Session Abstract: While GM continues to innovate towards an "All EV reality," the importance of securing the digital experience of its customers remains a key priority. We all know that strong identity is at the core of a digital business experience, but how do we build end to end services that secure the user experience while supporting flexibility in the UX ? Identity services that support B2C experiences are different in many ways than workforce identity services, so how should we apply zero trust principles to clients and populations that are "in the wild" by definition? A key aspect of GM's services transformation was a migration to cloud API service. We will define the key API security elements that will make it easier for application teams to build platform services securely and consistently. This session will share best practices on identity-based API services that focus on security and visibility, while keeping alignment with the overall goals of a zero trust architecture. We will dive into some core patterns of API security and recommendations for "bringing everyone along for the ride" when establishing reference architectures that an entire enterprise must understand — and follow.