Require that OWASP API security top ten has been applied as part of API security.
OWASP
Strategies
API Data Is Classified and Protected
Not all data is created equal, and if you are treating PII the same as public reference data, you have a problem. Every piece of data flowing through your APIs needs to be classified by sensitivity...