Amazon Bedrock AgentCore is not a single product. It is a set of six distinct infrastructure services that AWS organized under a single name to address the six specific problems that every team building production AI agents solves manually with custom code. Understanding AgentCore requires understanding each service layer, what problem it solves, and why that problem is hard enough to warrant an AWS managed service rather than a developer-built solution.
The announcement of AgentCore in early April 2026 arrived alongside the OpenAI-AWS partnership, which created some confusion about whether AgentCore is specific to OpenAI models. It is not. AgentCore is framework-agnostic and model-agnostic. It works with any agent framework that can make HTTP requests, including LangGraph, CrewAI, smolagents, custom Python frameworks, and OpenAI’s Responses API. The OpenAI Stateful Runtime Environment, which runs on Bedrock, uses AgentCore’s infrastructure as one part of its architecture. But AgentCore is available independently of the OpenAI partnership and supports any model available in Bedrock, including Claude, Llama, Mistral, and others.
The six services in AgentCore are Runtime, Memory, Tool Execution, Action Gateway, Authorization, and Model Registry. Each one is a production engineering problem that developers building agents have spent months solving in internal infrastructure. Each one is now available as a managed AWS service.
AgentCore Runtime: The Managed Execution Environment
AgentCore Runtime is the execution host for agent code. It provides a serverless container environment where agent logic runs without the developer managing the underlying infrastructure: no EC2 instances to provision, no Kubernetes clusters to configure, no container registry to maintain. The agent code is packaged and deployed to Runtime, and Runtime handles scaling, health monitoring, restart on failure, and the compute infrastructure that the agent runs on.
The specific value proposition of Runtime is that it is an agent-aware execution environment, not a generic serverless function host. Lambda executes short-lived functions with a 15-minute maximum duration and no state between invocations. Runtime is designed for long-running agent workflows that may execute for hours, maintain state within a session, and resume after interruption. The execution model is closer to a persistent process than a stateless function, which is the model that production agent workflows require.
Runtime also provides the identity boundary for agent execution. Each agent running in Runtime has an attached IAM role that scopes its permissions. The agent can only access AWS services and resources that its IAM role permits, and those permissions are enforced at the Runtime level, not in the agent’s own code. This is the technical mechanism that makes Runtime-based agents governable in regulated enterprise environments: the permission boundary is enforced by AWS infrastructure, not by the agent developer’s discipline in writing permission checks.
AgentCore Memory: Four Memory Tiers for Different Access Patterns
AgentCore Memory provides managed persistent memory for agents across four tiers, each designed for a different access pattern and data type.
In-session memory stores the conversation history and intermediate reasoning for the current execution session. This is the working context that the agent carries through a multi-step workflow: the user’s request, the results of prior tool calls, the agent’s intermediate conclusions, and the current state of the task. In-session memory is fast, ephemeral, and scoped to a single execution. When the session ends, in-session memory is not automatically preserved.
Cross-session memory stores information the agent should retain across separate execution sessions. A customer service agent that should remember a user’s previous issues and preferences, a research agent that should know what papers it has already summarized, a coding agent that should remember the conventions used in a specific codebase: these all require cross-session memory. AgentCore stores this as a vector database with semantic search, allowing the agent to retrieve relevant past context using natural language queries rather than exact key lookups.
Semantic memory stores factual knowledge the agent should have persistent access to, separate from its conversation history. This is the knowledge base layer: documentation, product catalogs, policy documents, or domain-specific reference material that the agent retrieves during task execution. AgentCore provides managed RAG infrastructure for this tier, handling chunking, embedding, and vector indexing automatically when documents are added to the semantic memory store.
Episodic memory stores the agent’s record of past tasks and their outcomes: what the agent did, what succeeded, what failed, and what the results were. This is the operational history layer that enables agents to learn from experience and improve over time. It is also the audit trail that regulated deployments require. Each action the agent takes is logged to episodic memory with timestamps, inputs, outputs, and execution context, creating the compliance record that financial services, healthcare, and government deployments must maintain.
AgentCore Tool Execution: Sandboxed Code and API Dispatch
AgentCore Tool Execution provides the managed execution environment for the operations agents invoke: code execution, web browsing, API calls, database queries, and file operations. The service handles two distinct execution patterns.
For code execution, Tool Execution provides an isolated sandbox based on gVisor container security that prevents agent-generated code from accessing the host environment. The agent submits code. Tool Execution runs it in isolation. The results are returned. The agent never has direct access to the execution environment itself. This is the same isolation architecture that Google’s GKE Agent Sandbox uses, providing a managed alternative to self-hosted solutions like SmolVM or E2B without the developer managing the isolation infrastructure.
For API calls and external integrations, Tool Execution manages the connection lifecycle, handles retries and circuit breakers, enforces rate limits on outbound requests, and logs each external call for audit purposes. An agent that calls five different external APIs during a single workflow does not need to implement retry logic, rate limiting, and audit logging for each one separately. Tool Execution provides these as shared services. This reduces the code surface the developer must maintain and centralizes the audit trail for external interactions.
The integration with AgentCore Authorization means that each external service connection has an associated authorization policy. The agent can only call the external services its policy permits. Connections to services outside the policy are blocked before the HTTP request is made. This is the granular permission control that prevents an agent from making unauthorized external API calls even if it is directed to by a prompt injection attack or a malicious tool description.
AgentCore Action Gateway: Connectors to Enterprise Systems
AgentCore Action Gateway provides pre-built connectors to enterprise software systems: Salesforce, ServiceNow, Jira, GitHub, Slack, and dozens of others. The connector library handles authentication, API versioning, and the mapping between natural language actions and the specific API calls those actions require.
The problem Action Gateway solves is that connecting an agent to enterprise software is not a simple integration. Enterprise software APIs change between versions. Authentication requires OAuth flows, API key management, or service account credentials. The same action, create a ticket, works differently across different systems, different versions of the same system, and different organizational configurations of that system. Building reliable agent-to-enterprise connectors requires deep knowledge of each system’s API, handling edge cases in their authentication flows, and maintaining those connectors as the systems evolve.
Action Gateway centralizes this expertise. The developer configures which enterprise systems the agent should have access to and provides the credentials for those systems. Action Gateway manages the connection, handles authentication refresh, maps the agent’s intended actions to the specific API calls required for that system and version, and logs each action to AgentCore’s episodic memory.
The Action Gateway integration with AgentCore Authorization means enterprise system access is governed by the same policy framework as external API calls and code execution. An agent authorized to read Jira issues cannot create Jira issues unless its policy explicitly permits creation actions. An agent authorized to read Salesforce contacts cannot modify them. The permission model is enforced at the gateway level, not in the connector code.
AgentCore Authorization: Policy-Based Permission Control
AgentCore Authorization is the policy engine that governs what each agent is permitted to do. It extends AWS IAM with agent-specific concepts that IAM was not designed for: task-scoped permissions that expire when a specific workflow completes, delegation chains that track which agents authorized which other agents to take specific actions, and audit logs that record every authorization decision in a format suitable for compliance review.
The IAM extension is the key architectural decision. Rather than creating a parallel authorization system, AgentCore builds on the IAM infrastructure that AWS customers already use for service-to-service access control. Agent permissions are represented as IAM roles with additional agent-specific metadata. Authorization decisions are made by IAM with agent-context-aware policy conditions. The audit trail goes to CloudTrail with the same format as other IAM authorization events. Teams that have already built compliance workflows around IAM and CloudTrail can extend those workflows to cover agent actions without adopting a separate governance framework.
The task-scoped permission model addresses the specific problem that MetaComp’s KYA Framework identified as the core gap in current AI agent governance: agent credentials that do not automatically expire when the task completes. AgentCore Authorization can issue credentials scoped to a specific task execution that expire when that execution ends. The agent has exactly the permissions it needs for the duration of the task and no longer. This eliminates the persistent over-privileged service account pattern that creates large blast radii when agent credentials are compromised.
AgentCore Model Registry: Version Control for Agent Components
AgentCore Model Registry provides version control, lineage tracking, and deployment management for the model components that agents use. This includes the foundation models that agents call for inference, the fine-tuned models that agents use for specialized tasks, the embedding models that populate vector databases, and the evaluation frameworks that measure agent behavior quality.
The registry integration with Runtime means that when an agent executes, Runtime knows which exact version of each model component the agent uses. If a model is updated, Runtime can ensure the agent continues to use the pinned version it was tested against, or can apply a controlled rollout to the new version with performance monitoring before fully transitioning. This is the model version management discipline that production ML teams apply to standalone models, now integrated with the agent runtime rather than managed separately.
The lineage tracking capability records which training data, fine-tuning runs, and evaluation results produced each registered model version. For regulated enterprise deployments that must demonstrate their AI systems were developed with appropriate controls, model lineage is not an optional detail. It is the technical substrate of the model documentation that regulators require for AI systems making consequential decisions.
The AgentCore Integration with A2A and MCP
AgentCore provides native support for both the MCP protocol for tool connections and the A2A protocol for inter-agent communication. The MCP integration means that any MCP server, from the 13,000+ available in the public ecosystem or from private internal servers, is connectable to agents running in AgentCore through the Action Gateway’s MCP connector. The A2A integration means that agents deployed to AgentCore can discover and call other A2A-compatible agents, including those running on Google’s Agent Engine or Microsoft’s Azure AI Foundry, through the standard A2A protocol with cryptographic Agent Card verification.
This protocol integration positions AgentCore not as a walled garden but as a cloud-provider-managed runtime for standard protocols. The developer builds agents using standard frameworks, connects them to tools and other agents using standard protocols, and deploys them to AgentCore for managed runtime infrastructure. The managed services handle the operational complexity. The standard protocols ensure the agent is not locked to the AgentCore runtime for its tool and inter-agent connections.
The practical limitation is that the managed services create implicit dependencies. An agent that relies on AgentCore Memory’s vector search for its semantic memory cannot easily migrate to a different managed memory service without re-indexing its entire knowledge base. An agent that uses Action Gateway connectors for its enterprise integrations cannot easily replicate those connectors outside AgentCore. The standard protocol support enables interoperability at the communication layer. The data and state stored in AgentCore’s managed services creates operational dependencies that are harder to move.
What AgentCore Solves and What It Does Not
AgentCore solves the infrastructure engineering problem that every team building production agents faces: too much code to write before the first useful agent ships. Memory management, tool execution isolation, enterprise connectors, authorization policy enforcement, model version control, and agent lifecycle management are all pre-solved in managed form. Teams can focus on the agent logic, the tool selection, and the workflow design rather than on infrastructure plumbing.
AgentCore does not solve the model-level security problems that MCP-SafetyBench documented: the negative correlation between defense success and task success that makes no current LLM simultaneously high-performing and highly secure against tool poisoning and context injection. AgentCore’s Action Gateway can block unauthorized API calls. It cannot prevent an agent from being directed to make authorized API calls for unauthorized purposes through prompt injection into tool outputs. The infrastructure enforcement happens at the permission boundary. The semantic manipulation happens above it.
For teams choosing between building custom agent infrastructure and adopting AgentCore, the decision should be driven by three factors: the speed of the deployment timeline, the importance of the customization and control that custom infrastructure provides, and the scale at which the agent system will run. AgentCore’s managed services are the faster path to production for teams that do not have specialized agent infrastructure expertise. For teams with that expertise and workloads that push against managed service pricing or configuration limits, custom infrastructure built on standard protocols remains a viable alternative. The 86% agent pilot failure rate suggests that most teams benefit from removing infrastructure complexity as a failure mode, which is the core value AgentCore provides.