Sr. Content Developer at Microsoft, working remotely in PA, TechBash conference organizer, former Microsoft MVP, Husband, Dad and Geek.

As Windows 11 turns into an AI OS, Microsoft Copilot boss does not understand how AI is underwhelming


Microsoft’s AI CEO, Mustafa Suleyman, recently posted on X, saying he finds it funny when people call today’s AI “underwhelming”. Reminiscing on growing up playing Snake on a Nokia phone, Suleyman insisted that fluent conversations with “super smart AI” should be mindblowing.

But judging by the replies under his post, people aren’t laughing with him. They’re frustrated. The top comments were about how aggressively Microsoft keeps injecting AI into every corner of Windows 11. People like AI when it solves their problems, not when it becomes the problem.

And that’s exactly where Microsoft is losing the plot. AI on Windows isn’t underwhelming because the models aren’t powerful enough. It’s because Copilot keeps showing up where it doesn’t belong. And Microsoft keeps treating the OS as a promotional vehicle for Copilot.

All the AI Microsoft has crammed into Windows 11 so far

For all the frustration around Microsoft forcing AI into the OS, Windows 11 does ship with a growing list of AI features. Copilot, as expected, is the centrepiece of it all. It is similar to ChatGPT as it uses the exact same models. In fact, Microsoft started rolling out GPT 5.1 to Copilot.

Copilot Voice and Copilot Vision are the basics

Microsoft has been working on Copilot Voice and Copilot Vision for a long time; I have used both several times, with a higher-than-expected success rate. Copilot Voice, which is basically the ability to invoke the AI with “Hey Copilot”, works better and sometimes even faster than calling Gemini on my phone.

Copilot Voice active when saying Hey Copilot

I mostly use Copilot Voice to ask for trivial stuff, like the time in London, or currency conversions. A few seconds after I stop talking, it turns off automatically, and that’s what keeps me coming back to “Hey Copilot”. It is non-intrusive, which can’t be said about some of the stuff you’ll see later.

Also, Microsoft is rolling out the “Bye” command, which you can say to Copilot Voice to turn it off immediately.

I like the idea of Copilot Vision, where it can look at whatever is open on my screen and give contextual guidance. I have used it several times while working with some new software. But the issue with Copilot Vision is that it is too slow, to the point that it takes less time for me to ask the regular Copilot. Also, Copilot Vision may make errors in guiding you about UI elements.

While both of those are assistant-style features, Microsoft’s major push is on “Windows evolving into an agentic OS”, and Copilot Actions are what started it.

But it began in the Microsoft Edge browser as Copilot Actions on Web, which allowed users to interact directly with websites by letting Copilot click buttons, fill out forms, and complete tasks such as bookings, purchases, or reservations on their behalf.

However, Microsoft Edge is now marketed as an AI browser, with the company’s AI CEO going as far as to call it “the first AI browser in the enterprise.”

Its agent mode performs multi-step workflows on approved sites. Copilot in Edge can look at your calendar, tasks, and browsing graph to summarise what matters for the day, and multi-tab analysis or multi-tab reasoning lets Copilot read up to dozens of open tabs and give you a single comparison or summary. You’ll need to enable the Copilot Mode in Edge.

YouTube summarization and video translation are among the useful AI features in Edge; I have used them multiple times for research, and they work well.

But I still keep coming back to the natural way of using a browser, and I guess that’s how most people feel, which is why these features feel intrusive to everyone.

Coming back to a company trying to change years of behavioral instinct, Microsoft introduced the Ask Copilot experience in the taskbar, potentially replacing the Windows Search. Microsoft wants the taskbar to be an AI hub, with Copilot Actions that call AI agents to do tasks on your PC on your behalf.

As things stand, Microsoft’s magnum opus for AI has to be the “Experimental Agentic Features” in Windows 11, which is a toggle that unlocks Agent Workspace, agent accounts, local tool access, and the entire foundation for agentic computing. However, Microsoft confirmed that Agentic features hallucinate and are unsafe, but they are going full throttle with it.

Ask Copilot is also where Microsoft is placing more of these agents over time, including first-party ones like Researcher, and the company says more first-party and third-party agents will appear here over time.

Microsoft has also been testing a File Explorer integration that lets AI apps like Claude and Manus access your local files through standard prompts. Once you allow it, these apps can summarize documents, draft presentations from folders or even turn your local content into a basic website using that context.

Microsoft’s idea here is to make Windows a “canvas for AI”, where agents, not just apps, work on your data and do tasks on your behalf.

AI everywhere, even where it makes no sense

Of course, AI-fication isn’t limited to the Windows OS; it has been making its way into all Microsoft apps. Perhaps the most pointless inclusion of AI is in Notepad, which now even shows you Copilot streaming text in a supposedly simple text editor.

Notepad with streaming

You can punch in raw text, right-click it, and have Notepad rephrase, shorten, or expand it with GPT-powered suggestions, and thus defeat the whole purpose of Notepad. The app was originally supposed to help you jot down quick thoughts, or, like a real notepad, it would help you think. But if AI is doing that for you, then what is being human anymore!

The Windows 11 File Explorer, which has been criticized for being too slow to launch, has its fair share of AI as well. Right-clicking on images gives you options to Blur background or Erase objects, which route through the Photos app’s AI models to detect the subjects and apply edits without opening the full editor.

For documents, File Explorer can hand off to AI to summarise or extract key points, especially when connected with Copilot and Microsoft 365. These can be useful, but they come at the cost of an even slower File Explorer that, despite gaining the ability to preload, still feels slow.

A funny inclusion of AI is in the Bing Wallpaper app, which opens a browser window to show Bing results when you click the desktop, and shows visual search results about the subject in the image. Totally useless.

The same visual intelligence feature is one of the most useful features when it is paired with the Snipping Tool, and is now something as powerful and productive as Google Lens for Windows.

Speaking of productivity, Outlook, OneDrive, Word, Excel, PowerPoint, and OneNote all have Copilot in them. Microsoft 365 Copilot can summarise long email threads, draft replies, generate presentations, build charts from spreadsheets, and pull context from your files stored in OneDrive without you manually searching for them. But is it safe for your organization? Well, this is what Microsoft prefers its enterprise customers use.

There is also the dedicated Microsoft 365 Copilot app that is more like an AI-first hub where you can chat with Copilot, create documents, and search across your work in one place. I really miss the old Office app, and its name!

OneNote, which is one of my favourite note-taking applications, has got Microsoft 365 Copilot Notebooks. Not minding the poor naming scheme, it’s a powerful tool that, in Microsoft’s words, “bring[s] together everything you need for your task or project such as Copilot chats, Word documents, PowerPoint decks, Excel files, and more into a single, focused space.”

Microsoft 365 Copilot Notebooks in OneNote. Source: Microsoft

This has serious potential to be a long-term memory layer for projects and notes, like a second brain, especially for someone like me who uses OneNote to chart and journal my entire day…

The Windows Settings app has its own AI Agent as well. It uses a lightweight language model called Settings Mu, which is optimized using Settings data to help you find and adjust system settings.

The Microsoft Store also has AI‑generated review summaries for apps that consolidate user feedback into short, readable descriptions, helping you quickly understand the overall mood about an app without scrolling through hundreds of reviews.

I saved my favourite for the last, and it is AI in the Photos app. I’m specifically talking about the AI object Erase and background removal tool, both of which I use every single day for work.

Generative Erase in the Photos app

And that’s my general thought about AI in Windows. There is substance and use in many of these tools, which are already available in other platforms as well, like Android and macOS. But Microsoft’s inability to communicate stuff to regular people makes users hate their implementation the most.

Why do so many people think AI in Windows 11 is underwhelming?

Mustafa Suleyman might be baffled as to why people don’t appreciate Microsoft’s AI and agentic OS push, but users are clear about what they want and what they don’t want.

One user replied to the AI CEO’s post, “The problem is you’re injecting a solution into a “problem” that doesn’t exist. You (or your organization, whoever is in charge of decisions on products) keeps inserting AI into anything. People do NOT want that.”

The consensus is that it’s not that the tech is bad. It’s that it’s being forced into every corner in Windows, which are places where people just don’t need or want it.

AI, in its current state, is extremely intrusive

All the big tech companies have invested too much of their worth into AI, to the point that it makes it unviable for them to back off. Their only solution is to make regular people use AI as much as possible to justify the continued investments.

I believe that an AI tool feels most useful when it doesn’t have any marketing hype about the AI itself, but instead focuses on the results.

And that creates the illusion of a tool. AI should be the underlying technology, and not the hype word. I know for a fact that the more Microsoft uses the word “Copilot”, the more they’ll be hated on, even if the AI evolves into something more useful.

Any social media post that Microsoft makes about Copilot is being scoffed at by users. The company might be currently testing their biggest bet on AI with agents in Windows, but such agents are invoked from “Ask Copilot”. Honestly, I do not see a reality where users are going to like it when it is released to the general public.


AI overload creates privacy & trust issues

Microsoft’s Recall feature, which technically sounds extremely useful, faced severe backlash and forced the company to recall it and schedule it for a later roll-out, making it an optional feature.

Microsoft later explicitly stated that the Recall feature works locally inside the operating system and does not rely on the cloud, and yet the users don’t seem to care because the narrative about AI being a privacy nightmare has already been established.

And it became stronger when Microsoft themselves acknowledged that AI agents inside Windows 11 can hallucinate, misbehave, and fall for brand-new forms of attacks. This isn’t fearmongering from security researchers, but Microsoft admitting it in their support documentation.

Windows Latest covered the privacy issues with Experimental Agentic features in detail, where I broke down the fact that AI agents in Windows 11 are vulnerable to Cross Prompt Injection, malicious UI elements, documents, and even malware. These agents can be tricked into copying files, leaking sensitive data, or acting unpredictably. And that’s because they “see” the UI the same way a human does, but without a human’s judgment.

When the same company that wants AI agents inside your file system also tells you those agents might get confused by a rogue textbox, trust obviously falls apart. People already don’t trust Windows 11 with something as simple as telemetry. Now Microsoft is asking them to trust autonomous agents with access to Documents, Downloads, Pictures, Videos, Desktop, and Music.

People don’t think AI in Windows is underwhelming because the tech isn’t good enough. People think it’s underwhelming because it creates stress. It creates doubt. It creates the feeling that the OS is no longer fully yours.

At some point, Microsoft needs to pause and look at the state of Windows 11 itself. The OS is still being criticized for basic stability issues. If Microsoft genuinely wants people to embrace AI on Windows, they need to fix Windows first. Make the OS fast, stable, and predictable again, like the golden age of Windows 7.

When the fundamentals feel solid, people will be more open to experimenting with new ideas, like AI. But when the house is already creaking, adding more roofing material only makes everyone want to run outside.

The post As Windows 11 turns into an AI OS, Microsoft Copilot boss does not understand how AI is underwhelming appeared first on Windows Latest

Read the whole story
alvinashcraft
5 hours ago
reply
Pennsylvania, USA
Share this story
Delete

Documentation theater and the acceleration paradox -- podcast episode 3 with Fabrizio Ferri Benedetti

In this episode, Fabrizio Ferri Benedetti (from Passo Uno) and I discuss the concept of documentation theater with auto-generated wikis, why visual IDEs like Antigravity beat CLIs for writing, and the liberation vs. acceleration paradox where AI speeds up work but creates review bottlenecks. We also explore the dilemmas of labeling AI usage, why AI needs a good base of existing docs to function well, and how technical writers can stop doing plumbing work and start focusing on more challenging, high-value strategic initiatives instead, which might push the limits of what AI can even do.


Top announcements of AWS re:Invent 2025


Matt Garman stands on stage at re:Invent 2024

We’re rounding up the most exciting and impactful announcements from AWS re:Invent 2025, which takes place November 30-December 4 in Las Vegas. This guide highlights the innovations that will help you build, scale, and transform your business in the cloud.

We’ll update this roundup throughout re:Invent with our curation of the major announcements from each keynote session and more. To see the complete list of all AWS launches, visit What’s New with AWS.

(This post was updated Nov. 30, 2025.)


Analytics

AWS Clean Rooms launches privacy-enhancing dataset generation for ML model training
Train ML models on sensitive collaborative data by generating synthetic datasets that preserve statistical patterns while protecting individual privacy through configurable noise levels and protection against re-identification.

Compute

Introducing AWS Lambda Managed Instances: Serverless simplicity with EC2 flexibility
Run Lambda functions on EC2 compute while maintaining serverless simplicity—enabling access to specialized hardware and cost optimizations through EC2 pricing models, with AWS handling all infrastructure management.

Containers

Announcing Amazon EKS Capabilities for workload orchestration and cloud resource management
Streamline Kubernetes development with fully managed platform capabilities that handle workload orchestration and cloud resource management, eliminating infrastructure maintenance while providing enterprise-grade reliability and security.

Networking & Content Delivery

Introducing Amazon Route 53 Global Resolver for secure anycast DNS resolution (preview)
Simplify hybrid DNS management with a unified service that resolves public and private domains globally through secure, anycast-based resolution while reducing operational overhead and maintaining consistent security controls.

Partner Network

AWS Partner Central now available in AWS Management Console
Access Partner Central directly through the AWS Console to streamline your journey from customer to Partner—manage solutions, opportunities, and marketplace listings in one unified interface with enterprise-grade security.

Security, Identity, & Compliance

Simplify IAM policy creation with IAM Policy Autopilot, a new open source MCP server for builders
Speed up AWS development with an open source tool that analyzes your code to generate valid IAM policies, providing AI coding assistants with up-to-date AWS service knowledge and reliable permission recommendations.


Introducing Claude Opus 4.5 in Microsoft Foundry


We’re at a real inflection point in the AI landscape, a threshold where models move from useful assistants to genuine collaborators. Models that understand the objective, factor in constraints, and execute complex multi-tool workflows. Models that not only support processes, but help restructure them for reliability, scale, and operational efficiency.

Anthropic’s newest model, Claude Opus 4.5, embodies that shift. Today, we are excited to share that Opus 4.5 is now available in public preview in Microsoft Foundry, GitHub Copilot paid plans, and Microsoft Copilot Studio.

Building on the Microsoft Ignite announcement of our expanded partnership with Anthropic, Microsoft Foundry delivers its commitment to giving Azure customers immediate access to the widest selection of advanced and frontier AI models of any cloud. Foundry empowers developers to accelerate innovation with an integrated, interoperable, and secure AI platform that enables seamless deployment, integration, and scaling for AI apps and agents.

We’re excited to use Anthropic Claude models from Microsoft Foundry. Having Claude’s advanced reasoning alongside GPT models in one platform gives us flexibility to build scalable, enterprise-grade workflows that move far beyond prototypes.

—Michele Catasta, President, Replit

Opus 4.5 for real work

Opus 4.5 sets a new bar for coding, agentic workflows, and enterprise productivity: outperforming Sonnet 4.5 and Opus 4.1, at a more accessible price point. Its versatility across software engineering, complex reasoning, tool use, and vision unlocks new opportunities for organizations to modernize systems, automate critical workstreams, and deliver ROI faster.

By prioritizing rapid integration of the latest models, Foundry allows Azure customers to stay ahead of the curve and maximize the impact of their agentic AI systems; all while maintaining centralized governance, security, and observability at scale.

1. Built for production engineering and agentic capabilities

According to Anthropic, Opus 4.5 delivers state-of-the-art performance on industry standard software engineering benchmarks, including new highs on SWE-bench (80.9%). Early testers consistently describe the model as being able to interpret ambiguous requirements, reason over architectural tradeoffs, and identify fixes for issues that span multiple systems.

Opus 4.5 accelerates engineering velocity by completing multi-day development work in hours with:

  • Improved multilingual coding performance
  • More efficient code generation
  • Stronger test coverage
  • Cleaner architectural and refactoring choices
Capability / Benchmark | Claude Opus 4.5 | Claude Sonnet 4.5 | Claude Opus 4.1 | Gemini 3 Pro
Agentic coding (SWE-bench Verified) | 80.90% | 77.20% | 74.50% | 76.20%
Agentic terminal coding (Terminal-bench 2.0) | 59.30% | 50.00% | 46.50% | 54.20%
Agentic tool use — Retail (t2-bench) | 88.90% | 86.20% | 86.80% | 85.30%
Agentic tool use — Telecom (t2-bench) | 98.20% | 98.00% | 71.50% | 98.00%
Scaled tool use (MCP Atlas) | 62.30% | 43.80% | 40.90% | n/a
Computer use (OSWorld) | 66.30% | 61.40% | 44.40% | n/a
Novel problem solving (ARC-AGI-2 Verified) | 37.60% | 13.60% | n/a | 31.10%
Graduate-level reasoning (GPQA Diamond) | 87.00% | 83.40% | 81.00% | 91.90%
Visual reasoning (MMMU validation) | 80.70% | 77.80% | 77.10% | n/a
Multilingual Q&A (MMLU) | 90.80% | 89.10% | 89.50% | 91.80%

Claude Opus 4.5 benchmark results from Anthropic (n/a: not reported)

Opus 4.5 is also one of the strongest tool-using models available today, capable of powering agents that work seamlessly across hundreds of tools. Developers gain access to several important upgrades:

  • Programmatic Tool Calling: Execute tools directly in Python for more efficient, deterministic workflows.
  • Tool Search: Dynamically discover tools from large libraries without using up space in the context window.
  • Tool Use Examples: More accurate tool calling for complex tool schemas.

Together, these capabilities enable sophisticated agents across cybersecurity, full-stack software engineering, financial modeling, and other workflows requiring multiple tool interactions. Opus 4.5 shows strong, real-world intelligence applying these tools creatively within constraints. In testing, the model successfully navigated complex policy environments, such as airline change rules, chaining upgrades, downgrades, cancellations, and rebookings to optimize outcomes. This kind of adaptive, constraint-aware problem-solving reflects a meaningful step forward in what agentic AI systems can accomplish.

Manus deeply utilizes Anthropic’s Claude models because of their strong capabilities in coding and long-horizon task planning, together with their prowess to handle agentic tasks. We are very excited to be using them now on Microsoft Foundry!

—Tao Zhang, Co-founder & Chief Product Officer, Manus AI

2. Improved developer experience on Foundry

Opus 4.5 paired with new developer capabilities offered on Foundry is designed to help teams build more effective and efficient agentic systems:

  • Effort Parameter (Beta): Control how much computational effort Claude allocates across thinking, tool calls, and responses to balance performance with latency and cost for your specific use cases.
  • Compaction Control: Handle long-running agentic tasks more effectively with new SDK helpers that manage context efficiently over extended interactions.

These enhancements provide greater predictability and operational control for enterprise workloads.

3. Enhanced office productivity and computer use

Opus 4.5 also doubles down as Anthropic’s best vision model, unlocking workflows that depend on complex visual interpretation and multi-step navigation. Computer use performance has improved significantly, enabling more reliable automation of desktop tasks.

For knowledge workers, the model delivers a step-change improvement in powering agents that create spreadsheets, presentations, and documents. It produces work with consistency, professional polish, and genuine domain awareness making it a fit for finance, legal, and other precision-critical verticals. The model better leverages memory to maintain context and consistency across files throughout sprawling professional projects.

4. Safety and security

According to Anthropic, Opus 4.5 also delivers meaningful improvements in safety and security. The model shows a reduced rate of misaligned responses, stronger robustness against prompt-injection attacks, and more reliable behavior across complex tasks.

These improvements align with Microsoft’s commitment to providing enterprise customers with models that meet high bars for safety, governance, and operational integrity.

Use cases

Opus 4.5 serves the following use cases:

  • Software development: Deploy agents that handle complex, multi-system development tasks with minimal supervision.
  • Financial analysis: Connect insights across regulatory filings, market reports, and internal data for sophisticated predictive modeling and proactive compliance monitoring.
  • Cybersecurity: Correlate logs, vulnerability databases, and threat intelligence for professional-grade threat detection and automated incident response.
  • Enterprise operations: Manage sophisticated workflows requiring coordination across multiple tools, systems, and information sources.

Pricing and availability

Opus 4.5 delivers frontier performance and sets a new standard for a variety of use cases at one third the price of previous Opus-class models.

Model | Offer type | Deployment type | Regions | Price (1M tokens) | Availability
Claude Opus 4.5 | Serverless Pay-go | Global Standard | East US2, Sweden Central | Input $5, Output $25 | November 24, 2025 (public preview)


Get started today

Claude Opus 4.5 is available now in Microsoft Foundry and coming soon in Visual Studio Code via the Foundry extension. Visit the Foundry portal to begin building with Opus 4.5.

The post Introducing Claude Opus 4.5 in Microsoft Foundry appeared first on Microsoft Azure Blog.


The Curious Case of… log truncation in a distributed availability group


It’s been a while since I wrote one of these, but I’m picking up the series again.

This is a question that came in through email from a prior student, which I’ll summarize as: with a distributed availability group, what are the semantics of log truncation?

As I’m not an AG expert (I just know enough to be dangerous ha-ha), I asked Jonathan to jump in, as he is most definitely an AG expert! I’ll use AG for availability group and DAG for distributed availability group in the explanation below. Whether the AGs in question have synchronous or asynchronous replicas is irrelevant for this discussion.

Log truncation (the act of marking zero or more VLFs as able to be reused) can only mark a VLF as reusable if nothing might need to use any of the log records in the VLF. An example of the many things that might need to use a log record is a transaction that hasn’t yet committed (because it might roll back) – if the log record is lost from being overwritten by the VLF being reused, the transaction would not be able to roll back.

With a simple AG, with a primary replica and secondary replica, a VLF on the primary replica can only be marked for reuse once that VLF is hardened (written to the log drive) on the primary replica and hardened on the secondary replica, and then backed up on one of the replicas. (Note that hardening on the secondary replica does NOT mean that the log records have to be replayed, only that they’ve been written to disk – this is a common misconception with both AGs and database mirroring.)

With a DAG, it’s a bit more complicated.

Imagine we have a DAG from AG1 to AG2. AG1 has a primary replica and secondary replica. AG2 has a primary replica and secondary replica. The primary replica of AG2 is essentially another secondary replica of AG1, and functions as a log forwarder to its own secondary replica. You can think of a DAG as an AG of AGs.

So log flows like this:

  • AG1 primary replica -> AG1 secondary replica
  • AG1 primary replica -> AG2 primary replica -> AG2 secondary replica

From my simple AG example above, you would then think that a VLF on the AG1 primary replica can be marked for reuse once that VLF is hardened on the primary replica, hardened on the AG1 secondary replica, hardened on the AG2 primary replica, and then backed up on any AG1 replica.

But that is not the case. There’s an extra twist.

A VLF on the AG2 primary replica cannot be marked for reuse until that VLF has been hardened on the AG2 secondary replica. If that VLF cannot be marked for reuse on the AG2 primary replica, then it cannot be marked for reuse on the AG1 primary replica. And so the log in the primary replica may have to grow.

Summary: with a DAG, a VLF in the AG1 primary replica cannot be marked for reuse until it has been hardened on its own secondary replicas and all other secondary replicas in the DAG topology (and then backed up somewhere in AG1). It’s just an extension of the regular AG log-clearing semantics.
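To make the two clearing rules above concrete, here is a small Python model added for this page (not Paul's or SQL Server's own code). It computes the highest LSN the AG1 primary may reuse under the simple-AG rule and under the DAG rule, and names the replica holding truncation back; the replica names, LSNs and VLF boundaries are constructed.

```python
from dataclasses import dataclass


@dataclass
class Replica:
    name: str
    hardened_lsn: int  # highest LSN whose log records are written to this replica's log drive


@dataclass
class AvailabilityGroup:
    name: str
    primary: Replica
    secondaries: list
    last_backup_lsn: int = 0  # highest LSN covered by a log backup taken on any replica of this AG

    def replicas(self):
        return [self.primary, *self.secondaries]


def ag_reusable_through(ag):
    """Simple AG rule: a VLF is reusable once hardened on every replica of the AG and backed up."""
    hardened_everywhere = min(r.hardened_lsn for r in ag.replicas())
    return min(hardened_everywhere, ag.last_backup_lsn)


def dag_reusable_through(ag1, forwarded_ags):
    """DAG rule: every replica of every AG in the topology must have hardened the VLF,
    and the backup must come from AG1 (the AG that holds the global primary)."""
    all_replicas = [r for ag in [ag1, *forwarded_ags] for r in ag.replicas()]
    hardened_everywhere = min(r.hardened_lsn for r in all_replicas)
    return min(hardened_everywhere, ag1.last_backup_lsn)


def reusable_vlfs(vlfs, reusable_through):
    """vlfs is a list of (vlf_id, first_lsn, last_lsn); a VLF is reusable only if its
    whole LSN range is at or below the reusable-through point."""
    return [vlf_id for vlf_id, _first, last in vlfs if last <= reusable_through]


def truncation_blocker(ag1, forwarded_ags):
    """Name the replica (or the AG1 log backup) that currently holds back reuse on the AG1 primary."""
    all_replicas = [r for ag in [ag1, *forwarded_ags] for r in ag.replicas()]
    laggard = min(all_replicas, key=lambda r: r.hardened_lsn)
    if ag1.last_backup_lsn < laggard.hardened_lsn:
        return "log backup on AG1"
    return laggard.name


def example_topology():
    """Constructed scenario: AG1 -> AG2 DAG, with the AG2 secondary lagging well behind."""
    ag1 = AvailabilityGroup("AG1", Replica("AG1-primary", 1000),
                            [Replica("AG1-secondary", 980)], last_backup_lsn=990)
    ag2 = AvailabilityGroup("AG2", Replica("AG2-primary", 950),
                            [Replica("AG2-secondary", 700)])
    vlfs = [(1, 1, 200), (2, 201, 400), (3, 401, 600), (4, 601, 800), (5, 801, 1000)]
    return ag1, ag2, vlfs


if __name__ == "__main__":
    ag1, ag2, vlfs = example_topology()
    print("AG1 on its own, VLFs reusable:", reusable_vlfs(vlfs, ag_reusable_through(ag1)))
    print("AG1 inside the DAG, VLFs reusable:", reusable_vlfs(vlfs, dag_reusable_through(ag1, [ag2])))
    print("Reuse on the AG1 primary is held back by:", truncation_blocker(ag1, [ag2]))
```

In the constructed scenario the AG1 primary could reuse four VLFs if AG1 stood alone, but only three inside the DAG, because the AG2 secondary has hardened only up to LSN 700.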

The post The Curious Case of… log truncation in a distributed availability group appeared first on Paul S. Randal.


Simplify IAM policy creation with IAM Policy Autopilot, a new open source MCP server for builders


Today, we’re announcing IAM Policy Autopilot, a new open source Model Context Protocol (MCP) server that analyzes your application code and helps your AI coding assistants generate AWS Identity and Access Management (IAM) identity-based policies. IAM Policy Autopilot accelerates initial development by providing builders with a starting point that they can review and further refine. It integrates with AI coding assistants such as Kiro, Claude Code, Cursor, and Cline, and it provides them with AWS Identity and Access Management (IAM) knowledge and understanding of the latest AWS services and features. IAM Policy Autopilot is available at no additional cost, runs locally, and you can get started by visiting our GitHub repository.

Amazon Web Services (AWS) applications require IAM policies for their roles. Builders on AWS, from developers to business leaders, engage with IAM as part of their workflow. Developers typically start with broader permissions and refine them over time, balancing rapid development with security. They often use AI coding assistants in hopes of accelerating development and authoring IAM permissions. However, these AI tools don’t fully understand the nuances of IAM and can miss permissions or suggest invalid actions. Builders seek solutions that provide reliable IAM knowledge, integrate with AI assistants and get them started with policy creation, so that they can focus on building applications.

Create valid policies with AWS knowledge
IAM Policy Autopilot addresses these challenges by generating identity-based IAM policies directly from your application code. Using deterministic code analysis, it creates reliable and valid policies, so you spend less time authoring and debugging permissions. IAM Policy Autopilot incorporates AWS knowledge, including published AWS service reference implementation, to stay up to date. It uses this information to understand how code and SDK calls map to IAM actions and stays current with the latest AWS services and operations.

The generated policies provide a starting point for you to review and scope down to implement least privilege permissions. As you modify your application code—whether adding new AWS service integrations or updating existing ones—you only need to run IAM Policy Autopilot again to get updated permissions.

Getting started with IAM Policy Autopilot
Developers can get started with IAM Policy Autopilot in minutes by downloading and integrating it with their workflow.

As an MCP server, IAM Policy Autopilot operates in the background as builders converse with their AI coding assistants. When your application needs IAM policies, your coding assistants can call IAM Policy Autopilot to analyze AWS SDK calls within your application and generate required identity-based IAM policies, providing you with necessary permissions to start with. After permissions are created, if you still encounter Access Denied errors during testing, the AI coding assistant invokes IAM Policy Autopilot to analyze the denial and propose targeted IAM policy fixes. After you review and approve the suggested changes, IAM Policy Autopilot updates the permissions.

You can also use IAM Policy Autopilot as a standalone command line interface (CLI) tool to generate policies directly or fix missing permissions. Both the CLI tool and the MCP server provide the same policy creation and troubleshooting capabilities, so you can choose the integration that best fits your workflow.

When using IAM Policy Autopilot, you should also understand the best practices to maximize its benefits. IAM Policy Autopilot generates identity-based policies and doesn’t create resource-based policies, permission boundaries, service control policies (SCPs) or resource control policies (RCPs). IAM Policy Autopilot generates policies that prioritize functionality over minimal permissions. You should always review the generated policies and refine if necessary so they align with your security requirements before deploying them.
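To show what “deterministic code analysis” of SDK calls looks like in principle, here is a toy analyzer added for this page (not IAM Policy Autopilot’s own code): it walks a Python AST for boto3 client calls, maps them through a small constructed table to IAM actions, and emits a starting-point identity policy, reporting any call it cannot map instead of dropping it. The SAMPLE_APP string (modelled on the file-router described below) and the SDK_TO_IAM table are constructed for the example.

```python
import ast
import json

# Constructed, deliberately small mapping of boto3 (service, method) pairs to IAM actions.
# The real tool draws on published AWS service references; this table is only an illustration.
SDK_TO_IAM = {
    ("s3", "list_objects_v2"): "s3:ListBucket",
    ("s3", "get_object"): "s3:GetObject",
    ("sqs", "send_message"): "sqs:SendMessage",
    ("sqs", "get_queue_url"): "sqs:GetQueueUrl",
    ("events", "put_events"): "events:PutEvents",
}

# Constructed sample application: list a bucket, then route each key to SQS or EventBridge by prefix.
SAMPLE_APP = '''
import boto3

s3 = boto3.client("s3")
sqs = boto3.client("sqs")
events = boto3.client("events")

def route(bucket, rules):
    queue_url = sqs.get_queue_url(QueueName=rules["queue"])["QueueUrl"]
    for obj in s3.list_objects_v2(Bucket=bucket).get("Contents", []):
        key = obj["Key"]
        if key.startswith(rules["queue_prefix"]):
            sqs.send_message(QueueUrl=queue_url, MessageBody=key)
        else:
            events.put_events(Entries=[{"Source": "file-router", "DetailType": "ObjectSeen",
                                        "Detail": '{"key": "%s"}' % key}])
'''


def _service_of(call):
    """Return the service name if `call` is boto3.client("<service>"), else None."""
    func = call.func
    if (isinstance(func, ast.Attribute) and func.attr == "client"
            and isinstance(func.value, ast.Name) and func.value.id == "boto3"
            and call.args and isinstance(call.args[0], ast.Constant)):
        return call.args[0].value
    return None


def find_sdk_calls(source):
    """Deterministically collect (service, method) pairs invoked on boto3 clients in `source`."""
    tree = ast.parse(source)
    clients = {}  # variable name -> service, from `name = boto3.client("svc")`
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Call):
            service = _service_of(node.value)
            if service:
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        clients[target.id] = service
    calls = set()
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)):
            continue
        receiver = node.func.value
        if isinstance(receiver, ast.Name) and receiver.id in clients:
            calls.add((clients[receiver.id], node.func.attr))
        elif isinstance(receiver, ast.Call) and _service_of(receiver):
            # Chained form: boto3.client("s3").get_object(...)
            calls.add((_service_of(receiver), node.func.attr))
    return calls


def generate_policy(source):
    """Build a starting-point identity policy; unmapped calls are returned for manual review."""
    calls = find_sdk_calls(source)
    actions = sorted({SDK_TO_IAM[c] for c in calls if c in SDK_TO_IAM})
    unmapped = sorted(c for c in calls if c not in SDK_TO_IAM)
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "GeneratedStartingPoint",
            "Effect": "Allow",
            "Action": actions,
            # "*" is the broad first cut the text warns about: scope it to the bucket,
            # queue and event bus ARNs before deploying.
            "Resource": "*",
        }],
    }
    return policy, unmapped


if __name__ == "__main__":
    policy, unmapped = generate_policy(SAMPLE_APP)
    print(json.dumps(policy, indent=2))
    print("unmapped SDK calls needing manual review:", unmapped)
```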

Let’s try it out
To set up IAM Policy Autopilot, I first need to install it on my system. To do so, I just need to run a one-liner script:

curl https://github.com/awslabs/iam-policy-autopilot/raw/refs/heads/main/install.sh | bash

Then I can follow the instructions to install any MCP server for my IDE of choice. Today, I’m using Kiro!

In a new chat session in Kiro, I start with a straightforward prompt, where I ask Kiro to read the files in my file-to-queue folder and create a new AWS CloudFormation file so I can deploy the application. This folder contains an automated Amazon Simple Storage Service (Amazon S3) file router that scans a bucket and sends notifications to Amazon Simple Queue Service (Amazon SQS) queues or Amazon EventBridge based on configurable prefix-matching rules, enabling event-driven workflows triggered by file locations.

The last part asks Kiro to make sure I’m including necessary IAM policies. This should be enough to get Kiro to use the IAM Policy Autopilot MCP server.

Next, Kiro uses the IAM Policy Autopilot MCP server to generate a new policy document, as depicted in the following image. After it’s done, Kiro will move on to building out our CloudFormation template and some additional documentation and relevant code files.

IAM Policy Autopilot

Finally, we can see our generated CloudFormation template with a new policy document, all generated using the IAM Policy Autopilot MCP server!

IAM Policy Autopilot

Enhanced development workflow
IAM Policy Autopilot integrates with AWS services across multiple areas. For core AWS services, IAM Policy Autopilot analyzes your application’s usage of services such as Amazon S3, AWS Lambda, Amazon DynamoDB, Amazon Elastic Compute Cloud (Amazon EC2), and Amazon CloudWatch Logs, then generates necessary permissions your code needs based on the SDK calls it discovers. After the policies are created, you can copy the policy directly into your CloudFormation template, AWS Cloud Development Kit (AWS CDK) stack, or Terraform configuration. You can also prompt your AI coding assistants to integrate it for you.

IAM Policy Autopilot also complements existing IAM tools such as AWS IAM Access Analyzer by providing functional policies as a starting point, which you can then validate using IAM Access Analyzer policy validation or refine over time with unused access analysis.

Now available
IAM Policy Autopilot is available as an open source tool on GitHub at no additional cost. The tool currently supports Python, TypeScript, and Go applications.

These capabilities represent a significant step forward in simplifying the AWS development experience so builders of different experience levels can develop and deploy applications more efficiently.
