AWS turns agentic DevOps into continuous security and outage prevention under Bedrock AgentCore

AWS Chief AI and Technology Officer Matt Wood wants agentic AI to stop being a thing you “use on demand” and start being something that runs quietly in the background. At AWS’s New York Summit, he framed the new pitch around one barrier that keeps showing up in enterprise rollout conversations: trust. He said AWS’s Bedrock AgentCore updates aim to prevent bad outcomes, including failures that look fine in dashboards but still do the wrong thing.

That framing matters because the new tools are not just chatbots. AWS introduced enhanced agents for DevOps and code security, including previews of Continuum for identifying and fixing application vulnerabilities, plus a new iOS mobile app for Kiro. Wood tied these updates to a “continuous” operating model: AI systems that continually provide security continuity “building on penetration testing and code review.” In practice, AWS is trying to move agents into the daily workflows that produce incidents, outages, and release risk, not just into developer assistance.

Let’s start with Continuum. AWS is running Continuum for code vulnerabilities in closed preview, positioning it as a continuous security agent that performs vulnerability scans of an AWS environment. The claimed differentiator is that it prioritizes findings that are actually reachable in a production path, with exploits demonstrated in a sandbox. It’s also supposed to generate suggested fixes, including network changes or patches for code. Functionally, this is security work that usually requires a human to translate “you might be vulnerable” into “here is what you can fix that matters.” AWS says part of that translation shows up in the new product’s emphasis on reachable issues and demonstrated exploit paths.

Continuum also reshapes AWS’s existing agent lineup. The current AWS Security Agent will be renamed “Continuum pen testing” and “Continuum code scanning.” Meanwhile, on the DevOps side, AWS’s DevOps Agent was first previewed at re:Invent in late 2025 and is billed as an AI tool that can resolve and prevent application outages and optimize application reliability and performance. It became generally available in March. Now it’s gaining release management capabilities in preview, assessing code readiness and running software in an AWS-managed isolated environment to verify builds. AWS also said DevOps Agent supports release management-related enhancements introduced earlier this month.

The more interesting part for operators is how these agents connect. DevOps Agent has long supported calling tools via Model Context Protocol (MCP), but it now exposes its own MCP endpoint so other tools can call the agent API. AWS also highlighted support for Agent2Agent (A2A), a protocol introduced by Google last year to assist agent collaboration. These endpoints sit alongside the standard AWS REST API. DevOps Agent is designed to use observability tools as input, including AWS CloudWatch, Datadog, Dynatrace, New Relic, and Splunk. It can pull code from repositories such as GitHub and GitLab, and it can also connect to Microsoft Azure and Azure DevOps. Translation: AWS is building an ecosystem posture, not a single-agent island.

AWS is also leaning into the “continuous modernization” storyline. Transform, its AI service for migrating and modernizing workloads and application code, gets a new preview feature called continuous modernization. AWS suggests it can cover day-to-day upgrade and patching of libraries, plus larger migrations like moving to a more recent framework or runtime for Java or.NET applications. The point is to turn modernization from a project into a routine, which is exactly the kind of recurring workflow agentic systems are built to optimize.

Now, meet the pocket version of all this: Kiro. Kiro is an IDE and service for specification-driven AI coding. It can be extended with “powers,” which are wrappers for one or more MCP servers available from GitHub. Powers exist for AWS services like DevOps Agent and Lambda, and for third parties like Datadog and Dynatrace. In closed preview, AWS previewed a Kiro mobile app for iOS that can launch and manage remote sessions. It has three modes of interaction: chat, spec for continuing a specification workflow, and autonomy for delegating tasks. The app shows the live state from cloud sessions and renders code diffs as cards that AWS says are legible on a small screen, and AWS claims it is a true native app, not a wrapper for a web application.

All of this is happening under a pricing and reliability reality check. AWS warned that going all-in on agentic AI can be costly. Quick is subscription-based, while DevOps Agent is based on per-second usage, currently priced the same for incident response, evaluations for incident prevention, and on-demand tasks like chat. AWS also said pricing is somewhat opaque because the time an agent will take for a task is unknown, and there are additional charges for AWS services an agent consumes, such as CloudWatch queries. Separately, reliability is the trust question in operational clothing. In an AgentCore post, AWS acknowledged that “the most dangerous agent failures aren't the ones that throw errors. They're the ones that look fine on dashboards,” including examples like confirming an order modification it never executed, fabricating product availability when an API times out, or skipping an approval step while dashboards show a 99 percent success rate. AWS claims new AgentCore features address this with “failure, intent, and trajectory insights across hundreds of sessions,” plus policy capabilities that define what an agent can and cannot do. Bedrock Guardrails run at a gateway layer outside the agent and evaluate actions for prompt injection, harmful content, and data exposure.

The broader platform moves reinforce that AWS is treating agent adoption like an enterprise procurement problem. AWS previewed AWS Context, a service mapping company data into a knowledge graph for agentic search. AWS compared it to search in Amazon Quick, but positioned Context as organizational rather than personal. It publishes metadata into Amazon S3 tables in Apache Iceberg format, and AWS claims queries are identity-aware to prevent users from accessing data they are not authorized to see. Amazon Quick will use the same underlying technology as Context, and Quick is getting the ability to create autonomous agents via voice prompts or from a library of pre-configured agents. AWS also said hundreds of connectors add integrations with third-party services such as Gmail, Slack, and Microsoft Teams and SharePoint. Finally, Bedrock AgentCore adds a managed knowledge base, web search, and the ability for agents to spend money on paid content such as financial market feeds.

So what does this mean for other executives trying to decide whether agentic AI belongs in their stack? AWS is making a very specific bet: the next wave of adoption will depend less on whether agents can do tasks and more on whether they can communicate trusted outcomes, survive real operational failures, and justify their compute and tooling bills. If AWS pulls this off, agentic DevOps and continuous security become normal enterprise infrastructure. If it doesn’t, the “trust gap” stays a board-level blocker.