DEV Community

Cover image for 25 Workflow Automation and Process Agent Patterns on AWS You Can Steal Right Now
AWS Community Builders profile image Marcelo Acosta Cavalero
Marcelo Acosta Cavalero for AWS Community Builders

Posted on • Originally published at buildwithaws.substack.com

25 Workflow Automation and Process Agent Patterns on AWS You Can Steal Right Now

#aws #ai #devops #productivity

Originally published on Build With AWS. Subscribe for weekly AWS builds.

A logistics coordinator at a mid-size manufacturer spends every Monday morning copying order data from the ERP into a spreadsheet, cross-referencing inventory levels in a second system, emailing the warehouse team about shortages, and updating the shipping schedule in a third tool.

The entire ritual takes three hours.

The data exists in every system.

The logic is consistent.

The human is the integration layer.

This is the third edition of a five-part series cataloging real AI architecture patterns running on AWS.

Edition 1 covered customer-facing agents.

Edition 2 covered internal knowledge and productivity agents.

This edition focuses on the unsexy middle: workflow automation and process agents that operate behind the scenes, moving data between systems, enforcing business rules, handling exceptions, and keeping operations running without direct human interaction.

No chat interfaces, no employee-facing Q&A.

These agents augment or progressively replace the spreadsheets, email chains, RPA scripts, and manual copy-paste rituals that hold business processes together, particularly where the process requires judgment that rule-based automation cannot handle.

If you missed the earlier editions, go back to Edition 1 for the “Agent or Not?” scoring framework and the AgentCore vs Quick breakdown.

Edition 2 introduced Amazon Q Business for knowledge workloads.

Those mental models apply here.

This edition adds a fourth consideration: when an agent is overkill and Step Functions plus EventBridge handles the job.

The Agent vs Orchestration Decision

Workflow automation sits in a gray zone.

Not every automated process needs an AI agent.

Many workflows are deterministic: if X happens, do Y, then Z, every time, no variation.

Step Functions handles those workflows with built-in error handling, retry logic, and visual debugging.

Adding an agent to a deterministic workflow adds cost, latency, and a reasoning layer that provides no value.

Agents earn their place in workflow automation when the process requires judgment calls.

When the system needs to interpret unstructured input, classify ambiguous data, decide which path to take based on context that cannot be reduced to simple rules, or handle exceptions that vary enough to defeat a static decision tree.

Use the same five questions from Edition 1 (workflow predictability, reasoning depth, tool access, conversational interaction, improvement over time) to score each workflow.

These thresholds are a useful heuristic: workflows scoring below 10 belong in Step Functions.

Between 10 and 15, consider a hybrid where Step Functions orchestrates the deterministic parts and an agent handles the judgment steps.

Above 15, build the agent.

Three practical signals help distinguish agent territory from orchestration territory.

First, input predictability: if every input follows a known schema with constrained values, orchestration handles it.

If inputs arrive as unstructured documents, free-text emails, or variable formats, an agent adds value.

Second, rule stability: if the business rules change rarely and can be fully enumerated, encode them in Step Functions.

If the rules shift frequently, contain ambiguity, or require interpretation of context, an agent adapts where static rules break.

Third, exception tolerance: if the process can halt on any unexpected input and wait for a human, orchestration is fine.

If exceptions are common enough that halting creates an operational bottleneck, an agent that handles the ambiguity keeps the process moving.

Reference Architectures for Process Agents

Process agents differ from the customer-facing and employee-facing patterns in the first two editions.

They rarely have a chat interface.

They trigger from events, schedules, or system state changes.

They interact with APIs, databases, and file systems rather than humans.

The reference architectures reflect this shift.

Reference Architecture G - Event-Driven Process Agent

Platform: AgentCore

When to use: The agent triggers from system events and makes decisions about how to process each event based on context. No human interaction during execution. The agent reads data, reasons about what to do, takes actions across systems through Gateway-mediated tool calls, and logs outcomes.

AgentCore Policy constrains which actions the agent can take, and AgentCore Observability provides tracing and visibility into agent execution and tool calls.

All tool interactions flow through the Gateway, which handles authentication, rate limiting, and MCP-compatible tool exposure.

Covers most document processing, data routing, exception handling, and system integration agents where the trigger is an event, not a person.

Reference Architecture H - Hybrid Orchestration (Step Functions + Agent)

Platform: Step Functions + AgentCore

When to use: The workflow has deterministic steps (data extraction, API calls, file transformations) mixed with judgment steps (classification, exception handling, content generation).

Step Functions orchestrates the overall flow and calls the agent only when reasoning is needed.

This hybrid pattern reduces unnecessary model invocations, improves debuggability through Step Functions’ visual execution history, and preserves deterministic control with built-in retries and error handling for the predictable steps.

Covers workflows where the majority of steps are deterministic and the remaining steps require contextual decision-making.

Reference Architecture I - Multi-System Process Coordinator

Platform: AgentCore (multi-agent or single agent with adapters)

When to use: The process spans 4+ systems where each system has different APIs, data formats, and error modes. The coordinator agent manages sequencing, handles partial failures, and tracks process state in a durable store (DynamoDB or RDS, not AgentCore Memory, which serves context retention rather than transactional workflow state).

System adapters normalize the interface to each backend.

This pattern centralizes coordination logic and can reduce the operational complexity of ad hoc point-to-point integrations, while still relying on stable adapters and contract validation at the API layer.

The 25 Use Cases

Document Processing and Data Extraction

#051 - Invoice Processing and Matching Agent

Pattern: Migration from RPA

Platform: Step Functions + AgentCore (hybrid)

Complexity: Quick Win

Reference Architecture: H

What the agent does:

  • Receives invoices via email attachment, API upload, or S3 drop. Amazon Textract extracts line items, totals, vendor information, and payment terms with confidence scores.
  • The deterministic steps (extraction, format normalization, duplicate detection) run in Lambda via Step Functions.
  • The agent handles the judgment calls: matching invoices to purchase orders when line items do not align exactly, resolving quantity discrepancies, and flagging anomalies like unexpected price increases or new line items not on the PO.
  • Extraction results where Textract’s field-level confidence falls below a configured threshold route directly to human review rather than through the agent’s matching logic, because low-quality extraction makes downstream matching unreliable.
  • Clean matches route to the payment queue.
  • Exceptions route to AP (the team that handles invoice payments) with the agent’s analysis and a recommended resolution.

AWS services: Step Functions, Amazon Textract, Bedrock (Claude), AgentCore Runtime, S3 (document ingestion), Lambda (deterministic steps), DynamoDB (PO matching index), SES (exception notifications)

You need this if: Your accounts payable team manually matches invoices to purchase orders, spends 15+ minutes per exception, and processes more than 500 invoices per month.

#052 - Contract Data Extraction and Lifecycle Agent

Pattern: Migration from RPA

Platform: AgentCore

Complexity: Strategic Bet

Reference Architecture: G

What the agent does:

  • Processes incoming contracts, amendments, and renewals.
  • Extracts key terms: effective dates, renewal windows, termination clauses, pricing schedules, SLA commitments, liability caps, and data handling provisions.
  • Drafts a deviation summary comparing extracted terms against company standards as a review aid for legal and procurement, not as an autonomous legal reviewer.
  • Populates the contract management system with structured data.
  • Monitors active contracts for upcoming renewals, expiring SLAs, and auto-renewal windows.
  • Sends alerts to the legal and procurement teams with a summary of each contract’s key obligations and upcoming milestones.

AWS services: Bedrock (Claude), AgentCore Runtime, Amazon Textract, S3 (contract repository), DynamoDB (contract metadata), EventBridge (milestone scheduling), SES (alerts)

You need this if: Your legal team manually reviews contracts to track key dates and obligations, and you have missed renewal windows or auto-renewed unfavorable terms because nobody flagged the deadline.

#053 - Mail and Correspondence Classification Agent

Pattern: New build

Platform: AgentCore

Complexity: Quick Win

Reference Architecture: G

What the agent does:

  • Processes inbound correspondence from a shared mailbox, physical mail scans, or document upload.
  • Classifies each item by type (invoice, RFP, legal notice, customer complaint, regulatory filing, general inquiry), extracts key metadata, and routes to the appropriate department or workflow.
  • For structured document types (invoices, purchase orders), triggers the corresponding processing pipeline.
  • For unstructured items (letters, complaints), generates a summary and priority assessment before routing.
  • Can support page-level or section-level routing when document boundaries are reliably identified, though multipage segmentation adds complexity that should be validated per document type.

AWS services: Bedrock (Claude), AgentCore Runtime, Amazon Textract, S3 (document intake), SQS (routing queues), EventBridge (workflow triggers), DynamoDB (classification audit trail)

You need this if: Your operations team manually sorts and distributes 100+ pieces of inbound correspondence daily, and misrouted items cause delays measured in days.

#054 - Receipt and Expense Categorization Agent

Pattern: Migration from RPA

Platform: Step Functions + AgentCore (hybrid)

Complexity: Quick Win

Reference Architecture: H

What the agent does:

  • Processes bulk receipt uploads from corporate card feeds, receipt scanning apps, and email forwards.
  • Textract extracts merchant, amount, date, and line items.
  • Step Functions handles the deterministic categorization for known merchants mapped to GL codes.
  • The agent handles ambiguous cases: merchants with multiple possible categories, split purchases across categories, foreign transactions requiring context to categorize, and items that might be personal vs business expenses.
  • Categorization outputs are schema-constrained to valid GL codes at the application layer, preventing open-ended classification drift.
  • Low-confidence categorizations queue for human review with the agent’s reasoning attached.
  • AWS services: Step Functions, Amazon Textract, Bedrock (Nova), AgentCore Runtime, Lambda, DynamoDB (merchant mapping), S3 (receipt storage)

You need this if: Your finance team recategorizes 20-30% of auto-categorized expenses because simple rule-based systems cannot handle merchant ambiguity or context-dependent categorization.

#055 - Form Processing and Data Entry Agent

Pattern: Migration from RPA

Platform: Step Functions + AgentCore (hybrid)

Complexity: Quick Win

Reference Architecture: H

What the agent does:

  • Digitizes and processes paper forms, PDFs, and scanned documents into structured data.
  • Handles applications, enrollment forms, registration documents, and intake paperwork.
  • Textract extracts fields.
  • Step Functions manages the pipeline (extraction, validation, storage).
  • The agent resolves extraction ambiguities, fills inferred fields from context (deriving a state from a zip code, a department from a job title), validates cross-field consistency (does the birth date match the stated age?), and flags irreconcilable conflicts for human review.
  • Loads validated data into the target system (CRM, HRIS, ERP) via API.

AWS services: Step Functions, Amazon Textract, Bedrock (Nova), AgentCore Runtime, Lambda, API Gateway, target system APIs

You need this if: Your team manually enters data from paper or PDF forms into business systems, the error rate exceeds 5%, and rework from data entry mistakes costs more than the entry itself.

Approval and Routing Workflows

#056 - Intelligent Request Routing Agent

Pattern: New build

Platform: AgentCore

Complexity: Quick Win

Reference Architecture: G

What the agent does:

  • Receives internal requests from a ticketing system, email, or Slack and routes them to the correct team, queue, or individual based on content analysis rather than user-selected categories.
  • Reads the full request text, identifies the actual need (which often differs from what the submitter selected in a dropdown), determines priority from impact signals in the text, and assigns it to the right handler.
  • When a request spans multiple teams, splits it into sub-requests with the relevant context for each team.
  • Tracks routing accuracy and rebalances when certain queues are overloaded.

AWS services: Bedrock (Claude), AgentCore Runtime, AgentCore Gateway (ticketing system API, Slack API), EventBridge, DynamoDB (routing rules and metrics)

You need this if: More than 25% of internal requests get rerouted at least once because users select the wrong category, and your average time-to-right-team exceeds 4 hours.

#057 - Dynamic Approval Chain Agent

Pattern: New build

Platform: AgentCore

Complexity: Strategic Bet

Reference Architecture: G

What the agent does:

  • Manages approval workflows where the approval chain varies based on request content, not just amount thresholds.
  • Analyzes the request (purchase, access change, policy exception, project proposal), determines which approvers are required based on the specific content (a security-related purchase needs CISO sign-off regardless of amount, a vendor change needs procurement review), checks for conflicts of interest, and routes accordingly.
  • Handles delegation when approvers are out of office, escalates stalled approvals, and maintains a complete audit trail.
  • When policies conflict (two approval rules apply and contradict), it flags the conflict and routes to the policy owner for clarification.

AWS services: Bedrock (Claude), AgentCore Runtime, AgentCore Policy (tool boundaries and action constraints), HRIS API (delegation and reporting structure), EventBridge (escalation timers), SES (notifications), DynamoDB (approval state and audit trail)

Note: AgentCore Policy serves as the deterministic control boundary for which actions the agent can take. The approval lifecycle state (pending, approved, rejected, escalated) should live in DynamoDB or a workflow engine, not in the agent’s reasoning alone.

You need this if: Your approval workflows are either too rigid (everything follows the same chain regardless of content) or too manual (someone decides who needs to approve each request), and both modes create bottlenecks.

#058 - Exception Handling and Escalation Agent

Pattern: New build

Platform: AgentCore

Complexity: Strategic Bet

Reference Architecture: G

What the agent does:

  • Monitors automated business processes for exceptions that cannot be resolved by existing error-handling logic.
  • When a process throws an exception (payment fails, data validation rejects a record, an API call returns an unexpected response), the agent analyzes the exception context, classifies it, and determines whether the issue is transient (retry), correctable (apply a predefined remediation within policy boundaries), or requires human judgment.
  • For correctable issues, it recommends or executes predefined remediation actions constrained by AgentCore Policy, and logs every change applied.
  • For human-required issues, it identifies the right person based on the exception domain and provides a diagnostic summary.
  • Tracks exception patterns and recommends process improvements when the same exception type recurs.

AWS services: Bedrock (Claude), AgentCore Runtime, AgentCore Memory (historical context for recurring exceptions), CloudWatch (process monitoring), EventBridge (exception events), SNS (escalation), DynamoDB (structured exception log and pattern analytics)

You need this if: Your operations team spends hours daily triaging process exceptions from automated systems, and 60% of those exceptions follow patterns that could be handled without human intervention.

System Integration and Data Synchronization

#059 - Cross-System Data Reconciliation Agent

Pattern: Migration from RPA

Platform: AgentCore

Complexity: Strategic Bet

Reference Architecture: I

What the agent does:

  • Reconciles data across systems that should agree but drift over time.
  • Compares customer records between CRM and billing, inventory counts between warehouse management and ERP, employee data between HRIS and payroll.
  • Identifies discrepancies and flags them against deterministic authority rules that define which system owns each field.
  • The agent’s role is matching ambiguity and explanation, not final authority: it resolves near-matches the rules engine cannot handle, explains why records diverged, and either corrects the discrepant system automatically for low-risk fields (phone numbers, formatting differences) or queues corrections for approval for high-risk fields (pricing, compensation).
  • Runs on a schedule and produces reconciliation reports showing drift trends, common discrepancy sources, and data quality scores per system.

AWS services: Bedrock (Claude), AgentCore Runtime, AgentCore Gateway (multi-system APIs), EventBridge (scheduler), S3 (reconciliation reports), DynamoDB (discrepancy tracking), Quick (QuickSight for drift dashboards)

You need this if: Your teams spend time manually comparing data across systems, you have discovered billing errors caused by CRM-to-billing sync failures, and nobody trusts that any single system has the correct data.

#060 - Legacy System Migration Agent

Pattern: New build

Platform: Step Functions + AgentCore (hybrid)

Complexity: Foundation Build

Reference Architecture: H

What the agent does:

  • Assists in migrating data from legacy systems to modern platforms.
  • Step Functions manages the bulk migration pipeline (extract, transform, load).
  • The agent assists with the judgment-intensive parts: suggesting field mappings when the legacy-to-target relationship is not one-to-one, interpreting free-text fields that encode structured information (a “notes” field containing address changes, pricing exceptions, and relationship context), and flagging records where legacy data does not meet the new system’s validation rules.
  • Transformation pipelines and validation rules remain deterministic; the agent handles ambiguity and explanation, not schema authority.
  • Produces a migration report for each batch showing what mapped cleanly, what required interpretation, and what needs human review.

AWS services: Step Functions, Bedrock (Claude), AgentCore Runtime, AWS DMS (data migration), Lambda (ETL steps), Glue (data transformation), S3 (staging), RDS/DynamoDB (target systems)

You need this if: Your legacy migration is stalled because 20-40% of records need manual cleanup, and the cleanup requires understanding context encoded in free-text fields and inconsistent formats.

#061 - API Integration Mediator Agent

Pattern: New build

Platform: AgentCore

Complexity: Strategic Bet

Reference Architecture: I

What the agent does:

  • Sits between systems that need to exchange data but lack a clean integration.
  • Handles the translation layer: mapping fields between different schemas, converting units and formats, handling version differences in APIs, and managing the sequencing when updates to one system require multiple coordinated calls to another.
  • When an API starts returning unexpected responses, the agent can help detect and classify the integration drift, and in constrained cases map minor schema variations (a renamed field, a new optional property).
  • For breaking changes to authentication flows, data contracts, or endpoint structure, contract validation and human review remain necessary.
  • Maintains a log of all translations applied and flags when its confidence in a mapping drops below threshold, indicating the integration needs engineering attention.

AWS services: Bedrock (Nova), AgentCore Runtime, AgentCore Gateway, API Gateway (endpoint management), DynamoDB (mapping rules), CloudWatch (integration health metrics), SNS (confidence alerts)

You need this if: You maintain brittle point-to-point integrations between systems using custom Lambda functions, and every API version change breaks downstream processes.

#062 - Master Data Management Agent

Pattern: New build

Platform: AgentCore

Complexity: Foundation Build

Reference Architecture: I

What the agent does:

  • Maintains a golden record for key business entities (customers, products, vendors, locations) across systems.
  • When a new record is created or an existing record is updated in any connected system, the agent evaluates whether it represents a new entity or matches an existing one.
  • Goes beyond simple deduplication: resolves near-matches by analyzing contextual signals (same company, different address might be a branch office, not a duplicate) and surfaces merge candidates with explanations.
  • Deterministic survivorship rules (most recent, most complete, source priority) govern which values win in a merge; the agent handles entity resolution and ambiguous matching, while stewardship workflows and audit trails ensure humans review high-impact merges before propagation to connected systems.
  • Produces data quality scorecards showing entity completeness, duplication rates, and conflict resolution patterns.

AWS services: Bedrock (Claude), AgentCore Runtime, AgentCore Gateway (multi-system APIs), DynamoDB (golden record store), EventBridge (change events), Glue (data profiling), Quick (QuickSight for data quality dashboards)

You need this if: Your customer or product master data is fragmented across 3+ systems, duplicates cause operational errors, and your team manually merges records using spreadsheets.

Order and Supply Chain Operations

#063 - Order Fulfillment Orchestration Agent

Pattern: Migration from RPA

Platform: AgentCore

Complexity: Strategic Bet

Reference Architecture: I

What the agent does:

  • Manages the order-to-fulfillment process across ERP, warehouse management, shipping carriers, and inventory systems.
  • When an order is placed, the agent determines the fulfillment path within predefined business rules and constraints: which warehouse has stock, which carrier meets the delivery window at the lowest cost, and whether to split-ship or wait for all items.
  • Handles exceptions that derail RPA scripts: backorders, address validation failures, carrier capacity constraints, and partial inventory availability.
  • When fulfillment cannot meet the promised delivery date, the agent determines the best alternative (expedited shipping, alternative warehouse, substitute product) and updates the customer record.

AWS services: Bedrock (Claude), AgentCore Runtime, AgentCore Gateway (ERP, WMS, carrier APIs), EventBridge (order events), DynamoDB (fulfillment state), SNS (exception alerts)

You need this if: Your fulfillment team manually handles 15-20% of orders because they fall outside the happy path of your automated workflow, and each exception takes 20+ minutes to resolve.

#064 - Inventory Rebalancing Agent

Pattern: New build

Platform: Both (AgentCore backend + Quick dashboards)

Complexity: Strategic Bet

Reference Architecture: G + Quick dashboards

What the agent does:

  • Monitors inventory levels across warehouses, stores, and distribution centers.
  • Identifies imbalances where one location has excess stock while another faces shortages.
  • Factors in demand forecasts, seasonal patterns, lead times, transfer costs, and upcoming promotions to recommend and initiate rebalancing transfers.
  • Handles the complexity that rule-based systems miss: a supplier delay requiring redistribution of remaining stock, seasonal demand shifts that differ from historical patterns, or promotional activity creating localized spikes.
  • External demand signals (social media trends, weather forecasts) can improve rebalancing accuracy but require dedicated data integrations beyond the base inventory stack.
  • Quick dashboards give supply chain managers visibility into inventory health, transfer recommendations, and demand signals.

AWS services: Bedrock (Claude), AgentCore Runtime, AgentCore Gateway (WMS APIs), Amazon Quick (QuickSight + Research), EventBridge (inventory triggers), Redshift (demand data), S3 (forecast models)

You need this if: Your inventory rebalancing happens weekly via spreadsheet analysis, and you regularly discover stockouts at one location while another location sits on 90+ days of the same product.

#065 - Vendor Performance Monitoring Agent

Pattern: New build

Platform: AgentCore backend + Quick analytics

Complexity: Quick Win

Reference Architecture: G + Quick dashboards

What the agent does:

  • Tracks vendor performance across delivery timeliness, quality metrics, pricing compliance, and responsiveness.
  • Pulls data from receiving logs, quality inspection records, invoice accuracy rates, and communication response times.
  • Identifies trends that indicate deteriorating performance before they become problems: gradually increasing lead times, rising defect rates, or more frequent pricing discrepancies.
  • Generates vendor scorecards and produces alerts when a vendor crosses a performance threshold.
  • For procurement reviews, compiles a vendor comparison across the same product category with data-backed performance rankings.

AWS services: Bedrock (Claude), AgentCore Runtime, Amazon Quick (QuickSight + Research), ERP API, quality management API, EventBridge (threshold alerts), Redshift (vendor metrics), SES (scorecards)

You need this if: Your procurement team evaluates vendors based on relationship and recent memory rather than data, and poor vendor performance gets discovered through downstream operational problems.

#066 - Purchase Order Generation Agent

Pattern: Migration from RPA

Platform: Step Functions + AgentCore (hybrid)

Complexity: Quick Win

Reference Architecture: H

What the agent does:

  • Generates purchase orders based on inventory triggers, demand forecasts, and reorder points.
  • Step Functions handles the deterministic parts: checking reorder thresholds, pulling vendor pricing from contracts, applying standard terms.
  • The agent handles the judgment calls: selecting the best vendor when multiple suppliers carry the same item (factoring price, lead time, current performance score, and existing open orders) constrained by the approved vendor list and procurement policies, consolidating small orders to meet minimum order quantities, timing orders to optimize shipping costs, and adjusting quantities based on demand trend analysis.
  • Submits POs through the procurement system and tracks acknowledgment.

AWS services: Step Functions, Bedrock (Nova), AgentCore Runtime, Lambda, ERP API, DynamoDB (vendor performance and pricing), EventBridge (reorder triggers)

You need this if: Your purchasing team manually creates 50+ POs per week, the vendor selection process is inconsistent, and you miss volume discount thresholds because orders are not consolidated.

Financial Operations

#067 - Revenue Recognition Processing Agent

Pattern: New build

Platform: AgentCore

Complexity: Foundation Build

Reference Architecture: G

What the agent does:

  • Supports the revenue recognition process under ASC 606 by analyzing contract terms, delivery milestones, and performance obligations.
  • The agent assists with the interpretation layer that trips up rule-based systems: multi-element arrangements where deliverables have different recognition patterns, variable consideration (usage-based pricing, performance bonuses), contract modifications mid-period, and the distinction between point-in-time and over-time recognition.
  • Authoritative recognition logic and GL postings remain rule-driven and controller-reviewed.
  • The agent’s primary value is exception triage, workpaper preparation, and drafting supporting schedules and documentation that the accounting team validates before posting.
  • Edge cases route to the controller with the agent’s analysis and a recommended treatment.

AWS services: Bedrock (Claude), AgentCore Runtime, AgentCore Policy (recognition rules), ERP API, DynamoDB (contract terms), S3 (supporting documentation), EventBridge (milestone triggers)

You need this if: Revenue recognition consumes your accounting team’s last two weeks of every quarter, manual journal entries introduce errors, and your auditors consistently question the supporting documentation.

#068 - Bank Reconciliation Agent

Pattern: Migration from RPA

Platform: Step Functions + AgentCore (hybrid)

Complexity: Quick Win

Reference Architecture: H

What the agent does:

  • Reconciles bank statements against the general ledger.
  • Step Functions handles the straightforward matches: same amount, same date, same reference number.
  • The agent investigates the rest: partial matches where the bank batched multiple payments, timing differences where the bank and GL dates differ, transactions that posted under a different description than expected, and unidentified deposits or charges.
  • For unmatched items, the agent searches across systems (AP, AR, payroll, expense reports) to identify the likely source.
  • Agent-suggested matches above a materiality threshold route to the accounting team for approval rather than auto-resolving.
  • Produces a reconciliation report with matched items, agent-investigated items (with reasoning and confidence), and genuinely unresolved items requiring human investigation.

AWS services: Step Functions, Bedrock (Claude), AgentCore Runtime, Lambda, banking API, ERP API, DynamoDB (matching index), S3 (reconciliation reports)

You need this if: Your monthly bank reconciliation takes 3+ days, most of that time is spent investigating exceptions, and you carry unreconciled items forward because nobody has time to resolve them.

#069 - Accounts Receivable Follow-Up Agent

Pattern: New build

Platform: AgentCore

Complexity: Quick Win

Reference Architecture: G

What the agent does:

  • Manages the collections process for outstanding invoices.
  • Monitors aging reports, identifies overdue accounts, and executes a tiered follow-up strategy.
  • Sends payment reminders using approved communication templates that reference the specific invoice details and payment terms.
  • When responses come in (payment committed, dispute raised, payment plan requested), the agent updates the AR system and adjusts its follow-up schedule.
  • For disputed invoices, it gathers the relevant backup documentation (PO, delivery confirmation, signed acceptance) and escalates to the AR team with a complete case file.
  • All outbound communications follow escalation rules and messaging policies configured in AgentCore Policy. Prioritizes follow-up efforts based on amount, aging, and customer payment history.

AWS services: Bedrock (Claude), AgentCore Runtime, AgentCore Policy (communication and escalation rules), ERP/billing API, SES (communications), EventBridge (follow-up scheduling), DynamoDB (communication history and dispute tracking)

You need this if: Your DSO (days sales outstanding) exceeds industry benchmarks, your AR team cannot follow up on every overdue invoice, and you write off receivables that could have been collected with timely outreach.

Compliance and Regulatory Operations

#070 - Regulatory Filing Preparation Agent

Pattern: New build

Platform: AgentCore

Complexity: Strategic Bet

Reference Architecture: G

What the agent does:

  • Assembles regulatory filings by pulling required data from across business systems.
  • Handles recurring filings (tax returns, SEC reports, environmental disclosures, industry-specific compliance reports) by mapping filing requirements to internal data sources, extracting the relevant figures, performing consistency checks against prior period filings, and assembling draft filing packages with pre-populated data for review.
  • Identifies data gaps where the required information does not exist in a system and routes data collection requests to the responsible teams.
  • Maintains a filing calendar and initiates preparation with enough lead time based on the complexity of each filing.

AWS services: Bedrock (Claude), AgentCore Runtime, AgentCore Gateway (ERP, HRIS, compliance system APIs), EventBridge (filing calendar), S3 (filing archive), DynamoDB (filing requirements and data mappings)

You need this if: Your compliance team manually compiles data from 5+ systems for each regulatory filing, the process starts too late every cycle, and filing errors result from transcription mistakes between systems.

#071 - Audit Trail and Evidence Collection Agent

Pattern: New build

Platform: AgentCore

Complexity: Quick Win

Reference Architecture: G

What the agent does:

  • Organizes and packages evidence from native audit data sources for compliance audits.
  • The raw evidence comes from authoritative system logs: CloudTrail for API activity, CloudWatch Logs for application events, S3 for stored artifacts.
  • The agent’s role is enrichment and organization: when an auditable event occurs (access grant, configuration change, data modification, approval action), it correlates the event across sources and adds context: who, what, when, why (pulling from the approval chain or change request), and the system state before and after.
  • The agent indexes and packages this evidence, not invents it.
  • During audit preparation, retrieves and packages evidence against specific control requirements.
  • Maps internal controls to audit criteria (SOC 2 trust service criteria, HIPAA safeguards, PCI DSS requirements) and identifies gaps where evidence is incomplete or missing.

AWS services: Bedrock (Claude), AgentCore Runtime, CloudTrail, CloudWatch Logs, EventBridge (event capture), S3 (evidence store), DynamoDB (control mapping), OpenSearch Serverless (evidence search)

You need this if: Your team spends 100+ hours preparing for each audit cycle, evidence collection is a manual scavenger hunt across systems, and auditors request additional evidence because the initial package is incomplete.

#072 - Policy Change Impact Assessment Agent

Pattern: New build

Platform: AgentCore

Complexity: Strategic Bet

Reference Architecture: G

What the agent does:

  • When a regulatory change or internal policy update is proposed, the agent assesses the impact across business operations.
  • Analyzes the proposed change against current processes, systems, data flows, and compliance controls.
  • Identifies which teams, systems, and workflows are affected.
  • Estimates the scope of required changes: configuration updates, process modifications, training requirements, and system development.
  • Produces a draft impact report with affected areas ranked by severity and a preliminary remediation plan as an analytical aid for compliance and operations teams.
  • The final impact assessment and remediation decisions remain with the policy owners and affected teams.
  • Tracks implementation of approved changes against the remediation plan.

AWS services: Bedrock (Claude), AgentCore Runtime, Bedrock Knowledge Bases (policy corpus and process documentation), AgentCore Memory (institutional context), DynamoDB (change tracking), S3 (impact reports)

You need this if: Policy changes blindside operational teams because nobody mapped the downstream effects, and your compliance team discovers gaps during audits rather than during the change implementation.

DevOps and Infrastructure Operations

#073 - Deployment Validation Agent

Pattern: New build

Platform: Step Functions + AgentCore (hybrid)

Complexity: Quick Win

Reference Architecture: H

What the agent does:

  • Runs after each deployment to validate that the release behaves correctly.
  • Step Functions orchestrates the validation sequence: smoke tests, health checks, metric collection.
  • The agent handles the judgment calls: comparing post-deployment metrics against pre-deployment baselines and determining whether observed changes are expected (a new feature increases latency on one endpoint but within acceptable bounds) or problematic (error rate increased 0.3% on an unrelated endpoint).
  • Correlates application metrics with infrastructure metrics to distinguish deployment issues from infrastructure events.
  • When validation fails, provides a diagnostic summary and recommends an action (roll back, hotfix, or monitor) based on predefined SLO thresholds and deployment policies, not unconstrained model reasoning.
  • The agent surfaces evidence; deployment policy and on-call make the decision.

AWS services: Step Functions, Bedrock (Claude), AgentCore Runtime, CloudWatch, Lambda (health checks), CodeDeploy, SNS (alerts), DynamoDB (baseline metrics)

You need this if: Your deployment validation is either manual (someone watches dashboards for 30 minutes) or binary (automated tests pass/fail with no nuance), and you have experienced incidents caused by subtle deployment regressions that neither approach caught.

#074 - Cost Anomaly Investigation Agent

Pattern: New build

Platform: Both (AgentCore backend + Quick dashboards)

Complexity: Quick Win Reference

Architecture: G + Quick dashboards

What the agent does:

  • Responds to AWS Cost Anomaly Detection alerts by investigating the root cause. One timing caveat: Cost Anomaly Detection runs detection models approximately three times per day, and because it relies on Cost Explorer data, detection can lag actual usage by up to 24 hours.
  • This pattern suits cost governance and investigation workflows, not real-time operational response (use CloudWatch alarms for that). When an alert fires, the agent pulls cost data from Cost Explorer, correlates spikes with CloudTrail events (new resources launched, configuration changes, scaling events), checks deployment logs for recent releases, and examines usage patterns.
  • Determines whether the cost increase is expected (auto-scaling during a traffic spike), accidental (someone left GPU instances running), or concerning (a compromised credential spinning up resources).
  • Produces an investigation summary with the likely cause, the ongoing cost impact if unaddressed, and a recommended action.
  • Quick dashboards track cost trends and anomaly patterns over time.

AWS services: Bedrock (Claude), AgentCore Runtime, AWS Cost Explorer API, AWS Cost Anomaly Detection, CloudTrail, Amazon Quick (QuickSight), EventBridge (anomaly alerts), SNS (notifications)

You need this if: Your team gets cost anomaly alerts, glances at them, and marks them as reviewed without investigating because the investigation requires cross-referencing 4+ data sources manually.

#075 - Certificate and Secret Rotation Agent

Pattern: Migration from RPA

Platform: Step Functions + AgentCore (hybrid)

Complexity: Strategic Bet

Reference Architecture: H

What the agent does:

  • Adds dependency-aware sequencing and verification on top of the native rotation mechanisms already built into AWS Secrets Manager and ACM.
  • Step Functions handles the deterministic parts: checking expiration dates, triggering rotation via Secrets Manager or ACM, updating the secret store.
  • The native rotation handles credential generation.
  • The agent handles what native rotation does not: determining the correct rotation sequence when multiple services depend on the same credential, validating that each service picked up the new credential (not just that the secret was rotated), and managing the coordination window where old and new credentials must both work.
  • When rotation fails (a service did not pick up the new credential), the agent diagnoses the failure, rolls back if necessary, and reports the issue with remediation steps.

AWS services: Step Functions, Bedrock (Nova), AgentCore Runtime, AWS Secrets Manager, ACM, Lambda (rotation functions), CloudWatch (health validation), SNS (failure alerts), Systems Manager

You need this if: You have experienced an outage caused by an expired certificate or credential, your rotation process is manual or partially automated with no validation step, and you manage 50+ secrets across your infrastructure.

What These 25 Patterns Reveal

The hybrid architecture dominates this edition. Roughly a third of the patterns use Step Functions for deterministic steps and AgentCore only for judgment calls. Workflow automation has more deterministic logic than customer-facing or employee-facing use cases. The hybrid approach reduces unnecessary model invocations, keeps deterministic steps easier to validate, debug, and audit through Step Functions’ visual execution history, and reserves agent reasoning for the steps where it actually adds value.

Event-driven triggers replace chat interfaces. Only one of these 25 agents has any human interaction during execution (the exception handling agent’s escalation path). The rest trigger from system events, schedules, or data state changes.

This changes the evaluation criteria: latency matters less than reliability, and the agent’s ability to handle edge cases matters more than conversational quality.

RPA migrations cluster in document processing and financial operations.

A few patterns explicitly replace existing RPA scripts. These agents handle the same workflows but add reasoning for the exceptions that break RPA.

The migration path is clear: identify where your RPA scripts have the most manual exception queues, and those are your first agent candidates.

Data quality is the prerequisite, not the afterthought.

Four patterns (reconciliation, master data management, legacy migration, data entry) directly address data quality. Any serious feasibility assessment scores data readiness as the number one factor, and these patterns validate why.

An agent that processes invoices needs clean vendor master data. An agent that orchestrates fulfillment needs accurate inventory counts.

The data quality agents are foundation builds that make every other agent more reliable.

Multi-system coordination is where agents add the most value over traditional automation.

The patterns spanning 4+ systems (fulfillment orchestration, data reconciliation, regulatory filing) handle failure modes that point-to-point integrations struggle with: partial failures, sequencing dependencies, and cascading rollbacks.

Traditional orchestration tools like Step Functions handle retries, catch paths, and compensating logic well for anticipated failure modes.

Agents add value when the failure mode was never explicitly modeled, when the system encounters ambiguous situations that require interpretation rather than a pre-built error path.

What Comes Next

Two more editions to go:

  • Edition 4 - Data and analytics agents (self-service BI, automated reporting, data pipeline management)
  • Edition 5 - Compliance, security, and governance agents (high-stakes environments with strict audit and control requirements)

If you are building workflow automation agents, look for processes with four properties: high exception volume that creates manual work, measurable human effort you can benchmark against, structured inputs that give the agent something concrete to work with, and a clear fallback-to-human path when the agent’s confidence is low.

Invoice Processing (#051) and Bank Reconciliation (#068) fit all four criteria, which is why they make strong starting points.

They also use the hybrid Step Functions + AgentCore pattern, which gives you the best cost-to-value ratio for your first process agent.

I publish every week at buildwithaws.substack.com. Subscribe. It's free.

Top comments (0)