Amazon Bedrock AgentCore gets Policy for AI agent access control

Amazon Bedrock AgentCore received Policy for controlling access of AI agents

Amazon has described how Bedrock AgentCore now features a separate Policy mechanism to protect AI agents. Its task is to verify access to tools and data not through the "common sense" of the model, but through strict rules that are enforced independently from its reasoning and move security out of prompts into a managed infrastructure layer.

Separate layer of rules

The key idea is that Policy in AgentCore creates a deterministic control layer. Even if the agent decided that to provide an answer it should open an internal service, download a file, or call a tool with elevated privileges, the final decision is not made by it. The request passes through a separate rules system, and only it determines whether the action is allowed or not. This approach reduces the risk when a model misinterprets instructions, understands the user's task too broadly, or attempts to access data it shouldn't see.

AWS also describes a more convenient way to configure such constraints. Business rules can first be formulated in natural language, then translated into Cedar policies — a language designed for precise description of permissions. Instead of a vague prompt like "don't show other people's documents," there is a formal check: to whom, under what conditions, and with what rights can an agent actually open the required tool or dataset. For corporate scenarios, this matters more than yet another layer of instructions in the prompt itself.

For agents, this is especially important in long multi-step scenarios. A model may correctly start a task, then during the chain decide it needs one more tool or broader access. Without an external policy, such expansions are often controlled only by the prompt. Policy in AgentCore offers a more rigid scheme: each new step is rechecked against the rules, even if the agent itself is confident it is acting in the user's interests.

Verification at the gateway

In practice, Policy is applied through the AgentCore Gateway. This gateway intercepts each request from the agent to the tool during execution and verifies it before the action is performed. In other words, this is not a one-time configuration at the start of a session, but runtime control: an agent can make dozens of requests to APIs, databases, file storage, and internal services, and each such step undergoes policy evaluation. This makes protection closer to the actual behavior of the agent, rather than its initial intentions.

• Who exactly initiated the request: a specific user, role, or group
• What tool the agent is accessing and what action it wants to perform
• Whether the user has the right to see this data or run this workflow
• Whether access should be denied, allowed, or narrowed depending on context

The main emphasis here is on identity-aware access. An agent does not receive an abstract permission like "work with CRM" or "read documents," but rights tied to the identity and authority of the user on whose behalf it acts. If an employee has access to only part of customer records, the agent should see the same boundary. If a manager has access to one set of tools and an analyst to another, this too should be enforced automatically. This approach is especially useful where the same agent serves different employees with different access levels.

As a result, Bedrock AgentCore offers not just guardrails for responses, but a stricter model of action management.

What this means

Amazon is moving toward more mature AI agents for companies, where not only an intelligent interface matters, but also predictable rule enforcement. If this approach takes hold, businesses will be able to connect agents to internal systems without constantly relying on the model's carefulness. Access control will become an external and verifiable layer, which means agents can be trusted with real tasks — from data search to running tools on behalf of an employee.