AI agents need security they can inherit

Agents act autonomously. They access data, call tools, make decisions. Bedrock gives every agent a cryptographic identity, encrypts its memory, gates tool access with consent, and logs every action to a tamper-evident chain.

The problem with agents

Autonomous systems have no built-in security model. Every framework solves a different piece — and none of them solve it together.

No identity

Agents run as anonymous processes. No cryptographic identity, no attestation. You cannot prove which agent did what, or revoke a compromised one.

Plaintext memory

Agent state — context, tool results, user data — sits in cleartext. A memory dump, a leaked token, a misconfigured vector store exposes everything.

Unbounded tool access

Agents with API keys can reach any service. No consent, no scoping, no audit trail. A prompt injection becomes a data breach.

No audit chain

Logs are plain text files, append-only by convention. Anyone with access can modify them. When a regulator asks "who accessed what and when," you have no cryptographic proof.

How Bedrock secures agents

Five security primitives, one SDK. Your agent inherits all of them.

    Your Agent (LangChain, CrewAI, AutoGen, custom)
        |
    Bedrock SDK
    identity | encryption | consent | audit | licensing
        |
    Bedrock Core (self-hosted, your infrastructure, your keys)

Cryptographic identity

Every agent registers as a node with a signed key pair. Revoke the certificate, the agent is done. No anonymous access.

Encrypted memory

Agent state is encrypted per-field before storage. Context, tool outputs, PII — all ciphertext. Compromise the store, you get nothing readable.

Consent-gated tools

An agent cannot access data in another silo without a cryptographic consent token. No token, no data. Scoping is enforced cryptographically, not by policy.

Tamper-evident audit

Every action — read, write, consent grant, revocation — is SHA-256 chained. Verify the chain at any time. Prove compliance cryptographically.

Step-by-step: Secure an agent

From zero to a cryptographically identified, consent-gated, fully audited agent.

1. Install and get a license

Start the Bedrock server and generate a free 30-day trial license. No credit card.

Terminal
    $ pip install bedrock-core
    $ bedrock init ./agent-project
    Initialized Bedrock project in ./agent-project
    $ bedrock trial --licensee "agent-dev@company.com"
    License generated (TRIAL, 30 days)
    Key: 1:TRIAL:agent-dev@company.com:20260628:...
    Save to /etc/bedrock/license.key or set BEDROCK_LICENSE_KEY
    $ bedrock serve
    Bedrock API running on https://localhost:8443

2. Register the agent as a node

Every agent gets a cryptographic identity. This is the foundation — no anonymous processes, no implicit trust.

Python
    from bedrock_sdk import BedrockClient

    client = BedrockClient(
        base_url="https://localhost:8443",
        license_key="1:TRIAL:...",
    )

    # Register your agent as a node with a signed identity
    agent = client.nodes.register(
        name="support-agent-v1",
        node_type="application",
    )

    # Issue a certificate — scopes what this agent can access
    cert = client.certificates.issue(
        node_uuid=agent["node_id"],
        scope=["customer-records", "billing"],
    )

3. Create data silos for isolation

Agent memory goes into silos — encrypted containers separated by category. A billing agent cannot read medical data. Not policy. Cryptography.

Python
    # Silo for customer PII
    customers = client.silos.create(
        name="customer-records",
        display_name="Customer Records",
        categories=["pii", "contact"],
    )

    # Silo for billing data
    billing = client.silos.create(
        name="billing-records",
        display_name="Billing Records",
        categories=["financial"],
    )

4. Encrypt agent memory before storage

Every piece of data the agent touches — context, tool results, user inputs — is encrypted with per-field keys derived from the silo, record, and scope. Your database stores ciphertext.

Python
    # Encrypt a customer SSN before storing
    ciphertext = client.encryption.encrypt(
        plaintext="SSN-123-45-6789",
        silo=customers["silo_id"],
        record_id="customer-001",
        scope="ssn",
        operation="store",
    )

    # Store the ciphertext in your vector store, Postgres, whatever
    # vector_db.upsert(id="customer-001", embedding=embed(ciphertext["ciphertext"]))
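
One way per-field keys can be derived from a master key and the silo, record and scope, using HKDF as the page's "Your keys" section names it. This is an added example, not Bedrock's code: the `field-key-v1` label, the empty salt and the length-prefixed context encoding are assumptions, and `naive_info` is included only to show why the encoding matters.

```python
import hashlib
import hmac


def hkdf_sha256(ikm, salt, info, length=32):
    """HKDF with SHA-256 (RFC 5869): extract a PRK, then expand it."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 output is limited to 8160 bytes")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def field_info(silo, record_id, scope):
    # Length-prefix each part so ("silo1", "2") and ("silo", "12") cannot
    # serialise to the same bytes and therefore to the same key.
    out = b"field-key-v1"
    for part in (silo, record_id, scope):
        raw = part.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def naive_info(silo, record_id, scope):
    # Plain concatenation, shown only for contrast: the boundaries are ambiguous.
    return (silo + record_id + scope).encode("utf-8")


def field_key(master_key, silo, record_id, scope, info_fn=field_info):
    return hkdf_sha256(master_key, b"", info_fn(silo, record_id, scope))


if __name__ == "__main__":
    master = bytes(range(32))  # constructed demo key; use a random 32-byte secret
    ssn = field_key(master, "customer-records", "customer-001", "ssn")
    contact = field_key(master, "customer-records", "customer-001", "contact")
    print("ssn key != contact key:", ssn != contact)
    a = field_key(master, "silo1", "2", "ssn", naive_info)
    b = field_key(master, "silo", "12", "ssn", naive_info)
    print("naive encoding collides:", a == b)
    c = field_key(master, "silo1", "2", "ssn")
    d = field_key(master, "silo", "12", "ssn")
    print("length-prefixed encoding collides:", c == d)
```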

5. Gate cross-silo access with consent

The billing agent needs customer data? It needs a cryptographic consent token. No token, no access. The patient (or data owner) grants it. Bedrock enforces it.

Python
    # The agent requests consent to read the customer's data
    consent = client.consent.request(
        requester_id=agent["node_id"],
        target_id="customer-001",
        silo_id=customers["silo_id"],
        purpose="billing-support",
        scope=["contact", "ssn"],
    )

    # Data owner approves
    client.consent.approve(consent_id=consent["consent_id"])

    # Now the agent can decrypt — and only the scoped fields
    plaintext = client.encryption.decrypt(
        ciphertext=ciphertext["ciphertext"],
        silo=customers["silo_id"],
        record_id="customer-001",
        scope="ssn",
        operation="read",
    )
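
What a consent gate has to check before it releases a field, as an added example that is not Bedrock's token format or code. The HMAC-signed JSON token, the `GATE_KEY` secret, the claim names and the expiry field are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

GATE_KEY = b"constructed-demo-key"  # hypothetical secret held only by the gate


def issue(requester, target, silo, scope, purpose, expires_at):
    claims = {"req": requester, "tgt": target, "silo": silo,
              "scope": sorted(scope), "purpose": purpose, "exp": expires_at}
    # Canonical JSON so the signed bytes are reproducible.
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(GATE_KEY, body, hashlib.sha256).digest()
    b64 = base64.urlsafe_b64encode
    return b64(body).decode() + "." + b64(tag).decode()


def authorize(token, requester, target, silo, field, now):
    """Return (allowed, reason); any parse or check failure denies."""
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, AttributeError):
        return False, "malformed"
    expected = hmac.new(GATE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "bad-signature"
    claims = json.loads(body)
    if now >= claims["exp"]:
        return False, "expired"
    if (claims["req"], claims["tgt"], claims["silo"]) != (requester, target, silo):
        return False, "wrong-subject"
    if field not in claims["scope"]:
        return False, "out-of-scope"
    return True, "ok"


if __name__ == "__main__":
    args = ("support-agent-v1", "customer-001", "customer-records")
    tok = issue(*args, ["contact", "ssn"], "billing-support", expires_at=2000)
    print(authorize(tok, *args, "ssn", now=1000))   # field covered by the grant
    print(authorize(tok, *args, "dob", now=1000))   # field never consented to
    print(authorize(tok, *args, "ssn", now=2000))   # grant has expired
    wide = issue(*args, ["contact", "ssn", "dob"], "billing-support", 2000)
    forged = wide.split(".")[0] + "." + tok.split(".")[1]  # widened claims, old tag
    print(authorize(forged, *args, "dob", now=1000))
```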

6. Verify the audit chain

Every action is SHA-256 chained. Verify integrity at any time. Prove to regulators, auditors, or your own security team that the log has not been tampered with.

Python
    # Query recent actions by this agent
    entries = client.audit.query(limit=50)
    for entry in entries["entries"]:
        print(f"{entry['timestamp']} {entry['action']} by {entry['actor']}")

    # Cryptographically verify the entire chain
    verification = client.audit.verify()
    print(f"Chain valid: {verification['valid']}")
    print(f"Entries checked: {verification['entries_checked']}")
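
How a SHA-256 chain of this kind can be verified, as an added example that is not Bedrock's implementation: the entry layout, the `GENESIS` value and the function names are assumptions. It also shows that a chain checked only against itself does not reveal a truncated tail, which is why the head hash is kept somewhere the log writer cannot change.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first entry (not Bedrock's format)


def entry_hash(prev_hash, body):
    # Canonical JSON so the same entry always serialises to the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append(chain, body):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"body": body, "prev": prev, "hash": entry_hash(prev, body)})


def verify(chain, expected_head=None):
    """Walk the chain; optionally compare the head to a hash stored elsewhere."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["body"]):
            return {"valid": False, "entries_checked": i + 1, "first_bad": i}
        prev = e["hash"]
    head_ok = expected_head is None or prev == expected_head
    return {"valid": head_ok, "entries_checked": len(chain), "first_bad": None}


def sample_chain():
    # Constructed sample entries, using the fields printed in step 6.
    chain = []
    for ts, action, actor in [
        ("2026-01-01T10:00:00Z", "consent.grant", "customer-001"),
        ("2026-01-01T10:00:05Z", "read", "support-agent-v1"),
        ("2026-01-01T10:00:09Z", "consent.revoke", "customer-001"),
    ]:
        append(chain, {"timestamp": ts, "action": action, "actor": actor})
    return chain


if __name__ == "__main__":
    chain = sample_chain()
    head = chain[-1]["hash"]       # keep this outside the log's trust domain
    print(verify(chain, head))     # intact chain
    edited = copy.deepcopy(chain)
    edited[1]["body"]["actor"] = "someone-else"
    print(verify(edited, head))    # in-place edit is caught at entry 1
    # Dropping the tail leaves a self-consistent chain; only the stored head exposes it.
    print(verify(chain[:-1]), verify(chain[:-1], head))
```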

Agent framework integration

Bedrock is framework-agnostic. It is an SDK your agent calls, not a runner it lives inside. Works with anything.

| Framework | Identity | Encrypted memory | Consent-gated tools | Audit chain |
|---|---|---|---|---|
| LangChain / LangGraph | Yes | Yes | Yes | Yes |
| CrewAI | Yes | Yes | Yes | Yes |
| AutoGen / AG2 | Yes | Yes | Yes | Yes |
| OpenAI Agents SDK | Yes | Yes | Yes | Yes |
| Custom agent loop | Yes | Yes | Yes | Yes |

LangChain integration example
    from langchain.agents import AgentExecutor, create_react_agent
    from bedrock_sdk import BedrockClient

    # Initialize Bedrock alongside your LLM
    bedrock = BedrockClient(
        base_url="https://localhost:8443",
        license_key="1:...",
    )

    # Register the agent as a Bedrock node
    agent_node = bedrock.nodes.register(name="langchain-agent", node_type="application")

    # Create a silo for agent memory
    agent_memory = bedrock.silos.create(name="agent-memory", categories=["context"])

    # In your tool wrapper, encrypt sensitive data before storage
    def bedrock_tool(tool_fn):
        def wrapper(*args, **kwargs):
            result = tool_fn(*args, **kwargs)
            # Encrypt tool output before it goes into agent memory
            encrypted = bedrock.encryption.encrypt(
                plaintext=str(result),
                silo=agent_memory["silo_id"],
                record_id="tool-output",
                scope="memory",
                operation="store",
            )
            return encrypted["ciphertext"]
        return wrapper

Architecture: how it fits together

Your agent calls the SDK. The SDK calls Bedrock Core. Security is inherited, not bolted on.

    Agent Loop
    LangChain / CrewAI / AutoGen / custom
        |
    Tool Layer
    @bedrock_tool wraps each tool call
    Encrypt inputs, decrypt outputs, enforce consent
        |
    Bedrock SDK (Python or TypeScript)
    nodes.register()      --> identity
    encryption.encrypt()  --> ciphertext
    consent.request()     --> token or denial
    audit.query()         --> tamper-evident log
        |
    Bedrock Core (self-hosted, your infra, your keys)
    Identity Fabric | Encryption Engine | Consent Gate
    Audit Chain | Key Management | Licensing

Self-hosted. No Bedrock cloud.

Your agents run on your infrastructure. Your keys never leave your network. There is no Bedrock SaaS. There is no third-party data route. The only data path is your agent to your Bedrock instance.

Your infrastructure

Run Bedrock Core on any host — bare metal, VM, container. Docker and docker-compose configs are included.

Your keys

HKDF-derived per-field encryption keys. Master key stays on your server. No key escrow. No third-party access.

Your data

Agent memory, silo data, audit chain — all encrypted at rest in your storage. Bedrock never sees it.

Your audit

SHA-256 chained audit log. Verify integrity at any time. Export for HIPAA, HITRUST, FedRAMP compliance.

Use cases

Where autonomous systems meet regulated data.

Healthcare AI agents

Agents processing PHI need consent-gated access, encrypted memory, and a tamper-evident audit trail. Bedrock provides all three. HIPAA and HITRUST ready.

Financial automation

Agents handling financial data — account numbers, transactions, PII — get field-level encryption and per-silo isolation. SOX and PCI-DSS audit trail included.

Military and defense

Agents operating on classified or CUI data require cryptographic identity, zero-trust access, and tamper-evident logging. FedRAMP and IL4+ alignment.

Multi-tenant SaaS

Agents in multi-tenant platforms need tenant data isolation. Bedrock silos enforce it cryptographically — not just logically — with consent tokens for cross-tenant access.

Start building secure agents

Free 30-day trial. No credit card. Self-host everything.
