We Built the Same Agent Three Times Before It Worked

Two months ago, our DevOps team set out to build an AWS governance agent. Something that could look across a multi-account AWS organization, find orphaned resources, flag security issues, check tag compliance, and tell you where you're bleeding money — in plain English. We had AWS Strands Agents SDK, Amazon Bedrock AgentCore, and a reasonable amount of optimism. What followed was two months of building, tearing down, and rebuilding. Three fundamentally different architectures. 18,000 lines of code written and then deleted. And a final system that's simpler than any of the ones that came before it. This is the story of how we got there. Iteration 1: "The LLM Will Figure It Out" The first version was the obvious one. Give the LLM a set of AWS API tools — describe_instances , list_security_groups , get_cost_and_usage — and let it call them directly. We built an AgentRouter that received user queries, a CoordinatorAgent that managed multi-agent flow, and wired it all to boto3 calls. The LL