AWS used its New York Summit to make a broader pitch for enterprise AI agents: they should not just answer questions or write code, but operate inside a governed stack that can reach company knowledge, search the live web, pay for premium information, test its own behavior, and route actions through security controls.
The company’s June 17 announcements centered on new Amazon Bedrock AgentCore capabilities, along with two higher-level services: AWS Context, a knowledge graph for enterprise data, and AWS Continuum, an AI-native security service for managing code vulnerabilities. Several AgentCore features are generally available now, including the managed harness, Bedrock Managed Knowledge Base, Web Search, Guardrails integration, recommendations, and A/B testing. AgentCore insights and payments are still in preview.
That mix matters because most enterprise agent failures are not caused by a weak model alone. They come from missing context, stale retrieval, loose tool access, silent failures, unclear ownership, and security teams that cannot see why an agent chose a particular action. AWS is trying to turn those problems into managed cloud infrastructure rather than custom glue code.
AgentCore Gets Retrieval, Web Search, and a Managed Harness
Amazon Bedrock AgentCore is AWS’s production platform for building and operating AI agents. The newly announced pieces expand it beyond orchestration into a more complete operating environment.
The Bedrock Managed Knowledge Base is designed to reduce the work of building retrieval-augmented generation pipelines. At launch, it includes native connectors for Amazon S3, SharePoint, Confluence, Google Drive, OneDrive, and a web crawler. AWS handles the vector store, embeddings, reranking, parsing, and scaling work that teams would otherwise have to assemble themselves.
The service also adds what AWS calls an agentic retriever. Instead of matching a user question to nearby chunks only, the retriever can infer intent, plan multi-step lookups, connect related concepts across one or more knowledge bases, and rerank intermediate results before returning an answer. For companies trying to make agents useful across policy documents, support notes, product files, and internal wikis, that is the difference between a retrieval demo and a system that might survive real employee questions.
Web Search on Bedrock AgentCore gives agents access to current public information without sending prompts and retrieval queries to an outside search provider. It works as a built-in target on AgentCore Gateway using the Model Context Protocol. An agent sends a natural-language query, and Web Search returns source URLs, titles, snippets, and publication dates the model can use for grounded responses.
AWS says the feature uses Amazon’s search infrastructure and combines web index results with Amazon Knowledge Graph data. It is generally available in the US East (N. Virginia) Region, with no separate feature charge beyond data transfer through the Gateway.
The newly general-available AgentCore harness handles the loop that many teams currently build by hand: model calls, tool execution, memory, context handling, state, error recovery, and session isolation. Customers define the model, tools, skills, and instructions in configuration, then AgentCore runs the agent in an isolated environment with a filesystem, shell, memory, AWS-curated skills, and web browsing. AWS says the harness is model-agnostic and can switch model providers mid-session without changing agent logic.
AWS Context Aims at the Enterprise Data Problem
AWS Context sits above those AgentCore pieces. It automatically builds a knowledge graph from existing business data, including structured data, documents, messages, emails, rules, and domain knowledge. The goal is to help agents understand not just where data lives, but which sources are authoritative, how fields and entities relate, and what business rules matter.
That is a real pain point. A customer-service agent may need purchase history from one system, shipping status from another, and return eligibility from a policy document. A finance agent may need to distinguish between current contract terms and outdated slides. Without a shared context layer, each agent tends to become its own brittle retrieval project.
AWS says Context is built on the same knowledge graph technology behind Amazon Quick and stores metadata from data sources in Iceberg format in S3 Tables. It also includes governance controls so agents only access information they are permitted to use. The more important claim is the feedback loop: as agents use Context, it can learn which sources, paths, and rules produce better answers, then make that learning available across other agents.
The Security Layer Is Moving Into Agent Behavior
The AgentCore updates also push security closer to agent execution. Bedrock Guardrails integration is now generally available in AgentCore policy controls, evaluating agent actions for prompt injection attempts, harmful content, and sensitive data exposure. The checks run at the gateway layer, outside the agent’s own prompt context, which makes them harder for the agent to reason around or ignore.
AWS also plans to let customers feed detection signals from security vendors including Check Point, Zscaler, Rubrik, Netskope, and SentinelOne into AgentCore policies. That points to a likely direction for enterprise agent security: models may reason probabilistically, but final tool access and action approval need deterministic controls that security teams can audit.
AWS Continuum is the sharper security announcement. The gated-preview service starts with code vulnerabilities and works across four phases: discovery, prioritization, validation, and mitigation or remediation. It can ingest existing vulnerability backlogs, scan for more issues, evaluate whether affected components are reachable or business-critical, construct exploit examples in a sandbox, and recommend fixes such as code patches, policy changes, or network changes.
Continuum also includes threat modeling in preview, with outputs in STRIDE format. AWS positions it as a response to AI-assisted vulnerability discovery, where both attackers and defenders can chain findings faster than traditional triage queues can absorb. The service begins in a supervised learn mode, then can graduate to more automated enforcement only where customers define the allowed categories and risk thresholds.
The Hard Part Is Trust, Not Demo Speed
AWS is not alone in trying to make agents more useful inside large companies. Microsoft, Google, OpenAI, Anthropic, Salesforce, ServiceNow, and many smaller vendors are all selling versions of governed workplace agents. The AWS difference is that it is wrapping the problem in familiar cloud primitives: gateways, policies, identity, observability, data stores, deployment pipelines, and security workflows.
That approach is sensible, but it also raises the bar. If an agent can search internal files, browse the web, execute tools, buy access to paid data, write code, and trigger release tests, then every weak permission, stale connector, bad retrieval result, and silent failure becomes operational risk. The useful question for buyers is not whether an agent can complete a polished demo. It is whether the organization can inspect what happened, reproduce why it happened, restrict what the agent may do next, and roll back bad outcomes before they spread.
The AgentCore optimization tools are aimed directly at that gap. Failure insights, intent insights, and trajectory insights are meant to surface recurring agent behavior patterns across many sessions, including failures that do not throw normal errors. Recommendations and A/B testing then let teams test prompt, tool-description, or agent-version changes against evaluation data and production traffic before fully adopting them.
For enterprise teams, the near-term decision is less about replacing workers with autonomous agents than deciding which workflows are structured enough for this operating model. Support lookup, policy research, release-readiness review, vulnerability triage, internal knowledge search, and modernization tasks are natural early candidates because they already have permissions, logs, and validation steps. Higher-risk workflows will need tighter approvals and more evidence before agents are allowed to act directly.
The AWS Summit announcements show where the market is heading. AI agents are becoming less like standalone assistants and more like cloud workloads: deployed, monitored, governed, tested, billed, and improved continuously. That may be less glamorous than the promise of fully autonomous software workers, but it is closer to what companies need before they trust agents with production systems.
