticed.
2. **Limited Visibility:** The absence of documentation restricts visibility, making it challenging to monitor and manage the complete API landscape.
3. **Risk of Undetected Changes:** Without comprehensive coverage, changes made to the API in the production environment may go unnoticed.
4. **Operational Challenges:** Incomplete documentation hinders efficient operation, as developers may lack crucial information required for successful integration.
5. **Compliance Risks:** The presence of 'shadow APIs' may impact regulatory compliance efforts, as documentation completeness is crucial for assessments.

**Managing Implications**: Conduct thorough audits, document shadow APIs, and implement governance to align production with intended API landscapes.

<figure><img src="https://3462681674-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FZKwBF6q0tAGXlIih38HL%2Fuploads%2F5cgGB70PzMGuEzvvG2Rx%2Fimage.png?alt=media&#x26;token=0bae9e8a-97cf-4cc1-8b99-7b90e648d883" alt=""><figcaption><p>Shadow API</p></figcaption></figure>
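One way to run the audit described under Managing Implications, shown as an added example rather than code from this page: compare the endpoints seen in production access logs with the documented paths and report what the documentation does not cover. The path table, the log lines and the function names are constructed for illustration, and treating a 404 as "not served" is an assumption.

```python
import re
from collections import Counter

# Constructed documented surface, shaped like the "paths" object of an OpenAPI document.
DOCUMENTED_PATHS = {
    "/v1/users": ["get", "post"],
    "/v1/users/{id}": ["get", "delete"],
    "/v1/orders/{id}": ["get"],
}

# Constructed access-log lines (common log format) standing in for production traffic.
ACCESS_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /v1/users/42 HTTP/1.1" 200 512
10.0.0.5 - - [12/Mar/2024:10:01:03 +0000] "POST /v1/users HTTP/1.1" 201 128
10.0.0.9 - - [12/Mar/2024:10:02:10 +0000] "GET /v1/internal/export?fmt=csv HTTP/1.1" 200 90211
10.0.0.9 - - [12/Mar/2024:10:02:11 +0000] "PUT /v1/users/42 HTTP/1.1" 200 64
10.0.0.7 - - [12/Mar/2024:10:03:00 +0000] "GET /v1/orders/7/ HTTP/1.1" 200 300
10.0.0.7 - - [12/Mar/2024:10:03:05 +0000] "GET /v2/debug/config HTTP/1.1" 404 0
10.0.0.9 - - [12/Mar/2024:10:04:00 +0000] "GET /v1/internal/export?fmt=json HTTP/1.1" 200 88110
"""

REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def compile_spec(paths):
    """Turn each path template into (allowed methods, anchored regex)."""
    compiled = []
    for template, methods in paths.items():
        parts = re.split(r"\{[^/}]+\}", template)   # "{id}" matches one path segment
        pattern = "[^/]+".join(re.escape(p) for p in parts)
        compiled.append(({m.upper() for m in methods}, re.compile(f"^{pattern}$")))
    return compiled

def find_shadow_endpoints(log_text, paths):
    """Count (method, path) pairs that were served but are not in the documentation."""
    spec = compile_spec(paths)
    shadow = Counter()
    for method, target, status in REQUEST_RE.findall(log_text):
        path = target.split("?", 1)[0].rstrip("/") or "/"   # drop query and trailing slash
        if status == "404":        # assumption: a 404 means no route is served there
            continue
        if not any(method in methods and rx.match(path) for methods, rx in spec):
            shadow[(method, path)] += 1
    return shadow

if __name__ == "__main__":
    for (method, path), hits in find_shadow_endpoints(ACCESS_LOG, DOCUMENTED_PATHS).most_common():
        print(f"{hits:>3}  {method} {path}")
```

An undocumented method on a documented path (the `PUT` above) is reported as well, since it is also production behaviour the documentation does not describe.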
