AWS re:Invent 2025 - Keep Your Agents Out of Trouble with Amazon Bedrock AgentCore (AIM3330)

Keeping AI Agents Safe and Controlled with Amazon Bedrock AgentCore

Overview

  • Presentation by Sarakandanda (Principal Product Manager) and Vive Badurya (Principal Engineer) on ensuring the safety and control of AI agents in production environments.
  • AI agents are a powerful new class of software that can understand user intent, plan actions, and execute multi-step workflows to achieve goals.
  • While agents offer great flexibility and adaptability, they also introduce new risks if not properly contained and controlled.

The Challenges of AI Agents

  • Unpredictable runtime behavior: Agent decisions depend on evolving context, which is hard to predict during design.
  • Potential for unauthorized actions: Agents may attempt to trigger workflows or access data beyond their intended scope.
  • Misalignment with policies: Agents may take actions aligned with user intent but not with internal company policies.

The Agent Safety Framework

The presenters describe a layered approach to agent safety:

1. Runtime Isolation

  • Agents execute in a fully isolated environment to prevent interference between user workloads.
  • Uses AWS technologies like Firecracker microVMs to provide strong security boundaries.

2. Controlled Tool Access

  • Agents access external tools and services through a gateway that enforces fine-grained access policies.
  • Policies can restrict actions based on factors like user identity, data thresholds, and business rules.

3. Observability and Evaluation

  • Comprehensive tracing of agent decisions, tool calls, and outcomes provides visibility into agent behavior.
  • Automated evaluation of agent performance against custom criteria allows continuous monitoring and verification.

4. Deterministic Policy Enforcement

  • Policies defined using the open-source Cedar policy language are enforced deterministically at the gateway level.
  • Ensures agents cannot take unauthorized actions, even if they attempt to do so.

Technical Details

  • AgentCore Runtime provides the isolated execution environment for agents.
  • AgentCore Gateway implements the MCP (Model Context Protocol) for tool discovery and invocation.
  • AgentCore Identity manages user authentication and credential management for on-behalf-of agent actions.
  • AgentCore Observability tracks all agent activity, including tool calls and policy decisions.
  • AgentCore Evaluation allows defining custom criteria to automatically assess agent performance.

Business Impact

  • Enables organizations to safely deploy AI agents in high-stakes, mission-critical workflows.
  • Provides the necessary controls and visibility to scale agent-based automation while mitigating risks.
  • Allows developers to focus on agent capabilities rather than low-level safety mechanisms.

Use Case Example: Insurance Agent

  • Agents can automate insurance application processing, risk assessment, and approval workflows.
  • Policies can restrict application creation to coverage amounts under $5 million, and limit risk modeling access to users in the finance department.
  • Observability and evaluation track agent actions, policy decisions, and overall performance to ensure alignment with business requirements.
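The two use-case rules above, together with the gateway-level Cedar enforcement described under "Deterministic Policy Enforcement", can be expressed as a small Cedar policy set. The following is an added illustration, not code from the talk or from the AgentCore product; the entity types (`UserGroup`, `Tool`, `Action`) and the context attribute `coverage_amount` are assumptions about how a gateway might present a tool call to Cedar, not AgentCore's actual schema.

```cedar
// Assumed mapping (not AgentCore's real schema): the gateway presents each
// tool call to Cedar with principal = the authenticated user the agent acts
// for, action = Action::"invoke", resource = the Tool being invoked, and
// context = the tool-call arguments the agent supplied.

// Rule 1: anyone may create an insurance application, but only for coverage
// amounts under $5,000,000. Cedar is default-deny, so a call that fails this
// condition is rejected; a call that omits coverage_amount makes the condition
// error out, which Cedar treats as "policy not satisfied", so it is also denied.
permit (
    principal,
    action == Action::"invoke",
    resource == Tool::"create_application"
)
when { context.coverage_amount < 5000000 };

// Rule 2: the risk modeling tool is available only to the finance department.
// Group membership comes from the entity data the gateway supplies (i.e. the
// identity layer), never from anything the agent asserts in its request.
permit (
    principal in UserGroup::"finance",
    action == Action::"invoke",
    resource == Tool::"risk_model"
);

// Hard ceiling: a forbid overrides every permit, so even if a broader permit
// is added later, no application at or above $5,000,000 can be created.
// The `has` check closes the gap where a request with no coverage_amount
// would otherwise fall outside this forbid entirely.
forbid (
    principal,
    action == Action::"invoke",
    resource == Tool::"create_application"
)
when { !(context has coverage_amount) || context.coverage_amount >= 5000000 };
```

The decision is deterministic for a given principal, action, resource and context, which is the property the talk relies on: the model can propose any tool call it likes, but whether the gateway forwards it depends only on these policies and on the identity and entity data the gateway itself attaches, so the agent cannot talk its way past the $5 million threshold or the finance-only restriction.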

Key Takeaways

  • AI agents offer powerful capabilities but also introduce new risks that must be carefully managed.
  • The layered agent safety framework in Amazon Bedrock AgentCore provides comprehensive controls to contain, govern, and verify agent behavior.
  • Deterministic policy enforcement, observability, and automated evaluation are critical to scaling agent-based applications in production.
  • The technical capabilities demonstrated can be applied to a wide range of agent-based use cases across industries.
