Printed from Production AI Institute public record

https://www.productionai.institute/insights/openai-amazon-bedrock-psf-assessment-2026

Production AI Institute · Public recordRecord
Production AI Institute
Briefing
Briefing

Today's public AI briefing: what changed, what went wrong, and what the evidence says.

Open Briefing →
Today's AI briefingThe daily record of what changed and broke.Public record explorerSearch every incident, entity, and source.
Check
Check

Inspect tools, incidents, and data-use disclosures against the public record.

Open Check →
Check an AI toolWhat a tool actually does with your data.Run exposure checkTest your own stack against the record.Data-use indexDisclosures across the major AI tools.Incident registryDocumented production AI failures.
Lab
Lab

Independent research instruments: model and agent scorecards, moral-reasoning evals, and ecosystem assessments.

Open Lab →
AI lab scorecardsHow the frontier labs actually perform.Compass · moral reasoningTest models on hard moral cases.Agent readinessIs the agent ecosystem production-ready?Ecosystem assessmentsIndependent reviews of the AI stack.Model & agent evalsOpen evaluations and their results.Research libraryEvidence-led analysis and briefings.
Learn
Learn

The open standard, the tools built on it, and the research that interprets the record.

Open Learn →
Production safety standardThe open PSF standard, explained.WorkflowOS · open sourceBuild governed AI workflows.Workflow libraryReady-made governed workflows.InsightsResearch articles on the record.
Act
Act

Turn uncertainty into public evidence: ask, disclose, build evidence, or correct.

Open Act →
Ask for disclosureRequest a public data-use answer.Submit a correctionFlag something wrong or missing on the record.Save a watchTell PAI what to keep current for you.
Method
Method

How the public record is made, governed, corrected, cited, and kept independent.

Open Method →
How records are madeSourcing, review, and correction.
Check an AI tool
Record
Record
Check an AI tool
Production AI public record - EditorialMethod →
Insights / PSF Assessmentopenai-bedrock-ga · June 1, 2026

OpenAI on Amazon Bedrock in Production: A PSF Domain Assessment

AWS marked GPT-5.5, GPT-5.4, and Codex generally available on Amazon Bedrock on June 1, 2026. The GA path gives AWS-native teams OpenAI frontier models with IAM, guardrails, and regional inference; autonomous Codex workflows still need explicit human approval gates.

Production AI Institute · 11 min read · Updated June 2026
Independence disclosure: The Production AI Institute has no commercial relationship with Amazon Web Services or OpenAI. This assessment is based on AWS and OpenAI primary announcements, the June 1, 2026 GA blog post, and Bedrock documentation. Neither vendor was consulted in preparing this assessment.

On June 1, 2026, AWS announced general availability of OpenAI GPT-5.5, GPT-5.4, and Codexon Amazon Bedrock, one month after the expanded partnership entered limited preview on April 28, 2026. Inference runs on Bedrock's next-generation engine with isolated queues, durable request state, and the same per-token pricing OpenAI publishes for first-party API use. Codex clients (CLI, desktop app, VS Code) can authenticate with AWS credentials and route usage toward existing cloud commitments.

For teams already running on AWS, this GA closes a common compliance gap: developers no longer need personal OpenAI keys outside the IAM perimeter to reach frontier models. The PSF question is whether Bedrock's governance layer is sufficient on its own, or whether Codex-scale autonomy still demands the deployment controls we document in OpenAI Codex CLI 0.134 and our broader Amazon Bedrock Agents assessment.

Release scope assessed

ArtifactVersionDate
GPT-5.5 on BedrockModel catalog GA2026-06-01
GPT-5.4 on BedrockModel catalog GA2026-06-01
Codex on BedrockPay-per-token GA via Bedrock API2026-06-01
Bedrock Managed Agents (OpenAI)Coming soon (interest form)Not in scope

PSF domain scorecard

Ratings reflect Bedrock GA capabilities documented on June 1, 2026. Full domain definitions are in the Production Safety Framework.

DomainRating
D1Input GovernancePartial
D2Output ValidationPartial
D3Data ProtectionStrong
D4ObservabilityStrong
D5Deployment SafetyPartial
D6Human OversightPartial
D7SecurityStrong
D8Vendor ResilienceStrong
D1

Input Governance

Partial

Bedrock guardrails and IAM policies scope who can invoke OpenAI models, but Codex and Responses API callers still accept unstructured repository, ticket, and MCP payloads unless the harness tags trusted versus untrusted content.

AWS documents that GPT-5.5, GPT-5.4, and Codex on Bedrock inherit the same guardrails, knowledge bases, and IAM controls as other Bedrock models. That is a meaningful enterprise input gate compared with routing developers directly to OpenAI API keys outside your cloud perimeter. Codex on Bedrock still ingests full repository context, terminal output, and tool results. Guardrails can block topics and filter PII patterns, yet they do not replace XML scoping or deny lists for indirect prompt injection via issues, wikis, or compromised MCP servers. Teams enabling Codex CLI, desktop, or VS Code against Bedrock endpoints should publish a requirements profile equivalent to the managed profiles OpenAI documents for direct Codex use.

Practitioner action: Attach Bedrock guardrails to every OpenAI model ID before production traffic. Scope IAM roles per environment. Tag RAG and ticket payloads as untrusted in harness prompts. Review allowlists when enabling Codex across monorepos.
D2

Output Validation

Partial

Guardrails and structured tool schemas help, but OpenAI model outputs still require deployment-layer validators for regulated formats, financial figures, and irreversible tool arguments.

The June 1, 2026 GA post positions GPT-5.5 for multi-step agentic work and Codex for repository-scale coding. Bedrock does not automatically schema-validate every model completion before a downstream tool executes. Guardrails provide policy filters; they are not a substitute for JSON schema enforcement, business-rule graders, or human review on high-impact outputs. Codex on Bedrock can refactor, test, and propose merges across large codebases. PSF Domain 2 expects explicit validation before merge, deploy, or customer-facing send regardless of inference provider.

Practitioner action: Add schema validation on tool arguments before execution. Run golden-set evals when switching from direct OpenAI API to Bedrock endpoints. Block auto-merge on agent PRs until CI and reviewer sign-off pass.
D3

Data Protection

Strong

Bedrock states prompts and responses are not used to train models and are not shared with model providers, with KMS encryption, PrivateLink, and regional inference for residency-sensitive workloads.

The GA announcement emphasizes that OpenAI models on Bedrock run on AWS inference infrastructure with IAM, VPC and PrivateLink isolation, KMS encryption, and CloudTrail logging. Customer content stays inside the Bedrock trust boundary rather than transiting to OpenAI-operated endpoints. Codex usage can apply toward existing AWS cloud commitments, which matters for procurement but does not replace contractual BAA or DPA review for regulated data. Regional availability still requires practitioners to confirm model IDs in their target Regions before promoting PHI or financial workloads.

Practitioner action: Map data classes to approved Bedrock Regions before Codex rollout. Enable KMS customer managed keys where policy requires. Document that Bedrock routing replaces direct OpenAI API keys for developer laptops where possible.
D4

Observability

Strong

CloudTrail, Bedrock model invocation logging, and durable request state capture on the Bedrock inference engine give operators AWS-native traces that direct OpenAI API calls do not provide by default.

AWS describes an isolated queue with automated capacity management and durable state capture so long Responses API calls can resume after node restarts instead of failing silently. That supports PSF Domain 4 for agentic workloads with unpredictable duration. Practitioners should correlate Bedrock invocation IDs with application trace IDs in their APM. Codex token usage toward AWS commits still needs per-team chargeback tags because Bedrock billing alone does not attribute cost to product lines.

Practitioner action: Enable Bedrock model invocation logging to your SIEM. Tag invocations with service, environment, and model ID (gpt-5.5, gpt-5.4, codex). Alert on token anomalies when Codex runs unattended in CI.
D5

Deployment Safety

Partial

GA availability with predictable Bedrock pricing helps controlled rollouts, but day-one promotion of Codex across production repos still needs staged canaries, rollback plans, and explicit model ID pinning.

OpenAI models on Bedrock ship at first-party token rates with no additional AWS markup per the June 1 post. Teams can pin model IDs in Bedrock the same way they pin Anthropic or Meta models. The deployment risk is organizational: Codex on Bedrock authenticates with AWS credentials and can reach the same repos your engineers use. Managed Agents powered by OpenAI remain on a coming-soon interest list, so this GA covers model and Codex inference paths, not the full OpenAI agent harness on AWS yet. Stage Region-by-Region and validate latency against direct API baselines before decommissioning legacy key routes.

Practitioner action: Run a two-week canary on gpt-5.4 before fleet-wide gpt-5.5. Maintain rollback IAM policies that deny new model IDs until golden-set scores pass. Document which Codex surfaces (CLI, desktop, VS Code) are approved in your org.
D6

Human Oversight

Partial

Bedrock does not remove the need for human approval on irreversible Codex actions; AWS controls authenticate the caller, not the business consequence of each agent step.

Codex on Bedrock is designed for autonomous coding workflows: refactors, tests, debugging, and multi-file changes. AWS DevOps and security agents elsewhere on Bedrock follow a similar autonomous pattern. PSF Domain 6 requires consequence-based escalation: payments, deletes, external sends, and production config changes need explicit human gates regardless of whether inference runs on Bedrock or openai.com. Remote steering via ChatGPT mobile (where enabled) improves oversight for long tasks but is not an audit trail.

Practitioner action: Require human approval before merge or deploy on any Codex-generated change. Map high-risk tools to break-glass reviewers. Train operators on CAIS oversight patterns for unattended coding agents.
D7

Security

Strong

Enterprise AWS security primitives (IAM, PrivateLink, guardrails, encryption, CloudTrail) apply uniformly to OpenAI models, reducing shadow-API key sprawl when teams standardize on Bedrock routes.

The partnership closes a common gap for AWS-native shops that previously exported prompts to non-AWS endpoints to reach GPT-5.5. Centralizing inference under Bedrock lets security teams revoke access through IAM instead of hunting personal API keys. Guardrails and VPC endpoints reduce exfiltration paths. Supply-chain risk shifts to Codex tool breadth (MCP, shell, repository write). Penetration testing and adversarial prompt suites remain necessary after enabling Codex on Bedrock, especially when agents can open pull requests or touch deployment pipelines.

Practitioner action: Disable long-lived OpenAI API keys where Bedrock replaces them. Run CAIS-aligned adversarial tests on RAG and ticket ingestion paths. Restrict Codex MCP servers to approved registries.
D8

Vendor Resilience

Strong

Bedrock multi-vendor catalog lets teams keep OpenAI models while maintaining fallback to Anthropic, Meta, or Amazon Nova models without replatforming orchestration.

The June 1 GA follows a limited preview that began April 28, 2026 and same-week availability of Claude Opus 4.8 on Bedrock. That pattern reinforces Bedrock as a resilience layer: model vendor changes become configuration updates rather than network architecture rewrites. OpenAI-specific features (certain Codex harness behaviors, future Managed Agents) may lag direct OpenAI API releases. Practitioners should maintain abstraction in application code and keep quarterly golden-set comparisons against at least one non-OpenAI Bedrock model.

Practitioner action: Document fallback model IDs in runbooks. Pin Bedrock model versions, not latest aliases, for production. Compare our generic Bedrock Agents assessment when mixing OpenAI models with AgentCore orchestration.

Certification and stack context

Teams routing Codex through Bedrock should align IAM and logging work with CLOE (Certified LLM Operations Engineer) expectations for model operations. Autonomous coding agents benefit from CAIS (Certified AI Safety Specialist) training on tool blast radius. First-time AWS agent deployments should follow AIDA (AI Deployment Associate) checklists Bedrock does not enforce automatically. Compare direct OpenAI routing in our OpenAI Agents SDK assessment when mixing Bedrock inference with custom harnesses.

Sources

  • AWS ML Blog: OpenAI models and Codex on Amazon Bedrock GA (June 1, 2026)
  • OpenAI: OpenAI models, Codex, and Managed Agents come to AWS (April 28, 2026)
  • AWS What's New: Bedrock OpenAI models limited preview (April 28, 2026)
  • AWS ML Blog: Claude Opus 4.8 on AWS (May 28, 2026)
  • Production AI Institute: Amazon Bedrock Agents PSF Assessment
  • Production AI Institute: Production Safety Framework

Scores are structured assessments against PSF v1.1, not empirical PAI Lab multi-run results. Revisit when Bedrock Managed Agents powered by OpenAI reach GA or when AWS publishes Region-specific model deprecation schedules.

Use this assessment against your own deployment. The readiness check scores a live system against the same PSF controls.

Run a readiness check on your deployment →
Public record

This record is maintained by PAI and free to cite. If something is wrong or missing, tell us. Corrections and source suggestions keep the record honest.

Follow policy changes ->Save a watch ->Submit a correction
Records are free to cite. citation guidance.
PAI
Production AI Institute

The public record and operating memory for production AI: what changed, what broke, and what the evidence says.

WorkflowOS · open source (MIT)
Navigate
Briefing
OverviewToday's AI briefingPublic record explorer
Check
Check an AI toolRun exposure checkData-use indexIncident registry
Lab
AI lab scorecardsCompass · moral reasoningAgent readinessEcosystem assessmentsModel & agent evalsResearch library
Learn
Production safety standardWorkflowOS · open sourceWorkflow libraryInsights
Act
Ask for disclosureSubmit a correctionSave a watch
Method & trust
How records are madeCorrectionsHow to citeContact
© 2026 Production AI Institute · CC BY 4.0
AboutPrivacyTermsSecurityGovernanceIndependence