AWS Summit Was Not About AWS Taking OpenAI From Microsoft. It Was About Three Companies Carving the Agentic AI Market Into Defined Territories.

Signal correction: "enforce mode," not "act mode"

Secondary coverage of AWS Continuum uniformly describes the product as having "learn mode" and "act mode." The product's actual modes are "learn mode" and "enforce mode." "Act mode" does not appear in any primary AWS source — it is a third-party misquote that propagated from early coverage into subsequent reporting.

The distinction matters for the safety analysis below. "Enforce mode" implies infrastructure-layer policy enforcement. "Act mode" would imply autonomous action. These are different product behaviors, and the framing determines whether Continuum is a safety product or a marketing claim.

What the Summit was actually announcing

Amazon's $50B investment in OpenAI closed in April 2026. The Azure exclusivity clause — which gave Microsoft exclusive cloud hosting rights for OpenAI models — was formally terminated April 27, 2026. OpenAI models arrived on Amazon Bedrock within 24 hours.

AWS Summit New York ran June 17. The OpenAI-on-Bedrock announcements at the Summit are the public-facing commercialization of a structural change that was six weeks old by Summit date. The Summit wasn't where OpenAI moved to AWS; it was where Amazon presented the product architecture that the April deal had already enabled.

Understanding this sequence matters: Summit coverage that framed the announcements as a competitive break from Microsoft was reading a press event as a strategic pivot that had already occurred.

The territorial split, precisely described

The correct framing is not "AWS took OpenAI from Microsoft." The correct framing is that Amazon, Microsoft, and OpenAI negotiated a territorial division of the enterprise AI infrastructure market.

AWS's territory: OpenAI Frontier stateful agentic workflows. "Amazon Bedrock Managed Agents powered by OpenAI Frontier" is AWS-exclusive among third-party cloud providers. Any enterprise that wants to run production stateful AI agents using OpenAI's most capable models must route through Bedrock. Google Cloud, Oracle Cloud, and others cannot offer this.

Microsoft's territory: OpenAI stateless API calls through 2032. Azure OpenAI Service retains contractual exclusivity on standard API inference — the developer market that accounts for the majority of current OpenAI usage. Microsoft also retains first-ship rights: when OpenAI releases a new model, Azure gets it before Bedrock. The Summit announced OpenAI Codex, GPT-5.5, GPT-5.4, and two open-weight variants (gpt-oss-120b, gpt-oss-20b) on Bedrock — but notably no o3. o3 had not yet appeared on Bedrock as of Summit date, consistent with Azure's first-ship rights.

Microsoft's gain from the restructuring: it eliminated its revenue-share payments to OpenAI. The original Azure exclusivity arrangement included ongoing revenue-sharing obligations to OpenAI. The April 2026 restructuring terminated those payments while retaining the valuable contractual rights. Microsoft paid for OpenAI exclusivity in 2019; it now gets partial exclusivity without the ongoing cost.

OpenAI's gain: distribution to AWS's enterprise customer base — the largest cloud platform by revenue — without losing Azure distribution. OpenAI is now infrastructure-neutral across the two largest enterprise cloud platforms, with defined product lanes on each.

The result is not competition between AWS and Azure for OpenAI workloads. It is a market structure where the choice of cloud platform determines which OpenAI capabilities you can access. Enterprises building stateful agentic workflows go to Bedrock. Enterprises building stateless API-driven applications go to Azure OpenAI. Google Cloud serves enterprises committed to Gemini-native architectures. Three platforms, three lanes, minimal direct overlap.

What AgentCore Harness actually is

Every article from Summit coverage described the AgentCore Harness GA as AWS launching "production-grade agent orchestration." Technically accurate, commercially misleading.

AgentCore's seven underlying primitives — memory, state management, tool use, multi-agent communication, human-in-the-loop checkpoints, observability, and security sandbox — went generally available in October 2025. AWS has had production-grade agent orchestration for eight months. The Summit GA announcement was specifically for the Harness layer: a developer-experience abstraction that wraps those seven primitives into a two-API-call interface.

Before the Harness, a developer building a production agent on AWS wrote custom orchestration code integrating all seven primitives. After the Harness, the same agent takes two API calls. This is a developer-experience improvement, not a capability addition.

Microsoft's comparable product — Agent Framework 1.0 — went generally available on April 3, 2026, six weeks before the Harness GA. Any claim that AWS "launched" the first production-grade agent framework is incorrect.

The named AgentCore enterprise customers — Nasdaq, Visa, Experian, PGA Tour, Druva, Swisscom — are production deployments of the October 2025 primitives. The Harness simplifies their existing implementations. It also expands the addressable developer pool to teams that couldn't previously staff the custom orchestration engineering required.

The Unit 42 finding AWS has not responded to

This is the story no Summit coverage covered.

Unit 42, Palo Alto Networks' threat intelligence unit, published a finding that AgentCore's security sandbox contains gaps that allow agents to exfiltrate data through side channels under specific conditions. The finding is on-record. AWS has not published a public response.

AgentCore's enterprise value proposition in regulated industries — financial services, healthcare, legal — rests explicitly on its security sandbox. AWS markets AgentCore to enterprises that cannot run AI agents without audit trails, data isolation, and verified security controls. If the sandbox has exploitable side-channel gaps, the security guarantee is incomplete.

Every enterprise currently deploying AgentCore in a regulated environment should have two immediate questions: does their current AgentCore configuration reproduce the conditions Unit 42 described, and has AWS addressed the underlying vulnerability? AWS's silence — no patch announcement, no public response — is not a signal that the finding was wrong. It is a signal that the finding has not been publicly adjudicated.

AWS Continuum: the real safety claim vs. the marketing claim

AWS Continuum launched June 9, 2026 — eight days before the Summit. The product has two components: a pen-testing agent (GA) and a code vulnerability agent (gated preview, no pricing or GA date published). The Summit named four design partners: Capital One, MongoDB, Rivian, Robinhood. These are design partners for a preview product, not live production customers.

The safety framing is partly real and partly targeted marketing. Here is the part that is real: Continuum's enforce mode operates at the infrastructure layer, not within the model. Policy enforcement happens before model output is acted on — it cannot be bypassed by prompt injection because the model's output passes through infrastructure-level controls before execution. This is technically meaningful. A model that's been jailbroken cannot direct Continuum to skip its enforce-mode checks by including instructions in its output.

Here is the part that is marketing: "earn autonomy incrementally" is a positioning statement against Microsoft's agent frameworks, which give developers more direct control over agent autonomy without requiring a prescribed escalation path. AWS's framing targets enterprise risk officers who need a safety narrative to approve production agent deployment. Both things are true simultaneously — the technical implementation is meaningful and the marketing framing is targeted at a specific audience concern.

The learn mode / enforce mode structure is: Continuum observes in learn mode, building a model of normal infrastructure behavior. In enforce mode, it applies policy based on that learned model. A developer or SOC team reviews and approves the transition from learn to enforce mode per permission category — file access, network calls, IAM actions. "Gradual autonomy" is how AWS describes this; "phased policy enforcement with human approval gates" is what it actually is. Both descriptions are accurate.

Two Summit announcements that secondary coverage missed

Amazon Quick and AWS Context were announced at Summit and received no significant coverage.

Amazon Quick is an autonomous background agent product — continuous agents that run on a user's behalf without requiring interactive sessions. The direct competitive reference is Microsoft Copilot's background task capabilities, which allow AI agents to execute ongoing workflows without user presence. Quick is Amazon's equivalent for the AWS platform.

AWS Context is an organizational knowledge graph with claimed self-learning capabilities. It learns from enterprise data — documents, Slack threads, code repositories, internal databases — to maintain a continuously updated map of organizational knowledge. The competitive targets are Glean (enterprise AI search, valued at approximately $4.6 billion in 2025) and Microsoft Viva Topics (organizational knowledge embedded in Microsoft 365). AWS Context positions Amazon as a player in enterprise knowledge management, not just compute and model hosting.

Neither product was in the Summit's main narrative. Both are significant product moves into adjacent enterprise software categories.

The procurement angle

OpenAI API spend counted toward AWS committed spending commitments is a procurement advantage that deserves attention.

Large enterprises negotiate multi-year AWS committed spend agreements — typically $10 million to $100 million annually. Any dollar of OpenAI API spend running through Bedrock counts toward those commitments. For an enterprise already committed to $50 million in annual AWS spend, routing OpenAI workloads through Bedrock reduces the gap between committed and actual spend. Azure OpenAI Service offers the equivalent for Azure committed spend pools.

The question is which cloud platform has deeper committed-spend arrangements with target enterprises. AWS leads in cloud market share overall. Azure leads in enterprise Microsoft shop penetration. The committed-spend math will differ by enterprise depending on which platform they've already committed to. For the enterprises already deeply in the AWS ecosystem, Bedrock's pass-through pricing (no AWS markup on OpenAI models, confirmed in Summit materials but not contractually guaranteed as permanent) plus committed-spend counting is a real financial argument for routing OpenAI workloads through Bedrock rather than directly through OpenAI's API or through Azure OpenAI Service.

The durable infrastructure question

AWS is executing a platform strategy: if it cannot own the frontier models, it will own the infrastructure and orchestration layer that all frontier models run on — including its competitors' models. Bedrock now hosts OpenAI, Anthropic, Meta's Llama family, Mistral, and multiple Chinese and open-weight models. No model vendor is excluded from Bedrock. The AWS bet is that enterprises will choose cloud platform before choosing model, and that platform lock-in (security controls, identity integration, committed spend, regional compliance) is stickier than model preference.

Google Cloud's equivalent bet is that model preference (Gemini native integration, multimodal-first architecture) drives cloud platform selection. Microsoft's bet is that enterprise Microsoft 365 integration (identity, compliance, workflow) is the stickiest lock-in.

The Summit didn't resolve which bet wins. It established that AWS is a credible enterprise agentic platform with real customers and real OpenAI distribution. The Unit 42 finding is the unresolved risk that could disqualify AgentCore from regulated-industry deployment. That question — whether AWS has addressed the sandbox gap — is more consequential for the platform's enterprise trajectory than any of the Summit announcements.