Secure AI agents with Policy in Amazon Bedrock AgentCore
News/2026-03-12-secure-ai-agents-with-policy-in-amazon-bedrock-agentcore-news
Cybersecurity AI Breaking NewsMar 12, 20266 min read
Verified·First-party

Secure AI agents with Policy in Amazon Bedrock AgentCore

Featured:Amazon

Practical focus

Detect threats and suspicious behavior

Guideline angle

Using AI in SOC workflows

Secure AI agents with Policy in Amazon Bedrock AgentCore

Amazon Launches Policy in Bedrock AgentCore to Enforce Strict Boundaries on AI Agents

Key Facts

  • What: Amazon Web Services launched Policy in Amazon Bedrock AgentCore, a deterministic enforcement layer that intercepts agent-to-tool requests using Cedar-based policies.
  • How it works: Converts natural language business rules into Cedar policies for fine-grained, identity-aware access control independent of the agent’s own reasoning.
  • Integration: Applied through AgentCore Gateway, evaluating every tool call at runtime before execution.
  • Purpose: Prevents AI agents from taking unauthorized actions even when their reasoning fails, addressing a critical safety gap in production agent deployments.
  • Context: Part of a broader layered security approach that includes micro-VM session isolation and standard AWS security controls.

Lead paragraph

Amazon Web Services has introduced Policy in Amazon Bedrock AgentCore, a new capability that creates hard guardrails around AI agents by intercepting and evaluating every tool call against predefined business policies before they can execute. The feature converts natural language descriptions of organizational rules into Cedar policies, ensuring agents can only access tools and data that their specific users are authorized to use — regardless of what the agent’s reasoning model decides. Launched as part of a set of new AgentCore capabilities, the move addresses a growing concern in enterprise AI: even carefully prompted agents can make dangerous mistakes with real-world consequences.

How Policy in AgentCore Works

According to the official AWS announcement, Policy in Amazon Bedrock AgentCore operates as an independent enforcement layer separate from the agent’s core reasoning engine. This design is critical because it removes reliance on the large language model’s ability to follow instructions — a known weak point in agentic systems.

The process begins with business or security teams describing rules in plain natural language. These descriptions are then translated into Cedar policies. Cedar is Amazon’s open-source policy language originally developed for its authorization services. Once defined, these policies are enforced through AgentCore Gateway, which sits between the AI agent and any tools or data sources it might call.

Every time an agent attempts to invoke a tool — whether accessing a database, calling an API, or performing an action on behalf of a user — the gateway intercepts the request. It evaluates the request against the relevant Cedar policies, taking into account the identity of the end user, the agent’s context, and the specific action being requested. Only if the policy explicitly allows the action does the request proceed.

This deterministic approach contrasts sharply with traditional prompt-based guardrails that attempt to influence an agent’s behavior through instructions. As noted in coverage of the launch, AWS intends Policy to serve as a reliable safety net “when something doesn’t quite work as planned.”

Layered Security for AI Agents

Policy is not a standalone security feature but part of a broader defense-in-depth strategy for AI agents. AWS positions it on top of several existing security layers already present in Bedrock AgentCore.

The foundation includes session-level isolation using micro virtual machines that provide strong runtime boundaries between different agent sessions. This is further strengthened by standard AWS security services including IAM, encryption, and network controls. Policy adds a new authorization layer specifically tailored to the dynamic, reasoning-driven nature of AI agents.

AWS emphasizes that agents often need to act on behalf of users with delegated credentials. The new Policy capability supports identity-aware controls, meaning authorization decisions consider not just what the agent wants to do, but who the human user is and what permissions that user possesses.

This is particularly relevant for enterprise use cases such as insurance claims processing, financial services, or HR systems where agents interact with sensitive data and must strictly adhere to compliance requirements.

Competitive Context and Industry Need

The launch comes as enterprises increasingly experiment with autonomous AI agents that can take actions beyond simply answering questions. While retrieval-augmented generation (RAG) agents have become relatively common, fully agentic systems that can call tools, make decisions, and execute workflows introduce new risks.

Industry observers have noted that even sophisticated prompting techniques cannot fully eliminate the possibility of an agent hallucinating an action or misinterpreting instructions in ways that could expose sensitive data or violate policy.

By providing a policy enforcement mechanism that is independent of model behavior, Amazon is attempting to make agent deployments safer and more trustworthy at scale. The feature is currently available in preview as part of Amazon Bedrock AgentCore.

Impact on Developers and Enterprises

For developers and organizations building with Amazon Bedrock, the introduction of Policy represents a significant step toward production-ready AI agents.

“Businesses need to be able to trust their agents if they want to get any real value out of them,” an AWS executive noted in coverage of the launch. “This additional safety net will get them there and allow them to rely on the agent’s reasoning capabilities more because it will be there when something doesn’t quite work as planned.”

The ability to express complex business rules in natural language and automatically convert them into enforceable Cedar policies lowers the technical barrier for security and compliance teams. Instead of requiring deep coding expertise in policy languages, teams can describe rules in business terms.

This should accelerate adoption of agentic AI in regulated industries where strict controls are non-negotiable. Developers can now focus more on agent capabilities and reasoning while relying on the Policy layer to enforce boundaries.

The feature also complements other new capabilities launched alongside it, including custom quality evaluations that help organizations measure and monitor agent performance beyond traditional observability tools like CloudWatch and X-Ray.

What’s Next

Policy in Amazon Bedrock AgentCore is currently available in preview. AWS has not yet announced a general availability date or detailed pricing for the feature.

Looking ahead, the company is expected to expand the types of policies that can be enforced and potentially integrate the capability more deeply with other AWS services. The use of Cedar as the policy language suggests potential for interoperability with other AWS services that already support Cedar, such as AWS Verified Permissions.

As agentic AI moves from experimentation to production, features like Policy will likely become table stakes for enterprise platforms. Amazon’s move positions Bedrock as a leader in secure, governed agent deployments, potentially giving it an advantage against competitors offering agent frameworks with weaker built-in guardrails.

Organizations interested in the preview can explore the implementation details in AWS’s technical documentation and blog posts, which include examples of converting natural language rules into working Cedar policies.

The launch underscores a broader industry trend: as AI capabilities grow more powerful, the focus is rapidly shifting from pure performance to verifiable safety, control, and trustworthiness.

Sources

Original Source

aws.amazon.com

Comments

No comments yet. Be the first to share your thoughts!