Hi Michael,
We're facing exactly the same issue: too many false positives, e.g. for SQL injection, so we generally need to turn it off. A "learning mode" as suggested by you, with logging only, would be great.
We see our API Gateway as similar to a WAF for web applications: both are exposed directly to the internet and must be capable of performing advanced threat protection. But today we don't have the same possibilities on CA API Gateway as on WAFs. So our customers challenge us to put the gateway behind a WAF, which introduces operational issues such as: two components must be adjusted for API deployments, mutual SSL is not possible anymore, etc.