When you run inference on AWS Bedrock, the deal was explicit: your prompts and completions stay inside the AWS boundary, and the model providers never see your data. That guarantee is why regulated shops and European organizations route their AI workloads through Bedrock instead of going straight to the model vendor.
This week AWS broke that deal, and the way they did it is a clinic in how the Shared Responsibility Model fails customers in practice.
The entire value of AWS Bedrock was that it sat as the neutral place between companies and the model providers. It guaranteed data and inference residency, and it guaranteed there was no possibility that your organization’s data was being used by the model providers. Strip that away and AWS Bedrock is first-party Anthropic, but with fewer features.
The Launch
On June 9th, Anthropic announced Claude Fable 5 and Mythos 5. Within minutes AWS pushed out a blog post putting the models on Bedrock, and CEO Matt Garman posted his own “now generally available” note on LinkedIn. The speed tells you the priority. This was a launch built so AWS wouldn’t look left behind in the model race. PR was Job Zero. Security was, as usual, a second-class citizen.
Here’s the part that matters, in AWS’s own words from the bottom of that blog post:
Once you opt into data retention, your data will leave AWS’s data and security boundary.
For Fable 5 and Mythos 5, that’s not an edge case. Their allowed_modes is exactly one value:
"allowed_modes": ["provider_data_share"]
The only way to use these models on Bedrock is to consent to your prompts and outputs being shared with Anthropic, retained for 30 days, and subjected to human review. The neutrality is gone. The broker is now a passthrough.
This is Anthropic’s requirement, not AWS’s, and Anthropic has said future models at this capability level will carry the same string attached. They frame the 30-day retention as a safety measure to catch novel attacks and jailbreaks, and maybe it is. But it changes what you’re agreeing to, and not in a way the launch made obvious.
Set up a meeting with your lawyers and DPO today.
Ask the obvious question (where does this retained data physically live, and who can read it?) and the two vendors hand you two different answers. AWS says your data is shared with Anthropic and leaves AWS’s security boundary. Anthropic’s own support article says that for the Bedrock path specifically, the retained data stays in your AWS environment. Both can be true at once: the bytes may sit in AWS-resident storage while Anthropic’s safety classifiers and a small set of approved reviewers read them in place. So the clean residency story you used to be able to tell, that the data never leaves your region and never touches the provider, is now questionable at best. You can’t assert it without a straight answer that neither vendor has put in writing.
Residency was never the only thing the neutral-broker promise bought you, and the bigger problem survives no matter where the bytes physically sit. Anthropic is now a sub-processor with access to your inputs and outputs, including human review of flagged content. That is a different compliance animal entirely. It means DPA amendments, an updated sub-processor list, a revisit of your records of processing, and a fresh look at your legal basis for every workload you point at these models. It also means your data is accessible to a US company that is openly deploying its most capable model in collaboration with the US government, which puts it plainly within reach of the US CLOUD Act. Can we really trust Anthropic, under pressure from the DOD, not to hand over our data to an aggressive and increasingly autocratic US Government?
Either way, lawyers and compliance need to be involved, and they like to take their time on these matters. Rushing out new models and data retention at the same time was a major disservice to customers by Amazon.
Shared Responsibility – Everything, Everywhere, all at once.
Yes, the customer owns the configuration. That’s the whole premise of the Shared Responsibility Model, and I’m not going to complain that AWS made data retention my responsibility.
The failure is that AWS shipped this with no warning. Flipping the switch is a single account-wide call against the bedrock-mantle endpoint, and every subsequent inference call to an opted-in model on that account puts your prompts and outputs in Anthropic’s hands for 30 days, with human review of anything flagged. Any principal holding credentials that allow that call can change your account’s data governance posture before your security team has even heard the feature exists.
There was no reason AWS had to wait until Fable and Mythos shipped to introduce this capability. They could have given security teams a heads-up, published the controls, and let people prepare. They chose not to. They chose secrecy and press-release timing over their customers.
The model launched, the capability went live, and the people responsible for data governance found out after the fact. I can’t defend something that’s released after I close the laptop for the day. Defenders got no warning, because chasing the hype cycle is more important than letting customers protect themselves.
See no evil, have no evil
The next problem is that these aren’t normal AWS APIs. The bedrock-mantle.region.api.aws endpoint is documented and monitored on a separate page from the rest of Bedrock, distinct from the bedrock-runtime endpoint your tooling already knows. Your CSPM was built to reason about bedrock actions and standard CloudTrail management events. It was not built to watch a parallel Mantle data plane.
There’s a dark upside here: with no console surface and uncertain logging, the auditor who comes looking may never find it either.
The docs are also silent on two things a governance team needs: how a model decides which retention modes it allows, and how you’ll be told if a model you’re already using changes its retention policy out from under you. This is a problem we will continue to have.
The Guardrail Didn’t Even Get a Footnote
AWS did define the right control. There’s an SCP pattern using a bedrock-mantle:DataRetentionMode condition key that denies any mode other than none.
It just wasn’t there at launch. The blog told you how to turn data sharing on, with copy-paste curl and Python. The enforcement guidance lives in a docs subsection that got no announcement, and wasn’t even published when the press release went out. The capability got a megaphone. The guardrail didn’t even get a footnote.
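Because the guardrail was never announced, the practical question for an org with many SCPs is whether every policy set actually carries that deny pattern, on both the Mantle and control-plane actions. The following is an added example, not code from the post or from AWS: a small validator that takes an SCP document and reports which of the required denies are missing. The two sample policies are constructed for the check (one complete, one covering only the control-plane action); the action names and condition keys are the ones the post names.

```python
import fnmatch
import json

# Constructed sample SCPs for the check below; neither was pulled from a real AWS org.
# FULL_SCP is the pattern the post recommends (Mantle data plane + control plane).
# PARTIAL_SCP covers only the control-plane action, so the Mantle path stays open.
FULL_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["bedrock-mantle:PutAccountDataRetention",
                 "bedrock-mantle:CreateProject",
                 "bedrock-mantle:UpdateProject"],
      "Condition": {"StringNotEquals": {"bedrock-mantle:DataRetentionMode": "none"}},
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": ["bedrock:PutAccountDataRetention"],
      "Condition": {"StringNotEquals": {"bedrock:DataRetentionMode": "none"}},
      "Resource": "*"
    }
  ]
}
""")

PARTIAL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "bedrock:PutAccountDataRetention",
        "Condition": {"StringNotEquals": {"bedrock:DataRetentionMode": "none"}},
        "Resource": "*",
    }],
}

# Actions the SCP must deny whenever the matching DataRetentionMode condition key
# is anything other than "none" (identifiers as given in the post).
REQUIRED = {
    "bedrock-mantle:DataRetentionMode": {
        "bedrock-mantle:PutAccountDataRetention",
        "bedrock-mantle:CreateProject",
        "bedrock-mantle:UpdateProject",
    },
    "bedrock:DataRetentionMode": {"bedrock:PutAccountDataRetention"},
}


def _as_list(value):
    """IAM allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _denies_nonnone(stmt, cond_key):
    """True if stmt is a Deny whose StringNotEquals on cond_key is exactly 'none'."""
    if stmt.get("Effect") != "Deny":
        return False
    not_equals = stmt.get("Condition", {}).get("StringNotEquals", {})
    return _as_list(not_equals.get(cond_key)) == ["none"]


def covered_actions(policy):
    """Set of required actions this policy denies unless the retention mode is 'none'."""
    covered = set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = _as_list(stmt.get("Action"))
        for cond_key, actions in REQUIRED.items():
            if not _denies_nonnone(stmt, cond_key):
                continue
            for action in actions:
                # IAM action matching is case-insensitive and supports "*" wildcards.
                if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
                    covered.add(action)
    return covered


def missing_denies(policy):
    """Required deny coverage the policy lacks; an empty list means the guardrail is complete."""
    required = set().union(*REQUIRED.values())
    return sorted(required - covered_actions(policy))


if __name__ == "__main__":
    for name, scp in (("FULL_SCP", FULL_SCP), ("PARTIAL_SCP", PARTIAL_SCP)):
        print(name, "missing:", missing_denies(scp) or "nothing")
```

The check deliberately ignores Allow statements and NotAction: an SCP only ever restricts, so the only thing worth proving is that the deny exists with the condition spelled exactly as "none". Run it against every policy attached at the root or the OU that holds your AI accounts; a policy sitting on an unrelated OU is not coverage.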
What To Do Today
- Deploy the SCP now. Deny any retention mode other than none across the org, covering both the Mantle and control-plane actions:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Deny",
          "Action": [
            "bedrock-mantle:PutAccountDataRetention",
            "bedrock-mantle:CreateProject",
            "bedrock-mantle:UpdateProject"
          ],
          "Condition": {
            "StringNotEquals": {
              "bedrock-mantle:DataRetentionMode": "none"
            }
          },
          "Resource": "*"
        },
        {
          "Effect": "Deny",
          "Action": [
            "bedrock:PutAccountDataRetention"
          ],
          "Condition": {
            "StringNotEquals": {
              "bedrock:DataRetentionMode": "none"
            }
          },
          "Resource": "*"
        }
      ]
    }

  Scope an exception to a specific account or project only when there’s an approved use case with a signed-off DPA behind it.
- Audit CloudTrail, but know it won’t be where you’re looking. The retention change rides a different event source than the rest of Bedrock. Mantle events carry an eventSource of bedrock-mantle.amazonaws.com, not bedrock.amazonaws.com or bedrock-runtime.amazonaws.com. A project-level change logs as UpdateProject. The account-wide flip, bedrock-mantle:PutAccountDataRetention, is the one that matters, and AWS’s own Mantle CloudTrail page currently doesn’t list it among the management events it documents. Verify it in your own account. The control-plane variant bedrock:PutAccountDataRetention (eventSource bedrock.amazonaws.com) does log as a normal management event, but an admin who uses the Mantle endpoint instead sails right past a detection that only watches the control plane.
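To make that second point concrete, here is an added example of the detection logic, run over a handful of constructed CloudTrail-style records; it is not code from the post and not an AWS-published rule. It watches both event sources, so an admin using the Mantle endpoint is caught by the same rule as one using the control plane, and it separates account-wide flips from project-level ones. The eventSource and eventName values are the ones the post names; the shape of requestParameters (a dataRetentionMode field) is an assumption, since the post does not document the request body, so confirm the field name against a real event in your own account before wiring this into a pipeline.

```python
import json

# Constructed CloudTrail-style records (not real AWS events). The requestParameters
# key "dataRetentionMode" is an assumption about the request shape; adjust it to
# whatever your own trail shows before relying on the rule.
SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventSource": "bedrock-runtime.amazonaws.com", "eventName": "InvokeModel", "userIdentity": {"arn": "arn:aws:iam::111111111111:role/app"}}
{"eventSource": "bedrock.amazonaws.com", "eventName": "PutAccountDataRetention", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"}, "requestParameters": {"dataRetentionMode": "provider_data_share"}}
{"eventSource": "bedrock-mantle.amazonaws.com", "eventName": "UpdateProject", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/admin"}, "requestParameters": {"projectId": "proj-example", "dataRetentionMode": "provider_data_share"}}
{"eventSource": "bedrock-mantle.amazonaws.com", "eventName": "PutAccountDataRetention", "userIdentity": {"arn": "arn:aws:iam::111111111111:role/secops"}, "requestParameters": {"dataRetentionMode": "none"}}
""".strip().splitlines()]

# Event names that change retention posture, keyed by the source that emits them.
# Both sources are watched on purpose: a rule that only knows bedrock.amazonaws.com
# never sees the Mantle path.
WATCHED = {
    "bedrock.amazonaws.com": {"PutAccountDataRetention"},
    "bedrock-mantle.amazonaws.com": {"PutAccountDataRetention", "CreateProject", "UpdateProject"},
}


def classify(event):
    """Return a finding for a retention-posture change, or None for anything else."""
    source = event.get("eventSource")
    name = event.get("eventName")
    if name not in WATCHED.get(source, ()):
        return None
    params = event.get("requestParameters") or {}
    mode = params.get("dataRetentionMode")  # assumed field name, see comment above
    return {
        # Any mode other than "none" means data is leaving for the provider: page someone.
        # A change back to "none" is still worth recording, but only as informational.
        "severity": "high" if mode is not None and mode != "none" else "info",
        "scope": "account" if name == "PutAccountDataRetention" else "project",
        "eventSource": source,
        "eventName": name,
        "mode": mode,
        "projectId": params.get("projectId"),
        "actor": (event.get("userIdentity") or {}).get("arn"),
    }


def scan(events):
    """Run classify over a batch of CloudTrail records and keep only the findings."""
    return [finding for finding in map(classify, events) if finding is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Two caveats follow directly from the post. First, a mode of None in a finding means the field was absent, not that retention is off; treat that as a parsing gap and go look at the raw event. Second, if the Mantle PutAccountDataRetention event really is not delivered to CloudTrail in your account, a quiet rule proves nothing, so pair the detection with a periodic read of the account’s actual retention setting rather than trusting the log alone.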
Bedrock’s neutrality was the product. AWS has now made that conditional, gated it behind a single undocumented-at-launch API call, and shipped the off-switch as a footnote nobody got. If you used Bedrock so your data wouldn’t reach the model provider, that’s no longer something you get by default. It’s something you now have to defend.
This is not Customer Obsession