Branded “This Week in Cloud” banner showing a cloud technology logo, floating news cards, network lines, and a weekly cloud news roundup theme on a blue digital background.

This Week in Cloud: MicroVMs, Managed Agents, and Open-Source Security Gets Serious

The infrastructure for AI agents is hardening fast, and this week the announcements to prove it came from every direction. AWS shipped a fundamentally new compute primitive aimed squarely at the untrusted-code problem, Azure moved its observability agent to general availability, the industry convened a coordinated security response to AI-accelerated vulnerability discovery, and a sharp analytical piece revealed how AWS, Azure, Google, and Anthropic are all quietly rebuilding their agent runtimes around the same architectural idea. The direction of travel is clear; the disagreements are in the details.


AWS Lambda Gets a New Compute Primitive: Firecracker-Backed MicroVMs

AWS Lambda MicroVMs are now available, offering VM-level isolated sandboxes with no shared kernel between sessions, near-instant launch and resume from pre-initialised snapshots, and state preservation of up to 8 hours. Each MicroVM supports up to 16 vCPUs, 32 GB of memory, and 32 GB of disk, and is powered by Firecracker, the same lightweight virtualisation technology that underpins hundreds of trillions of standard Lambda invocations monthly. The launch model is image-then-instantiate: you supply a Dockerfile and a zip artifact in S3, Lambda initialises your application and snapshots the running memory and disk state, and every subsequent launch resumes from that snapshot rather than booting cold. Idle MicroVMs can be suspended automatically via a lifecycle policy and resumed transparently on the next inbound request, with the client seeing no interruption. MicroVMs are available today in US East, US West (Oregon), Europe (Ireland), and Asia Pacific (Tokyo) on ARM64.

Why it matters: The classic Lambda model trades isolation for statelessness. MicroVMs close that gap for the specific class of multi-tenant applications, AI coding assistants, interactive notebooks, vulnerability scanners, game servers running user scripts, where you need strong per-user isolation without either the cold-start penalty of containers or the management overhead of full VMs. Platform teams building agentic products or multi-tenant execution environments should evaluate this before rolling a custom Firecracker harness.


Azure Copilot Observability Agent Reaches General Availability

Azure’s push toward agentic cloud operations has two concrete deliverables this week: the Azure Copilot observability agent is now generally available, and the Azure Resource Manager MCP Server has entered public preview. The observability agent continuously analyses telemetry across application topology, dependencies, and baseline behaviour, and can begin investigating an incident before engineers start their own analysis. One reference customer cited recovering an estimated 250 engineering hours monthly. The Azure Resource Manager MCP Server, meanwhile, exposes cost and usage data through a standardised interface that allows AI agents and developer tools to query pricing and resource data without custom integrations. The broader framing is a closed-loop operations model where observability feeds into optimisation, governed by policy and with humans remaining in the loop.

Why it matters: The MCP Server for Azure Resource Manager is the more immediately actionable of the two. It means cost and usage intelligence can be surfaced inside developer tools, custom copilots, and agentic workflows without bespoke integration work. For platform teams managing AI workloads, where usage patterns are more variable and less predictable than traditional infrastructure, that kind of in-workflow cost signal is genuinely useful.


Akrites: Industry Unites to Outpace AI-Powered Vulnerability Discovery

Akrites, launched Thursday by the Linux Foundation, is a coordinated security body with 20 founding members including AWS, Anthropic, Google, Microsoft and its GitHub subsidiary, OpenAI, Cisco, Red Hat, NVIDIA, Chainguard, Sonatype, Citi, and JPMorganChase. The initiative exists because frontier AI models can now scan major open-source projects and surface multiple exploitable vulnerabilities in a single pass. A capability available to both defenders and attackers. The core mechanism is a shared Security Incident Response Team (SIRT) that consolidates findings from member organisations, validates them using CVE and CVSS standards, and coordinates a single patch-and-disclose process with project maintainers. When no active maintainer exists, Akrites will step in as fallback. Seed funding comes from Alpha-Omega, the OpenSSF project backed by Anthropic, AWS, Google, Microsoft, and OpenAI, with an annual budget of over $7 million. Membership is structured across three tiers: Premier for critical infrastructure operators and their vendors, General for contributors without large engineering commitments, and Associate for open-source foundations at no cost.

Why it matters: The existing coordinated disclosure model was built for a world where finding a serious vulnerability took weeks of expert effort. AI has compressed that to near-real-time, and the Asana MCP server incident last year illustrated what happens when tenant isolation breaks at the application layer rather than the infrastructure layer. For security teams managing open-source dependencies, Akrites represents a potential reduction in the noise of duplicated reports and an increase in the probability that a fix arrives before exploitation.


The Session Is the New Unit of Compute – But the Isolation Model Varies by Provider

An analysis by Janakiram MSV on The New Stack documents a quiet convergence across AWS, Azure, Google, and Anthropic: all four have rebuilt their agent runtimes around the session rather than the individual request. AWS AgentCore routes each session to a dedicated Firecracker microVM, keyed by a runtimeSessionId header, with an 8-hour maximum lifetime and memory sanitisation on termination. Microsoft Foundry-hosted agents create a per-session VM-isolated sandbox with a dedicated Entra identity and a 30-day maximum lifetime. Google Agent Engine retains request-level scaling for the reasoning loop but separates untrusted code execution into an isolated sandbox and externalises conversation state to a Sessions and Memory Bank service. Anthropic Managed Agents decompose the architecture into a session, a stateless harness, and a sandbox — with the substrate decoupled, so the loop can run on Anthropic while tool calls execute in a Cloudflare microVM or V8 isolate. The binding between users, sessions, and tenant context is explicitly left to the application in all four models, not the platform.

Why it matters: The architectural shift from request-routing to session-routing changes the cost model, the security posture, and the operational primitives for teams building multi-tenant agents. Per-session billing means concurrency and idle time become the cost drivers rather than request volume; per-session isolation means user-to-session binding becomes an application-layer correctness requirement, not just a performance optimisation. Engineers designing agent platforms need to understand which primitive their chosen provider offers and what they still own.


The thread connecting this week’s announcements is that AI infrastructure is forcing a rethink of primitives that have been taken for granted for twenty years. The request-response model, the shared kernel, the periodic cost review, the per-organisation vulnerability report filed with a maintainer, all of these are being rebuilt because agents are long-running, stateful, multi-tenant, and capable of executing untrusted code at scale. Lambda MicroVMs and AgentCore are essentially the same answer to the same problem, packaged differently. Akrites is what happens when vulnerability discovery accelerates faster than the disclosure process can handle. The open question is whether these architectural shifts stay inside the cloud platforms or migrate to Kubernetes-native equivalents, which would reshape the portability calculus considerably.