At its New York Summit, AWS shipped and previewed a stack of background running AI tools that act on their own, but most of the load bearing pieces are still in closed preview, leaving engineering teams to weigh always on automation against the blast radius of a wrong action.
For most of the past two years, AI coding and security tools have been framed as on-demand assistants: a developer types a prompt, the model answers, the human decides what to do with the output. At the AWS New York Summit on 17 June 2026, the company pushed a different posture. "Agentic" tools, in AWS's telling, are no longer assistants waiting for a prompt. They are background workers that scan, patch, test, and release on a continuous loop, with a human approving after the fact rather than directing the work in real time.
That shift is the story. The individual product names matter mainly as a map of what is shipped, what is preview, and what is still vapor.
The product map, as of 17 June 2026, is fragmented in a way that matters for anyone deciding what to test. Continuum is in closed preview. AWS Continuum is a set of security agents that "continually provide security continuity using artificial intelligence, building on penetration testing and code review," per Matt Wood, AWS's chief AI and technology officer, as reported by The Register's Tim Anderson. Access is gated, and behavior in customer environments is still AWS-curated, which is a different category of product from a generally available release. The older Security Agent line has been split into two sub-products, Continuum pen testing and Continuum code scanning, and the underlying DevOps Agent base product hit general availability back in March 2026. On top of that GA surface, AWS is now previewing DevOps Agent release management, which automates the path from merged code to production, and shipping new endpoints that expose MCP (Model Context Protocol) and A2A (Agent2Agent) so other tools and other agents can call into AWS's agents and vice versa. Kiro, AWS's coding assistant, is now also available as an iOS app, putting code generation and review on a phone.
The interoperability line is the part most worth slowing down on. MCP and A2A are standards for how agents hand work to each other. Exposing them means an agent inside AWS's stack can be invoked by a third-party tool, and an AWS agent can call out to a third-party agent, without a human writing glue code. That is a different shape of integration than the typical vendor product with a chat box. It is also the part that turns "agent" from a marketing word into an actual industry surface, with all the version-skew, identity, and trust issues that implies.
The marketing argument deserves its own paragraph. Wood used the Summit to make a price-per-intelligence claim. "While the cost of a token at the frontier continues to go up, if you normalize for a particular point of intelligence, the cost continues to decrease year by year." The line is built to justify always-on agent spend: if each unit of useful work is getting cheaper, paying for agents that run continuously becomes a defensible line item. It is also a soft claim. Which "point of intelligence" benchmark, and over what time window? AWS did not name one. Vendor cost-per-intelligence arguments have a long history of being true in the chosen denominator and useless outside it. The right way to read Wood's line is as a directional marketing argument that engineering teams should test against their own workloads before they sign a multi-year commitment, not as a measured economic fact.
The practitioner question that actually matters is the blast radius. An agent that runs continuously in a production path changes the consequence of a wrong action. A chatbot that hallucinates a snippet costs the developer ten minutes. An agent that is allowed to push a release, rotate a credential, or open a firewall rule costs the on-call engineer the rest of their week. That is the real reason "closed preview," sandboxed exploit demos, and Bedrock AgentCore guardrails are doing more load-bearing work in AWS's pitch than they look like they are. Trust, in Wood's framing, is the largest barrier to AI adoption, and AWS is using preview gating as the trust answer.
The choice surface for engineering teams as of today looks like this. Continuum closed preview and DevOps Agent release management preview are opt-in, meaning a team has to request access before any agent touches their code. The MCP and A2A endpoints, by contrast, are on by default for new Bedrock AgentCore customers: once a team turns on the GA DevOps Agent, the interop surface is part of the package, not a separate decision. The DevOps Agent base itself has been generally available since March. Kiro on iOS is shipping today, useful for review and quick edits but not a substitute for a desktop environment.
Three things are worth watching through the rest of 2026. The first public Continuum customer references will set the trust bar: closed previews are where vendors find their best-case scenarios, and the first wave of customer case studies is where the actual ceiling of the tool shows up. The second is whether AWS ever names a denominator for "cost per intelligence." Until it does, the falling-cost framing should be read as a sales argument, not a forecast. The third is the blast-radius story itself. When the first always-on agent misfires in a real production path, the postmortem will define the trust ceiling for the rest of the category, and AWS is currently the most exposed vendor to that first incident, by virtue of being furthest along the always-on curve.
The agentic DevOps pitch is no longer a research demo. It is a set of shipping products with a clear architectural claim: AI moves from prompt-and-answer to continuous background action. The interesting work for the next quarter is on the receiving end. Engineering teams that adopt any of this need to decide, in writing, where an agent is allowed to act unobserved and where it has to ask, what telemetry they expect from a continuous run, and what the rollback path looks like when the agent is the one who pushed the change.