AWS Summit New York 2026 opened at the Javits Center on June 17 with a keynote from Dr Swami Sivasubramanian, Vice President of Agentic AI at AWS, joined by Chet Kapoor, Vice President of Security Services and Observability. The 90-minute session, livestreamed globally to an audience that exceeded in-person capacity weeks before the event, was structured around a single theme: AWS is now shipping a complete infrastructure stack for running AI agents in enterprise production environments, and three products define that stack.
The announcements are significant not just as product launches but as a signal about where AWS sees enterprise cloud architecture heading. The assumption embedded in every announcement is that AI agents will become a standard component of production infrastructure over the next two to three years, and that the security, observability, and governance requirements they create are distinct from those of conventional application workloads.
Amazon Bedrock AgentCore: the agent runtime
Amazon Bedrock AgentCore is a suite of seven managed services designed to handle the infrastructure concerns that arise when AI agents need to run reliably in production. The seven components are AgentCore Runtime, AgentCore Memory, AgentCore Identity, AgentCore Gateway, AgentCore Core Interpreter, AgentCore Browser Tool, and AgentCore Observability.
AgentCore Runtime provides the managed compute environment in which agent workloads execute, with support for short and long-running agent tasks and session management. AgentCore Memory handles persistent state across agent sessions, a significant gap in earlier agent architectures where context was lost when a session ended. AgentCore Identity manages the authentication and authorisation layer for agents, providing a mechanism for an AI agent to assume an IAM-scoped identity when it needs to interact with other AWS services or external APIs.
AgentCore Gateway is the component that enables agents to call tools, including APIs, AWS Lambda functions, MCP servers, and other agents, through a managed proxy that enforces access controls. AgentCore Core Interpreter allows agents to execute code safely in an isolated environment. AgentCore Browser Tool provides cloud-hosted browser access for agents that need to interact with web content, without exposing that browsing activity from a customer’s own network. AgentCore Observability captures traces, logs, and metrics from agent runs in a format that integrates with existing observability platforms.
The model-agnostic architecture is a notable design choice. AgentCore is not limited to models available on Bedrock. AWS positioned it explicitly as an open orchestration layer, meaning organisations are not required to standardise on Amazon or Anthropic models to use the managed infrastructure.
Kiro: the spec-first developer environment
Kiro, which launched internationally in May 2026 as the formal successor to Amazon Q Developer, received its first significant public showcase at the Summit. Built on the VS Code open-source base, Kiro differs from other AI-assisted coding tools in one structurally important way: it generates a formal specification before writing any code.
When a developer describes a feature or task in natural language, Kiro uses EARS (Easy Approach to Requirements Syntax) notation to produce three structured documents: requirements.md, design.md, and tasks.md. These documents define the intended behaviour, the architectural approach, and the implementation steps before code generation begins. The agent then works through the task list sequentially, with the specification as a grounding reference.
The intent is to address a known failure mode in AI-assisted coding: large language models generating syntactically valid code that satisfies a vague prompt but does not actually match what the developer intended. By requiring a specification first, Kiro creates an artefact that can be reviewed, revised, and approved before implementation starts, similar in concept to a design document in a conventional engineering process.
A Kiro Pro Max tier is now available, offering higher usage limits, access to the latest frontier models, and additional agentic capabilities for engineering teams with sustained high-volume use.
Amazon Quick: enterprise search and answers
Amazon Quick was introduced as the replacement for Q Business, AWS’s existing enterprise search and question-answering platform. Quick is positioned as an answer agent for enterprise environments, connecting to internal data sources, documents, and business applications and providing natural language answers grounded in an organisation’s own data.
The renaming and repositioning reflects a broader shift in how AWS is framing its enterprise AI products. Where Q Business was positioned primarily as a productivity and search tool, Quick is framed as an agent that can take actions, not just surface information.
The security implications for engineering teams
The architecture that AgentCore represents creates new security requirements that are distinct from those of conventional application workloads. An AI agent that can call external APIs, execute code, browse the web, and assume IAM roles is a more complex security surface than a stateless API or a container running a defined process.
AgentCore Identity addresses the most immediate concern: the authentication and authorisation layer for agent actions. Giving each agent a scoped IAM identity, rather than running agents under a broad service account, applies least-privilege principles to agent workloads. AgentCore Observability addresses the audit and forensics requirement: organisations running agents in production need records of what an agent did, what tools it called, and what data it accessed.
The AgentCore Browser Tool deserves specific attention for security teams. Cloud-hosted browser access for agents is a sensible design: it isolates browsing activity from the customer’s own network and avoids the credential and data exposure risks that arise when an agent browses from a build environment or developer machine. But it also means that an agent’s browsing behaviour needs to be scoped and monitored, because an agent with unrestricted web access and the ability to execute code presents a significant attack surface for prompt injection through web content.
What this means for European cloud architecture teams
The announcements at Summit New York 2026 do not create immediate compliance or operational requirements for European organisations, but they set a direction that infrastructure and security teams need to evaluate. If AI agents become a standard component of production cloud architecture over the next two to three years, the security, observability, and governance frameworks that organisations put in place now will determine how manageable that transition is.
European organisations using AWS also face a specific consideration that the Summit did not address directly: data residency. AgentCore Memory, which stores persistent agent state, needs to be evaluated against GDPR requirements for personal data if agent sessions process user data. AgentCore Gateway, which may route tool calls through managed infrastructure, raises similar questions depending on the data involved.
If your engineering or security team is evaluating AWS’s agentic AI stack, assessing how AgentCore components fit into your existing cloud governance framework, or working through the data residency and compliance questions that agentic workloads raise for European operations, contact Excello Digital. We help European organisations adopt cloud capabilities in a way that is operationally sound and compliant with applicable data protection requirements.