Implementing Multi-Tenant AI with Amazon Bedrock AgentCore
- Amazon Bedrock AgentCore enables multi-tenant AI architectures using a shared pool model for infrastructure.
- The system enforces hierarchical isolation between tiers, tenants, and users through scoped JWT claims.
- A healthcare example demonstrates tier differentiation using Mistral Ministral 3 8B and GPT OSS 120B models.
Building multi-tenant AI applications with Amazon Bedrock AgentCore requires robust architectures to ensure tenant isolation, granular cost attribution, and tiered service levels. The demonstrated solution utilizes a hierarchical structure of Tier, Tenant, and User to enforce security and operational efficiency. By implementing a pool model, where tenants share underlying infrastructure, organizations can maximize resource utilization while maintaining logical separation through scoped identifiers and access policies.
The architecture centers on a healthcare AI assistant example, providing two distinct service tiers. The Basic Tier, intended for small clinics, utilizes the Mistral Ministral 3 8B Instruct model for efficient document retrieval. The Premium Tier, designed for hospitals, employs the OpenAI GPT OSS 120B model to enable advanced reasoning and web search capabilities. Tier differentiation is enforced via declarative policies that restrict or allow access to specific tools based on tenant plans.
Six core AgentCore capabilities drive this multi-tenant framework. The AgentCore Runtime provides tenant-level compute isolation using isolated micro-VMs. AgentCore Identity integrates with Amazon Cognito, using JSON Web Token (JWT) claims to propagate tenant context across system components. This context allows for secure, scoped data access without manual filtering logic in every service.
Memory and tool access are further secured through the Token Vending Machine (TVM) pattern and Attribute-Based Access Control (ABAC). By assuming roles with session tags such as Tier, ClinicId, and UserId, the system ensures that credentials are scoped only to the requesting tenant's namespace. The AgentCore Gateway utilizes the Model Context Protocol (MCP - an open-source standard for connecting AI agents to tools) to manage external tool interactions. This gateway automatically propagates tenant headers, ensuring that data isolation is maintained throughout the request lifecycle without requiring custom integration code for every tool.
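The Token Vending Machine step described above can be sketched as follows. This is an added example, not code from the article or from AWS: it maps already-verified JWT claims to the Tier, ClinicId, and UserId session tags and pairs them with an ABAC policy keyed on `aws:PrincipalTag`. The claim names, tier values, bucket layout, and role ARN are assumptions.

```python
import re

# Assumed claim names (not from the article): Cognito custom attributes plus "sub".
CLAIM_TO_TAG = {"custom:tier": "Tier", "custom:clinic_id": "ClinicId", "sub": "UserId"}
ALLOWED_TIERS = {"basic", "premium"}          # assumed tier values
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")  # stricter than STS tag limits; rejects "*", "/", "${"

# ABAC permissions policy for the vended role. The S3 bucket and prefix layout are
# placeholders; the point is that the resource is derived from the session tag.
TENANT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::EXAMPLE-TENANT-BUCKET/${aws:PrincipalTag/ClinicId}/*",
    }],
}

def session_tags(claims):
    """Map verified JWT claims to STS session tags; fail closed on bad input."""
    tags = []
    for claim, key in CLAIM_TO_TAG.items():
        value = claims.get(claim)
        if not isinstance(value, str) or not SAFE_ID.fullmatch(value):
            raise ValueError(f"missing or malformed claim: {claim}")
        tags.append({"Key": key, "Value": value})
    if claims["custom:tier"] not in ALLOWED_TIERS:
        raise ValueError("unknown tier")
    return tags

def build_assume_role_request(claims, role_arn):
    """Build kwargs for sts.assume_role; the role's trust policy must allow sts:TagSession."""
    tags = session_tags(claims)
    clinic = next(t["Value"] for t in tags if t["Key"] == "ClinicId")
    return {
        "RoleArn": role_arn,
        "RoleSessionName": f"tvm-{clinic}"[:64],
        "Tags": tags,
        "DurationSeconds": 900,  # shortest lifetime STS allows
    }

def vend_credentials(sts_client, claims, role_arn):
    """Call STS through a boto3-style client and return the temporary credentials."""
    return sts_client.assume_role(**build_assume_role_request(claims, role_arn))["Credentials"]
```

The tags are taken only from claims whose signature, issuer, and audience have already been verified, never from request headers or body fields the caller controls.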