AWS Public Sector Blog

A faster, more resilient digital repository: Migrating DSpace to AWS

Kai Xu — Sat, 16 May 2026 15:33:43 +0000

Automated bot traffic has surged across academic digital repositories, creating real performance problems for institutions that make research openly accessible. At Johns Hopkins University (JHU), the problem was compounding an already difficult situation. The Sheridan Libraries’ installation of DSpace—an open-source digital repository system used by thousands of institutions worldwide—was running on on-premises infrastructure that the team could no longer update without significant manual work. The system was many versions behind the latest release, and the single-server setup required significant dedicated resources to handle frequent traffic spikes.

These challenges made modernizing DSpace a necessity to support the university community. The Digital Research and Curation Center (DRCC), the group within the Sheridan Libraries that builds and manages digital infrastructure for open scholarship, migrated DSpace to the cloud with Amazon Web Services (AWS). Using Amazon Elastic Container Service (Amazon ECS) with AWS Fargate, the team achieved a faster, more scalable repository without the operational burden of maintaining on-premises infrastructure.

Frozen infrastructure and surging traffic

DSpace, known at Johns Hopkins as JScholarship, is the central repository for the university’s research and cultural collections, housing over 150 collections that include research papers, theses, dissertations, historical documents, newsletters, articles, images, audio, video, sheet music, and maps.

“JScholarship users range from students depositing theses, to government employees researching state land maps, to musicians searching for historic sheet music compositions,” said Digital Repositories Manager for the Sheridan Libraries, Allison Fischbach. JScholarship also supports the university’s open-access policy, providing faculty with a place to make their research publicly discoverable. “DSpace is used to maintain a permanent record of university scholarship,” said Hodson Director of the DRCC and Open Source Programs Office, Bill Branan.

But running DSpace on-premises had become unsustainable. Recent licensing changes resulted in increased hosting costs, and much of the maintenance and administration for supporting DSpace relied on manual processes. Pushing code updates into production took months.

“Updates hadn’t really been done to DSpace for a very long time because there was a lack of confidence in the process,” explained Senior Cloud Engineer in the DRCC, Steven Miklovic.

Meanwhile, automated bot traffic—driven largely by AI companies scraping open-access research—had surged, and the infrastructure needed frequent manual intervention to keep up.

Before the migration, the DRCC team evaluated whether to replace DSpace entirely. They determined that the software was still the right fit, but it was necessary to increase the speed of moving software changes into production, and the deployment environment needed to be able to scale to meet demand without manual intervention. These requirements pointed to a container-based deployment with an automated build pipeline.

“Given the on-premises architecture, deploying changes in a timely manner would have been very difficult,” said Senior Software Engineer in the DRCC, Russell Poetker.

Building on an existing modernization effort

The DRCC team brought relevant experience to the project. Engineers on the team had already modernized the Public Access Submission System (PASS), a custom application that allows researchers to deposit articles into DSpace, using a similar containerized architecture. The team also drew on experience with DSpaceDirect, a hosted service run through Lyrasis, the organizational home of the DSpace open-source project. That prior work showed that hosting DSpace in the cloud could deliver consistency, repeatability, and resiliency.

Throughout the project, the DRCC team worked with AWS through a consultation-based approach, meeting at key milestones for architectural reviews. Those sessions validated the architecture and surfaced important security features and optimizations.

Six months from architecture to production

The technical implementation spanned about six months. The first three to four months focused on defining the initial architecture, including a significant data migration sub-project. The on-premises environment for DSpace stored files differently than Amazon Simple Storage Service (Amazon S3), so the team went through several iterations of migrating data, validating it, and refining scripts.

“Steps like that are how you build the confidence in the cloud for people,” Miklovic noted.

This phase also included the DRCC’s creation of infrastructure as code (IaC) to automate the deployment process, laying a repeatable foundation for future migrations.

Once the production environment was created using IaC tooling, the team performed testing and validation prior to a final production launch on January 12, 2026. Post-launch, they tuned scaling policies and optimized resource allocation to handle bot traffic spikes, followed by additional efficiency improvements.

A serverless architecture built for maintainability

Moving to a serverless architecture was more complex than a straightforward lift-and-shift, but the DRCC team chose that path deliberately. An earlier attempt at JHU to run a different application in a more advanced container orchestration environment had proven too burdensome. Amazon ECS with AWS Fargate offered a managed middle path.

“We wanted to really simplify the operational burden of an advanced architecture and focus on the developers being the primary support for the application,” said Miklovic. By shifting infrastructure management to AWS-managed services, the team could redirect their focus from operational maintenance to development, effectively adopting a DevOps model where the engineers who build the application also own its deployment and observability.

DSpace naturally breaks into several components, including a front end, back-end API, search index, and scheduled jobs, which the team split into separate containers so each can scale independently. The architecture includes Amazon Relational Database Service (Amazon RDS) for PostgreSQL configured for high availability; Amazon S3 for the DSpace asset store; AWS WAF in combination with Cloudflare for application security and bot traffic management; Elastic Load Balancing using Application Load Balancers for public and internal traffic; Amazon EventBridge for scheduled tasks; and Amazon CloudWatch for monitoring. The team also used Amazon Q Developer for the first time to support architectural decisions.

The migration also gave back to the open-source community. The team found that DSpace’s Amazon S3 storage integration relied on an outdated version of the AWS software development kit, upgraded it, and contributed the fix upstream.

“That’s one of the nice things about working in open source,” said Branan. “If we find something that’s a problem, not only can we fix it, but we can push it back up for anyone else who needs to use it.”

Faster performance, faster deployments, and greater confidence

Since launching, the new environment has reached stable performance after an anticipated tuning period. The public-facing load balancer typically averages 400,000 to 500,000 requests per day, while a second, internal load balancer handles over 2 million, which reflects the volume of communication between DSpace’s internal components.

The difference has been immediate for the people who use DSpace every day. Students searching for dissertations, faculty accessing research, and staff managing collections all noticed faster response times as soon as the cutover happened. Where the old single-server setup left the repository vulnerable to bot traffic spikes, the new architecture absorbs surges without degrading the experience for real users.

Centralized logging and alerts now give the DRCC team real-time visibility across the environment, replacing the reactive troubleshooting of the old setup. The serverless nature of the deployment also gives engineers more time to focus on improving the application itself.

The new deployment pipeline has also shortened the path from code change to a testable environment.

“Verification of application changes in a pre-production environment now happens within a few minutes after a PR is merged. This is a big improvement for our development and test cycle,” said Poetker.

With faster performance for users and a streamlined workflow for developers, the DSpace migration has given the DRCC team confidence that they can apply the same approach with other applications in their portfolio. Stakeholders for other library systems are eager for similar transitions.

A roadmap for other institutions

The DRCC team is already migrating more applications into a similar architecture and exploring how AI can support DevOps visibility over time. Other academic libraries and cultural institutions considering this type of migration can draw on the team’s experience: start with a managed service like Amazon ECS as a pathway into the cloud; take small steps to build confidence; and use what others have built.

To that end, the DRCC team published an open-source reference architecture for DSpace on AWS on GitHub, which also breaks out components that other institutions can reuse for different applications, so they don’t have to build it all from scratch.

With bot traffic continuing to grow and on-premises infrastructure increasingly difficult to maintain, modernizing digital collections in the cloud is becoming a practical necessity. Explore how AWS helps institutions build secure, scalable solutions for higher education.

Read related stories on the AWS Public Sector Blog

How to effectively use AWS Support for public sector organizations

Caleb Grode — Thu, 14 May 2026 23:03:48 +0000

For public sector organizations running workloads on Amazon Web Services (AWS), AWS Support helps troubleshoot issues and provides expert technical guidance. Getting the most out of AWS Support goes beyond merely opening a ticket. Knowing how to choose the right severity level, communicate through the right channel, and provide the right information can significantly reduce your time to resolution. In this post, we explore ways to best use your AWS Support.

Choosing the right severity level

AWS Support can be contacted through three channels: web (email), live chat, and phone. Each method will open a support case. AWS addresses support cases based on severity of the reported issue and the human response times for your support tier.

The severity level you choose signals the time and mission or business sensitivity of your issue. Understanding these levels is important because customers frequently underestimate the severity of their cases, which can delay response.

The severity levels are:

General guidance [low] – You have a general question about an AWS service or feature.
System impaired [normal] – Noncritical functions of your application are behaving abnormally, or you have a time-sensitive development question.
Production system impaired [high] – Important functions of your application are impaired or degraded.
Production system down [urgent] – Your business is significantly impacted. Critical functions of your application are unavailable.
Business-critical system down [critical] – Your business is at risk. Critical functions of your application are unavailable.

Choosing the correct severity helps your case be prioritized appropriately. If your situation worsens after opening a case, you can and should increase the severity.

Selecting your communication channel

Engaging support through live chat or phone will connect you to the next available support engineer. For both high-severity and low-severity but blocking issues, we recommend contacting support over live chat or phone. This can significantly reduce initial response time and lead to a faster time to resolution. The AWS Support team has engineers who are assigned directly to monitor the queues for live chat and phone. During a mission-impacting event, this can further accelerate the time to response in addition to case severity. For issues that aren’t high severity, live chat or phone support can reduce time to response from hours to minutes even if the event doesn’t impact production or the organization as a whole.

Escalating to service teams

Support engagements can sometimes involve complex solutions. Issues that can’t be solved through direct support engineer troubleshooting or are of the highest urgency can escalate to a service’s engineering team. Service team engagement is driven and prioritized by issue criticality. Your support engineer manages escalation to service teams acting as an intermediary and advocate.

Providing business impact information

When creating a support case for a critical issue, it’s important to provide the right data on business impact so your support agent can accurately advocate for you. Providing this information proactively can also save vital time for the support agent in determining impact when it becomes clear an issue needs to be addressed by the service team.

For a support case that might require escalation or is of the highest priority, be sure to include the end user impact, scale, mission and monetary impact, and internal visibility level. For example, a law enforcement agency supporting a large metro area might include the following data:

400 officers across 12 precincts unable to access real-time crime center feeds impairing all active patrol and dispatch operations. The issue constitutes a direct public safety risk across the state capital region supporting 2.3 million constituents. The agency’s CIO and superintendent have been briefed and are monitoring for resolution.

At the time of an incident, impact might not be fully measured, but including as much information as available will allow our teams to best prioritize the request.

Sharing the right troubleshooting data

In addition to providing data on impact, providing the right data for troubleshooting is also important. Make sure to provide the Amazon Resource Name (ARN) of any impacted resource, and providing relevant service logs is also crucial. Copying and pasting the logs is more useful than providing screenshots because the engineer can interact with the text directly. Finally, including the time(s) of when incidents occurred and the observed behavior at those times will assist with troubleshooting.

Keeping your case active

After a support case is opened, keeping it active is important. Cases that go without updates can stall, and support engineers might deprioritize them if there is no indication the issue persists. If you haven’t received a response within a reasonable window, update the case with any new information or increase the severity if the situation has worsened. Additionally, if an issue resurfaces after a case has been marked resolved, you can reopen the case rather than starting from scratch. This preserves the troubleshooting history and context from the original engagement.

Using self-service resources first

Before opening a support case for nonurgent issues, it’s worth checking AWS self-service resources. The AWS Health Dashboard can tell you whether your issue is part of a known service event, saving you time and giving you useful context to include if you do open a case. Similarly, AWS Trusted Advisor can surface configuration issues or service limit concerns that might be the root cause. For general questions or common errors, AWS re:Post, AWS documentation, and AWS generative AI–powered tools such as Amazon Q can often provide faster answers than waiting for a support case response. Checking these resources first can either resolve your issue outright or give you better information to include when you do engage support.

Using support proactively

AWS Support is not only for break-fix issues. Support provides a way for you to directly engage domain and service experts. AWS customers who effectively use AWS Support create support cases often and even for small issues. When building or working with AWS services, if a problem has been blocking progress for even an hour, use support as an additional troubleshooting resource. In addition to service-specific expertise, support agents can search internally for similar issues that have been observed and solved. This high frequency utilization of AWS Support is an excellent strategy to combine with the selection of chat or phone communication channels for low-severity issues that benefit from quick engagement.

Conclusion

In this post, we discussed ways to effectively use AWS Support that might not be commonly known. Choosing the right communication channel and severity level can speed time to resolution. Checking self-service resources such as AWS Health Dashboard, Trusted Advisor, and Amazon Q before opening a case can save time or provide better context. Providing clear business impact along with comprehensive ARNs and logs can reduce back-and-forth exchanges. Keeping cases active and reopening them when issues resurface keeps continuity. Using support beyond break-glass issues can accelerate development and give insight into how to best use AWS services.

To explore your support options and find the right plan for your organization, visit the AWS Support plans page. To get started with the self-service tools mentioned in this post, refer to the AWS Health Dashboard documentation, the AWS Trusted Advisor documentation, and Getting started with Amazon Q.

Scouting America transforms youth enrollment with generative AI assistant powered by AWS

Nicolaas Botes — Wed, 13 May 2026 22:54:24 +0000

For 115 years, Scouting America has shaped generations through service, leadership, and outdoor adventure. Their mission is to prepare young people for lives of impact by instilling values, teaching life skills, and fostering character, through adventure and service in a safe, inclusive environment. With over 1 million youth participants and 628,000 volunteers, they’re not just teaching skills, they’re building character.

In May 2025, Scouting America launched Scoutly, a generative AI-powered, multilingual AI assistant built on Amazon Web Services (AWS). Scoutly has streamlined their enrollment process by providing conversational support in multiple languages, answering questions, helping families find local units, and guiding them through enrollment with contextual awareness. The platform has delivered remarkable results, reducing registration time from 25 minutes to just 5 minutes through agentic workflows. Scoutly currently averages 2,000 users per day and has answered over 1.9 million questions from visitors.

In this post, we share how Scouting America used this AI assistant to transform youth enrollment.

Removing barriers to youth development

The organization faced significant challenges with their registration process that hindered their ability to serve families effectively. The lengthy and confusing enrollment journey led to high abandonment rates, with families often giving up before even starting their Scouting experience. Between parental authorizations, complex pricing structures, and static forms, the registration process was disjointed and frequently abandoned.

Every abandoned form represented one less future Scout ready to serve their community. With limited staff serving an audience of 1.5 million people (between members, volunteers, and alumni), Scouting America sought to use technology strategically to make registration easier and more accessible.

They also wanted to achieve a strategic goal: ensure relevance to today’s youth as a 115-year-old organization. They needed a tech platform that was straightforward to use and could facilitate digital experiences comparable to modern platforms that young people regularly use.

Building an intelligent solution with AWS

Scoutly is a powerful AI assistant that provides instant, reliable support to leaders, volunteers, parents, and scouts through a comprehensive knowledge base of Scouting America resources. Users can access this interactive assistant around the clock on Scouting.org and BeAScout.org, which provides a safe, child-friendly experience. Scoutly also fits into Scouting America’s broader technology strategy, which prioritizes service design, enterprise architecture, data governance, platform thinking, and simplified user experiences. The organization’s business strategy calls for a unified technology foundation, stronger governance, and a data architecture that can support real-time operations and analytics at scale.

Working with partner Myridius, Scouting America built Scoutly on Amazon Bedrock and a comprehensive suite of scalable services, including AWS Lambda, Amazon Elastic Compute Cloud (Amazon EC2), Amazon Relational Database Service (Amazon RDS), Amazon DynamoDB, Amazon Simple Storage Service (Amazon S3), and Amazon Kendra.

The solution is designed to be fast, resilient, and built to scale while engaging users with relevant, accurate, real-time information.

Working alongside AWS, Myridius served as the lead architecture and delivery partner for Scoutly, focusing on the technical foundations required to make the experience reliable, scalable, and safe. The team defined the enterprise architecture and integration patterns that enabled real-time orchestration across systems, while confirming the solution could scale seamlessly on AWS.

A key focus area was data governance and content control. Myridius helped design the processes to curate, validate, and manage source content, so responses remained accurate, consistent, and aligned with Scouting America’s policies. Guardrails were implemented to control how information is used by the assistant, with a strong emphasis on privacy, safety, and youth protection. The team also led application quality and release readiness, including rigorous testing and a phased rollout approach to minimize risk at launch. This meant that Scoutly could handle production-scale usage from day one while maintaining a high standard of trust and performance.

Together, these elements established Scoutly not just as an AI assistant, but as a governed, production-grade digital service aligned with Scouting America’s broader strategy around enterprise architecture, data, and service design.

The quality and governance of source content were also critical to the solution’s performance. The content was carefully curated, controlled, and validated before being exposed to users, with safeguards designed to protect privacy and maintain response integrity.

Transforming the Scouting experience

The results exceeded expectations both quantitatively and qualitatively. During the pilot phase, Scouting America experienced a 45% spike in web traffic, demonstrating strong user engagement with the new platform. The agentic workflows successfully reduced the registration process from 25 minutes to just 5 minutes, dramatically improving the user experience.

Scoutly now has an average of 2,000 daily users and has successfully answered over 1.9 million questions from nearly 108,000 unique visitors. The platform has established itself as a widely used resource within the Scouting America community, handling substantial query volume while serving a large and diverse user base.

Scoutly provides live, natural conversational support in English, Spanish, Arabic, French, and additional languages, making Scouting more accessible to communities across America.

Additionally, some interesting and unexpected usage patterns emerged. Although it was originally designed primarily for registration assistance, Scoutly users regularly engage the platform for scouting knowledge, merit badge information, safety guidelines, and operational questions. Users range from youth asking about rank advancement and Eagle Scout requirements to adult volunteers seeking operational guidance for camping events, unit formation, and safety training requirements.

Key insights for nonprofit technology implementation

Mike Bullock, CIO of Scouting America, emphasized the importance of starting with a genuine organizational problem rather than seeking ways to implement AI technology for its own sake. Their approach of arriving at AI as a solution, rather than looking for AI applications, contributed significantly to the project’s success.

This problem-first methodology helped the technology truly serve the organization’s mission.

Supporting strategic transformation

Scoutly supports Scouting America’s strategic shift from systems-focused to service and customer experience-focused operations. The platform helps the 115-year-old organization remain relevant to today’s youth by providing familiar digital experiences comparable to modern platforms.

Most importantly, Scoutly is making it straightforward for purpose-driven youth to find their way into Scouting and stick with it. By removing usual hurdles and offering quick, helpful support, the platform helps prevent future Scouts or leaders from being left behind. This is more than just making registrations; it’s also about building the next generation of leaders ready to serve, grow, and make a difference in their communities.

To learn more about Scouting America and experience Scoutly, visit Scouting.org.

If you are feeling inspired by Scoutly, your nonprofit can harness the power of technology to accelerate your mission too. Learn more about the AWS Imagine Grant, a program designed to empower nonprofits to innovate and scale. Applications are open now through June 5, 2026.

How governments adopt the cloud for national security and defense in Asia-Pacific

Neil Beet — Wed, 13 May 2026 21:23:30 +0000

Governments in the Asia-Pacific region are modernizing their national security operations to maintain strategic advantage in an increasingly complex threat environment. Cloud adoption offers them unprecedented opportunities for innovation, operational effectiveness, and resilience.

As noted in the International Institute for Strategic Studies (IISS) paper, Cloud Adoption for National-security and Defence Purposes: Four Case Studies from the Asia-Pacific, which was supported by Amazon Web Services (AWS), decision advantage through data mastery is a compelling driver of cloud adoption.

Researchers from the IISS Cyber Power and Future Conflict program looked at approaches to cloud adoption by Japan, the Philippines, Singapore, and Thailand and considered implications and recommendations for other governments.

Why national security and defense agencies are embracing cloud technology

National security and defense (NS&D) organizations need to process vast quantities of data, integrate operations across multiple domains, and respond to rapidly evolving threats. Traditional IT infrastructure such as on-premises data centers struggle to elastically scale and integrate multidomain data at the pace required in today’s threat environment.

Modern defense operations generate enormous volumes of intelligence from satellites, sensors, communications intercepts, and open sources. Cloud technology can enable advanced threat detection by using artificial intelligence and machine learning (AI/ML) capabilities for signal prioritization and anomaly detection. It can also support controlled, policy-driven intelligence sharing between allied agencies.

Cloud architecture distributes data across multiple locations, reducing vulnerability to both physical attacks and cyber incidents while enabling distributed command and control capabilities. Cloud infrastructure and services are highly scalable and highly available, meaning government agencies can acquire, process, and analyze data at an unprecedented speed and scale.

The cloud is an on-demand service that provides dynamic scalability without requiring upfront capital expenditure on physical infrastructure. Agencies benefit from cloud providers like AWS investing in cloud security maintenance and emerging technologies like AI. Organizations responsible for national security and defense can instead focus their resources on mission objectives while relying on defense-in-depth security controls aligned to NS&D requirements.

Four national approaches to cloud adoption

The IISS paper describes how Japan, the Philippines, Singapore, and Thailand tailor cloud adoption to their unique security requirements and digital maturity:

Japan is modernizing its NS&D strategy with hybrid cloud environments, focusing on cross-domain integration and alliance interoperability.
The Philippines is in the early stages of cloud adoption across the government, aiming to enhance interservice coordination and secure cloud management through its Digital Transformation Strategy.
Singapore is developing a secure hybrid cloud solution for defense, linking military readiness with national resilience through its Smart Nation and Total Defence initiatives.
Thailand is modernizing its government digital infrastructure by using AWS for policing solutions while building internal governance capacity for sensitive data protection.

Strategic recommendations for NS&D leaders

The IISS report offers guidance for defense and national security leaders embarking on cloud adoption journeys:

Redefine sovereignty-assured governance with transparent control mechanisms rather than technological isolation. Experience demonstrates that cloud services can equip governments to maintain effective governance, security, and control over their critical and sensitive data. Governments can use global cloud providers while retaining full visibility and lawful control through technical and governance arrangements including data classification, encryption, and strong access controls. This calibrated approach allows for appropriate levels of protection for different data types. It balances sovereignty and resilience considerations, maximizing the benefits of commercial innovation and maintaining security for the most sensitive operations.
Build institutional maturity and domestic expertise. Technical solutions alone can’t bring about successful cloud adoption. Governments must develop the appropriate organizational depth, regulatory clarity, and technical capabilities. For example, they can establish dedicated and resourced cloud adoption teams to drive implementation. Investment in domestic technical expertise strengthens strategic autonomy and effective oversight.
Prioritize securely sharing data with allies. We recommend that cloud solutions are designed with international interoperability in mind, facilitating rapid data exchange with trusted partners. This capability has become essential for coalition operations and intelligence sharing. Joint approaches across security agencies can break down silos between military branches and intelligence organizations, creating more effective whole-of-government responses to threats.
Design for resilience and operational continuity. Cloud architecture must support operations continuing during crises, including potential relocation of critical data if necessary. Core security controls including encryption, multi-factor authentication (MFA), and zero trust principles serve as the security foundation for all systems, with specialized additional controls implemented based on data sensitivity and classification.

Access innovation and maintain control for national security

For NS&D leaders, cloud adoption is the way to maintain a strategic advantage in an increasingly contested global information environment. Success requires using global expertise and technical capabilities, engineering resilience, and boosting domestic institutional capacity. Governments that master this balance are positioned to protect their citizens and interests in the digital age.

To learn about how AWS helps global national and security organizations deliver mission-driven solutions, connect with our global public sector team today.

University-cloud collaboration in action: Columbia University students transform ideas into AWS powered startups

Ayush Tripathi — Wed, 13 May 2026 19:31:51 +0000

The Columbia X Amazon Bedrock Innovation Challenge brought together 173 students to develop innovative solutions using Amazon Bedrock generative AI and agentic capabilities. On November 7, 2025, 47 teams created prototype applications that used foundation models (FMs) to address real-world challenges across five critical industries: Financial Services, Technology & Software, Media & Entertainment, Healthcare & Life Sciences, and Retail & Consumer Goods. To help teams could build sophisticated solutions in this compressed timeframe, we structured the challenge around six strategic tracks: Intelligent Document Processing, Conversational AI Applications, AI-Powered Content Generation, Retrieval Augmented Generation (RAG), Agentic AI, and an Open Innovation Track for boundary-pushing ideas.

In this post, we share the winning projects, lessons learned, and how the experience continues to shape participants’ cloud careers.

The challenge: Empowering the next generation of AI builders

The hackathon was designed to provide hands-on experience with Amazon Bedrock, a fully managed service on Amazon Web Services (AWS) for building generative AI applications. Students learned to work with FMs, create AI agents using Amazon Bedrock AgentCore, and integrate various AWS services to build production-ready prototypes. The challenge emphasized not just technical implementation, but also practical business applications and user-centered design. Beyond the technical challenge, the event connected students with AWS professionals across a range of roles, from Solutions Architects to Customer Solutions Managers, giving them a window into diverse career paths in cloud technology. AWS awarded $5,000 in AWS credits to each of the three winning teams, supporting them in their journey to experiment with the AWS environment and kickstart their startup ideas.

AWS provided support throughout the event, including:

Technical mentorship from AWS Solutions Architects, Customer Solutions Managers, and Software Development Engineers
Hands-on workshops covering Amazon Bedrock capabilities and best practices
Pre-hackathon office hours for troubleshooting and account setup
Access to AWS services and resources for rapid prototyping
Guidance on building secure, scalable, and efficient AI applications

Innovative solutions from student teams

Judges selected three winning projects based on effective use of Amazon Bedrock and its FMs, solution architecture quality and scalability, technical complexity and completeness of implementation, business impact and market viability, and user experience and deployment readiness.

MyCFO.ai

MyCFO.ai is an agentic AI orchestration system that acts like a CFO to analyze, optimize, and predict business finances in real time. It solves the problem of manual financial analysis by using a multi-agent system (supervisor and specialized collaborator agents) that processes raw financial data and compliance documents to automatically generate structured insights and real-time visualizations. Key technical features include Amazon Bedrock multi-agent orchestration, Amazon API Gateway for secure request routing, AWS Lambda for backend logic, and a knowledge base with Amazon Simple Storage Service (Amazon S3) for storing company documents and financial data.

Figure 1: MyCFO.ai team: Ritvik Sharma, Aditya Unnikrishnan, Sahethi Depuru Guru, Tejal Bedmutha

ROBIN AI

Robin AI is an AI-powered platform developed by Columbia Engineering students that democratizes quantitative trading by automating the translation of financial research into executable trading strategies. Built on Amazon Bedrock with RAG technology (Amazon Titan and Anthropic’s Claude), it features a conversational interface requiring zero coding skills, modular architecture supporting multiple asset classes (equities, crypto, futures), and automated backtesting with verifiable citations. The platform addresses the $50 billion quant research market by reducing strategy development time from weeks to minutes, helping smaller hedge funds and retail investors compete with institutional players while maintaining cost-effectiveness through serverless, pay-as-you-go pricing.

Figure 2: ROBIN AI team: Amine Roudani, Martina Paez Berru, Alessandro Massaad

PosturePal

PosturePal is an AI-powered posture monitoring system that combines hardware and software components. The solution features a smart chair equipped with four pressure sensors and an IMU sensor that detects user posture in real time. Raw sensor data is transmitted to API Gateway, processed through Lambda functions, and stored as events in Amazon DynamoDB. The system integrates with Amazon Bedrock to provide ergonomic feedback and enable conversational interactions about posture patterns throughout the day.

Figure 3: PosturePal team: Sahasra Kokkula, James Zhang, Meona Khetrapal, Anh Lam

More than just a hackathon

Although the hackathon competition was the centerpiece of the event, participants also benefited from a rich array of professional development opportunities:

AWS Career Panel with Angela Helfrich (Principal Sales Executive), Freeda Johnson (Customer Solutions Manager), Gary Lu (Data Scientist), David Ding (Customer Solutions Manager), and Alexa Perlov (AI Engineer)
Columbia Engineering Alumni Panel with Professor Hsing-Hsing Li
Builder Studio Tours with Danny Mason, Chris Cassin, and Julia Defilipis
Networking Happy Hour with Columbia Alumni

Impact and next steps

Three months after the Columbia X Amazon Bedrock Innovation Challenge, we reconnected with the winning teams to understand the lasting impact of the hackathon.

Q: How have you been using your $5,000 AWS credits since the hackathon?

“I plan to continue building the project and play around with the other services.”

“Utilized the credits for coursework and other projects … also was interested in potentially pursuing the project as a startup opportunity.”

Q: What did you appreciate most about the hackathon experience?

“Technical support. They were able to understand our requirements and what we might want. As participants, we are still in our learning phases, and we won’t be able to communicate issues as well, but the technical support was able to understand what we were saying.”

“The judgment panel was good … they asked decent follow-up questions. That is sometimes missing in hackathons. Sometimes judges just walk around and then choose the winner they feel like, but they were very involved and gave good feedback.”

“They gave us a lot of freedom to build anything. We were not given too many constraints.”

Looking ahead, AWS is committed to expanding relationships with Columbia University and other academic institutions across the country. As Professor Li from Columbia University noted, “The hackathon allowed students to collaborate in an interdisciplinary manner and it was exciting to see the ideas they came up with. The Engineering Alumni Panel gave students, alumni, and the AWS team an opportunity to interact, network, and discuss future collaborations.”

She also highlighted that “It was fantastic that AWS team members, who are also Columbia alumni, got so involved. It showcased how our communities come full circle to support each other.”

We plan to host additional innovation challenges that provide students with hands-on experience using cutting-edge AWS technologies while creating meaningful connections between academia and industry. For the winning teams, we’re excited to offer continued mentorship opportunities and technical guidance as they transform their prototypes into viable startups. These university collaborations represent a strategic investment in developing the next generation of cloud innovators who will shape the future of technology.

Conclusion

AWS is deeply invested in helping develop the next generation of cloud innovators through hands-on learning experiences with cutting-edge technologies. Are you interested in establishing similar collaborations with your university? For future hackathons with AWS, fill out our interest form to explore how we can work together to create innovative learning experiences for your students.

Learn more

AWS Health Equity Initiative accelerates modern public health access with SmartTracker

Dr. Dawn Heisey-Grove — Tue, 12 May 2026 14:44:25 +0000

Jose Dueñas grew up in South Florida, the son of migrant working parents who knew what it meant to navigate a health system that wasn’t built for families like theirs. Long waits, language barriers, stacks of disconnected paperwork, and missed appointments because reaching the clinic was too difficult were regular features of his childhood experience with the healthcare system. Challenges like these can often determine whether a family ends up in crisis or gets the help they need in time.

After 16 years as a technology architect redesigning large-scale health and human services electronic health record (EHR) systems, Dueñas recognized that many of these barriers were baked into the technology. Public health departments across the United States were working to protect vulnerable populations from disease outbreaks while relying on fragmented legacy systems that weren’t designed for the speed and complexity the modern public health environment demands. Paper-based intake, manual referral processes, and disconnected data silos trapped critical health information in systems that couldn’t communicate with one another.

The COVID-19 pandemic exposed these gaps at an unprecedented scale. Spreadsheets and standalone databases buckled under the simultaneous demands of patient registration, vaccine tracking, and real-time reporting, making it clear that incremental fixes weren’t sufficient. Addressing the crisis required modern cloud infrastructure, purpose-built software, and the institutional commitment to match.

Dueñas founded SmartTracker to meet that need. It’s a modern, cost-effective solution designed specifically for public sector health organizations operating with limited budgets and small teams. Built entirely on Amazon Web Services (AWS), Dueñas created SmartTracker for departments that serve communities like the one he grew up in.

In 2025, AWS recognized the importance of that mission by selecting SmartTracker for the AWS Health Equity Initiative, a commitment to supporting organizations developing solutions to advance health equity worldwide.

From emergency response to everyday operations

SmartTracker is a Health Insurance Portability and Accountability Act (HIPAA)-compliant health and human services solution that unifies real-time disease surveillance, outbreak detection, case management, vaccine tracking, and contact tracing in a single system. With SmartTracker, health departments can track, report, and share data across their entire operation without the manual handoffs and siloed workflows that slow traditional systems down.

SmartTracker’s impact is most visible in how quickly public health organizations can respond when conditions change. The Kansas City Health Department (KCHD), which serves more than 500,000 residents, is one of the company’s most compelling proof points. When Mpox emerged as a public health concern, KCHD used SmartTracker to configure vaccine events within days, including patient self-registration, electronic consents, and automated appointment reminders.

When KCHD needed Ebola monitoring, SmartTracker deployed a tracking system in 7 days. When measles resurfaced nationally, KCHD was already prepared, running outbreak detection, case management, and communicable disease tracking on the same solution that had powered their COVID-19 and Mpox responses.

“SmartTracker is an excellent tool for public health emergency preparedness,” says Tobias Liu, administrative officer of communicable disease and public health preparedness at KHCD. “By deploying SmartTracker for our COVID vaccine rollout, we were able to register patients, complete screenings, and schedule appointments without the need for dedicated staff support. During our Mpox response, we expanded the functionality to allow for symptom tracking and case management by our epidemiologists.”

The same solution supports daily operations across the full spectrum of public health services, from clinic scheduling with patient self-service and program management to vaccine and supply inventory, billing and reimbursement, and automated email and SMS outreach powered by Amazon Simple Email Service (Amazon SES) and AWS End User Messaging, which are configurable to meet state and federal reporting requirements. Every form and communication automatically converts to the patient’s preferred language at registration.

That flexibility extends to implementation. When The SPOT, a youth-centered health clinic operated by the Washington University School of Medicine in St. Louis, urgently needed a modern EHR system with specialized workflows and sufficient administrative capacity, SmartTracker delivered a fully customized deployment in 90 days. An intelligent self-scheduling engine guides patients through a brief intake before booking, automatically routing them to the correct service and collecting all required consents and documentation electronically.

“On day one, it was amazing to watch the schedule fill up without the phones ringing,” says Allison Phad, coordinator of quality improvement at The SPOT. “The SmartTracker team answered every question and resolved every issue during go-live. We couldn’t have done it without them.”

Recognized by AWS, certified for the future

The collaboration between SmartTracker and AWS extends beyond credentials. Powered by AWS through cloud computing credits, architectural guidance, and hands-on technical expertise, SmartTracker has the infrastructure and insight to build what public health departments actually need faster and at greater scale than would otherwise be possible.

That support is powering the development of SmartTalk, a telehealth tool to deliver more secure video consultations, encrypted video storage, and medication administration tracking. Amazon Transcribe handles automated transcription, and Amazon Bedrock generates clinical insights from patient interactions. Together, these capabilities address the gaps in access, documentation, and treatment compliance that can arise when serving rural and low-income populations.

SmartTracker has also achieved the Office of the National Coordinator (ONC) for Health Information Technology Certification of Health in IT, meeting the critical federal compliance standards for interoperability with healthcare providers and state registries. This positions SmartTracker to deliver direct registry connections for real-time public health reporting and transition care across providers.

Infrastructure as a mission

Dueñas set out to build something the market hadn’t prioritized: modern, cost-effective technology built for the public health organizations that serve overlooked communities. SmartTracker is the result of that commitment, shaped as much by his personal experience as his technical expertise.

AWS has been central to building that vision. Cloud computing credits removed the financial barriers that have historically kept enterprise-grade infrastructure out of reach for public sector organizations. Architectural guidance and hands-on technical expertise have accelerated development at every stage, from the core solution to SmartTalk. With AWS, SmartTracker has the building blocks to deliver capabilities that would otherwise require resources beyond what a mission-driven startup could sustain.

“We’re not trying to replace the systems built for large hospital networks,” Dueñas says. “We’re trying to make sure that a county health department with a fraction of the budget can still protect its community with modern, real-time technology. That’s the mission.”

For public health organizations looking to modernize their operations and expand access to care, SmartTracker demonstrates what becomes possible when mission-driven software is built on AWS.

Learn more how AWS supports health equity innovation.

Transforming federal IT with Datadog’s FedRAMP Class D (High) solution

Gina McFarland — Tue, 12 May 2026 14:15:30 +0000

Federal agencies are modernizing their digital services to better support citizens, improve reliability, and meet cybersecurity requirements. This involves upgrading legacy applications, implementing zero-trust architectures, accelerating cloud adoption, and maintaining compliance with frameworks such as the Federal Risk and Authorization Management Program (FedRAMP).

Datadog, an Advanced Technology Partner in the Amazon Web Services (AWS) Partner Network, provides AI-powered observability and security. With AWS Competencies that validate their expertise in 11 categories, Datadog provides comprehensive visibility across hybrid and multicloud environments. Agencies can use this solution to understand and secure their full technology footprint.

Modernization requires visibility across evolving infrastructure—from legacy systems to cloud-based services. Agencies must monitor application performance, validate security controls, track resource utilization, and identify risks across distributed systems. Unified observability helps teams to make faster, more informed decisions and maintain a consistent security posture.

In this post, we explore how federal agencies can accelerate modernization, improve cybersecurity incident response, and support continuous compliance monitoring using Datadog’s FedRAMP Certified – Class D (High) observability and security platform.

Meeting federal agency needs with Datadog’s FedRAMP Class D (High) platform

With Datadog’s FedRAMP Class D (High) certification, federal agencies can use Datadog solutions to bring sensitive, mission-critical workloads into a unified, secure observability platform. IT, DevOps, and security teams gain real-time visibility across their full infrastructure. Teams can detect issues faster, improve reliability for citizen-facing applications, and align modernization efforts with federal security standards.

Datadog supports key agency requirements through enhanced visibility, integrated security operations, and modernization-focused capabilities.

Datadog provides comprehensive infrastructure visibility through:

Unified monitoring across on-premises, hybrid, and multicloud environments
High-resolution metrics, logs, and traces
Automated service discovery and dependency mapping for hosts, containers, and services
Correlated telemetry to accelerate root-cause analysis and reduce mean time to resolution

With Datadog, agencies can enhance their security operations and compliance monitoring with:

Cloud Security Information and Event Management (SIEM) for real-time threat detection and investigation across AWS, on-premises, and containerized workloads
Built-in FedRAMP Class D (High) dashboards for monitoring NIST 800-53 controls
Integrations with AWS Config, AWS CloudTrail, and AWS Security Hub
Continuous audit trail collection for accountability and traceability
Unified interface for operational, security, and compliance signals to reduce alert fatigue

Datadog helps agencies accelerate modernization initiatives by offering:

Application Performance Monitoring (APM) and distributed tracing for microservices, APIs, and serverless workloads
Deep visibility into containerized and Kubernetes environments
Built-in integrations with 100+ AWS services including Amazon Elastic Compute Cloud (Amazon EC2), Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Kubernetes Service (Amazon EKS), AWS Lambda, and Amazon CloudWatch
Service-level objectives (SLOs) and performance baselines to guide modernization decisions

These features help agencies accelerate modernization, validate controls, and maintain audit readiness while navigating evolving requirements. The following screenshot shows the Datadog Cloud Security dashboard tracking NIST 800-53 compliance.

Figure 1: Datadog Cloud Security dashboard

AI-driven insights for federal modernization

Datadog applies AI-driven analytics, such as Watchdog anomaly detection, to help teams identify issues earlier. Watchdog automatically flags outliers in metrics, logs, and traces, highlighting unusual patterns that can indicate performance or security risks. It correlates signals across services to accelerate root-cause analysis. These insights help agencies maintain resilient operations for mission-critical workloads.

Reference architecture: AWS and Datadog integration for federal workloads

Federal agencies modernizing on AWS require consistent visibility across cloud and hybrid environments. Datadog provides cross-platform observability that unifies these environments in a secure interface.

A key component of the reference architecture is the Datadog Agent, deployable through AWS CloudFormation templates or AWS Systems Manager. Agencies can use these options to manage the agent securely and at scale across multiple AWS accounts and Regions. The agent collects detailed metrics, logs, and traces from AWS services, offering comprehensive insight into cloud infrastructure performance. The following diagram shows the solution architecture.

Figure 2: Datadog for Government integration with AWS Cloud and customer data center environments

Datadog’s own FedRAMP journey provides a repeatable model for federal agencies. Datadog’s blog post, How We Use Datadog to Further Our FedRAMP® Compliance, outlines best practices—including standardized tagging, centralized telemetry pipelines, and automated monitoring of control families—that agencies can adapt to strengthen their own compliance operations.

To meet FedRAMP’s logging and auditing requirements, Datadog integrates with Amazon CloudWatch Logs. This centralized log ingestion helps agencies satisfy controls such as AU-2: Audit Events. Tagging strategies can enhance reporting, filtering, and compliance monitoring. The following screenshot shows the Datadog Log Explorer dashboard, integrated with CloudWatch Logs.

Figure 3: Datadog integrates seamlessly with CloudWatch Logs

The following screenshot is the Datadog Log Explorer dashboard showing real-time monitoring and log analysis capabilities, with built-in search and filtering for compliance monitoring.

Figure 4: Datadog’s Log Explorer

Datadog’s Cloud SIEM adds real-time threat detection across AWS services, supporting controls such as SI-4: Information System Monitoring. Agencies can create custom rules aligned to FedRAMP-mandated event types and integrate automated alerts with internal incident response workflows. Datadog’s Audit Trail captures platform activity to support accountability and auditing processes.

Visit the AWS FedRAMP page to learn more about the comprehensive requirements to achieve FedRAMP compliance.

The evolution of federal cloud security: FedRAMP 20x and beyond

Federal cloud security is shifting toward automation and continuous validation through the FedRAMP 20x initiative. FedRAMP 20x introduces five major changes:

Automated validation – Aiming for 80% automation of security requirement validation
Industry alignment – Commercial frameworks to streamline assessments
Continuous monitoring – Replacing periodic checks with continuous validation
Direct agency relationships – Strengthening collaboration for improved outcomes
Innovation acceleration – Streamlined certification for new services through continuous validation

Datadog supports these goals through automated controls monitoring, integrations with commercial frameworks, and built-in continuous validation capabilities. This automation-first approach helps agencies to focus on mission impact while sustaining strong security.

USDA DISC: FedRAMP-compliant monitoring implementation

When the U.S. Department of Agriculture (USDA) Digital Infrastructure Services Center (DISC) needed to modernize monitoring and comply with the Executive Order to Improve Cybersecurity, it partnered with ECCO Select to implement Datadog’s observability platform.

As a federated data center serving 14 departments and bureaus, DISC required a secure, compliant solution capable of supporting a complex hybrid environment. In only 75 days, the team deployed monitoring across thousands of hosts and containers—achieving 95% coverage across cloud and on-premises systems. The implementation included transitioning more than 1,000 monitoring templates while maintaining operational continuity.

The impact was clear. As Chris Condon, Director of Enterprise Observability at ECCO Select, explains,

“We now have a comprehensive solution that not only speeds up root-cause analysis when there’s an issue but continuously provides the visibility we need to keep our systems secure and resilient.”

DISC’s experience demonstrates how federal agencies can meet rigorous security requirements while accelerating modernization with FedRAMP-compliant observability.

Transform your agency’s observability and security posture today

Federal agencies can modernize efficiently with Datadog’s FedRAMP Certified – Class D (High) platform. Visit Datadog for Government in AWS Marketplace to begin a trial or connect with Datadog’s federal team to strengthen operational resilience, improve security visibility, and support mission-critical workloads.

Learn more

Datadog solutions in AWS Marketplace
Why FedRAMP High Observability Matters for Government IT Teams
Datadog for Government
AWS integration guides in Datadog documentation

A governance framework for nonprofit agentic AI on AWS

Mike George — Mon, 11 May 2026 18:13:54 +0000

Every business leader is being asked to do more with less, and agentic AI promises to help organizations be more productive without requiring additional staff. However, nonprofit organizations face a unique set of challenges, such as high volunteer and staff turnover, board accountability, and compliance and reporting requirements. Accountability and trust problems arise when agents run under uncontrolled accounts, an agent’s decision or action can’t be explained, or an organization is unable to demonstrate that sensitive data was handled appropriately. In this post, I outline a governance framework that addresses these problems through features of Amazon Bedrock AgentCore. By following the practices outlined here, you can gain confidence to run your agentic AI workloads in highly demanding situations.

Overview

Governance frameworks for agentic AI exist, but many of those tend to be burdensome to implement, and many don’t tie governance directly to the technology being used. The framework I’ll introduce aligns governance concerns directly with the technology used to solve the concern.

At its core, governing agentic AI really comes down to four questions you, your leadership, or your board will want to understand:

What is the agent allowed to do?
When an agent runs, who is it acting for?
What did the agent do?
What happens when the agent gets something wrong?

These are questions that leadership or the board might ask after an agent sends an unintended donor communication, a large donor requests an audit, or you notice that an agent used the access credentials of a former volunteer that hadn’t been revoked.

Being able to answer these questions builds trust in agentic AI and your team’s ability to manage it within the organization. This trust framework consists of four pillars that directly map to a capability in Amazon Bedrock AgentCore:

Boundaries – This is what agents can and can’t do, and an agent is denied when it attempts to perform an unallowed action.
Identity – Agents are designed to act on behalf of an authorized person. When the individual is no longer with the organization, their access must also automatically expire.
Visibility – Maintaining a trail of the actions the agent takes is essential.
Evaluation – When an agent behaves unexpectedly, you should be able to detect it, stop it (through alerting), and be able to explain it.

The order here is important. You create boundaries to define what an agent can and can’t do before you identify who can authorize it to do those things. Identity must be defined before visibility so you can record the actions initiated by the authorized user. Finally, visibility happens before evaluation because you can’t respond to events that you’re unable to see. Together these pillars can give you and your leadership confidence in moving from a generative AI prototype to production.

The following graphic illustrates these four pillars and the order they should be enacted.

Figure 1: Agentic AI trust framework

Pillar 1: Boundaries

Most agentic system failures aren’t caused by models doing unpredictable things. Rather, they’re often due to agents doing exactly what they were told to do, but in contexts or with data that was unexpected. For example, a donor outreach agent might work perfectly fine for a list of 50 lapsed donors but might do something unexpected when it’s run against the full member database.

These sorts of problems can be solved by Policy in Amazon Bedrock AgentCore. You can use policies to define what an agent can and can’t do in natural language. The natural language boundary is converted into Cedar, an open source policy language from Amazon Web Services (AWS) for fine-grained permissions. As an example, you might write a boundary statement such as: “This agent may draft donor communications but may not send to more than 100 recipients.” This natural language boundary is converted into a Cedar policy that is validated against your gateway’s Model Context Protocol (MCP) tool schema, enabling the policy to map to actual tool parameters and actions.

Policy integrates with Amazon Bedrock AgentCore Gateway, which is a straightforward and secure way for developers to build, deploy, discover, and connect tools at scale. Whenever a tool is called through AgentCore Gateway, the policy is evaluated in real time. This prevents the agent from exceeding its authorized scope regardless of how it was invoked or what it was asked to do. Policies follow the basic pattern of who (which users or roles can perform the action), what (which operations or tools can they use), and when (under what conditions or constraints). You can configure enforcement mode to one of the following:

LOG_ONLY – Where the policy engine logs whether the action would be allowed or denied without enforcing the decision. This is a great option to track what would happen if you’re not ready to block actions.
ENFORCE – Where the policy engine evaluates the action and enforces the decision by denying agent operations.

The “who” in this pattern is where the policy connects to identity, which is pillar 2. Policies can be scoped to specific identities or roles, so a board treasurer’s agent might have broader access to financial tools than a volunteer’s agent.

You can also use Amazon Bedrock Guardrails to filter harmful user inputs and toxic model responses. For example, you might want your agent to redact personally identifiable information (PII) from the large language model (LLM) output to protect the privacy of your users or members. You can use a guardrail with the Amazon Bedrock Converse API or the ApplyGuardrail API.

Pillar 2: Identity

Through inconsistent identity management, you could end up in a situation where a volunteer is granted access to the donor customer relationship management (CRM) tool to help with a campaign. They leave the organization and a month later someone discovers that a caller that was provisioned during the campaign is still accessing the CRM agent with the volunteer’s old credentials. Without identity governance, this is a problem that unfortunately many nonprofits experience.

Amazon Bedrock AgentCore Identity uses OAuth-based authorization so agents are designed to act on behalf of a specific, verified identity. That identity can be scoped, audited, and revoked. Nonprofit organizations can use enterprise identity providers such as Okta, Microsoft Entra, and many others. Organizations without an enterprise identity provider can use Amazon Cognito. When someone leaves the organization, disabling their identity will automatically disable any agent’s authorization to act on their behalf.

With AgentCore Identity, you can control both inbound authentication and outbound authentication. With inbound authentication, a nonprofit organization can provide callers with the right access to an agent, tool, runtime, or gateway. With outbound authentication, organizations can use an API key or OAuth to allow agent, tool, or gateway access to downstream resources, such as third-party systems.

Pillar 3: Visibility

To have trust in your AI systems, you need to know what an agent did at each step of its invocation. Amazon Bedrock AgentCore Observability helps you trace, debug, and monitor agent performance across each step of the agent workflow.

AgentCore services automatically emit a set of metrics for agents, gateway resources, and memory resources. You can enable log data and spans for memory resources, and you can instrument your custom agents to provide custom trace data. With this observability data, you can troubleshoot performance problems, validate agent tool selection, and identify hard-to-reproduce issues. For example, when a board member asks what the agent did with donor data on a specific date, you can trace the exact sequence of tool calls, inputs, and outputs to provide a complete answer.

Pillar 4: Evaluation

A fundamental feature of agentic systems is that they’re nondeterministic. This property can be frustrating because it can lead to inconsistent results, but nondeterminism is the fundamental property that makes agentic AI useful. Consider a situation where an agent is generating outreach messages to members that are tonally off and inconsistent with the organization’s voice. It’s important to be able to detect that this is happening.

Amazon Bedrock AgentCore Evaluations provides automated assessment tools to measure how well your agents are performing their tasks. AgentCore Evaluations uses LLM-as-a-judge or code-based evaluators to determine how your agentic workload is performing. AgentCore Evaluations generates a series of evaluation metrics such as Goal success rate, Harmfulness, and Stereotyping. These metrics are created as Amazon CloudWatch metrics that you can monitor and alert on like any other metric.

For example, if the agent’s harmfulness evaluator average (whether the agent’s response includes potentially harmful content, such as insults or hate speech) falls below 1 (meaning the content is harmful), you can alert on the metric and take action to disable the agent while you investigate. Nonprofit organizations can use this approach to quickly respond to events and have confidence in the output of their agents.

Conclusion

Amazon Bedrock AgentCore provides the technology that supports the four pillars of this framework. It places boundaries on what your agents can do, helps verify that your agents are authorized to do what they’re asked to do, provides visibility into their actions, and gives you the tools to set alerts for when something unexpected happens.

Two common concerns I hear about generative AI applications are:

How do we get started?
How do we build the experience to run generative AI workloads in production?

Both concerns are addressed by starting small. When building an AI agent, a best practice is to start with something that is internal facing. Start with something that is low risk but provides value.

At Amazon, we like to say that there is no compression algorithm for experience. By starting with a small, low-risk application, teams can gain operational experience running agentic AI workloads while keeping the risk low. As an example, an organization might deploy an internal knowledge base agent.

When you have one workflow operating under the full framework outlined, expand your efforts to other higher-stakes workflows that generate value. At this point, you understand the framework, so your work shifts from a governance problem to following the same pattern you’ve already established. The framework I outline in this post can be incorporated into the regular work of an organization’s Cloud Center of Excellence (CCoE).

The Amazon Bedrock AgentCore services I talked about in this post are charged based on how much you use. For complete details, refer to the Amazon Bedrock AgentCore Pricing page.

As a next step, get started by adding Amazon Bedrock AgentCore features to your agentic workloads. Depending on your use case, review the AgentCore code examples, which provide a deeper dive into the concepts I outlined here.

Stakeholder management for mission-critical cloud migrations: Lessons from the public sector

Mark Scutch — Wed, 06 May 2026 22:40:02 +0000

When public sector organizations embark on large-scale migration and modernization efforts, particularly those involving regulated workloads, multiple organizational entities, and implementation teams, one of the primary determinants of success is stakeholder management. Stakeholders are individuals and teams who have a vested interest in the success of the migration. These stakeholders include executive sponsors, technical teams, contracted organizations, compliance officers, and end users who will ultimately interact with the modernized system. Mission-critical systems directly impact essential operations. If these systems fail or experience downtime, they can disrupt critical services, affect end users and the population they serve, or create operational or financial consequences. Public sector organizations have been migrating their mission-critical systems to Amazon Web Services (AWS), spanning multiple government entities, system integrators, independent software vendors (ISVs), and AWS teams. Although these migrations ultimately delivered improved scalability, resiliency, and operational efficiency, the most impactful lessons emerged from how stakeholders were aligned, governed, and engaged throughout the journey.

According to Accelerating your return on cloud investment in AWS Prescriptive Guidance, the stakes of getting stakeholder management right are high. Research cited by AWS shows that 88% of cloud transformations that don’t prioritize culture-centric changes fail to result in sustained performance gains after 3 years, underscoring why structured stakeholder engagement isn’t a soft skill but a mission-critical discipline.

For organizations preparing for a similar mission-critical migration or modernization, the following stakeholder management principles can significantly reduce risk and improve outcomes.

Establish stakeholder alignment before finalizing architecture

Early stakeholder alignment sets the foundation for delivery success. In complex environments, ambiguity around ownership and decision rights can quickly create downstream delays, even when technical plans are sound. Although speed matters in cloud migrations, rushing architectural decisions without stakeholder alignment often creates costly delays later. The key is establishing rapid decision-making processes up front so that collaboration accelerates rather than impedes progress.

In practice, “early” means during the initial planning phase (typically the first 30–60 days of the program), before architectural decisions are locked in and before migration waves begin. This is when you’re still defining the scope, identifying workloads, and establishing governance structures. Prioritize early agreement on:

Clear ownership models across agencies, service providers, and vendors
Decision-making authority and escalation paths
Shared success criteria for each phase of the migration lifecycle

Aligning stakeholders early grounds architectural decisions, timelines, and operating models in a common understanding of responsibilities and outcomes.

Implement a governance cadence that matches system criticality

Governance refers to the structured decision-making framework that defines who makes decisions, how issues are escalated, and how progress is tracked and reported throughout the project effort. Mission-critical workloads require governance structures that are both rigorous and efficient. Lightweight governance models often fail to surface risks quickly enough in complex, multi-stakeholder environments.

For mission-critical systems, those that directly impact citizen services, involve regulated data, or have significant operational dependencies, effective governance typically includes the following elements:

Weekly operational forums focused on cross-team blockers and dependencies
Biweekly executive sponsor reviews to drive decisions and manage risk
Defined escalation mechanisms for issues requiring immediate resolution

For less critical systems—those with lower operational impact or simpler technical requirements—governance can be lighter weight with biweekly operational check-ins and monthly executive reviews.

Structured governance cadences meaningfully accelerate decision-making, with organizations reporting that regular operational forums help surface and resolve blockers significantly faster than improvised approaches.

This layered governance approach creates alignment at both the delivery and leadership levels while maintaining momentum.

Continuously evaluate stakeholder delivery capability

Stakeholder readiness directly impacts migration execution quality and timeline predictability. In complex environments involving multiple system integrators, ISVs, and internal teams, capability gaps, or unclear responsibilities can introduce delivery risk. Organizations should continuously evaluate the delivery capability of stakeholders throughout the migration lifecycle.

Assessment should focus on both technical capability and operational readiness, including:

Cloud platform expertise aligned to the target architecture and services
Regulatory and compliance experience relevant to the workload or industry
Organizational readiness for post-migration operations, support, and optimization
Technical certifications and cloud delivery experience across participating teams

In migrations involving multiple implementation teams, delivery success also depends on effective coordination across organizations. Even experienced teams can introduce risk if communication channels, escalation paths, or ownership boundaries are unclear. Establishing clear governance structures—such as defined escalation paths, communication cadences, and delivery responsibilities—helps confirm that issues are identified early and resolved quickly.

Conducting these assessments during the planning phase helps organizations identify capability gaps and coordination risks before execution begins. By validating both stakeholder capability and collaboration readiness, organizations can reduce the likelihood of delays and quality issues during critical migration phases while improving overall delivery predictability.

Design for evolving requirements and regulatory complexity

In regulated environments, requirements frequently evolve as security reviews, compliance audits, and operational validations progress. Treating requirements as static introduces schedule and cost risk.

Planning for regulatory complexity means:

Establishing formal technical change control processes with clear impact assessment procedures
Building buffer time into schedules for compliance reviews and security validations
Engaging compliance and security teams early in the architecture design phase
Maintaining transparency on timeline, cost, and scope tradeoffs with all stakeholders
Creating a risk register that tracks regulatory dependencies and mitigation strategies

Organizations with formal change control processes are better equipped to avoid schedule disruptions and cost overruns by surfacing potential issues early, before they escalate into delivery risks.

Being proactive about stakeholder engagement means teams can adapt without destabilizing delivery. When technical changes affect critical milestones, executive stakeholders should be engaged immediately to make informed decisions about tradeoffs.

Maintain consistent executive engagement throughout the lifecycle

Executive engagement is not a periodic checkpoint, but rather a core control mechanism in complex migrations. Consistent leadership involvement accelerates decision-making, resolves ownership disputes, and reinforces priorities across organizations.

Executive engagement requires active participation from the most senior leader accountable for the migration’s success. This leader is typically a chief information officer (CIO), chief technical officer (CTO), or agency director. This leader should have the authority to make final decisions, allocate resources, and resolve cross-organizational conflicts.

To apply this to your organization, you need to identify who has ultimate accountability for the migration’s success. Make sure this person is visible in governance forums, receives regular status updates, and is available for rapid decision-making when critical issues arise.

Successful programs require executive sponsors to:

Demonstrate visible commitment that reinforces priorities across delivery teams
Actively participate in governance forums (at least monthly)
Resolve cross-organizational conflicts quickly
Support timely decisions when constraints compete

In multiagency environments, executive sponsors serve as the ultimate decision authority and beacon for organizational alignment.

Use AWS as a stakeholder orchestrator

Beyond infrastructure and services, AWS can play a critical role in convening stakeholders across customers, supporting organizations, and vendors. In complex migrations, this orchestration capability helps maintain alignment and momentum.

Organizations can benefit by:

Using AWS to reinforce a unified “one team” delivery model
Engaging AWS security, compliance, and assurance teams early
Using structured support for cutover and go-live planning

This collaborative approach helps customers navigate complexity while reducing operational and compliance risk.

Stakeholder engagement self-assessment

Before beginning your migration journey, it’s essential to evaluate your organization’s stakeholder management maturity across dimensions that directly correlate with migration success. A self-assessment provides a brief structured framework to identify strengths and gaps in your current approach. You can then proactively address weaknesses before they become blockers during active migration work.

Prioritize addressing the most critical gaps, starting with executive sponsorship and stakeholder alignment because these foundational elements enable progress in other areas.

The AWS Cloud Adoption Framework (AWS CAF) provides additional guidance on organizational readiness and stakeholder engagement strategies that can help you develop comprehensive improvement plans across the People, Governance, and Business perspectives.

Use this quick assessment to evaluate your migration’s stakeholder management maturity:

Executive sponsorship: Do you have an identified executive sponsor who actively participates in governance and can make final decisions?
☐ Effective ☐ Needs improvement ☐ Does not exist

Implementor readiness: Have you formally assessed solution provider and contractor cloud capabilities and organizational change management readiness?
☐ Effective ☐ Needs improvement ☐ Does not exist

Governance structure: Do you have regular operational and executive forums with clear escalation paths?
☐ Effective ☐ Needs improvement ☐ Does not exist

Stakeholder alignment: Have all parties agreed on ownership, decision rights, and success criteria?
☐ Effective ☐ Needs improvement ☐ Does not exist

Change management: Do you have processes to handle evolving requirements and regulatory complexity?
☐ Effective ☐ Needs improvement ☐ Does not exist

If you answered “Needs improvement” or “Does not exist ” to any question, prioritize addressing that area before beginning active migration work.

Use Amazon Quick or Amazon Bedrock to generate a comprehensive assessment
AI-powered tools can dramatically accelerate your migration readiness evaluation, transforming what traditionally takes weeks of manual analysis into a comprehensive assessment generated in minutes. By using Amazon Quick or Amazon Bedrock, organizations can quickly evaluate their stakeholder management maturity, identify gaps, and receive actionable recommendations tailored to their specific context.

Use the following prompt to generate a customized readiness assessment:

I am the [CIO/CTO/CISO] of [Organization Name], and we are planning a mission-critical
cloud [migration/modernization] involving [X] applications, [Y] servers, and multiple stakeholder groups
including [list: agencies, contractors, vendors, internal teams]. This migration will impact
[describe scope: regulated workloads, citizen services, business operations].

Please conduct a comprehensive stakeholder management and migration readiness assessment
that evaluates our organization across the following dimensions:

1. EXECUTIVE SPONSORSHIP & GOVERNANCE
   - Identify our executive sponsor and assess their level of engagement
   - Evaluate our governance structure (meeting cadence, decision-making authority,
     escalation paths)
   - Assess whether we have clear RACI matrices defining roles and responsibilities
   - Determine if we have appropriate executive review forums established

2. SERVICE PROVIDER & VENDOR READINESS
   - Evaluate our solution implementors' cloud delivery experience for regulated workloads
   - Assess implementor certifications and AWS platform expertise
   - Review implementor escalation paths and support mechanisms
   - Identify organizational change management capabilities across implementor ecosystem

3. STAKEHOLDER ALIGNMENT & COMMUNICATION
   - Map all key stakeholders (internal teams, external support organizations, vendors)
   - Assess clarity of ownership models and decision rights
   - Evaluate communication effectiveness and information flow
   - Identify potential conflicts or misalignments in expectations

4. TECHNICAL & OPERATIONAL READINESS
   - Assess our migration scope definition and workload inventory
   - Evaluate our business case strength (cost, value, drivers)
   - Review our migration execution plan completeness
   - Assess our AWS environment readiness (Landing Zone, security, compliance)
   - Evaluate our skills and training preparedness

5. RISK & CHANGE MANAGEMENT
   - Identify regulatory complexity and compliance requirements
   - Assess our change control processes and impact assessment procedures
   - Evaluate our risk mitigation strategies
   - Review our approach to handling evolving requirements

6. MIGRATION COMPLEXITY FACTORS
   - Number of applications/servers in scope: [X]
   - Regulatory requirements: [list]
   - Number of stakeholder organizations: [Y]
   - Timeline constraints: [dates]
   - Budget parameters: [range]

For each dimension, please:
- Provide a maturity rating (Effective/Needs Improvement/Does Not Exist)
- Identify specific gaps and risks
- Recommend concrete actions with owners and timelines
- Suggest AWS mechanisms or resources that could help (EBAs, LNAs, Migration
  Readiness Assessments)
- Prioritize recommendations by impact and urgency

Additionally, please:
- Generate a readiness statement calculated across five key dimensions: Migration Scope, Business Case, Technical Capabilities, Organizational Change Management, and Migration Planning
- Provide a migration health forecast (On Track/Behind Plan/Elevated Risk/Stalled)
- Generate a 90-day action plan with specific milestones
- Identify early warning indicators we should monitor
- Recommend governance cadence appropriate for our complexity level

Output the assessment in a format suitable for executive presentation, including:
- Executive summary with key findings and recommendations
- Detailed assessment by dimension with supporting evidence
- Risk heat map showing priority areas
- Action plan with clear ownership and timelines
- Success metrics and KPIs to track progress

For more in-depth and context-specific guidance, project plans and responsible, accountable, consulted, informed (RACI) matrices can be uploaded for analysis.

By using AI to generate this assessment, you’ll receive a customized evaluation that considers your unique organizational context, compliance landscape, and stakeholder ecosystem that you can use to proactively address gaps before they become delivery risks.

Key takeaways for mission-critical migrations

Organizations planning large-scale, mission-critical migrations should prioritize stakeholder management as a first-order design consideration. Successful programs consistently demonstrate:

Early and explicit stakeholder alignment
Proactive implementation readiness and enablement
Structured, multilevel governance
Anticipation of evolving requirements
Continuous executive engagement

Cloud technology enables transformation, but stakeholder management enables delivery. By applying these principles, organizations can better manage complexity, reduce risk, and achieve successful outcomes for their most critical workloads.

Learn more

Experience Based Acceleration (EBA) for the details you need to get started
Learning Needs Analysis (LNA) in AWS Training and Certification to request an assessment
AWS Public Sector team for more information on how AWS can help with stakeholder management

Integrating subject matter experts into generative AI evaluation with the AWS Generative AI Innovation Center

Taylor McNally — Wed, 06 May 2026 00:38:12 +0000

You’ve coded your generative AI proof of concept. The demo impresses stakeholders. Then a subject matter expert (SME) sits down with the output and spots a problem no automated metric would catch. The response was fluent, well-structured, and wrong in a way that only someone with deep domain knowledge could identify.

This moment plays out across industries as organizations move from prototype to production with generative AI. It’s the disconnect between what domain experts instinctively know is right and what they can express as measurable evaluation criteria.

Through our work in the Amazon Web Services (AWS) Generative AI Innovation Center, we’ve helped dozens of organizations develop evaluation strategies that bridge this “articulation gap.” The approach has four phases that act together as a flywheel. First, define what good looks like. Second, build ground truth alongside automated metrics. Third, shift from manual to automated evaluation as the system matures. Fourth, identify new evaluation needs.

The following graphic illustrates the flow through these phases. SME involvement evolves from hands-on scoring to periodic calibration as automated metrics mature.

Figure 1: The evaluation flywheel

Phase 1. Define what good looks like

Before writing an evaluation script, the most important step is structured conversations with SMEs. The goal is to translate expert intuition into concrete, repeatable criteria. This can be harder than it sounds. Experts often struggle to articulate why one output feels right and another doesn’t, especially when both are factually correct.

Start by gathering preliminary requirements. What does the system need to do? What are the highest-risk failure modes? Where would a wrong answer cause real harm? Then move to evaluation design. We find that showing SMEs real model outputs and asking, “What’s wrong with this?” is more productive than asking them to define quality in the abstract. Their reactions reveal implicit standards that would otherwise go unspoken.

Consider an education technology company building an AI tutoring assistant. An instructional designer reviewing outputs might flag that the AI gives correct answers but fails to establish the student’s prerequisite knowledge. A math tutor that jumps to derivatives without confirming the student understands limits is technically accurate but pedagogically harmful. That feedback can be used to develop a rubric dimension such as scaffolding appropriateness, scored on a 1–5 scale with a clear definition and anchor example(s) at each level. The rubric becomes the shared language between domain experts and engineers for the rest of the project. The following table shows an example rubric.

Score	Label	Definition	Anchor example
5	Excellent	Builds on confirmed prior knowledge, introduces concepts in logical sequence, checks understanding before advancing	“Before we look at derivatives, let’s make sure you’re comfortable with limits. Can you tell me what happens to f(x) = 1/x as x approaches infinity?”
4	Good	Follows a logical sequence and references prerequisites, but doesn’t actively verify understanding	“Derivatives build on the concept of limits. Remember that a limit describes the value a function approaches. Now, a derivative measures…”
3	Adequate	Correct and organized but assumes prerequisite knowledge without acknowledging it	“The derivative of f(x) measures the rate of change. To find it, we use the limit definition…”
2	Poor	Skips prerequisites and uses jargon or notation the learner might not recognize	“Apply the power rule: d/dx[x^n] = nx^(n-1). So for f(x) = x³, f’(x) = 3x².”
1	Harmful	Introduces concepts out of order or gives answers that actively confuse the learner	“Use L’Hôpital’s rule here. Take the derivative of the numerator and denominator separately…” (student has not learned derivatives yet)

Phase 2. Improve ground truth and build automated metrics

Then you can begin building your evaluation dataset. Amazon SageMaker Ground Truth provides managed labeling workflows where SMEs can score model outputs against your rubric at scale. These human-scored examples become the ground truth that all automated metrics are validated against. Try to cover the full range of quality levels and edge cases your system will encounter.

Simultaneously, develop automated evaluation pipelines based on SME feedback. You can use Amazon Bedrock Evaluations to run large language model (LLM)-as-judge assessments with custom metrics. Keep in mind automated metrics earn trust by agreeing with expert judgment, not the other way around. Measure the correlation between automated and human scores. When they diverge, investigate. Sometimes the automated metric needs refinement. Sometimes it reveals inconsistency in human scoring. Both outcomes improve the system.

Phase 3. Shift from manual to automated evaluation

As confidence in automated metrics grows, the SME role shifts from scoring every output to validating the scoring system itself. You can now automatically evaluate at production scale with limited human involvement. SMEs can first conduct periodic calibration checks between human and automated scores, then check cases the automated system flags as uncertain.

For the education company example, automated metrics might handle 90% of evaluation volume, covering factual accuracy, response format, and reading level. SMEs review a rotating sample of outputs during each sprint plus any outputs where the automated scorer’s confidence falls below a threshold, particularly for scaffolding and pedagogical quality. The SMEs are no longer bottlenecking every release but are calibrating the system that evaluates at scale.

The following graphic illustrates how SME effort evolves from one phase to the next. Total effort decreases, but the nature of the work shifts from defining criteria to calibrating automated systems.

Figure 2: How SME effort evolves across phases

Phase 4. Review the metrics

As your product evolves, so should your evaluation framework. Phase 4 brings SMEs back to assess whether the rubric, ground truth, and automated metrics still reflect what “good” looks like today.

Start by having SMEs review the current rubric against recent model outputs. Are the dimensions still relevant? For the education company, if the tutoring assistant now supports multi-turn conversations, the original rubric might miss how well the assistant builds on prior exchanges.

SMEs should also flag where automated scores are diverging from expert judgment. Consistent disagreements from phase 3 calibration checks signal that metrics need updating.

After gaps and outdated criteria are identified, cycle back to phase 1 with fresh structured conversations, current outputs, and an updated rubric. Then add to the ground truth, revalidate automated metrics, and return to phase 4. This is the flywheel: teams that treat evaluation as a continuous loop maintain alignment with what “good” means as it changes over time.

Getting started

After working on hundreds of generative AI projects, we’ve consistently seen that teams who build effective feedback loops into their development process can evaluate at scale with confidence, ship faster, and clear the gap between prototype and production that stalls so many generative AI initiatives.

Are you ready to learn more or get started?

Sovereign Intelligence: How AWS Enables Global Health Security Without Compromising Data Privacy

Dr. Dawn Heisey-Grove — Wed, 06 May 2026 00:33:26 +0000

*Part 2 of 3: Democratizing Access to Genomic Data and Analytics*

When infectious diseases emerge, rapid pathogen identification and tracking saves lives. Yet for decades, this critical work has been hampered by a fundamental tension: the need to share genomic data across borders against the imperative to protect national data sovereignty and patient privacy.

Amazon Web Services (AWS) is helping resolve this tension through innovative platforms that enable global collaboration while keeping sensitive data secure. This is the next frontier in democratizing genomic data: making outbreak intelligence accessible to researchers and health practitioners across all countries, regardless of available technical infrastructure or economic resources.

In this post, we explore how AWS enables global pathogen surveillance and outbreak intelligence through sovereign-by-design platforms like PathGen, which allow countries to collaborate on infectious disease tracking while maintaining control over their sensitive health data within national borders.

The Global Challenge: Outbreak Detection in a Connected World

The COVID-19 pandemic starkly illustrated the power and limitations of global genomic surveillance. While rapid sequencing and data sharing enabled unprecedented scientific collaboration, many countries—particularly in low- and middle-income regions—lacked the infrastructure to participate fully. Others hesitated to share data due to sovereignty concerns or fear of travel restrictions.

The challenge is clear: how do we enable real-time global outbreak intelligence while respecting each nation’s right to control its own health data?

PathGen: AI-Powered Outbreak Intelligence with Data Sovereignty

The Asia Pathogen Genomics Initiative unveiled PathGen in December 2025—an AI-enabled integrated surveillance platform designed to support public health decision-making across 14 Asian countries. PathGen represents a breakthrough in sovereign-by-design health technology, combining pathogen surveillance data with contextual information needed to provide countries with timely, secure, and actionable decision support. Critically, all analysis occurs in-country, without raw data leaving national borders.

Technical Architecture: Sovereignty Meets Collaboration

PathGen’s architecture leverages Amazon Bedrock for secure access to large language models for AI-generated summaries and insights, ensuring sensitive health data remains encrypted and under the control of each country’s health ministry; and Amazon Elastic Compute Cloud (Amazon EC2) with GPU instances (P5 and G5) and Graviton 4 chips “for real-time genomic analysis and AI inference.

“This isn’t just about technology, it’s about trust,” said Professor Paul Pronyk, Director of the Duke-NUS Centre for Outbreak Preparedness. “When countries know their raw genomic data never leaves their borders, they’re more willing to participate in the collaborative surveillance that keeps us all safe. PathGen proves that data sovereignty and global health security aren’t competing values. They’re complementary goals that, with the right architecture, can strengthen each other.”

Technical Innovation: Making Genomic Surveillance Accessible

The success of platforms like PathGen depends on democratizing access to key biomedical data resources, and making complex genomic analysis infrastructure and solutions accessible to public health officials who may not be bioinformatics experts.

The Wisconsin State Laboratory of Hygiene (WSLH) leveraged AWS resources to develop two solutions that address this problem:

Open-Source Solutions for Public Health Labs. Easy Genomics is an open-source solution designed specifically for public health laboratories, developed for WSLH using AWS Partner support. By providing pre-configured pipelines that run on AWS, the platform enables labs with limited bioinformatics expertise to conduct sophisticated analyses.

This is particularly important in resource-limited settings where hiring bioinformaticians may not be feasible. With Easy Genomics, someone without bioinformatics expertise can upload raw sequencing data and receive actionable results without needing to understand the underlying computational complexity.

Generative AI for Data Standardization. One of the biggest challenges in genomic surveillance is data standardization—different labs use different protocols, instruments, and file formats. WSLH wanted to leverage generative AI to accelerate that process. Students working with the Digital Transformation Hub (DxHub) at California Polytechnic State University (Cal Poly) built the open source AI Genomic Schema Harmonizer in partnership with AWS Cloud Innovation Centers (CIC).

By automatically detecting and correcting format inconsistencies, extracting relevant metadata, and flagging potential quality issues, the Harmonizer reduces the technical barriers to participation in global surveillance networks.

“The success of democratizing pathogen genomics depends on making complex data analysis and workflows accessible to public health officials who may not have a scientific computing background,” said Dr. Kelsey Florek of WSLH. “It’s about removing technical barriers so that every public health laboratory, regardless of resources, can participate in protecting their communities.”

Technology in Service of Humanity

The democratization of genomic data and analytics represents one of the most significant advances in improving health outcomes worldwide in recent decades. By making powerful computational tools accessible to researchers and public health officials worldwide, regardless of their location or resources, AWS helps level the playing field in the fight against disease.

At AWS, we believe our cloud and AI services are powerful tools to address the world’s urgent and complex challenges in health. Through continued innovation, strategic partnerships, and unwavering commitment to our customers’ missions, we’re working to build a future where genomic insights benefit all of humanity—not just the privileged few.

Read the first blog in the series, Breaking Down Barriers: How AWS Democratizes Genomic Data for the World, which highlights how AWS services and support are empowering researchers to move faster, at scale, to achieve groundbreaking discoveries and transform healthcare delivery for everyone.
Follow along for the third blog in the series, which highlights how biobanks are reshaping medical research.
Learn more about AWS Skilling and Social Impact
To learn more about AWS for Healthcare and Life Sciences, visit aws.amazon.com/health
To explore how AWS can support your organization’s mission, contact your AWS account team or visit aws.amazon.com/contact-us

How Kofile modernizes county records with AI on AWS

Lekan Ojo — Tue, 05 May 2026 21:10:23 +0000

County governments across the United States manage millions of public records—property deeds, marriage certificates, court documents, and business licenses—that serve citizens, title companies, legal professionals, and researchers daily. Yet these records often exist in fragmented formats spanning paper documents, microfiche, PDFs, and various digital files, making search and retrieval time consuming and labor intensive for both government staff and the public.

Kofile Technologies has transformed public records management for more than 3,000 county governments using Amazon Bedrock powered document intelligence built on Amazon Web Services (AWS). Their Kleio^SM platform reduces citizen search times from hours to seconds by processing millions of historical documents with automated classification and intelligent search capabilities so that users can summarize, translate, and engage in conversational, multilingual interactions that make information more accessible than ever before. At the same time, they maintain the stringent security and compliance standards government organizations require.

Millions of records, limited access

County governments serve as custodians of vast collections of public records, often spanning decades or even centuries. These records exist in many formats—paper, microfilm, digital scans, maps, and plats—and are stored across multiple systems with limited interoperability.

For county clerks, recorders, and their staff, the daily reality involves manually searching through indexes, cross-referencing physical files, and responding to public records requests with processes that haven’t fundamentally changed in decades. Citizens seeking property records, attorneys researching title histories, and government staff conducting audits all face the same bottleneck: finding the right document takes too long.

According to Kofile leadership, county clerks were overwhelmed by paper-based processes, while citizens experienced frustration with weeks-long wait times for simple records requests. The company recognized that AI could transform this experience, but the solution had to be secure, scalable, and built specifically for government requirements.

Kofile recognized that the challenge wasn’t just digitization—counties had been scanning documents for years. The real gap was intelligence. How do you take millions of digitized pages and make them truly useful? How do you allow a county clerk to find a specific deed from 1987 using a natural language question instead of navigating a complex index system?

The manual nature of traditional records management creates bottlenecks that affect entire communities. Property transactions stall waiting for deed searches. Legal proceedings are delayed while attorneys request court documents. Economic development slows when businesses can’t quickly access the records they need. County IT teams struggle to maintain aging infrastructure while managing security and compliance requirements.

Document intelligence for civic assets

Kofile’s vision for Kleio^SM went beyond building a better search engine. To truly modernize public records management, the AWS team helped them address six critical challenges for their county customers:

Multimodal document ingestion to process everything from freshly scanned pages to legacy microfilm conversions at scale
Automated metadata extraction and classification using AI to reduce the manual effort required to catalog records by identifying document types, dates, names, parcel numbers, and other key information
Semantic search capabilities so that county staff and citizens could find records by describing what they need in plain English, rather than knowing exact index terms
Document translation for counties serving multilingual communities through multi-language interaction in more than 90 languages
Analytics dashboards for county administrators to understand usage patterns and operational metrics
Enterprise-grade security with encryption, role-based access controls, full audit trails, and multi-tenant isolation—requirements that are nonnegotiable for government records

Collaborating with AWS to accelerate innovation

Kofile’s work with AWS has been instrumental in bringing Kleio^SM to market quickly while maintaining the security and compliance standards government organizations require. The breadth of generative AI, AI, and machine learning (ML) services offered by AWS mean that Kofile can focus on solving government-specific challenges rather than building infrastructure from scratch.

According to Kofile’s technical leadership, purpose-built AI services from AWS provided enterprise-grade capabilities out of the box, dramatically accelerating their time to market. This allowed the team to focus on the unique needs of county governments rather than reinventing document processing and search infrastructure.

This collaboration also provides Kofile’s government customers with confidence in the platform’s long-term viability and continuous innovation, backed by the AWS commitment to the public sector.

Building on a platform designed for government on AWS

Kofile architected Kleio^SM as a cloud-centered, multi-tenant software-as-a-service (SaaS) platform using Amazon Bedrock to deliver comprehensive document intelligence capabilities. Building on AWS gave Kofile the foundation to deliver these capabilities at scale while meeting the stringent security and compliance requirements of government customers.

Kleio^SM uses a range of AWS services to deliver its document intelligence capabilities. The platform is architected as a multi-tenant SaaS solution, with each county’s data isolated and secured.

Document ingestion and storage
Kleio^SM ingests documents from multiple sources—scanners, existing digital repositories, and bulk uploads—storing them securely in durable, scalable storage that makes them immediately available for the automated processing pipeline. The platform handles high-volume batch uploads—critical for counties that might be onboarding decades of historical records—as well as ongoing day-to-day document additions.

AI-powered processing
After they’re ingested, documents flow through an automated AI processing pipeline that extracts intelligence and structure from unstructured content. The platform automatically extracts metadata and entities—names, dates, parcel numbers, document types—reducing the manual indexing burden on county staff.

Kleio^SM then classifies documents by type—property deeds, mortgage documents, liens, marriage certificates, death certificates, and dozens of other categories. This classification happens in seconds, compared to the manual review that previously took minutes per document. This automated classification proves particularly valuable for large-scale digitization projects where manually categorizing hundreds of thousands of documents would be impractical.

Intelligent search
Kleio^SM’s search capabilities go beyond traditional keyword matching. The platform vectorizes and indexes documents, providing semantic search that understands the intent behind a query. A county clerk searching for “property transfers in the downtown district last year” receives relevant results even when documents use different terminology like “conveyance,” “deed,” or “real estate transaction.”

This semantic search capability transforms the user experience, making decades of records accessible through intuitive, conversational queries rather than requiring specialized knowledge of document terminology and filing systems.

Document translation and export
For counties serving diverse communities, Kleio^SM offers optional document translation capabilities. Users can select documents, translate them into a target language, and export bundled document packages—streamlining workflows for public records requests. The platform also supports flexible export options, allowing users to download documents in various formats while maintaining proper formatting and metadata.

Analytics and operational dashboards
County administrators gain visibility into records operations through analytics dashboards. The platform provides real-time monitoring of system performance, processing volumes, and user activity, supporting proactive management and capacity planning. These dashboards reveal patterns in records requests, processing bottlenecks, and usage trends, helping counties optimize their operations and allocate resources effectively.

Security and compliance for government

Kofile architected Kleio^SM to meet the stringent security and compliance requirements of government organizations, taking advantage of the comprehensive security services and infrastructure of AWS:

Data protection – Kleio^SM encrypts all data at rest using customer managed keys, giving counties control over their encryption keys. TLS 1.2 or higher protects data in transit. Data residency controls verify that records remain in specified AWS Regions, meeting state and local data sovereignty requirements.
Access control and identity – Role-based access control (RBAC) integrated with AWS identity services solutions verifies that users access only the records and functions appropriate to their roles. Federation with government identity providers and multi-factor authentication (MFA) enforcement adds an additional security layer.
Audit and compliance – Kleio^SM captures comprehensive audit trails that log every access and action, providing the detailed audit history government organizations require. The platform’s architecture aligns with the AWS Well-Architected Framework, particularly the Security and Reliability pillars, maintaining best practices in cloud architecture.
Resilience and recovery – Multi-AZ deployment provides high availability, and automated backups with cross-Region replication offer disaster recovery capabilities. This architecture delivers the resilience government organizations need to maintain continuous access to critical public records. The platform positions counties for compliance with frameworks such as Government Risk and Authorization Management Program (GovRAMP), depending on their specific requirements and the records they manage.
Infrastructure as code (IaC) – Kleio^SM’s infrastructure is defined using IaC tools, supporting consistent, repeatable deployments with built-in security controls. Continuous integration and continuous deployment (CI/CD) pipelines verify that updates are tested and deployed systematically, minimizing risk while facilitating rapid innovation.

Real-world impact on government services

The transformation Kleio^SM delivers extends across multiple stakeholder groups, including county clerks and staff, citizens and title companies, county administrators, and IT teams. Kleio^SM fundamentally changes how counties manage and provide access to public records.

What previously took county clerks and staff hours of manual searching through filing cabinets and microfiche readers now takes seconds through intelligent search. Staff can handle significantly higher volumes of records requests without increasing headcount. Automated classification and metadata extraction eliminate tedious data entry, allowing clerks to focus on higher-value citizen services. The reduction in manual processing time translates directly to cost savings and improved employee satisfaction.

Public records that previously required in-person visits by citizens and title companies or multi-day wait times are now accessible online with immediate results. Title companies can complete property searches in minutes rather than hours, accelerating real estate transactions and economic activity. Citizens can access marriage certificates, property records, and other documents without taking time off work to visit county offices. This improved accessibility increases transparency and strengthens trust in government.

Real-time dashboards provide visibility for county administrators into operations that were previously opaque. Administrators can identify processing bottlenecks, track service levels, and make data-driven decisions about resource allocation. The analytics capabilities reveal patterns in records requests, helping counties anticipate demand and plan capacity. Quantifiable metrics on processing times and citizen satisfaction support budget justifications and demonstrate the value of modernization investments.

The cloud-based architecture eliminates the burden on IT teams of maintaining on-premises infrastructure, including servers, storage systems, and backup solutions. Automatic scaling handles peak demand without manual intervention. The CI/CD pipeline manages security updates and patches systematically. Multi-tenant isolation verifies that each county’s data remains secure and separate, and centralized management reduces operational complexity.

Looking ahead

Kofile’s investment in AI-powered document intelligence represents a broader shift in how government organizations think about their records. Public records aren’t merely archives to be preserved—they’re civic assets that, when made accessible and intelligent, can drive better outcomes for communities.

As AI capabilities continue to advance, the potential applications expand: automated redaction for sensitive information, proactive identification of records that need preservation attention, and deeper integration with county workflows and systems.

For counties looking to modernize their records management, one proven path forward combines decades of domain expertise in government records with the scale, security, and AI capabilities of the cloud.

To learn more about Kofile Technologies and the Kleio^SM platform, visit kofile.com. To explore how AWS supports public sector organizations, visit AWS in the Public Sector.

Accelerating federal document processing using Document AI from DMI

Channa Basavaraja — Mon, 04 May 2026 23:47:01 +0000

If your agency is managing millions of unstructured documents, from eligibility records to case files, this post introduces how DMI Document AI, built on Amazon Bedrock, can help you automate document processing, reduce backlogs, and redirect your team toward higher-value mission work.

Common digitalization challenges across federal agencies and beyond

Your agency might be navigating a massive influx of unstructured, high sensitivity documents every day. These could include regulatory records, eligibility evidence, applications, and supporting documentation such as birth and educational certificates, citizen forms, adjudication packets, and case files.

Many agencies are dealing with backlogs of millions of cases, alongside annual intake volumes that often exceed tens of millions of forms. This creates an urgent need to automate data extraction and validation to speed up approvals, compliance, and mission-critical workflows.

Agencies are noticing encouraging early outcomes from intelligent document processing (IDP) pilots and partial automation. By integrating workflow automation with optical character recognition (OCR) or intelligent character recognition (ICR), some have achieved impressive milestones, such as 50% faster cycle times, based on DMI field experience. However, these pilots also reveal the challenges of scaling enterprise production across various document types, noisy documents, and unstandardized formats.

Many agencies have strategic mandates to digitize hundreds of millions of pages to meet federal digitization mandates.

The challenges are essentially of scale and complexity:

Billions of paper documents
Scanned legacy forms with inconsistent layouts
Aged or degraded paper records, such as legacy handwriting notes, signatures, and historical service records

These document collections require capabilities well beyond traditional OCR. Agencies increasingly need advanced generative AI–driven IDP solutions such as Document AI to:

Interpret handwritten and inconsistent text
Classify documents automatically (document understanding)
Extract key entities such as names, dates, addresses, occupations, and identifiers
Normalize and validate extracted data against business rules
Make extracted artifacts searchable, discoverable, and usable for downstream mission operations

Agencies are seeking secure, scalable, and high-accuracy modern IDP solutions that can modernize intake-heavy workflows while maintaining stringent standards for privacy, auditability, and data integrity. To meet these rigorous demands, Document AI uses Federal Risk and Authorization Management Program (FedRAMP) accredited Amazon Web Services (AWS) services, providing a foundation of robust encryption, data residency, and comprehensive audit logging. By building on these pre-authorized components, agencies can support secure, responsible adoption and significantly fast-track FedRAMP certification for their document solutions while maintaining data protection within their AWS environment.

Introducing DMI Document AI solution powered by Amazon Bedrock

DMI Document AI is a robust solution for IDP. Organizations can use it to digitize, comprehend, and operationalize documents. The solution delivers precise document capture and data extraction, paired with AI-driven document type classification, analytics, workflow automation, and automated document generation. In essence, it converts static documents into searchable, actionable business intelligence. It includes three integrated modules: DocuChew, DocuRun, and DocuGen:

DocuChew – Moving beyond traditional rule-based OCR, uses generative AI–enabled approach to document classification and metadata extraction, using advanced generative AI and multimodal large language models (LLMs) to replace rigid, rule-based workflows. The solution currently supports English-language processing for common document formats, including Word, PDF, images, and Excel. Although traditional OCR systems often struggle with context, handwriting, and layout changes, DocuChew maintains a high extraction accuracy of over 90 percent, based on DMI’s benchmarking using several hundred page data. This provides agencies with a more flexible and sustainable foundation for managing new and evolving document types without the reactive cycle of manual workarounds required by legacy systems.
DocuRun – Uses Amazon Bedrock Data Automation to transform how organizations handle unstructured multimodal content using pre-built smart document templates known as blueprints. These blueprints apply natural language context to intelligently identify, normalize, and extract data, decoupling extraction logic from underlying code for rapid scaling. To support data integrity, DocuRun incorporates robust validation and error handling through human-in-the-loop workflows. By using Amazon Augmented AI (A2I), the system allows for manual reviews and corrections, providing high accuracy and compliance.
DocuGen – Is an advanced Retrieval Augmented Generation (RAG) system (patent pending) specifically designed for long document generation (LDG). Traditional RAG pipelines often act as black boxes that collate all available source data, which can lead to wasted LLM processing tokens and outputs that ignore user priorities. DMI’s DocuGen solves this by:
- Prioritizing relevance – Uses a weighted mechanism to make the generated content, such as policies and standard operating procedures (SOPs), align with the specific importance of sources in the document.
- Massive efficiency gains – The module can autonomously produce a more than 200-page word document in approximately 45 minutes, a task that typically takes days to complete. This solution securely stores generated documents in Amazon Simple Storage Service (Amazon S3) for further processing.

The following graphic illustrates these three modules.

Figure 1: Document AI modules

Solution architecture and capabilities

To deliver a secure, scalable, and fully customizable solution, DMI Document AI integrates with core AWS services, using Amazon Bedrock for leading LLMs including Amazon Nova family of models, Amazon Bedrock Knowledge Bases for durable vectorization and embeddings, and Amazon Bedrock Data Automation for intelligent document extraction and smart templates. The solution further supports mission integrity through AWS tenant security isolation, Amazon Bedrock Guardrails, and personally identifiable information (PII) protection for security, while using A2I for human-in-the-loop workflows and AWS CloudFormation for rapid, standardized deployment using infrastructure as code (IaC).

The following diagram illustrates the solution architecture.

Figure 2: Document AI architecture

The solution is deployed through IaC using AWS CloudFormation templates, enabling quicker deployments. Document AI is deployed within customer’s AWS account, allowing customers to maintain control over their data and avoid vendor lock-in or black-box architectures.

Key solution capabilities

The DMI Document AI solution is a modular, AWS based solution designed to modernize the entire document lifecycle through three core modules: DocuChew (ingestion and extraction), DocuRun (classification and workflow), and DocuGen (advanced document generation). The solution’s end-to-end workflow follows a multistep process that transforms raw data into actionable intelligence and business asset. Here are the steps:

1. OCR-free ingestion – Documents are ingested through automated data pipelines using generative AI, avoiding the limitations of rigid, rule-based OCR.
2. Multimodal analysis – The system handles multipage processing for complex, unstructured data, including PDFs, images, and handwritten records.
3. Intelligent classification – DocuChew uses multimodal LLMs to automatically identify document types and extract metadata.
4. Smart template application – DocuRun uses Amazon Bedrock Data Automation to apply blueprints that use natural language context to identify content structures.
5. Contextual extraction – Data is extracted and normalized from various file types, including tables and images, without custom-coded logic.
6. Entity recognition – Key entities such as names, dates, and identifiers are extracted and validated against business rules.
7. Durable vectorization – Extracted artifacts are vectorized using Amazon Bedrock Knowledge Bases backed by OpenSearch Serverless, creating a long-term memory for LLM-aware processing.
8. Search and discovery – Documents are transformed into searchable artifacts for downstream mission operations.
9. User priority definition – For new long document generation, users begin by assigning weights to identify the relative importance of each data source.
10. Weight validation – The system performs a check to validate user-defined priority weights sum up to 100 percent.
11. Strategic source selection – Based on weights, the system selects content from diverse sources such as agency security docs, past audits, and SOPs.
12. Package aggregation – Relevant content is combined into a single working package.
13. Constraint management – The system automatically confirms the package stays within allowed size and token limits.
14. Autonomous generation – The package is sent to high-performance models to generate targeted, multipage documents.
15. Human-in-the-loop review – The output is reviewed by business users through A2I to support accuracy and compliance.
16. Iterative refinement – User feedback is fed back into the system to refine future results, creating a repeatable loop for continuous improvement.

Security and integrity

DMI Document AI solution is engineered with a defense-in-depth architecture, so that every stage of the multistep process adheres to stringent government mandates for privacy, auditability, and data integrity.

For infrastructure and data sovereignty, the solution is deployed through IaC using AWS CloudFormation templates, allowing for rapid, standardized deployment directly within the agency’s own AWS account. This supports data sovereignty and Amazon Virtual Private Cloud (Amazon VPC) isolation, preventing data from leaving the agency’s secure perimeter or being used to train third-party models. Solution can be augmented with AWS PrivateLink, VPC Endpoints for inter service communication to further security posture.

To maintain a zero trust posture, the solution uses AWS Identity and Access Management (IAM) controls for access and encryption and API security to enforce the principle of least privilege. Data is protected by industry-standard encryption both at rest and in transit, so that sensitive materials such as regulatory records and personnel files remain secure throughout the ingestion and extraction lifecycle.

The system uses Amazon Bedrock Guardrails specifically configured for high-sensitivity federal use cases. Examples of these include:

PII protection – Automatically detects and masks PII such as Social Security numbers found in eligibility evidence and case files.
Prompt injection defense – Neutralizes malicious attempts to bypass model constraints or exploit vulnerabilities, referred to as jailbreaking, in AI systems, keeping the system focused only on its mission-critical extraction or generation tasks.
Content filtering – Prevents the generation of harmful or off-topic content during the creation of documents.
Governance and compliance – Provides comprehensive audit logging, tracking interactions for full transparency. Because the solution uses FedRAMP-accredited AWS services, agencies can inherit established security controls, significantly fast-tracking the path to final Authority to Operate (ATO) for their implementations. Please refer to Security Reference Architecture for AI for details on securing AI solutions.

An AI-enabled approach for digitization

Traditional unstructured data extraction pipelines are often rule based and limited in their support for recognizing new document types and dynamic adjustment.

Although traditional template-based OCR has been the standard for decades, it’s insufficient for the scale and complexity of current federal datasets. DMI Document AI provides a flexible, OCR-free approach that addresses these limitations.

The following table compares the abilities of traditional OCR and DMI Document AI across a range of features.

Feature	Traditional OCR	DMI Document AI
Handwriting support	Struggles with handwritten content and degraded images.	Designed to interpret handwritten content, signatures, and aged paper records, such as archives, with high precision.
Context understanding	Often loses context when layouts change or when dealing with complex structures such as table headers and chart captions.	Uses generative AI and multimodal LLMs to apply natural language context, allowing it to intelligently classify documents and extract data based on meaning rather than rigid coordinates.
Deployment time	Takes weeks or more to configure for new document types.	Uses IaC through CloudFormation templates. The entire solution can be configured and deployed in days, providing rapid, measurable value.
Maintenance	Forces teams into a reactive cycle of tweaking extraction rules each time form layout changes.	Decouples extraction logic from underlying code using smart templates (blueprints), which allow for seamless updates through straightforward configuration, significantly reducing operational burden.

DMI’s proprietary advanced RAG: An innovative approach for LDG

Enterprise RAG has been used to create on-demand, high-quality documents for agencies. However, the current RAG pipelines often function as generic systems that include all data elements. This approach leads to blanket ingestion, including non-business essential attributes, resulting in inefficient usage of LLM resources and ignoring priorities preferred by business users.

As an advanced RAG-based solution, DocuGen can create long documents. For example, DocuGen has autonomously generated 200-page documents in only 45 minutes in a representative testing environment. This drastically cuts down time and reduces manual labor and errors.

DocuGen helps the AI workflow produce better content that is contextually relevant by incorporating a proprietary, user-steered prioritization model. Users start by assigning percentage weights (called user-defined weights) to reflect what matters most to them. The system confirms that the percentages add up to 100%. It then uses these weights to decide how to prioritize information from each document source, such as agency security documentation, past audit reports, and existing SOPs.

It selects an optimal portion of content from each source, combines them into a single working package, and helps the package stay within the allowed LLM context window size limits. The system then sends the package along with the prompt to the AI model to generate the targeted content.

Finally, the output is reviewed by the user, using A2I, and the feedback is used to refine future results. This creates a repeatable loop that improves accuracy, relevance, and alignment with business objectives.

Designed for broad application

Agencies are at various stages of technical maturity when it comes to handling unstructured data, and they explore various AI-powered IDP solutions. Some have experimented with proofs of concept (POCs) and generic LLMs such as ChatGPT, while others have limited AI skills and resources. Document AI offers a way to automate tasks more efficiently and manage workloads effectively. It supports modular deployment, allowing each module (DocuChew, DocuRun, and DocuGen) to be deployed independently. Here are the key benefits:

Deployment – The plug-and-play design integrates seamlessly with existing enterprise systems.
Customization – Each component can be tailored to meet the specific needs of the agencies.
Integration – Components can be deployed and integrated within existing environments independently.

Document AI use case examples

Organizations across large federal, defense, civilian, and health sectors can streamline their document operations and expand their capabilities, as demonstrated in DMI’s work with a U.S. Department of Defense organization and multiple other federal customers.
For example, DMI supported a U.S. Department of Defense organization in modernizing its records management system, enabling scalable processing and secure storage of millions of personnel records. This effort enhanced document handling, accessibility, and organization, reducing total cost of ownership significantly while improving the speed and accuracy of working with high-volume document sets.

Some of the most common uses cases:

Automate digital document intake, processing, and extraction of content such as invoices and case files, reducing data engineering time for business users.
Use AI to automatically index incoming personnel documents, enabling the reassignment of personnel.
Generate new documents from existing knowledge bases (such as internal policies and manuals)
Automate structured and unstructured processing and progress review of grants, reducing review timelines for grant approvers.

Conclusion

DMI, an AWS Advanced Tier Services Partner, helps government agencies cut through document processing burdens by eliminating manual, repetitive tasks and embracing secure, responsible AI. Powered by Amazon Bedrock and Amazon Bedrock Data Automation—and tailored for mission operations—it accelerates the shift to a modern, outcome-focused organization.

With Document AI, agencies can handle different document types, streamline document compliance, and automate document workflows with human-in-the-loop review without the need to overhaul their systems.

DMI brings together an integrated set of mission-driven transformation services and solutions to help US defense, intelligence, and federal civilian agencies evolve through the next wave of digital transformation and beyond. Combining the best of both public and private sector expertise, DMI provides managed services, application development, digital strategy and consulting, cloud transformation, cybersecurity, and AI services to deliver human-centric outcomes at scale while maintaining the highest standards for reliability, performance, and security.

To learn more about DMI’s Document AI capabilities and how agencies are applying this approach in production environments, visit the DMI AWS Partner Profile or contact our team at engage@dminc.com. You can also connect with DMI to explore use cases aligned to your agency’s document processing and modernization priorities.

University of Maryland Athletics Transforms Fan Experience with AWS: A Data-Driven Success Story

Kaitlin Darby — Mon, 04 May 2026 22:01:45 +0000

The University of Maryland Athletics Department has achieved a remarkable transformation in how it understands and serves its fans, partnering with Amazon Web Services (AWS) to build a unified data platform that’s delivering measurable results across operations, insights, and revenue generation.

The Challenge Every Athletics Department Knows

Like many collegiate athletics programs, UMD Athletics faced fragmented data systems, time-consuming manual processes, and delayed insights that made it difficult to respond quickly to fan needs and market opportunities. Survey analysis took hours each week, pricing decisions relied on manual weekly checks, and delivering actionable insights to stakeholders could take 1-2 weeks—far too slow in today’s fast-paced sports environment.

Creating Actionable Insights At Scale

UMD Athletics partnered with AWS to create a comprehensive platform that brings together customer profiles, fan segmentation, and self-service analytics across the entire organization. The journey began following an enablement session on modern data architecture led by UMD’s AWS account team. UMD Athletics took the first step by loading CSV ticket purchase data from Paciolan into Amazon S3, then leveraging AWS Glue to clean and transform that raw information into structured data products segmented by sport. Using Amazon Athena, the UMD analyst created views to query the data directly from S3, and integrated Amazon QuickSight to rapidly build dashboards surfacing revenue trends by sport, game, ticket type, and more — delivering immediate, actionable visibility without the need for a traditional data warehouse.

From that early success, expansion accelerated by harnessing the power of generative AI for development. Using Amazon Q Developer for code generation, analysts were able to describe their goals in natural language and receive Python code to accomplish the task — dramatically lowering the barrier to building new data pipelines. AWS Lambda functions were developed to incorporate season ticket holder data and donor information, broadening the platform’s view of each fan and supporter. Post-game survey data was then added to the mix and analyzed by Amazon Bedrock for sentiment analysis and fan segmentation, turning qualitative feedback into quantitative insight. Automated follow-up processes were built on top of this foundation, freeing up capacity for expanded survey programs and more targeted marketing efforts.

The result is a solution that combines cloud data infrastructure with AI-powered automation to transform raw data into actionable insights at scale.

The platform delivers 360-degree customer profiles and enables every team member — from ticketing to marketing to development — to access the insights they need through intuitive dashboards, without waiting for IT or analytics teams. What began as a single analyst loading a CSV file has grown into an organization-wide self-service analytics capability, with generative AI accelerating every stage of the data lifecycle.

Results That Transform Operations

The platform has delivered substantial cost reductions and time savings, with $75-80K in annual operating expense savings, 90+ hours saved annually from automated pricing processes alone, and hundreds of additional hours recovered from eliminating manual report processing.

Perhaps most impressive is how the platform has accelerated decision-making: survey analysis has been reduced from hours to minutes using AI-powered categorization, insights delivery has accelerated from 1-2 weeks to near real-time enabling mid-season action on fan feedback rather than waiting for end-of-year reviews, survey capacity has doubled from 10 to 20+ annually with no additional headcount required, and pricing decisions are now 7x faster, moving from weekly manual checks to daily automated alerts.

“AWS has allowed us to build tooling that moves at our speed and scale, fully customized to our business. Being able to aggregate and analyze data holistically while piecing together the entire fan journey, allows us to react proactively, and that’s completely changed how we make decisions.”

John Tieso, Lead Data & Marketing Analyst, University of Maryland Athletics

Revenue Impact: From Weekly Reviews to Daily Action

The platform’s ability to integrate primary and secondary market data, velocity metrics, and attendance patterns has transformed pricing strategy with daily automated pricing alerts replacing weekly manual checks, same-day pricing decisions that respond to market conditions in real-time, and $200K-$300K+ in projected incremental revenue for 2026.

The transformation goes beyond numbers. UMD Athletics has shifted from a reactive posture—analyzing last season’s data to inform next season’s decisions—to a proactive approach where fan feedback and market signals drive immediate action. The athletics department can now identify and respond to fan sentiment trends during the season, adjust pricing strategies daily based on comprehensive market intelligence, expand survey programs to gather more feedback without adding staff, and empower staff across departments with self-service access to insights.

A Blueprint for Collegiate Athletics

As programs nationwide face pressure to deliver exceptional fan experiences while managing costs and maximizing revenue, UMD’s transformation offers a proven roadmap. The key ingredients: unified data infrastructure that breaks down silos, AI-powered automation that accelerates insights, and self-service analytics that democratize access to intelligence across the organization.

The University of Maryland Athletics Department’s partnership with AWS demonstrates how modern cloud technologies and AI can transform operations in collegiate athletics. By building a unified data platform that breaks down silos and accelerates insights, UMD has created a foundation for continued innovation in fan engagement and revenue optimization.

The University of Maryland Athletics Department continues to expand its use of AWS services to enhance fan experiences and operational excellence. For more information about AWS solutions for sports and entertainment organizations, visit aws.amazon.com.

This content has been blocked by our content filters on Amazon Bedrock—Now what?

Josh Famestad — Mon, 04 May 2026 13:51:50 +0000

If you’ve received the message “This content has been blocked by our content filters” while using a foundation model (FM) on Amazon Bedrock, or a model has otherwise refused to perform a task, you’re not alone. This is a question customers sometimes face when building applications to process sensitive or complex content on Amazon Web Services (AWS) when that content triggers safety mechanisms. This post walks you through a practical framework for understanding why this happens and what you can do about it.

Why do models refuse requests?

Model providers train FMs with safety mechanisms that cause them to decline certain types of requests. Providers implement these mechanisms to prevent misuse and protect end users. Content filtering and refusal behavior comes from multiple layers:

Model-level safety training – Each FM is trained by its provider with built-in refusal behaviors. These vary between model families and even between versions within the same family.
Provider acceptable use policies (AUPs) – Each model provider on Amazon Bedrock (Amazon, Anthropic, Meta, Mistral, Cohere, AI21 Labs, and others) maintains their own terms of service and AUP that define what the model can and can’t be used for. You can find these on the AI Service Cards for Amazon models and on the Serverless Third-Party Models on Amazon Bedrock End User License Agreement (EULA) and Terms of Service (TOS).
Amazon Bedrock platform-level protections – Amazon Bedrock includes abuse detection features to prevent misuse that violates the AWS Acceptable Use Policy.

The challenge is that these safety mechanisms can’t distinguish between malicious intent and legitimate business need. Law enforcement analysts reviewing threat communications, healthcare providers processing crisis intervention notes, and content moderation platforms analyzing user reports might all encounter refusals.

How to troubleshoot content filtering challenges

We recommend two steps:

1. Verify the provider’s policies permit your use case.
2. Evaluate the model’s technical performance with representative data and tasks.

These steps are explained in the following sections.

Verify your use case is permitted

Consult your legal and compliance teams when working with sensitive content. Confirm that your intended use case is allowed under the model provider’s AUP. Restrictions vary across models including limitations on:

Criminal justice and law enforcement applications
Surveillance and monitoring
Biometric identification and facial recognition
Predictive policing
Automated decision-making and profiling

Some restrictions are absolute. Others can be addressed through an approval or exception process with the provider. Review the relevant policies for models and services in scope:

AI Service Cards – Transparency resources covering intended use cases, limitations, and design choices for AWS AI services
Serverless Third-Party Models on Amazon Bedrock
Responsible use in the Amazon Nova User Guide
AWS Acceptable Use Policy
Amazon Bedrock abuse detection

Key takeaway: Don’t invest engineering effort into a model whose provider doesn’t permit your use case.

Evaluate models with your own data

Published benchmarks and general guidance can help you narrow the field, but the only reliable way to know if a model works for your use case is to test it with data that’s representative of your actual workload.

Amazon Bedrock Evaluations provides built-in model evaluation capabilities that you can use to compare models using your own datasets and evaluation criteria. You can assess models on task accuracy, robustness, toxicity detection, and run evaluations across multiple models simultaneously.

With open source evaluation frameworks such as PromptFoo, you can define test cases with assertions to systematically measure how models handle your content. You can create evaluation suites that test whether a model refuses or completes tasks across your specific content categories, using both deterministic checks (for example, detecting refusal patterns in output) and model-graded assessments (for example, scoring output quality against a rubric).

What to measure:

Task completion rate – How often does the model successfully complete the task and how often does it refuse?
Refusal patterns – Which content categories trigger refusals? Are they relevant to your workload?
Output quality – When the model does respond, is the output accurate and useful?
Consistency – Does the model behave predictably, or do minor prompt variations cause different refusal behavior?

Key takeaway: Narrow your candidate models using these steps, then invest evaluation effort on the resulting list using iterative results as you experiment with prompts across multiple candidate models.

Putting it all together

In summary, here’s the decision flow:

1. Check the policies – Identify models that permit your use case.

2. Evaluate with your data – Test your short-listed models with representative samples from your actual use case.

This isn’t a one-time exercise. As new models become available on Amazon Bedrock and providers update their policies and safety training, it’s worth periodically reevaluating your model selection.

Resources

CMMC implementation begins: A new era for defense contractors

Paul Keastead — Mon, 04 May 2026 13:20:58 +0000

The long-awaited Cybersecurity Maturity Model Certification (CMMC) 2.0 is now a reality for the Defense Industrial Base (DIB). With the finalization of both the Code of Federal Regulations (CFR) Title 32 and CFR Title 48 rules, we’ve entered a new era of cybersecurity requirements for defense contractors. This post explores the implications of these developments and what they mean for businesses in the defense sector. This includes organizations in aerospace, defense satellite, healthcare, manufacturing, and higher education that conduct business with the Department of Defense (DoW). AWS supports these organizations in CMMC implementation through comprehensive security services, compliance documentation, and infrastructure that aligns with CMMC requirements across all levels while providing tools and resources to help organizations achieve and maintain certification.

The road to CMMC implementation has been a carefully orchestrated process. The 32 CFR CMMC Final Rule, published on October 15, 2024, and effective as of December 16, 2024, laid the groundwork by establishing the CMMC Program, defining security controls for each CMMC level and outlining assessment and certification processes. Following this, the crucial 48 CFR rule, which integrates CMMC requirements into the Defense Federal Acquisition Regulation Supplement (DFARS), has now been finalized. This means that all contracts that have Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will require an assessment of the contractor or subcontractor environment to ensure they’ve implemented the proper cybersecurity controls.

The DoW has now begun the phased rollout of CMMC requirements in contracts. This marks the start of a new era in defense contracting, where cybersecurity compliance is no longer just a contractual obligation but a prerequisite for doing business with the DoW.

What this means for contractors

November 10th, 2025 CMMC requirements began appearing in select new contracts, with full implementation expected by fiscal year 2028. This gives contractors time to adapt, but it also means that early adopters will have a competitive advantage in the market. Contractors and subcontractors face several significant challenges as they pursue CMMC certification. The requirement for pre-award certification has fundamentally changed the contracting landscape, as organizations must now achieve certification before they can be awarded DoW contracts. Additionally, prime contractors bear the responsibility of ensuring their subcontractors meet appropriate CMMC levels, creating cascading compliance requirements throughout the supply chain. The new framework’s restrictions on Plans of Action and Milestones (POA&Ms) further complicate matters, as organizations must demonstrate proactive compliance rather than relying on reactive planning approaches. Finally, CMMC 2.0 demands ongoing maintenance of cybersecurity practices through continuous monitoring, moving beyond the traditional point-in-time certification model to ensure sustained security posture.

When contractors and subcontractors are ready to move forward, they can follow this five-step plan:

Assess current posture – Conduct a thorough gap analysis or self-assessment against CMMC requirements for your targeted level.
Develop compliance strategy – Create a comprehensive roadmap for achieving and maintaining CMMC compliance.
Initiate certification process – Begin working with a certified third-party assessment organization (C3PAO) to schedule your assessment for CMMC level 2.
Supply chain management – Review and update agreements with subcontractors to ensure they meet necessary CMMC levels.
Training and documentation – Implement robust training programs and documentation processes to support ongoing compliance.

Conclusion

The implementation of CMMC represents a significant shift in how the DoW approaches cybersecurity in its supply chain. Although it presents challenges, it also offers opportunities for contractors who can effectively navigate the new landscape. Those who embrace these changes and demonstrate their commitment to robust cybersecurity practices will be best positioned for success in future defense contracting.

Expect to see increased scrutiny of cybersecurity practices, not only during the certification process, but throughout the lifecycle of contracts. The DoW’s commitment to enhancing the security of the DIB is clear, and contractors must align with this vision to remain competitive. Organizations that can adapt and comply with these new regulations are more likely to thrive in this new cybersecurity-focused environment. For more information on how to accelerate CMMC with AWS visit https://aws.amazon.com/compliance/cmmc/ or contact CMMConAWS@amazon.com.

TAGS: announcements, AWS Public Sector, cybersecurity, defense, government, U.S. Department of Defense, CMMC, DFARS, NIST, Defense Industrial Base

How nonprofits can explore, document, and enhance applications using Kiro

Ben Turnbull — Wed, 29 Apr 2026 23:03:05 +0000

Nonprofit technical teams are caught in a knowledge squeeze. On one side, staff departures walk institutional knowledge out the door. According to the 2026 Social Impact Staff Retention Project survey, nearly 7 in 10 nonprofit employees are considering new jobs, taking undocumented knowledge with them. On the other, new applications arrive from contractor handoffs, open source adoptions, and rapid prototyping sprints, each one adding complexity that no one has time to document. The gap between what your team owns and what your team knows continues to widen.

In this post, you’ll see how Kiro, an AI-assisted development environment powered by Amazon Bedrock, helps nonprofit technical teams close that knowledge gap from both sides. First, you’ll walk through techniques for exploring unfamiliar code bases, turning inherited applications into transparent, navigable systems rather than black boxes. Then, you’ll learn how to generate living documentation that captures institutional knowledge, accelerates onboarding for incoming staff, and stays current as your workloads evolve.

The challenge of knowledge loss and rising complexity

At Amazon Web Services (AWS), nonprofit technical leaders regularly tell us that understanding their own applications is one of their biggest operational risks. Consider these common scenarios:

A community health organization inherits a patient intake application after its lead developer departs. They’re left with a running application, a code repository, and little to no documentation.
A youth services nonprofit adopts an open source case management platform. The team customizes it to fit their workflows, but 6 months later, no one remembers why certain modules were modified or how they interact with the rest of the system.
A small IT team needs to onboard a contractor to add a critical feature but spends the first 2 weeks explaining how the application works, impacting timeline and budget.

For many nonprofits, institutional knowledge lives in the heads of a few individuals, and when those individuals leave, the organization’s ability to maintain and improve its technology leaves with them. At the same time, new workloads keep arriving. Organizations explore open source solutions, contractors hand off deliverables from completed engagements, and each new project brings an unfamiliar tech stack that can take weeks to onboard. The knowledge deficit grows in both directions at once.

Solution overview

Kiro is an AI-assisted development environment that analyzes your existing code base and helps you generate documentation, architecture insights, and best-practice guidance without requiring deep prior knowledge of the application. Here’s how Kiro supports the knowledge gap at a high level:

Analyze your existing code base using AI to understand application structure, dependencies, and logic flows.
Produce steering files, which are best-practice configuration files that guide future development, so new features align with your organization’s conventions.
Generate documentation and architecture diagrams, creating institutional knowledge that might never have existed.
Model Context Protocol (MCP) connects Kiro to external knowledge sources, such as AWS documentation or your own internal tools, so that recommendations stay current and contextually relevant.

The key benefits for nonprofit teams include the ability to accelerate application discovery from weeks to hours through AI-assisted exploration, generate living documentation that evolves with your code automatically, and apply best practices consistently, even without deep expertise on every team. The walkthrough in this post explores these elements in Kiro.

Prerequisites

To follow along with this walkthrough, you need Kiro installed on your development machine. For reference, I will use the bedrock-chat repository from AWS samples to demonstrate a new code base exploration.

Discovery and documentation

As you begin exploring a new workload, use the built-in tools available in Kiro to explore the repository both at a high level and a more granular level.

Start with steering files
Use Kiro’s predefined steering file generation to create an overview of your project in three distinct markdown files. These foundational steering files establish core project context so Kiro can align with your goals and patterns during development and double as a useful summary as you onboard to the project.

To generate these steering files, follow these steps:

1. In the Kiro panel, choose AGENT STEERING & SKILLS
2. Choose Generate Steering Docs.
3. The Kiro agent will explore the repository and produce the following three documents automatically:

a. product.md – Describes what your repository does.
b. tech.md – Lists your frameworks, libraries, and tools.
c. structure.md – Maps out how your project is organized.

The following screenshots illustrate these steps.

Figure 1: Foundational steering documents in the Kiro panel

These foundational files help your team onboard by providing a human-readable project summary, but steering files primarily help Kiro learn your organization’s patterns and best practices for development. As you encode standards, such as preferred naming conventions, security patterns, or architectural decisions into custom steering files, Kiro uses them to guide future code suggestions and feature development. This means new developers get consistent guidance from both the documentation and the AI tool itself, reducing the risk of diverging from established patterns. You can read more about this in the Keeping documentation up to date section later in the post.

Generate custom documentation with Kiro chat
For more tailored documentation, use the Kiro built-in context gathering subagent. Kiro automatically indexes your code base when you open a project so the subagent can explore your repository and generate custom documentation on demand.

Open a new Kiro chat session in Vibe mode and prompt it to generate an onboarding document. This document will contain useful context to help someone new better understand the project. It can align with common README context, or you can extend it to an onboarding narrative with service overviews and custom guidance. Consider prompting Kiro to personalize the onboarding communication to the capability of your team members. Kiro uses its context subagent to explore the repo and build context that will be summarized in a final markdown document.

Consider submitting this sample prompt to the Kiro chat to generate custom documentation:

Explore this repository and generate a guided onboarding narrative called ONBOARDING.md. The document should be welcoming, conversational, and structured like a senior teammate walking a new developer through the project on day one. Cover these sections in order:

1. Welcome & what this project does: What the app is, who uses it, and the problem it solves.
2. Architecture at a glance: Mermaid diagram of major components and request flow, with brief explanations.
3. Key concepts & domain language: Project-specific terms defined and mapped to implementing code.
4. Local environment setup: Prerequisites, step-by-step install, dev stack deployment, and common gotchas.
5. Day-to-day workflows: Running tests, adding endpoints/tools, modifying infra, and CI/CD overview.
6. Services cheat sheet: Table of every service dependency: role, abstracting module, docs link, and quota notes.
7. Where to go from here: Links to existing docs, suggested first tasks, and team contact placeholders.

The following screenshot shows Kiro’s response. First, it indicates it will explore the repository structure. Then, it creates and verifies a comprehensive onboarding document to orient new staff in a Kiro chat.

Figure 2: Kiro chat generates an onboarding document to orient new staff

For more granular exploration, Kiro chat is context aware. You can open a file and ask, “Summarize this file,” or reference specific files using the context mention icon (#). You can highlight a code snippet, right-click, and choose Kiro then Chat to ask targeted questions about that specific section of code. This makes Kiro chat a companion for ongoing code discovery as you learn more about the repository.

Figure 3: Context-aware file exploration in Kiro chat

Scale discovery with advanced tools

Foundational steering files and built-in subagents through Kiro chat are a good starting point for exploratory analysis. However, as your projects grow in complexity, you might require more sophisticated approaches. Many enterprise applications yield additional complexity, and documentation will need to persist in shared spaces beyond a local file system. This section addresses more advanced methods for generating onboarding documentation through multi-root workspaces, the use of MCP servers, and shareable agent skills.

Large-scale application discovery
Kiro supports multi-root workspaces for applications spanning multiple repositories, which is common in microservice architectures. Add additional folders to your workspace by choosing File and then Add Folder to Workspace, and the same discovery methods shared previously work across all roots. This simplifies exploration across the full stack of an application by unifying disparate repositories in one shared workspace.

Model Context Protocol
You can extend Kiro’s capabilities through MCP servers to develop more robust documentation and connect with downstream systems. For example, configuring the draw.io MCP server enables Kiro to generate architecture diagrams and visual workflows directly from your code base context. By adding the Atlassian MCP server, you can publish documentation to Confluence, creating a shared knowledge base accessible to your entire team. You might also consider the AWS Knowledge MCP for code bases with AWS infrastructure to reference the latest AWS documentation for service explanation.

The following screenshot shows a diagram generated by Kiro using the Draw.io MCP server.

Figure 4: Draw.io diagram generated through Kiro chat using the Draw.io MCP server

These MCP servers include bundles of tools that are readily available for you to use through the Kiro chat. Next, you can compile prompts and MCP servers into a packaged agentic skill for repeatable tasks such as generating initial onboarding documentation for a new project.

Agent skills for repeatable documentation
Skills in Kiro are portable instruction packages that follow the open Agent Skills standard. They bundle instructions, scripts, and templates into reusable packages that Kiro can activate when relevant to your task. Skills live in your .kiro/skills directory and are version-controlled and shared across projects, driving consistent documentation practices organization-wide.

A documentation generation skill might break down into the following steps:

Use the context-gatherer subagent to analyze the repository.
Call MCP tools to add technical details from external knowledge sources such as AWS documentation.
With this collected context, generate an onboarding document to orient new users and store it in a project onboarding directory.
Use the architecture context to create a draw.io diagram as an XML file and store it in the onboarding directory.
Create a new page in Confluence that includes the full content of the onboarding document and a section for the draw.io diagram.

The following screenshot shows the documentation uploaded directly to Confluence.

Figure 5: Confluence documentation published from the Kiro skill through the Atlassian MCP server

Keeping documentation up to date

Initial discovery is only half of the challenge. As your organization continues developing these systems, documentation must stay current to avoid the same knowledge gaps from resurfacing.

Agent hooks for documentation
Agent hooks execute predefined actions when specific events occur in your integrated development environment (IDE). For documentation, consider two approaches:

userTriggered event that updates docs on demand from a button click
fileEdited event with tight path patterns that trigger updates when core files (such as API routes, components, or services) change

When a hook fires, Kiro can use your previously designed skill to automatically update your onboarding document, regenerate diagrams, and sync changes to Confluence, keeping your documentation current without manual effort.

Note: You’ll need to use the Kiro IDE to take advantage of agent hooks, which uses event signals from the IDE. As of this writing, hooks are currently unavailable if you’re using the Kiro command line interface (CLI).

Custom steering
Steering files also play a forward-looking role here. Beyond onboarding documentation, use custom steering files to encode your organization’s development standards and AWS best practices. When a new developer starts working on a feature, these files guide them toward consistent patterns and away from common pitfalls. The foundational steering files help people understand what exists today, and custom steering files help Kiro (and your team) build what comes next in alignment with your organizational standards.

Conclusion

For nonprofit teams, institutional knowledge shouldn’t depend on any single person. AI-assisted development tools such as Kiro make it possible for resource-constrained teams to rapidly document, explore, and enhance the applications they depend on. Automated discovery and documentation reduce onboarding time and close knowledge gaps that put mission-critical systems at risk, and MCP integration and steering files guide new features to follow best practices.

Ready to get started? Install Kiro and try it on one of your existing applications today. For organizations that want to assess and modernize legacy applications more broadly, explore AWS Transform to understand your full application portfolio and plan a path forward.

About the author

Brightpoint uses AWS to build CARA, an AI-powered chat assistant connecting families to critical resources across Illinois

Michael Shaver — Wed, 29 Apr 2026 22:40:33 +0000

Brightpoint serves more than 37,000 children and families throughout Illinois, putting prevention at the center of their work to help families before small problems become life-altering crises. With support from the Amazon Web Services (AWS) Children’s Health Innovation Award program, which provides both cash and AWS credit funding to registered nonprofit organizations, Brightpoint built Connection Assistant & Referral Agent (CARA). CARA is an intelligent, multilingual, and judgment-free digital assistant that makes it easier for families to find and connect with the right support anytime, anywhere. This always-available chat-based assistant enhances how Brightpoint connects families to resources, providing an additional assist to Brightpoint staff while strengthening the overall system of care across Illinois.

Breaking down barriers to family support

Families navigating complex systems face significant barriers when seeking support. Finding the right resources for home visiting, mental health services, childcare, and financial stability programs requires knowledge of available services and how to access them. Families can struggle to connect with appropriate resources, especially outside of traditional business hours when their Brightpoint team isn’t available.

Brightpoint recognized that their most knowledgeable staff members possessed invaluable expertise in connecting families to resources, but this knowledge wasn’t evenly distributed or accessible to families around the clock. The organization needed a solution that could provide the expertise of their best staff members through a self-service experience that could communicate in any language. This challenge was particularly urgent given Brightpoint’s commitment to prevention and their goal of reaching families before small problems escalate into major crises.

Building an intelligent solution with AWS

CARA was built using AWS services in close partnership with the AWS Cloud Innovation Center and AWS Professional Services teams. The custom solution uses multiple AWS technologies to deliver a comprehensive family support system:

Amazon Bedrock powers generative AI and natural language interactions, enabling CARA to communicate naturally with families in any language.
Amazon DynamoDB provides secure and scalable data storage for the centralized referral database.
AWS CloudTrail provides governance and monitoring across the entire system.

Every component of CARA runs on AWS infrastructure, providing the reliability, security, and flexibility needed to scale statewide as Brightpoint expands access to more families across Illinois. Behind the scenes, CARA powers a centralized, continually updated referral database that captures real-time insights into community needs, identifies trends by geography, and gives staff the tools to rate and refine referral partners.

Resources from the Children’s Health Innovation Award, a category of the AWS Imagine Grant, helped Brightpoint access AWS experts to design and implement CARA from start to finish, so the solution could meet the complex needs of families while maintaining the highest standards for security and scalability.

Preparing for statewide impact

CARA is currently available to participants in Brightpoint’s Doula and Home Visiting programs in Central and Northern Illinois as part of a pilot. This pilot marks the first step in a phased expansion across the state, ultimately aiming to make CARA available to the more than 37,000 children and families that Brightpoint serves in programs throughout Illinois.

CARA’s mission-driven design addresses three critical areas. First, it makes it easier for families to find and access benefits and services such as home visiting, mental health, childcare, and financial stability programs. Second, it uses AI responsibly to deliver personalized interactions. Third, it collects structured data with consent to improve referral follow-through and provides system-level insight into unmet needs.

Brightpoint’s staff are eager to see the value this tool will bring to the families they work with, as well as the support it will provide to staff who help navigate complex systems to meet family needs. The organization plans to measure several key indicators as CARA rolls out, including tracking how many people sign up to use the tool, what kinds of questions or services they’re searching for, and whether they’re successfully getting connected to resources as a result. Over time, Brightpoint will analyze gaps and trends in the types of support being requested to help identify where additional funding and community resources are most needed.

Lessons learned for nonprofit technology implementation

For nonprofits exploring similar technology projects, Brightpoint’s team emphasizes the importance of staying grounded in both purpose and process while keeping an eye on the tradeoffs made at every step of design and build. Even a relatively narrow use case such as helping families find the right referral can reveal unexpected complexity.

The organization discovered that data preparation required significantly more manual work than anticipated. It took 2 months to collect and manually clean their data after AI-assisted cleanup failed, requiring a manual review of 1,400 records. The team also had to make nuanced design choices about how many responses to surface, in what order, and whether to show exact matches or related services families might not think to ask for.

Brightpoint’s advice centers on expecting iteration, embracing imperfection, and remembering that staff are often key users and cocreators in the process. The organization acknowledges that many more lessons are sure to come as they continue rolling CARA out to families across Illinois, but their partnership with AWS has positioned them to adapt and scale their solution as they learn from real-world implementation.

How you can support Brightpoint

Visit Brightpoint to learn more about and support their work to advance the wellbeing of children and families here. Even small donations make a big difference!

To learn more about how AWS helps public sector organizations deploy AI-driven solutions, connect with the AWS Public Sector team today.

CMMC Level 2 compliance on AWS: Why control ownership is where organizations struggle

Alexandria Burke — Wed, 29 Apr 2026 21:04:35 +0000

Cybersecurity Maturity Model Certification (CMMC) Level 2 compliance challenges stem not from a lack of security controls but from a fundamental misunderstanding of who owns them. This post brings guidance on Customer Responsibility Matrices (CRMs), authorization boundary definitions, and multi-provider control ownership into a single actionable framework for defense contractors preparing for third-party assessment.

With Certified Third-Party Assessment Organization (C3PAO)-assessed certifications becoming a condition of contract award and noncompliance carrying risks including disqualification and False Claims Act liability, the window for preparation is closing.

If your organization handles Controlled Unclassified Information (CUI) and operates on Amazon Web Services (AWS), you’re well positioned to address CMMC Level 2 requirements, but only if you understand the shared responsibility model and how control ownership works in practice.

The critical takeaway is that hosting in a Federal Risk and Authorization Management Program (FedRAMP)-authorized environment doesn’t automatically satisfy CMMC requirements. Every control must answer three questions: who implements the control, where it operates, and what evidence proves it.

Organizations that can’t clearly answer all three of these questions for each of the 110 National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev 2 controls could struggle during assessment. This is especially consequential in multi-provider environments where managed service providers (MSPs) build enclaves on top of cloud service provider (CSP) infrastructure. These enclaves fall outside the CSP’s FedRAMP authorization boundary and must independently demonstrate compliance with all 323 FedRAMP Moderate Baseline controls.

This post also addresses boundary drift, which is the unmanaged expansion of an assessment scope as new applications and services are deployed. Boundary drift can silently erode compliance posture over time. It’s recommended that organizations embed continuous boundary validation in change management workflows and request explicit, independently maintained CRMs from every provider in their chain. The absence of a provider CRM is treated as a risk factor: Under CMMC, if responsibility isn’t explicitly defined and provable, then the control isn’t met.

CMMC Level 2 timeline: Where we stand

The regulatory framework behind CMMC 2.0 is now operational. The CMMC Program Rule (32 CFR Part 170) became effective on December 16, 2024, and CMMC assessments formally began on January 2, 2025. The Acquisition Rule (48 CFR) followed, which was published on September 10, 2025 and took effect on November 10, 2025. It was codified in Defense Federal Acquisition Regulation Supplement (DFARS) clauses 252.204-7021 and 252.204-7025. This means CMMC compliance is a mandatory, enforceable element of applicable contracts.

The rollout follows a deliberate four-phase schedule, as illustrated in Figure 1:

Figure 1: CMMC Level 2 phased rollout timeline

The phased rollout progresses as follows:

Phase 1, November 2025 to November 2026 – Requires Level 1 and Level 2 self-assessments with scores uploaded to the Supplier Performance Risk System (SPRS) in most new solicitations.
Phase 2, November 2026 to November 2027 – The critical inflection point where C3PAO-assessed Level 2 certifications become a condition of award. Only companies authorized by The Cyber AB and listed in the CMMC Marketplace can issue certifications. Contractors are advised to coordinate with a C3PAO at least 6 to 12 months in advance.
Phase 3, November 2027 to November 2028 – Extends Level 2 certification requirements to options on existing contracts.
Phase 4, November 2028 onward – Achieves full implementation across all applicable contracts except commercial off-the-shelf (COTS) contracts.

One point that organizations often overlook is that DFARS 252.204-7012 remains independently enforceable. CMMC Level 2 validates the same 110 NIST SP 800-171 Rev 2 controls that DFARS 252.204-7012 has required since 2017. CMMC adds a third-party verification layer to existing obligations. Noncompliance carries risks including False Claims Act liability, making it important that organizations treat compliance preparation as an urgent operational priority rather than a future concern.

Why this matters for organizations using AWS

CMMC Level 2 doesn’t mandate a specific AWS Region. It requires that you implement NIST SP 800-171 controls, and that any CSP you use meets the FedRAMP Moderate Baseline equivalent, as required by DFARS 252.204-7012. Both AWS GovCloud (US) and the commercial US East/West Regions meet this requirement. The right deployment target depends on your specific contract requirements:

If your contract involves International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR)-controlled data, deploy in AWS GovCloud (US). ITAR workloads require the jurisdictional isolation that AWS GovCloud (US) provides.
If your contract requires Impact Level 4 or 5, deploy in AWS GovCloud (US). Commercial regions only support Impact Level 2.
If your workloads involve CUI without ITAR/EAR restrictions and without Impact Level 4/5 requirements, you can deploy in commercial US East/West Regions using Federal Information Processing Standards (FIPS)-validated endpoints and still meet CMMC Level 2 requirements.
If you have mixed workloads with different regulatory overlays, consider a hybrid approach: AWS GovCloud (US) for ITAR programs and commercial regions for standard CUI workloads. Use separate AWS Organizations to maintain clear boundaries.

Regardless of which region you choose, services such as AWS CloudTrail, AWS Config, AWS Security Hub, and Amazon GuardDuty are designed to support the monitoring, logging, and configuration management that CMMC controls require. However, the availability of these services doesn’t mean the controls are met. Your organization must configure, operate, and evidence these controls, and clearly document who owns each one.

The sections that follow explain the shared responsibility model in the context of CMMC, how to build and maintain a CRM, how to scope your assessment boundary, and how to manage compliance across multiple providers.

The shared responsibility model in practice: CSPs, MSPs, and your organization

Perhaps the most common misconception in cloud-based CMMC compliance is that hosting in a FedRAMP-authorized environment automatically satisfies security requirements. It doesn’t. Control inheritance is determined by boundary placement, not by the cloud provider. Deploying in any FedRAMP-authorized AWS Region doesn’t automatically mean controls are inherited. The Organization Seeking Assessment (OSA) must define where its boundary begins and ends.

The AWS Shared Responsibility Model operates on a layered principle. Inherited controls exist only at the AWS infrastructure layer, covering physical security, hypervisor management, and core network infrastructure. All higher layers introduce shared or customer-owned responsibility.

This means that solution configuration, access controls, monitoring, and operational controls all carry obligations that fall partially or entirely on the customer and their service providers. As illustrated in Figure 2, control responsibility is distributed across four layers in a typical multi-provider CMMC environment:

Figure 2: Multi-provider control ownership model

The CSP (AWS) provides the foundational infrastructure with inherited controls, but each additional layer, including the MSP enclave, the Managed Security Service Provider (MSSP) security services, and the organization itself introduces new shared or customer-owned responsibilities that must be independently documented and evidenced.

The MSP enclave challenge

One of the most consequential misunderstandings in the defense industrial base involves MSP enclaves. FedRAMP authorization applies to a specific system boundary, not to everything built on top of it. An MSP isn’t a CSP. When an MSP builds an enclave on AWS, they introduce new configurations, new access controls, new monitoring layers, and new administrative functions. These aren’t covered by the CSP’s FedRAMP authorization.

The MSP effectively creates a new authorization boundary, and that boundary must independently meet FedRAMP Moderate or an equivalent with full evidence. However, some MSPs market “CMMC-compliant enclaves” with “fully inherited controls,” a claim that might not withstand assessment scrutiny.

FedRAMP equivalency requirements

The December 2023 memorandum tightened FedRAMP equivalency requirements. Under the updated requirements, a cloud service offering is a FedRAMP Moderate equivalent only if it achieves 100% compliance with all 323 FedRAMP Moderate Baseline security controls, which are validated through an assessment by a FedRAMP-recognized Third-Party Assessment Organization (3PAO).

CSPs must either be FedRAMP Moderate/High-authorized or secure a third-party assessment confirming compliance with all FedRAMP Moderate Baseline controls. Defense contractors bear the verification responsibility: DFARS 252.204-7012 mandates that contractors “require and ensure” their CSP’s compliance.

The CRM is a nonnegotiable compliance artifact

If there’s one document that separates organizations that pass CMMC assessments from those that don’t, it’s the CRM. A CRM defines which controls are inherited from the CSP, which are shared between the CSP and the customer, and which are fully implemented by the Organization Seeking Certification (OSC) or MSP, along with the implementation location and the evidence source. Under CMMC, the shared responsibility matrix formally documents accountability for each of the 110 NIST SP 800-171 Rev 2 requirements and their 320 assessment objectives.

Three questions every control must answer
As mentioned at the beginning of this post, a CRM must define three things for every control:

Who implements it
Where it is implemented
What evidence supports it

This per-control traceability is what assessors look for. From an assessor perspective, the following questions are nonnegotiable: Where is each control implemented? Who owns it? What evidence proves it? Is this control inherited, shared, or customer-managed? If the answer is unclear, the control isn’t met.

Layered ownership across multiple providers
When multiple providers are involved, which is a common scenario in defense contracting, the CRM must reflect a layered ownership model. Inherited controls exist only at the CSP infrastructure layer. All higher layers (MSP enclave, MSSP monitoring, customer application) introduce shared or customer-owned responsibility.

MSPs operating enclaves must provide their own CRM with control-by-control mapping and clear ownership between CSP, MSP, and OSA. When MSPs don’t provide their own independent CRM, the gap compounds significantly. Inherited controls require documentation in the System Security Plan (SSP), and shared controls require proof of active configuration.

The fundamental rule is unambiguous: If responsibility isn’t explicitly defined, it’s not inherited. And in CMMC, if it’s not provable, it’s not compliant.

Boundary scoping and the five asset categories

Proper boundary scoping is the structural foundation upon which CRM documentation and control ownership rest. The CMMC Level 2 Scoping Guidance, 32 CFR §170.19, defines five asset categories that organizations must use to classify every component within their environment:

Asset category	Description	Assessment implications
CUI assets	Process, store, or transmit CUI	Assessed against all 110 Level 2 security requirements
Security Protection Assets (SPAs)	Provide security functions: security information and event management (SIEM), firewalls, virtual private network (VPN), identity providers	Assessed against relevant Level 2 requirements
Contractor Risk Managed Assets (CRMAs)	Can but aren’t intended to handle CUI because of policies in place	Documented in SSP; subject to limited assessor checks
Specialized assets	Can handle CUI but can’t be fully secured: Internet of Things (IoT), operational technology (OT), government-furnished equipment (GFE), test equipment	Managed using risk-based policies
Out-of-scope assets	Can’t process, store, or transmit CUI	Physically or logically separated from CUI environment

Table 1: CMMC Level 2 asset categories per 32 CFR §170.19

All assets must be documented in an asset inventory, treated in the SSP, and included in the network diagram of the CMMC assessment scope. The classification of each asset directly determines which controls apply and how they must be evidenced. Getting this wrong (for example, not identifying a SPA that provides logging functions) can cascade into multiple control findings during assessment.

AWS services can play a role across several of these categories. For example, AWS CloudTrail and AWS Security Hub are likely SPAs in your environment, while Amazon Simple Storage Service (Amazon S3) buckets storing CUI would be classified as CUI assets. Proper classification of each AWS service in your environment is a prerequisite for accurate boundary scoping.

The silent compliance risk of boundary drift

Boundaries can initially be well-defined only to shift over time. Boundary drift is a risk that occurs when an OSA deploys new applications or services into a managed enclave, changing the boundary without formal reassessment. Those new components must be reassessed and incorporated into the CRM, meaning boundaries aren’t static and must be continuously validated.

This risk is particularly relevant in dynamic cloud environments where new workloads can be provisioned rapidly. When an OSA deploys applications into an MSP-managed enclave, the boundary changes. Those new components introduce potential new CUI touchpoints, new access paths, and new control requirements. If the CRM and SSP aren’t updated to reflect these changes, the organization’s documented compliance posture diverges from its actual environment, which is a gap that assessors are likely to identify.

Common patterns related to boundary drift include treating MSP enclaves as inside the CSP’s FedRAMP boundary, making blanket 100% inherited controls claims, and not distinguishing between infrastructure and managed services. These each represent a boundary definition issue that can result in assessment findings across multiple control families.

The mitigation strategy requires:

Maintaining explicit CRM and supply chain risk management (SCRM) documentation that maps control ownership across all parties
Continuous boundary validation when changes occur
Verifying that every external service provider that builds an enclave independently meets FedRAMP Moderate or an equivalent

AWS services such as AWS Config and AWS Security Hub are designed to support continuous monitoring of your environment’s configuration state, which can help your organization detect when boundary changes occur and trigger the appropriate review processes.

Actionable steps for multi-provider compliance

Preparing for a CMMC Level 2 assessment in a multi-provider cloud environment demands disciplined, proactive effort. The following steps represent the most important recommended actions for organizations:

Step 1: Request explicit CRMs from every provider
Each CRM must define who implements each control, where it’s implemented, and what evidence supports it. This applies not only to the CSP but independently to every MSP and MSSP in the environment. If an MSP is offering a managed enclave handling CUI, they must provide their own CRM with control-by-control mapping and clear ownership between CSP, MSP, and OSC. It’s recommended that organizations treat the absence of a provider CRM as a risk factor. If your MSP or MSSP isn’t prepared, that risk falls on you.

Step 2: Contractually require DFARS flow-down and assessment-ready artifacts
MSP contracts must include cyber incident reporting requirements (72-hour notification), media preservation obligations, and access provisions for damage assessment. Beyond contractual language, MSPs must be obligated to produce evidence artifacts (configuration baselines, access review logs, vulnerability scans) that the C3PAO requires during assessment. Practices must match documentation: If an SSP states that vulnerability assessments are conducted weekly but the actual cadence is quarterly, assessors could identify the discrepancy and the control won’t pass.

Step 3: Conduct mock assessments before engaging a C3PAO
Without a mock assessment led by someone experienced in CMMC, gaps in documentation, missing evidence, and scope confusion often go unnoticed until it’s too late. A practice run can surface issues that can be remediated before the stakes are real. We recommend that organizations maintain version-controlled SSPs, traceable evidence logs, and tailored plans of action and milestones (POA&Ms) as part of their continuous compliance posture.

Step 4: Implement continuous boundary management
Given the risks of boundary drift, organizations must establish processes that trigger CRM and SSP updates whenever new applications, services, or configurations are deployed into the assessment scope. This isn’t a one-time exercise. It’s an ongoing operational discipline that must be embedded into change management workflows.

Conclusion

The transition from self-assessed to third-party verified CMMC compliance represents a fundamental shift in how the protection of CUI is validated. With C3PAO assessments becoming a condition of award and contractors facing disqualification for noncompliance, the window for preparation is narrowing.

The core lesson is that compliance isn’t about where your data is hosted, it’s about who owns each control, where that control operates, and what evidence proves it. Organizations that assume inheritance without documentation, treat MSP enclaves as extensions of CSP authorization boundaries, or allow boundary drift to go unmanaged are building their compliance posture on a foundation that might not withstand assessment.

The path forward requires:

Explicit control ownership through thorough CRMs
Rigorous boundary definition and continuous monitoring
Contractual accountability across every provider in the chain
Evidence-based verification that aligns documentation with operational reality

AWS provides a broad set of services and solutions designed to support organizations on this path, from AWS GovCloud (US) and commercial US Regions for hosting CUI workloads, to AWS Artifact for accessing AWS compliance reports, to services such as AWS Security Hub, AWS Config, AWS CloudTrail, and Amazon GuardDuty that are designed to help support continuous monitoring and evidence collection. CMMC compliance is achievable, but only for organizations willing to own every layer of their security posture.

For more information on CMMC compliance on AWS, contact AWS compliance support.

Next steps and resources

AWS Security Assurance Services – Reach out to AWS Security Assurance Services to speak with a trusted advisor to support your CMMC certification journey
CMMC program overview – Official CMMC program page with the latest guidance, rules, and assessment information
AWS Shared Responsibility Model – Understand the division of security responsibilities between AWS and the customer

How Leidos enhanced intelligent document processing using agentic AI on AWS

Gabriel Fuentes — Wed, 29 Apr 2026 20:27:48 +0000

When government agencies process millions of documents monthly—each with unique compliance requirements—traditional intelligent document processing (IDP) pipelines hit a wall. Leidos faced exactly this challenge with their ManagedX platform, an AI-powered, cloud-based IDP solution built on Amazon Web Services (AWS).

This post shares how Leidos enhanced ManagedX by adopting multi-agent workflow patterns using the open source Strands Agents SDK, and how AWS Enterprise Support helped guide that evolution.

The challenge: Scaling document processing for diverse government needs

ManagedX was already automating the extraction and processing of structured, semi-structured, and unstructured documents using AI and machine learning (ML). But as Leidos expanded across government agencies—each with distinct document types and compliance requirements—the team identified limitations in the existing architecture.

The core challenge was flexibility. Some agencies process thousands of short forms daily; others analyze single documents spanning hundreds of pages. The existing pipeline made it difficult to scale individual capabilities independently or offer a modular, pay-per-component model.

“Our government customers don’t just process one type of document—a single case file might include medical records, legal briefs, financial forms, and handwritten notes—all requiring different extraction strategies and compliance rules,” said Bill Zhou, Cloud DevOps Engineer at Leidos.

“In our previous setup, introducing a new document type or agency-specific workflow meant modifying the core pipeline, which slowed our ability to onboard new missions. We needed a flexible system where each processing capability—optical character recognition (OCR), classification, extraction, validation—could evolve independently and be composed differently for each agency’s needs,” said Justin Miles, Systems Engineer at Leidos.

“We were spending more time adapting the pipeline for each new agency than actually improving our AI capabilities. The multi-agent approach lets us compose processing workflows like building blocks—each agent is specialized, testable, and reusable across missions.” Bill Zhou, Cloud DevOps Engineer at Leidos.

Leidos needed a modular architecture that could adapt to each agency’s requirements without rebuilding the pipeline for every new use case.

Why Strands Agents SDK and the workflow pattern

Rather than iterating on the existing monolithic pipeline, Leidos adopted a multi-agent architecture—decomposing the document processing workflow into specialized agents, each responsible for a distinct task: OCR, text extraction, document classification, field extraction (structured data pull), validation, and graph/search indexing. This architecture powered a variety of use cases, from healthcare claims processing, legal e-discovery, and financial documentation to insurance underwriting. In every instance, auditability and deterministic ordering mattered in the regulated environments, which helped Leidos establish efficient workflow patterns.

The Strands Agents SDK—an open source, Apache 2.0-licensed framework already powering production features in AWS services—proved to be a natural fit for several reasons.

First, Strands supports a workflow agent pattern designed for sequential, deterministic processing with explicit dependency management. For government document processing, where the sequence matters—classify, then extract, then validate, then store—this determinism provides the auditability and consistency that regulated environments require. Leidos evaluated collaborative and swarm patterns, where agents negotiate dynamically, but chose the workflow pattern because predictable execution was non-negotiable.

Second, Strands’s Python-native tool definitions made it possible for Leidos to wrap existing capabilities as tools using simple decorators, without rewriting them. Each agent received its own tailored toolset, keeping responsibilities cleanly separated.

Third, Strands’s built-in support for Model Context Protocol (MCP) servers simplified how agents connected to AWS services. Rather than building custom integrations for each service, MCP provided pre-built tool interfaces—reducing development effort and making it simpler to add new service connections as the platform evolves.

Finally, Strands is model-agnostic, so Leidos can assign different Amazon Bedrock foundation models to different agents based on task complexity. Lighter models handle classification; more capable models handle validation with personally identifiable information (PII) guardrails powered by Amazon Bedrock Guardrails. Each model operates with separate throughput quotas, improving both cost-efficiency and performance isolation. Strands also provides built-in observability, logging every tool execution with its parameters—a critical capability for the auditability that government document processing demands.

With the architecture pattern selected, the next challenge was deployment in a regulated environment.

Deploying multi-agent AI in AWS GovCloud with containers

Deploying agentic AI in AWS GovCloud (US) presented its own constraints. At the time of implementation, managed agent orchestration services were not yet available in the AWS Region, so Leidos needed an alternative approach to run and scale their multi-agent system.

Because Strands is lightweight and runs anywhere Python runs, the team chose a container-based deployment using AWS Fargate. This container-based pattern proved to be a practical blueprint for running multi-agent workloads in regulated environments where managed services might not yet be available.

The role of AWS Enterprise Support

Throughout this evolution, Leidos worked with their AWS Technical Account Manager (TAM) through AWS Enterprise Support. Rather than prescribing a solution, the TAM served as a strategic advisor—helping the team evaluate agent patterns, navigate service constraints in GovCloud, and think through trade-offs between deployment approaches.

This type of engagement reflects a broader shift within AWS Enterprise Support toward proactive, strategic guidance—helping customers connect emerging capabilities like agentic AI with specific mission requirements.

The engagement was mutually beneficial for Leidos, who decided to build on AWS due to a combination of customer alignment, platform maturity, and developer velocity. With many of its government customers heavily invested in AWS—particularly within GovCloud—Leidos worked within their existing AWS footprint while maintaining compliance and security requirements.

“Ultimately, it was AWS’s flexibility, scalability, and partnership support that helped to bring ManagedX to life and allowed us to deliver solutions quickly and effectively for our customers,” said Zhou.

Lessons learned

For organizations considering a similar path, Leidos’s experience offers several takeaways:

Match the agent pattern to the processing sequence – If your document workflow follows a predictable path, the workflow pattern in Strands provides the determinism and auditability that government environments require.
Use existing code as tools – Strands’s decorator-based tool definitions and MCP support mean you don’t have to rewrite working logic—wrap it and assign it to the right agent.
Plan for Regional constraints – In regulated environments like GovCloud, not every managed service is available on day one. Strands’s lightweight footprint makes container-based orchestration with Fargate and Amazon SQS a viable alternative.
Engage your support relationship early – AWS Enterprise Support TAMs can help evaluate emerging patterns and navigate constraints—engaging them early in the architectural decision process can save significant time and rework.

Conclusion

Leidos’s enhancement of ManagedX demonstrates how an established IDP platform can evolve to meet growing government demands through multi-agent AI patterns. By selecting the Strands Agents SDK for its workflow capabilities, built-in tooling support, and model flexibility—and deploying on containers in GovCloud—Leidos built a modular, scalable solution that adapts to diverse agency needs.

“The modular architecture significantly improved ManagedX’s onboarding speed and processing efficiency, allowing us to establish new agency workflows much faster,” said Miles.

“ManagedX started as a document processing platform, but the agent architecture unlocked something bigger—it’s quickly becoming an intelligent case management system where AI plays an important role from intake to final recommendations. And with our foundation in place, we’re excited to introduce advanced capabilities like multi-level case intelligence, automated artifact generation, and a conversational AI interface that will help us boost insight and decision-making for case workers,” said Zhou.

For other public sector organizations exploring agentic AI, the path doesn’t require starting from scratch. It starts with understanding your processing requirements, choosing the right agent pattern, and engaging strategic partners like AWS Enterprise Support to help guide the journey.

To learn more about how AWS Enterprise Support can help your organization accelerate innovation, contact your AWS account team or visit the Enterprise Support homepage. To learn more about building with the Strands Agents SDK, visit the Strands Agents documentation. Learn more about Managed X and speak with a member of the ManagedX team.