Internal Brief
AWS APN Agentic Engagement
Current State
This brief outlines the current state of the AWS APN engagement — what is in motion, what has been established, and what commitments are in place with named AWS stakeholders.
Section 02
Where the engagement actually stands
The AWS Partner Network engagement is past preliminary discovery, had a working proof of concept presented live in front of the client with real agents, workflows and responses, and has a $1.5M four-phase production proposal pending a requested demonstration of my agentic workflows and responses. The brief facts:
Preliminary discovery is complete.
I mapped each of the nine Unify-placed AWS APN consultants end to end — scope, SOPs, pain points, system access, stakeholder relationships, the work they actually execute day to day. This was not a survey or a workshop. I leveraged each consultant's standard operating procedures and decomposed them into the cadence, inputs, outputs, and decision points that an agent would have to replicate. That source material is the foundation for every agent design that follows; Phase 1 of the production engagement extends it through the knowledge transfer interview program, the deeper per-consultant capture, and the named-stakeholder commitments referenced below.
Sixteen candidate agents have been identified and ranked
against a weighted formula of impact, feasibility, and cross-consultant reach. The priority set of four agents that Phase 2 builds against was derived from that ranking, not selected by intuition.
The system taxonomy has been assembled
covering every platform the consultants touch — Smartsheet, QuickSight, Highspot, Salesforce, Asana, SharePoint, Slack, Email, Contract Central, Marketo, and others — with per-consultant access/block status. The access constraints surfaced from this exercise drive the deployment phasing and have produced four active provisioning workstreams.
Production examples proved feasibility of the two most impactful agent functions.
Built and demonstrated to the client: working implementations of the Intake Normalizer (classification, routing, auto-acknowledgment) and the Communications Drafter (audience-tailored drafts with anti-hallucination constraints) — the two agents that ranked highest on impact and reach in the discovery work, deliberately chosen to validate feasibility of the most consequential patterns rather than the easiest ones. Both integrated with Slack. The Intake Normalizer was demonstrated autonomously: a partner email forwarded into a Slack inbox is classified, routed to the correct owner, logged, and — for urgent items — auto-drafted as a response, with no human button-press in the loop.
I walked the client through an interactive visual surfacing the preliminary discovery work — consultant scoping, agent ranking, organization coverage, agent-to-system access mapping, system access constraints, and a live POC agent operations dashboard.
A per-consultant view detailing each individual's scope, SOPs, pain points, tools available and missing, stakeholders, and mapped agents. A weighted ranking of all sixteen candidate agents with the impact/feasibility/reach scoring formula made explicit. An organization-and-stakeholder coverage view with per-program consultant and agent counts. Agent-to-system access mapping with the read/write/proxy patterns per agent, plus supporting views of agent-by-organization coverage and consultant-by-agent benefit. A system taxonomy of every platform the consultants touch, classified by category, vendor, and type (SaaS / internal AWS / core), with per-consultant access and block status. A live agent operations dashboard with confidence scoring, token accounting, processing time, source and urgency breakdowns, auto-route rates, and a per-action audit feed.
The AWS-native production architecture has been designed.
Bedrock + AgentCore + Strands Agents on the runtime side. Bedrock Knowledge Bases as the standard RAG layer. Macie + Bedrock Guardrails + KMS customer-managed keys + Lake Formation for data governance. Security Lake + OpenSearch + AgentCore Observability + a SageMaker-hosted evaluation harness for audit and model risk. Agent Registry built on DynamoDB. Per-action autonomy classification. Prompt versioning via S3. Single-vs-multi-account decision flagged as a Phase 1 deliverable.
The architecture has been designed against the recognized enterprise risks of multi-agent systems.
Runtime isolation, data exposure through tool calls, prompt injection, evaluation drift, vector-store confidentiality, and cross-agent blast radius — each mapped to specific AWS services and design patterns within the production plan.
The Agent Governance CoE has been designed as the operating model alongside the technical architecture.
The design specifies a charter, six defined roles (CoE Chair, Agent Owner with interim consultant and named AWS FTE successor, Model Risk Reviewer, Data Steward, Connector Owner, Incident Responder), a six-stage agent lifecycle (registration → approval → deployment → monitoring → recertification → retirement), and a defined governance cadence (weekly per-agent review, bi-weekly CoE operations, monthly cross-agent observability, quarterly leadership governance, on-change reviewer sign-off). Each lifecycle stage is tied to a specific artifact and a named owner. The CoE is the operating-model layer the technical architecture sits inside — the part most agentic deployments underinvest in, and the part that determines whether the agents are still operating six months after they go live.
Plan addresses the governance gaps the AWS stack does not natively provide.
The Agent Registry, the connector posture layer, the human-in-loop gating for high-risk actions, the prompt versioning workflow, the evaluation harness — none of these are off-the-shelf AWS products. They are the real consulting build.
Proposed phasing
Per the production proposal under client review
| Phase | Workstream | Investment | Originally targeted |
|---|---|---|---|
| Phase 1 | Semantic Capture & Design — discovery + modelling | $301,621 | May 31, 2026 |
| Phase 2 | Agent Development & Pilot — build + integration + core value creation | $452,432 | Jul 31, 2026 |
| Phase 3 | Orchestration & Scale — full solution automation + orchestration complexity | $452,432 | Sep 30, 2026 |
| Phase 4 | Optimization & Transition — stabilization, governance & transition | $301,621 | Oct 31, 2026 |
| Total | $1,508,107 | ~5 months from kickoff |
Phase target dates re-baseline against the actual engagement kickoff date. The preliminary discovery work described above sized this proposal. Phase 1 of the production engagement deepens it. Phases 2-4 — build, scale, and transition — represent roughly $1.2M of the $1.5M total.
Section 03
What's already been established
Overview, not fully exhaustive.
-
The four priority agents for Phase 2, and the rationale that places them ahead of the other twelve
-
The per-consultant access remediation strategy, including which constraints can be resolved through standard AWS access provisioning and which require proxy patterns
-
The control-plane-versus-operating-model framing that anchors the client positioning, and the reasoning behind treating agents like employees as the recertification standard
-
The Four Pillars overlay (Data Governance & Privacy, Model Transparency & Risk, Regulatory Compliance, Lifecycle & Accountability) mapped to AWS-native service substrates with explicit named gaps
-
The per-action autonomy classification framework (autonomous / async-reviewed / sync-reviewed-required) and the specific actions in each bucket per agent
-
The phased rollout sequence, the deliverables that gate each phase, and the consultant contract end dates that constrain the entire timeline
-
The named AWS FTE successor candidate pool for each Agent Owner role and the relationships those names map to from discovery
Section 04
What is timing-critical
The consultants' contract end dates.
Nine Unify-placed APN consultants are not being renewed. The engagement's scheduling spine is the date each of those individuals departs, because the knowledge they hold has to be extracted in interview form before they leave, and the AWS FTE successors who absorb their oversight responsibility have to shadow them on review queues before the contract ends. Miss that window, the agents inherit gaps and the partner relationships degrade silently. The schedule re-baselines to the consultants, not the other way around.
Security reviews are the gating workstream for system access.
The blocked access for Smartsheet, QuickSight, Salesforce, and Highspot is not a routine IT provisioning question — at AWS, these systems require formal security reviews covering data access scope, partner-data handling, and least-privilege rationale, with named reviewers assigned per request. Phase 2 keeps agents on delegated consultant identity where possible, which defers the largest security review surface. Phase 3+ requires agents to hold their own IAM roles and AgentCore Identity records — the only model that survives the consultants' departure — and triggers a separate, larger set of security reviews that must be sequenced into Phase 1 to land on time. The per-agent data access scope those reviews require is already documented from the discovery work and ready to file.
Pending client demonstrations and next-step decisions.
The client has seen the production examples during our most recent discussion of the plan and options, and has asked me to deliver the same demonstration to additional stakeholders on their side, as a precursor to moving forward with next steps. The single-vs-multi-account architectural decision, the Bedrock model standard, the partner notification policy on agent involvement, and the named AWS FTE successor pool are all decisions the client expects to discuss off the back of those demonstrations.
Section 05