AWS Unveils Governed Data Mesh Architecture for Agentic AI

New reference design combines S3 Tables, Lake Formation, and Model Context Protocol to enforce fine-grained access control across autonomous AI workflows.

Omega Editorial · June 25, 2026 · 3 min read

AWS has published a reference architecture that addresses a critical gap in agentic AI deployments: how to enforce fine-grained access control when autonomous agents query databases, construct SQL, and synthesize data from multiple sources across an organization.

The architecture, detailed in a new AWS Machine Learning blog post, represents a significant evolution from retrieval-augmented generation (RAG) systems. While RAG enforces governance at a single checkpoint—filtering vector search results by metadata—agentic AI requires authorization decisions at every step of a multi-stage chain that includes table discovery, schema inspection, query construction, vector retrieval, and response synthesis.

Why it matters

As enterprises move from RAG to agentic AI patterns, they face a governance challenge that metadata filters alone cannot solve. Agents that autonomously discover and query data sources need real-time permission enforcement at each interaction layer, not periodic synchronization of access rules. This architecture provides a blueprint for production deployments where authorization failures at any step prevent unauthorized data exposure—critical for regulated industries and customer service applications handling sensitive information.

Three core architectural changes

The AWS design makes three key modifications to earlier RAG architectures, according to the AWS blog post.

First, it replaces Amazon OpenSearch Serverless with Amazon S3 Vectors for knowledge bases, which AWS says can reduce vector storage and query costs by up to 90 percent in moderate query-frequency workloads. S3 Vectors supports up to 2 billion vectors per index with strong write consistency, meaning newly added vectors are immediately queryable.

Second, the architecture substitutes general-purpose S3 with Amazon S3 Tables, which includes built-in Apache Iceberg support and integration with AWS Lake Formation. AWS claims S3 Tables delivers up to 10 times higher transactions per second compared to self-managed Iceberg tables, with automatic compaction and snapshot management. Lake Formation enforces row, column, and cell-level security through data filters that restrict queries regardless of how an agent constructs its SQL.

Third, the data mesh is exposed through Model Context Protocol (MCP) tools via AgentCore Gateway, with Lambda-backed interceptors enforcing deterministic access control at every agent-to-tool invocation.

Four-layer governance model

The architecture implements authorization across four distinct layers. The agent layer runs within AgentCore Runtime, a serverless hosting environment with isolated microVM sessions. The gateway layer includes request interceptors for JWT validation and scope enforcement, plus response interceptors for tool filtering and data redaction. The tools layer provides four Lambda-backed MCP functions: get_user_tables, get_schema, run_query, and kb_search. The governed data mesh layer combines S3 Tables registered in AWS Glue Data Catalog, Amazon Athena with workgroup cost controls, Lake Formation security policies, and S3 Vectors powering Bedrock Knowledge Bases.

Interceptor pattern for real-time control

AgentCore Gateway interceptors execute as Lambda functions at two stages in the request-response lifecycle. A request interceptor validates tokens and blocks unauthorized tool access before the gateway calls the target function. A response interceptor filters tool lists and redacts data after the target responds but before results reach the caller. Each token includes an "Act: Agent" field establishing a clear chain of responsibility across service boundaries.
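To make the two-stage interceptor pattern concrete, here is an added illustration of the request and response interceptor logic in plain Python. It is not code from the AWS sample repository or the AgentCore Gateway product; the event and return shapes, the tool-to-scope mapping, the PII column list and the HS256 shared-secret token verification are all constructed assumptions for this example (a real gateway would verify the identity provider's asymmetric signature). The request interceptor rejects missing, tampered or expired tokens and denies tools the caller's scopes do not cover, while also forwarding the actor claim so downstream logs keep the chain of responsibility; the response interceptor filters the tool list and redacts PII columns before results reach the caller.

```python
"""Request/response interceptor logic in the style of the gateway pattern
above. Event shapes, scopes and secrets are constructed for this example and
are NOT the real AgentCore Gateway interceptor contract."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret (HS256). A real deployment verifies the IdP's
# asymmetric signature instead of embedding a shared secret in the function.
DEMO_SECRET = b"demo-shared-secret"

# Constructed mapping: which scope a caller must hold to invoke each tool.
TOOL_SCOPES = {
    "get_user_tables": "mesh:read",
    "get_schema": "mesh:read",
    "run_query": "mesh:query",
    "kb_search": "mesh:search",
}

# Constructed list of columns redacted unless the caller holds "pii:read".
PII_COLUMNS = {"email", "phone", "ssn"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """What the identity provider would do; included only so the demo is self-contained."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Return the claims if signature and expiry check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to pick the algorithm
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")  # a missing exp is treated as expired
    return claims


def request_interceptor(event: dict) -> dict:
    """Stage 1: runs before the gateway invokes the tool. Validates the JWT, enforces scope."""
    auth = event.get("headers", {}).get("authorization", "")
    if not auth.startswith("Bearer "):
        return {"allow": False, "reason": "missing bearer token"}
    try:
        claims = verify_token(auth[len("Bearer "):], now=event.get("now"))
    except ValueError as exc:
        return {"allow": False, "reason": str(exc)}
    tool = event.get("tool")
    required = TOOL_SCOPES.get(tool)
    scopes = set(claims.get("scope", "").split())
    if required is None or required not in scopes:
        return {"allow": False, "reason": f"scope {required!r} required for tool {tool!r}"}
    # Forward subject and actor claims so the tool's logs carry the chain of responsibility.
    return {"allow": True, "principal": claims.get("sub"), "act": claims.get("act"),
            "scopes": sorted(scopes)}


def response_interceptor(event: dict) -> dict:
    """Stage 2: runs after the tool responds. Hides tools the caller cannot use, redacts PII."""
    scopes = set(event.get("scopes", []))
    result = event["result"]
    if event.get("tool") == "tools/list":
        return {"tools": [t for t in result["tools"] if TOOL_SCOPES.get(t["name"]) in scopes]}
    if "rows" in result and "pii:read" not in scopes:
        rows = [{k: ("[REDACTED]" if k in PII_COLUMNS else v) for k, v in row.items()}
                for row in result["rows"]]
        return {"rows": rows}
    return result
```

The deterministic `now` field in the event exists only so the expiry check can be tested offline; in a deployed interceptor the wall clock is used. Keeping the allow/deny decision and the redaction in the gateway, rather than in each tool, is what makes the control apply uniformly no matter how the agent phrases its request.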

The architecture supports tag-based access control through Lake Formation, allowing administrators to assign LF-Tags like classification=PII or department=customer_service to resources and grant permissions dynamically based on those tags.

The complete reference implementation, including Lambda function source code and IAM policies, is available in the AgentCore Gateway interceptor samples repository. AWS published the architecture details in its Machine Learning blog.

Tags: agentic-ai, data-governance, aws-lake-formation, model-context-protocol, data-mesh, amazon-bedrock

This is an original analysis by the Omega editorial team. Source reporting: AI Watch.
