2026-05-27 · aws-security
AWS published a new security post explaining why Amazon Bedrock AgentCore chose Cedar as its policy language for agentic workflows. The core theme is straightforward: if AI agents can invoke tools, authorization needs to be enforced outside the model, not inside it. The post is relevant to anyone building production agents because it frames policy as the control layer that keeps autonomous systems within a safe envelope. AWS is also making the case that formal analysis and partial evaluation matter when policy sets grow large.
AWS says AgentCore Policies use Cedar so organizations can define tool access rules in a human-readable but machine-analyzable way. The post emphasizes that agent decisions are non-deterministic, so the enforcement boundary must sit in the orchestrator and gateway layer rather than inside the LLM.
Without a hard authorization boundary, an agent can overreach, leak sensitive context, or invoke tools outside its intended scope. In practical terms, that can turn an automation win into a data-exposure event, a policy violation, or a costly incident response cycle.
The lesson for high-value systems is to separate intent generation from value movement and data access. Cold-storage-style controls, strict approvals, and auditable policy checkpoints reduce the blast radius when an agent or token is compromised, which is the same principle hardware wallets use for private keys.
Read Original Post →