What should be the first steps for a company looking to establish an API security audit process?

Identify all API endpoints, categorize them based on their sensitivity and functionality, and map their requests and responses. Establish security policies, define roles and responsibilities, and select appropriate tools for conducting the audits. Educate the team about API security best practices and create a schedule for regular reviews.