Amazon Bedrock AgentCore tools-up for agentic AI software development
AWS used re:Invent 2025 to push AgentCore forward with three updates that matter if you're building agents: natural language policy guardrails, built-in evaluations, and episodic memory. The theme is clear-let agents act, but make sure they act inside your rules, prove their behavior, and let them learn from real usage without bloating prompts.
Why this matters for engineering teams
- Guardrails that work at runtime, not just in docs.
- Evaluation as a managed service to validate agent behavior before and after rollout.
- Memory that captures experience in structured episodes, reducing prompt engineering sprawl.
Policy in AgentCore: natural language guardrails with millisecond checks
Policy in AgentCore lets teams set boundaries in plain English-what tools and data an agent can access, which actions it can take, and under what conditions. Supported tools include APIs, Lambda functions, MCP servers, and third-party services like Salesforce and Slack. Policies run inside the AgentCore Gateway to check actions in milliseconds, keeping response times tight.
- Example: "Block all refunds when the reimbursement amount is greater than $1,000."
- Scope by environment: allow write actions in staging, read-only in production for specific tools.
- Constrain data paths: permit CRM reads for account metadata, deny access to PII fields.
- Time/window rules: allow posting to Slack during business hours; queue outside hours.
Treat policies like code. Version them, unit test with simulated tool calls, and log policy hits/misses. The "trust, but verify" principle only works if every decision and override is observable.
AgentCore Evaluations: production-aware QA for agents
AgentCore now ships with 13 pre-built evaluators across correctness, helpfulness, tool selection accuracy, safety, goal success rate, and context relevance. You can also bring your own evaluators using your preferred LLMs and prompts. The service continuously samples live interactions to analyze behavior and can trigger alerts when metrics drop.
- Use offline evals in CI to prevent regressions when prompts, tools, or models change.
- Canary and A/B in production, with alerts on correctness and safety thresholds.
- Track tool-selection accuracy to catch wasted calls and flaky plans early.
- Wire safety evals to automatic rollback if violations breach a hard limit.
Recommended workflow: gate merges on offline evals, ship to a small cohort, monitor for a week, then roll forward. Keep a changelog of prompts, tools, and model versions tied to evaluation reports.
AgentCore Memory: episodic functionality that learns from experience
AgentCore Memory captures "episodes" that include context, reasoning, actions, and outcomes. Another agent analyzes patterns across those episodes so your primary agent can reuse what worked, skip what didn't, and avoid repeating cost-heavy reasoning. When a similar task shows up, it retrieves the most relevant episodes instead of relying on long, brittle prompts.
- Good fits: recurring workflows (refunds, approvals), customer-specific preferences, and task templates.
- Privacy: redact PII on write, set TTLs, and separate personal vs shared knowledge stores.
- Control: give users a reset and opt-out; log memory reads/writes for audits.
- Guard against overfitting: cap memory size, favor recent episodes, and require policy checks before applying learned actions.
AWS gave a travel example: different pickup timing for solo vs family trips months apart. Useful, as long as users can override and policy still covers edge cases.
Architecture notes
- Abstract tools with MCP servers to standardize capability boundaries and audits.
- Make actions idempotent and include dry-run modes so policies and evals can simulate safely.
- Emit structured logs for every tool call, policy decision, evaluator score, and memory event.
- Control cost: cache retrievals, cap tool call retries, and track per-feature spend.
- Define fail-closed behavior for safety events and fail-open read-only fallbacks for availability.
Getting started checklist
- List your agent's allowed tools and data. Write policies in natural language first, then refine.
- Implement deny-by-default for write actions in production.
- Enable the built-in evaluators; add custom ones for domain rules (SLAs, compliance).
- Set alerts on correctness, safety, and tool-selection accuracy. Wire critical alerts to automated rollback.
- Turn on episodic memory for repeat tasks; set retention and redaction policies on day one.
- Run red-team scenarios: prompt injection, tool overreach, stale memory, and ambiguous goals.
Resources
Level up your team
If you're formalizing skills around agent design, evaluations, and guardrails, this can help: AI Certification for Coding.
Your membership also unlocks:
