Here’s the state of enterprise AI agent governance in one sentence: everyone is building agents, almost nobody is governing them, and the vendors are racing to fill the gap before the inevitable breach headlines.

Amazon Bedrock AgentCore Policy, now generally available across 13 AWS regions, is Amazon’s answer. It’s a centralized governance layer that sits outside agent code, intercepting and evaluating every tool call against enterprise-defined rules. And it just shipped with perfect timing — days before RSAC 2026 makes “agent security” the hottest buzzword in cybersecurity.

How AgentCore Policy Works

The architecture is straightforward and, importantly, code-independent:

  1. Security teams write policies in natural language — “Agents cannot access customer PII without manager approval” or “Financial data queries must be logged and rate-limited”
  2. Policies are automatically converted to AWS’s open-source Cedar policy language — a declarative, auditable format
  3. Policies are stored in a centralized engine managed by security/compliance teams, not developers
  4. An AgentCore Gateway intercepts all agent-tool traffic — every tool call is evaluated against applicable policies before execution
  5. Violations are blocked, logged, and alerted — the agent never touches the forbidden resource

The critical design decision: policies operate outside the agent’s code. Developers build agents. Security teams write governance rules. Neither needs to modify the other’s work. This separation of concerns is what makes it enterprise-viable.

Natural Language → Cedar → Enforcement

The natural-language-to-Cedar pipeline is the user-facing innovation. Cedar is AWS’s open-source authorization language (also used in Amazon Verified Permissions), designed to be:

  • Human-readable — policies look like English sentences with formal structure
  • Machine-enforceable — deterministic evaluation, no LLM interpretation at enforcement time
  • Auditable — every policy decision logged with the rule that triggered it

This means a compliance officer can write “no agent may access health records outside business hours” and the system enforces it deterministically — not probabilistically. The LLM helps author the policy; it doesn’t evaluate it. That’s an important distinction that some competing approaches get wrong.
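A minimal model of that enforcement step, as an added example (not AWS code and not the Cedar engine). It follows Cedar's evaluation semantics: a request is denied unless a permit matches, any matching forbid overrides it, and each decision records the rule that determined it. The rule names, request fields and the 09:00-17:00 business-hours window are assumptions.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str                        # "permit" or "forbid"
    matches: Callable[[dict], bool]    # pure predicate over the request

# Constructed rules; identifiers and request fields are illustrative assumptions.
RULES = [
    Rule("permit-clinical-agents-read-records", "permit",
         lambda r: r["agent_role"] == "clinical"
         and r["tool"] == "read_health_record"),
    # Assumed business hours: 09:00 to 17:00 in the request's own timezone.
    Rule("forbid-health-records-outside-business-hours", "forbid",
         lambda r: r["tool"] == "read_health_record"
         and not 9 <= r["time"].hour < 17),
]

AUDIT_LOG: list[dict] = []

def authorize(request: dict) -> dict:
    """Default deny; any matching forbid overrides every matching permit."""
    hits = [rule for rule in RULES if rule.matches(request)]
    forbids = [r.rule_id for r in hits if r.effect == "forbid"]
    permits = [r.rule_id for r in hits if r.effect == "permit"]
    if forbids:
        decision, reasons = "deny", forbids
    elif permits:
        decision, reasons = "allow", permits
    else:
        decision, reasons = "deny", []   # no permit matched: implicit deny
    record = {"agent": request["agent_id"], "tool": request["tool"],
              "decision": decision, "determining_rules": reasons}
    AUDIT_LOG.append(record)             # every decision is logged, allow or deny
    return record

def call_tool(request: dict, tool: Callable[[dict], str]) -> str:
    """Gateway step: the tool runs only after an allow decision."""
    if authorize(request)["decision"] != "allow":
        raise PermissionError(f"blocked: {request['tool']}")
    return tool(request)
```

Because the predicates are plain functions of the request, the same request always yields the same decision, and the audit record names the rule a reviewer needs to look at.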

Memory Streaming: Real-Time Audit Trails

Announced alongside the Policy GA (March 12), AgentCore Memory Streaming adds push notifications for long-term memory changes via Amazon Kinesis:

  • Every time an agent updates its persistent memory, downstream systems are notified in real-time
  • Enables audit workflows, compliance monitoring, and anomaly detection without polling
  • Available in 15 AWS regions

For enterprises worried about agents accumulating knowledge they shouldn’t retain — say, customer credit card numbers stored in agent memory — this provides the visibility layer to detect and respond.

The RSAC 2026 Context

AgentCore Policy’s timing is deliberate. RSAC 2026 (March 23-27, San Francisco) is shaping up as the first major security conference where agentic AI dominates the agenda:

  • Bedrock Data — Daily sessions on AI agent data governance, including “Building an MCP-Sensitive Data Sentinel for AI Agents”
  • OWASP GenAI Security Summit — Full day on agentic security risks, including the Top 10 for Agentic Applications
  • Fortinet — “Agentic AI for Coordinated Cybersecurity Defense” keynote
  • Mitiga — Trends report naming Agentic AI as the #1 cybersecurity shift
  • TrojAI, Cyware, Token Security, Reco, Menlo: five agent security companies launched on the same day in the pre-conference wave

The pattern is clear: agent governance is graduating from “nice to have” to “conference keynote.” Every major cloud provider and security vendor is positioning for this market. That’s consistent with NIST’s own push toward formal standards for agent security, identity, and auditing.

The Competitive Landscape

Agent governance is becoming a product category:

| Provider | Product | Approach |
|---|---|---|
| AWS | AgentCore Policy | Cedar-based, gateway enforcement, natural language authoring |
| Microsoft | Foundry IQ + Purview | Permission-aware retrieval, sensitivity labels |
| Singulr AI | Agent Pulse | Runtime governance, MCP server monitoring |
| AvePoint | AgentPulse | Shadow agent discovery, kill switch |
| Okta | Okta for AI Agents | Identity-based agent governance (Apr 30) |
| Mimecast | Guardian Runtime | Per-user adaptive policies for agent actions |

The differentiation is in where governance sits in the stack:

  • AWS — at the tool-call layer (gateway interception)
  • Microsoft — at the knowledge layer (permission-filtered retrieval)
  • Singulr/AvePoint — at the discovery layer (find agents, then govern them)
  • Okta — at the identity layer (who is this agent, what can it do?)

Enterprises will likely need multiple layers. An agent governed by AgentCore Policy at the tool level still needs identity management (Okta) and data governance (Purview) to be fully controlled.

What This Means for OpenClaw Users

OpenClaw agents operate outside these enterprise governance platforms — which is both a strength and a limitation.

The strength: You control everything. Your agent’s permissions are defined by your system prompt, your skills, and your tool access. No enterprise platform taxes your interactions or limits your flexibility.

The limitation: You’re your own governance team. If you need audit trails, you build them. If you need policy enforcement, you configure it. If you need compliance documentation, you generate it.

Practical takeaways for OpenClaw users:

  1. The Cedar policy model is worth studying. Declarative, auditable authorization rules that separate policy from code — this pattern works for any agent framework, not just AWS.

  2. Gateway-based enforcement is the enterprise pattern. If you’re deploying OpenClaw in a business context, consider routing tool calls through a policy-checking proxy. The architecture applies regardless of the agent framework.

  3. Memory auditing matters. AgentCore’s memory streaming highlights a gap in most self-hosted setups. What does your agent remember? When did it learn it? Can you audit the full memory state? OpenClaw’s file-based memory (MEMORY.md, daily logs) is actually more transparent than most — but systematic monitoring is worth adding.

  4. RSAC will set the enterprise narrative. Whatever emerges from next week’s conference will define how enterprises evaluate agent platforms for the rest of 2026. OpenClaw’s positioning as the “transparent, auditable, self-hosted” option becomes more valuable as governance concerns intensify.
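One way to add the systematic memory monitoring from takeaway 3, covering the retained-card-number concern raised in the Memory Streaming section. This is an added example, not part of OpenClaw or AgentCore: a batch scan of file-based memory text for Luhn-valid card numbers, run here against a constructed sample.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order ids and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_memory(text: str, source: str = "MEMORY.md") -> list[dict]:
    """Return one finding per Luhn-valid candidate, masked to the last 4 digits."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                findings.append({
                    "source": source,
                    "line": lineno,
                    # Never copy the full number into the audit output.
                    "masked": "*" * (len(digits) - 4) + digits[-4:],
                })
    return findings

# Constructed sample; 4111 1111 1111 1111 is a standard test card number.
SAMPLE_MEMORY = """\
# MEMORY.md (constructed sample)
- 2026-03-14: user prefers email summaries on Fridays
- 2026-03-15: customer paid with card 4111 1111 1111 1111, follow up on refund
- 2026-03-15: ticket reference 1234567890123456 escalated to billing
"""

if __name__ == "__main__":
    for finding in scan_memory(SAMPLE_MEMORY):
        print(finding)
```

Running it on a schedule over MEMORY.md and the daily logs gives the line number to review and redact, and the masked output keeps the audit trail itself from becoming a second copy of the data.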

The Bottom Line

Agent governance is no longer optional — it’s infrastructure. AWS shipping AgentCore Policy as GA (not preview, not beta) signals that the cloud providers consider this production-ready and enterprise-critical.

The agents are autonomous. The governance has to be too. And the vendors that figure out how to make governance invisible to developers while comprehensive for security teams will own the next layer of enterprise AI infrastructure.

RSAC 2026 starts Monday. Expect the agent governance drumbeat to get a lot louder.

Resources