AgentCore Policy authorises tool calls through the AgentCore Gateway. Gostly captures the upstream’s actual response — no matter how the agent reached the tool — and replays it byte-equivalent.
AWS announced AgentCore Policy in March 2026 as a Cedar-based authorisation layer for agentic systems running on Bedrock. The model is familiar to anyone who has written Cedar: a decision is taken on (principal, action, resource, context), allow or deny, and the result is logged. The integration point is the AgentCore Gateway — tool calls that pass through the Gateway are policy-checked before they execute.
The architectural escape hatch worth naming: AgentCore policy is bypassed when the agent calls a tool that is notbehind the Gateway. If an agent in production reaches for an internal HTTP service directly, a third-party SDK that doesn’t route through the Gateway, or a tool registered outside the AgentCore inventory, the policy layer has no visibility. That is a documented design constraint, not a bug — but it changes the threat model.
Gostly sits at a different point in the call path. The Gostly proxy intercepts the HTTP traffic itself, regardless of which agent framework issued the call. Whether the request came from an MCP tool definition, an AgentCore Gateway-registered tool, or a hand-rolled httpx.AsyncClient invocation, the proxy captures it. The contract becomes per-route and per-recorded-response — a finer granularity than the Gateway ARN that AgentCore Policy can address.
There is also a vendor-lock-in axis. AgentCore tightens the pricing pressure on Bedrock — the policy layer is a real reason to standardise an organisation on the AgentCore stack, and that standardisation has commercial consequences down the line. Gostly is transport-agnostic: it works against any HTTP upstream and runs as a single Rust binary or in a Kubernetes cluster you control. No cloud lock-in is added by adopting it.
| Feature | AWS AgentCore | Gostly |
|---|---|---|
| Cedar-based policy on tool calls (allow / deny by principal · action · resource · context) | first-class | No |
| Coupled to AWS Bedrock & AgentCore Gateway | Yes | No |
| Coverage when agent calls a tool NOT behind the Gateway | No | captured regardless of path |
| Transport-agnostic (any HTTP upstream, any cloud) | No | Yes |
| Resource granularity | Gateway ARN | per-route / per-recorded-response |
| Records the upstream's actual response | No | default workflow |
| Byte-equivalent replay for regression testing | No | Yes |
| No LLM in the deterministic cascade | n/a | Yes |
| Row-level tenant isolation on shared state | IAM-scoped | 22-table RLS in Postgres |
| Self-hostable, no cloud lock-in | No | single Rust binary or K8s |
| MCP server for agent introspection | No | Team tier — shipped |
| Audit log of policy decisions | CloudTrail | platform audit log (Team) |
AgentCore Policy is genuinely strong on the “should this call go out?” axis when the call is routed through the Gateway. Gostly addresses the orthogonal axis: capturing what actually came back, regardless of how the call was made.
Choose AWS AgentCore when
Choose Gostly when
Your agent’s API calls — captured, redacted, replayable. Any HTTP upstream. Any cloud. No lock-in.
Evaluating for a team of 3+? We’d love to talk before you commit.