AWS Step Functions now integrates with Amazon Bedrock AgentCore (currently in preview) to allow AI agent reasoning steps — such as document classification and data extraction — to be embedded directly into automated workflows. This enables multiple agents to run in parallel or sequence within a single workflow, with human approval gates and full audit trails via CloudWatch. For security teams, this introduces AI-driven decision-making into business-critical automation pipelines, expanding the attack surface and governance considerations.

Architect’s Take: Review IAM permissions granted to Step Functions execution roles that invoke AgentCore harnesses, ensuring least-privilege access and that per-invocation model/prompt overrides cannot be manipulated by untrusted inputs. Establish logging and alerting on CloudWatch agent turn details from day one, and apply human approval steps before any agent action with write or destructive permissions.

Original advisory: AWS Step Functions adds AgentCore-powered agentic reasoning step

OpenAI’s GPT-5.4 model is now generally available on Amazon Bedrock within AWS GovCloud (US-West), extending access to government and regulated-industry customers. The deployment leverages Bedrock’s isolated inference infrastructure, ensuring prompts and responses remain within the customer’s AWS environment and are not used for model training. This expands the options available for sensitive workloads requiring complex reasoning and document analysis under strict compliance controls.

Architect’s Take: Evaluate data residency and access control policies before enabling GPT-5.4 for sensitive workloads — confirm that Bedrock resource policies, VPC endpoints, and CloudTrail logging are configured to meet your organisation’s compliance requirements, particularly if handling OFFICIAL-SENSITIVE or equivalent data in GovCloud.

Original advisory: OpenAI GPT-5.4 generally available on Amazon Bedrock in AWS GovCloud (US-West)

AWS Config has added support for nine new resource types spanning Amazon Bedrock, Bedrock AgentCore, and SageMaker. This means organisations can now track, audit, and enforce compliance rules against these resources automatically if they have enabled recording for all resource types. The expansion is particularly relevant as AI/ML workloads become a growing part of enterprise cloud environments.

Architect’s Take: Review your AWS Config recording settings to confirm these new resource types are being captured, and consider authoring or adapting Config rules to enforce security baselines — such as network isolation, encryption, and access controls — for the newly supported Bedrock and SageMaker resources before they proliferate across your environment.

Original advisory: AWS Config now supports 9 new resource types

Amazon SageMaker Studio’s quick setup time has been reduced from over two minutes to under twenty seconds. New Studio environments now automatically receive a managed IAM policy granting serverless model customisation permissions, including fine-tuning, evaluation, and deployment to SageMaker or Bedrock endpoints. This reduces friction for ML practitioners but introduces pre-configured IAM permissions that security teams should review.

Architect’s Take: Review the scope of the automatically attached AmazonSageMakerModelCustomizationCoreAccess managed policy against your least-privilege baselines — auto-provisioned IAM policies with deployment permissions to Bedrock and SageMaker endpoints may exceed what individual users or teams require. Consider whether your landing zone or Service Control Policies should restrict or audit automatic policy attachment in SageMaker Studio environments.

Original advisory: Amazon SageMaker Studio now sets up in seconds with model customization ready from the start

AWS has published guidance on securing multi-tenant AI agent deployments using Amazon Bedrock AgentCore resource-based policies. SaaS providers can use these controls to isolate tenants, enforce VPC-only traffic for regulated workloads, and manage cross-account access — all from a shared infrastructure. This matters because poorly isolated multi-tenant AI systems can expose one customer’s data or capabilities to another.

Architect’s Take: If you are building or reviewing a multi-tenant SaaS platform on Bedrock AgentCore, implement resource-based policies now to enforce tenant isolation boundaries — pay particular attention to cross-account trust conditions and VPC endpoint restrictions to meet regulatory obligations such as UK GDPR and financial sector requirements.

Original advisory: Secure multi-tenant AI agents with Amazon Bedrock AgentCore resource-based policies