Amazon Bedrock Guardrails: Centralized Cross-Account Safeguards Now Generally Available
- Amazon Web Services announced the general availability of cross-account safeguards in Amazon Bedrock Guardrails on April 3, 2026.
- The feature enables administrators to specify a guardrail within an Amazon Bedrock policy in the organization's management account.
- The system provides two primary levels of enforcement to balance corporate mandates with specific operational needs.
Amazon Web Services announced the general availability of cross-account safeguards in Amazon Bedrock Guardrails on April 3, 2026. This new capability allows organizations to centrally enforce and manage safety controls across multiple AWS accounts within a single AWS Organization.
The feature enables administrators to specify a guardrail within an Amazon Bedrock policy in the organization’s management account. This configuration automatically applies configured safeguards to all member entities for every model invocation performed with Amazon Bedrock, ensuring uniform protection across all generative AI applications and accounts.
Hierarchical Enforcement Levels
The system provides two primary levels of enforcement to balance corporate mandates with specific operational needs.
Organization-level enforcements apply a single guardrail from the management account to all entities within the organization. These filters are automatically enforced across all member entities, including individual accounts and organizational units (OUs), for all Amazon Bedrock model invocations.
Account-level enforcement allows for the automatic application of safeguards across all model invocations within a specific AWS account. These safeguards apply to all inference API calls made within that account.
By combining these levels, companies can maintain a baseline of corporate responsible AI requirements while retaining the flexibility to apply application-specific or account-level controls based on unique use case requirements.
Configuration and Guarding Controls
To implement these safeguards, users must first create a guardrail with a specific version. This ensures the configuration remains immutable and cannot be modified by member accounts. Resource-based policies for guardrails must be completed as a prerequisite.
AWS has introduced the ability to define which models are affected by the enforcement using either Include
or Exclude
behaviors. This allows administrators to target specific models for centralized enforcement while leaving others exempt.
For system and user prompts, the service offers two selective content guarding options:
- Comprehensive: This setting enforces guardrails on all content regardless of caller tags. It serves as a safer default for environments where administrators cannot rely on callers to correctly identify sensitive content.
- Selective: This setting is used when callers are trusted to tag content correctly, reducing unnecessary guardrail processing. This is intended for use cases where callers handle a mixture of user-generated and pre-validated content.
Implementation and Testing Workflow
Account-level enforcement is configured via the Amazon Bedrock Guardrails console. Once created, the enforcement can be verified using a role within the account. The guardrail applies to both prompts and outputs, and the response will include guardrail assessment information.

Verification can be performed through several Bedrock inference APIs, including InvokeModel, InvokeModelWithResponseStream, Converse, and ConverseStream.
Organization-level enforcement is managed through the AWS Organizations console. Administrators enable Bedrock policies, create a policy specifying the guardrail Amazon Resource Name (ARN) and version, and configure input tag settings. This policy can then be attached to the organization root, specific OUs, or individual accounts via the Targets tab.
Member accounts attached to these policies will see the organization-enforced guardrail listed under their organization-level enforcement configurations. This structure allows different policies and associated guardrails to be attached to different member entities to accommodate varying team requirements.
Technical Considerations and Availability
AWS noted that specifying an incorrect or invalid ARN in a policy will lead to policy violations, the failure to enforce safeguards, and the inability to use Amazon Bedrock models for inference.
One current limitation of this capability is that Automated Reasoning checks are not supported.
Cross-account safeguards are available in all AWS commercial and GovCloud Regions where Bedrock Guardrails is currently supported. Pricing for the feature is based on the specific safeguards configured for each enforced guardrail.
