June 2026 was the month AWS stopped shipping agent capabilities and started shipping the loop that improves them. The Summit in New York on 17 June was the centre of it: AgentCore gained optimization capabilities that read production traces and tell you what your agents are getting wrong, Web Search went generally available, the managed harness reached GA a day later, and AWS Continuum arrived as an AI-native security service that earns permission to act rather than assuming it. Elsewhere in the month, Anthropic launched and then lost Claude Fable 5 to an export directive, which taught everyone building on a frontier model something uncomfortable about supply chains.

The throughline is a shift from capability to feedback. April put the models on Bedrock. May gave agents a wallet. June asked the question that actually decides whether any of it survives contact with production: how do you know what your agents are doing, and how do you make them better next week than they were this week?

AgentCore optimization: production traces as the input

The most consequential announcement was the least demo-friendly. AgentCore's new optimization capabilities surface failure, intent, and trajectory insights across hundreds of sessions, clustering recurring failure patterns, including silent behavioural failures that no dashboard would flag, and ranking them by how widespread they are. Batch evaluations, recommendations, and A/B tests are generally available across 14 AWS Regions.

The word doing the work there is "silent". The failures teams find are the loud ones: exceptions, timeouts, 500s. The failures that hurt are the sessions where the agent returned something plausible, the user accepted it, nothing threw, and the answer was wrong. There is no error to alert on. You find those by looking at trajectories in aggregate and noticing that a hundred sessions took a shape they should not have, which is exactly the analysis nobody has time to do by hand. Doing it as a managed capability over traces you are already emitting is the right shape for the problem.

It also quietly confirms the thing worth saying out loud: an agent without an eval loop is not a product, it is a demo that happens to be running in production.

The harness reaches GA

On 18 June the managed AgentCore harness went generally available in every Region where AgentCore is supported. Two API calls, CreateHarness to define an agent and InvokeHarness to run it, and you have a production-grade agent with no orchestration code and no container to build. GA brings memory on by default, more model providers through LiteLLM and Bedrock Mantle, the AWS-curated skills catalog, evaluations and optimization, unified observability, versioning and endpoints, and an export path to Strands code.

That last item is the one to notice. Export to Strands means the managed path has a documented exit, which is the difference between a convenience and a trap. The harness previewed in April and spent two months becoming something you can adopt without betting the architecture on it. Whether you should hand your agent loop to a managed harness is the same question managed frameworks always pose, and having an export ramp changes the answer materially.

Web Search, grounded and inside the account

Web Search on AgentCore also went GA at the Summit: a managed tool that grounds agent responses in current, cited web knowledge with zero data egress from your AWS environment. The citation part is table stakes for anything that has to be checked. The zero-egress part is the reason it exists, because "the agent can search the web" is an easy feature and "the agent can search the web without your prompts leaving your boundary" is the version legal will sign.

AWS Continuum: a security agent that earns trust

AWS Continuum for code vulnerabilities launched in gated preview on 17 June, an AI-native service that continuously discovers vulnerabilities, validates which are genuinely exploitable by constructing working exploits in a sandbox, prioritises by whether the component is deployed, reachable, and in a production path, and then remediates inside guardrails you define. AWS is folding in penetration testing, code scanning through the AWS Security Agent, and STRIDE threat models generated from code or design documents.

The design detail that matters is the trust ramp. Continuum starts in learn mode, human in the loop, full reasoning shown for every recommendation, and is promoted to enforce mode category by category as the team builds confidence. That is the first major AWS agent product where "how much autonomy" is an explicit dial rather than a deployment decision you make once and live with. Expect that pattern to spread, because it is the honest answer to a question everybody has been fudging.

Also in the month

  • AWS Context, a knowledge graph so agents know where to get the information a task needs instead of guessing.
  • AWS WAF for AgentCore Gateway went GA, putting familiar web-exploit protection in front of agentic endpoints.
  • Quota increases: active session workloads per account rose to 5,000 in us-east-1 and us-west-2, and the InvokeAgentRuntime rate went from 25 TPS to 200 TPS per agent, per account. AWS says tasks performed by agents on AgentCore grew 15x in six months, which is the number those quota changes are chasing.
  • Kiro on iOS and Release Management in the AWS DevOps Agent, both aimed at steering an agent from wherever you are rather than from a terminal.

The Fable 5 interruption

Outside AWS, the month's most instructive story. Anthropic launched Claude Fable 5 and Claude Mythos 5 on 9 June at $10 per million input tokens and $50 per million output, materially cheaper than the preview generation. On 12 June a US export directive took them offline, prompted by a report from Amazon researchers describing a method of bypassing Fable 5's safeguards. On 30 June the Department of Commerce lifted the controls, with restoration to follow.

Whatever your read on the policy, the engineering lesson is unambiguous and it is not about safety. A frontier model is a dependency that can be withdrawn by someone who is not your vendor, for reasons that have nothing to do with your contract or your uptime. Teams that had pinned every call to one model spent eighteen days finding out what that meant. Teams that could route to a different model behind a gateway spent those days shipping. That is not a hypothetical argument for indirection anymore, it is a dated one.

The throughline

Read the month together and the direction is clear. AWS is building the operations layer for agents: the traces, the evals, the A/B tests, the quotas, the WAF, the graduated trust dial on Continuum. None of it makes an agent smarter. All of it makes an agent something an operations team can own on a Tuesday. The Fable 5 outage lands in the same frame from the other side: the model is the part you do not control, so the value accrues to the layer around it, the routing, the observability, the boundaries. June was AWS building that layer in public, and a US export directive making the case for it by accident.

Read this next

For the infrastructure and platform reading of the same month, the cloud field notes live at ercan.cloud, and the hub is at ercanermis.com.