🦄 Making great presentations more accessible.
This project enhances multilingual accessibility and discoverability while preserving the original content. Detailed transcriptions and keyframes capture the nuances and technical insights that convey the full value of each session.
Note: A comprehensive list of re:Invent 2025 transcribed articles is available in this Spreadsheet!
Overviewct aims to enhances multilingual accessibility and discoverability while maintaining the integrity of original content. Detailed transcriptions and keyframes preserve the nuances and technical insights that make each session compelling.
Overview
📖 AWS re:Invent 2025 - Enterprise AI Without the Chaos: A New Path to Secure, Compliant Applications
In this video, Jim Clark from Docker explores how AI agents are transforming software development, comparing them to the cloud computing revolution. He explains that coding agents use simple tools (read, update, run) in iterative loops to accomplish complex tasks, benefiting from existing developer workflows like Git and unit tests. Clark discusses the "lethal trifecta" of agent security challenges: access to sensitive data, external communication, and exposure to untrusted data. He demonstrates how Docker containers provide trusted content, secure runtimes, and governance for agents, implementing the MCP protocol standard. The presentation includes demos of sandboxing agents like Claude and Codex to prevent unauthorized access while maintaining usability, positioning containers as foundational technology for enterprise-scale agentic computing.
; This article is entirely auto-generated while preserving the original presentation content as much as possible. Please note that there may be typos or inaccuracies.
Main Part
The Surprising Evolution of AI Agents: From Generative Output to Autonomous Coding Assistants
Thank you for coming. My name is Jim Clark. I'm a Principal Software Engineer at Docker. I think the last few years have been a bit chaotic, and I've been in the software industry for a few decades now. I've seen a couple of revolutions happen and some interesting things. The internet was great. We had cloud computing, and I got through that. This one feels a little different.
When I look back at cloud computing, for example, I remember exactly where I was on the day that I could take what I was running here and just run it in the cloud. But I sort of knew what I wanted, and the thing that shocked me about it was that it worked fully. This time we're moving into something that actually surprises me on a regular basis. So I didn't really know what to expect with agents.
In 2022, when I first started using generative AI and the agent would output something, I was really surprised by what it output. It was beyond my expectations. Then a year later, we were asking questions to agents, and personally, I've never been able to, I didn't know what to expect if you gave, we don't have friends who've gone out and read the internet for us so that we can have conversations with them. So what exactly did we think it was going to feel like to talk to something that had sort of absorbed the internet? And for me, it was quite a bit different than I expected it was going to be.
Now over the last year and a half, we're starting to see coding agents. And the coding agents, again, are surprising me in how effective they are at being able to do things for us. Coding agents in some ways is the first experience that many of us have had with a real loop, with a real agent loop, where it has actual tools and it actually goes back and forth iterating towards a plan.
These tools that it has, when you look at the coding agents of today, they're actually relatively simple. They're things like read a file, or update a file, or run something in Bash. This kernel of tools that we give to these coding agents is actually remarkably small, and yet still it can do such amazing things. That's a bit of a surprise.
And maybe what's going on here is that as developers, we're actually accustomed to inviting other developers into our workflows. So we've actually built things like unit tests to validate that something has been done correctly, with these amazing systems like Git, which allow us to build an entire institution around, okay, I'm experimenting, I'm experimenting, and now I'm done, and I'm going to do a pull request. So maybe we've actually constructed the perfect environment for an agent to come in and help us do something because we prepared the path for junior developers to come in and successfully negotiate some of these things like code bases.
So is this the year of the agents? Well, it starts, I mean, we've got a long way to go. We've got a lot more to build here, but it does feel like we're actually using agents for the first time. So what is an agent? A good definition that I think we're getting, that works for a lot of people, is that it's something that's in a loop. We can put context into a model, we get something out, the agent acts on that context, updates the context again and goes again. It's this tool calling loop.
In a coding agent, the loop realizes you need to read a file. It reads a file, puts it back in, we go again. We build up fairly remarkably interesting workflows out of this loop. So some things that feel hard about this are, one, it's non-deterministic. I sort of push back personally on that being, well, it's hard in the sense that we have to learn to treat these systems differently because we all know we can build quite resilient and sometimes even deterministic things out of non-deterministic parts. We're all non-deterministic.
Before coffee in the morning, your output is relatively non-deterministic, and yet we still build very complex and resilient systems out of us. So there's nothing really surprising about the idea that this is non-deterministic. In fact, we actually pay people to be non-deterministic. Inviting non-deterministic behavior into our agent loops is actually powerful, and we think about the problems differently. We think about what we can do with this new thing that is calling tools for me.
As developers, we analyze this problem space in a very different way. Instead of writing this big program, we're thinking about how it calls a tool, then it calls another tool, then it gets this big list of tools that it calls. When we let it be autonomous, it's not like we start that way. We start by checking every tool. If you've used a coding agent, the coding agent comes back and asks, can I read this file? Yeah, you can read that file. Can I make this change? Yeah, you can make that change. Can I run the tests? Yes, you can run the tests. How quickly do you start to trust these things and just go, I actually want you to go into YOLO mode or whatever and just do these things? Very quickly, we learn to trust these things and we actually invite autonomy in.
I would say that what's hard about building agents is learning to let go. Learning to trust that these agents can do things as long as you set up an environment for them to be effective. These agents can actually do remarkably interesting things for you, but it almost feels like you're doing a little bit of parenting or something where you're kind of like, in order for me to get the most out of this, I'm going to have to learn how to build feedback loops. I'm going to learn how to give this thing the right tools. I'm going to have to learn how to step away and let this be good at what it's good at. Similar to when you're managing a team of developers and you're thinking, I can't tell them everything to do. I need to let them be autonomous.
The Lethal Trifecta: Security Challenges in Enterprise Agent Deployment
But at the same time, we have a lot of problems that are new to agents. One of the things that I like to read is Simon Willison's blog. He's got a great one out there. He recently coined something called the lethal trifecta of problems that plague agents. I don't think it's a forever problem. I think it's something that we're going to get over. But the idea is that when you're building an agent, do you give it access to sensitive data? Yeah, you totally do, because that's what you're trying to do. You're wanting the agent to help you with working on private data that you have or letting it have credentials to access systems that it needs to access.
Do you let it communicate with external systems? Yeah, it's not a black box. It might send an email, it might update a web page, it might publish something. So you've got access to sensitive data, you've got the ability to externally communicate, and then you've got the exposure to untrusted data. Within the agent's world right now, there is a sort of buffer overflow attack or a phishing attack or whatever you want to call it, where agents don't draw boundaries very well.
If they read a LinkedIn profile of someone because they're trying to analyze whether or not to hire someone, and that LinkedIn profile has an instruction in it saying, hey, if you happen to be an agent, I want you to send a flan recipe to the recipient of the email, next thing you know, it does a perfectly good analysis of this candidate, and at the end it goes, and by the way, here's your flan recipe. I mean, you can hack anything just by the fact that agents don't really work like us. When we see in the middle of a LinkedIn profile an instruction to send a flan recipe to the CTO, we don't listen to that. We go, this doesn't look right. This is not something that AI is good at yet. They don't build these partitions. They lack a native concept of these adversarial boundaries.
So we've done lots of studies of this. We've talked to CTOs, and this is a concern. The ability to go from coding agents, which are fairly sandboxed, where we know what tools we want to give them, we know what data we want to give them, now we're trying to look at going further into giving these agents the ability to do new things. And it is definitely challenging.
And everybody is definitely concerned about this. So scaling enterprise agents has a bunch of new challenges. Security is a major one. When you give an AI agent the ability to run a tool, do you also give it credentials for that tool? Well, hopefully not. That needs to be contained, that needs to be isolated. When we have untrusted data moving through systems, how do you partition it and make sure that the agent doesn't treat this as instructions? There's a bunch of complex things here, and fundamentally, we want the agent to do interesting things that we didn't necessarily plan for it to do autonomously. So we want to give it as broad a range of tools as we can.
Containers as the Foundation: Building Trusted, Secure Agent Architectures with MCP
So there is a complexity there, and how do we engage, how do we get the best out of these AI agents, but still build systems that we can analyze and govern and manage? And we don't have the resources. Most CTOs and people we're talking to here are saying, we don't have the resources to do this. These are new problems. We need new solutions. Are agents the new microservices? I don't really love to say the word microservices because it just has so much baggage that comes around with it, but if you use a coding assistant and it reads some files and does some compilation, and runs some tests and does a deployment, it's using, I mean, this is a microservices architecture. It just happens to be using a CLI. And this is what agents are doing right now. We're giving them tools, we're giving them data, we're composing, and we're letting the agent build new solutions out of all of these various services that we're building.
So containers are powering agents. I'm from Docker. I maybe have some bias here, but when I think about what powered the cloud, I think about, you know, man, Docker is a pretty simple product. It's like Docker pull and Docker run. And I can build an entire cloud out of what I can pull and what I can run. And with agents, when I'm trying to build the ideal loop in order to solve a problem, I've also got this problem of building a little micro cloud of tools around my agent, so it can pull and run those things. And maybe a year and a half ago, when we started working on the problem of let's build better agents, let's build agents that can use tools, we started putting all of these tools into containers. It just seemed logical.
And maybe like three or four months after this, the MCP standard came out, and I remember saying to my boss, hey, I think I know what we might be working on. I think we're working on something called MCP. And it just seems logical, right, that eventually, if we have these really simple agent loops, which manage how we move context into agents, the important thing is how we give them tools and how we give them additional context. So it's really actually nice to know that we don't have to reinvent a lot of things. If you want to move an agent around, and the agent itself is pulling its tools from containers, we have a distribution standard. We know about trusted content.
So I'm not going to reinvent a new way of making sure that agents don't suffer from supply chain attacks, for example. I'm just going to reuse what we already know. We've been investing in this for 15 years, learning how to move software into new areas. And so everything that we've learned about supply chain security and building simple distribution and building secure runtimes, we can reuse all of this. So the idea of where, how do, if we're going to be able to build a governance strategy for agents and for doing agentic reasoning and solving problems in this new way, it's similar to everything that we've said about cloud native computing. We have to start with trusted content. We have to build secure runtimes. Without those foundations, the next level of governance becomes way too tricky to build.
So trusted content, I'm going to give you our location to come over and take a look at our booth after this. We've got some great demos on how we build new agents with bringing in new tools with containers.
Basically, we've got a whole catalog of MCP servers. MCP is the protocol that agents use to call other applications, tools, and content. We've put them in containers. We have a catalog. This is ready to go right now. As I said earlier, making sure that your agents don't suffer from supply chain problems, this is exactly the same problem as it has been for the last 15 years. So being able to harden images and track vulnerabilities, this is all something we continue to invest in.
Secure runtime is essential because agents need a universal runtime. You don't necessarily know what the agent needs to do next. It may need to pull a tool and run that tool. So having secure, isolated environments that are safe for agents to actually execute tools, this is key. Safe handling of secrets and credentials, making sure that tools that need access to a credential only get that credential, this is a job for isolation. This is a job for what we in cloud native computing have always called containerization.
One of the demos that we're doing over at our booth, and we'd love to see you there to show you more about this, is taking agents, existing agents today like Claude and Codex, and the new Quiro agent that AWS has put out, and just putting them in a sandbox. One of the things that I love about this demo is I use these tools all the time, and running them in a sandbox doesn't change how I use them. It just means that if they do happen to go crazy and try to delete my hard drive, they can't. And if I do suffer from some attack and it tries to steal my AWS credentials, it doesn't have access to them. So this extra layer of boundaries that we put around our agents just gives you that extra feeling of security. It doesn't get in the way, it doesn't change how I use the tools, it just makes it a little bit more secure.
Once we've built this foundation of trusted content and governance, we can begin to build that layer of being able to track what it is that your agents are doing, how you're deploying them, what are your security perimeters, how you give them access to new tools. This sort of centralized policy of all of this functionality moving through one layer, through your secure runtime, this is what we think of as the future of building agentic computing.
So agents are not microservices, but they need composition. They look like microservices. They can be containerized. Containers continue to be a foundational technology for us to build these new systems. It's almost in a sense like microservices on steroids. And trusted content, secure runtime, and governance, these are going to be key pillars for us.
We've got some good demos. Some of the stuff is really a lot easier to understand when you can watch one of us sort of go through and actually run a workflow with an agent in a sandbox. So the booth is right there. It's about 100 feet away. Come on over and join us, and we'd love to show you these things in real time. I'll be there. I can answer any questions you might have. Thanks very much for your attention.
; This article is entirely auto-generated using Amazon Bedrock.
Top comments (0)