Strong security foundations drive innovation

Security isn’t the cost of doing business anymore. It’s the reason you can move faster than the competition. Amy Herzog, AWS’s Chief Information Security Officer, couldn’t have been more direct when she opened re:Inforce 2025 with a point every executive should think about: “Everything starts with security.”

Organizations often treat cybersecurity as a reactive effort, something you bolt on after you’ve already scaled. That approach is slow, risky, and expensive. AWS pushes a different view: If you embed security at every layer, from your access policies to your infrastructure, you move more freely. You iterate faster. Because when the foundation is secure, teams don’t waste time second-guessing whether a feature or product launch is introducing vulnerabilities.

Executives planning long-term digital strategy should see robust security architecture as a growth engine. It means fewer incidents, less operational drag, and more trust from customers and regulators. That’s especially critical as AI, machine learning, and edge computing push our systems into more distributed and unpredictable configurations. The takeaway? Security isn’t slowing you down, it’s keeping you scalable.

Enhanced identity and access management (IAM) as a cornerstone of cloud security

Identity and access are still your weakest links if you haven’t modernized your controls. Most breaches don’t come from clever zero-days; they come from someone getting into a system they shouldn’t have been able to touch in the first place. AWS knows this. Their updates to IAM focus on making access smarter, more controlled, and easier to audit.

IAM Access Analyzer’s Internal Access Findings is an important addition. It gives real-time visibility into which users, internal or external, have access to which assets. Security teams get a unified dashboard that shows what’s publicly accessible and what’s misconfigured, removing the guesswork. It’s high-leverage tooling that keeps access decisions transparent and fast.

They’ve also made MFA mandatory for root users across all account types. Long-term credentials? They’re moving away from them in favor of temporary, short-lived credentials that limit risk exposure by default. And for developers, tools like Amazon Verified Permissions for Express.js make it easier to implement granular access control directly in APIs, something that’s been traditionally complex and error-prone.

The result is clear: tighter access controls and fewer ways for attackers to move laterally inside your cloud environment. You don’t need a hundred new tools to make your environment secure, just the right ones that are deeply integrated. As a decision-maker, that means lower cost, less friction, and stronger controls without slowing down product cycles.

Advanced monitoring and incident response against evolving threats

It’s not enough to have security tools. You need visibility across everything (systems, APIs, containers, clusters), and you need that information in real time. Otherwise, you’re flying blind. Amy Herzog told it straight during the keynote: “You can’t protect what you can’t see.” AWS is closing that gap fast with new capabilities in monitoring and response.

GuardDuty Extended Threat Detection now includes support for Amazon EKS clusters. That fills a large visibility gap for enterprises running Kubernetes on AWS. It’s now possible to automatically detect threats targeting workloads running inside containers with the same threat intelligence and anomaly detection GuardDuty is known for. No extra setup, no additional agents required.

Then there’s the new AWS Security Hub, which is now in preview. It’s a meaningful upgrade. It doesn’t just surface alerts, it correlates data, adds context, and provides visualizations to help teams prioritize and take action faster. When your environment spans thousands of instances and dozens of services, this level of visibility is exactly what your SOC needs.

For leadership, this means less noise and sharper focus. Teams can address real security issues quickly, not waste time chasing alerts that don’t matter. AWS is also expanding their MSSP (Managed Security Service Provider) competency to make it easier to find partners specialized in infrastructure, applications, data protection, and incident response. It’s a more complete ecosystem to back up your team when speed matters.

Strengthened data and network protection to uphold digital sovereignty

Data control isn’t just a compliance check, it’s operational strategy. Enterprises operating across countries with different regulations need real assurance that their data location, access, and encryption can meet their governance requirements without slowing down progress. Amy Herzog made the point clearly: “You shouldn’t have to choose between digital sovereignty and innovation.”

AWS is putting forward real solutions. AWS Certificate Manager now lets you export public TLS certificates and private keys. That gives you control over where and how they’re deployed, whether inside AWS or integrated with external systems. AWS Backup now offers multi-party approval for logically air-gapped vaults, meaning critical data can be accessed independently, even in the most restricted scenarios.

Network security improvements also stand out. AWS Network Firewall has a new managed rule group called active threat defense, designed to block live, relevant threats with current threat intelligence. AWS Shield has a new network security director to highlight misconfigurations and guide remediation. These aren’t cosmetic updates, they’re structural fixes that reduce exposure across your infrastructure.

For C-suite teams managing risk, these systems provide greater flexibility in how, where, and with whom sensitive data is secured. Frontline control doesn’t require constant developer involvement. These services are designed to operationalize security without throttling momentum. That’s what strong modern cloud security should deliver, not more complexity, but better outcomes with fewer steps.

Migration and modernization anchored in a shared responsibility model

Cloud adoption isn’t a simple infrastructure move. It’s a shift in how you handle responsibility. Security in the cloud is not just AWS’s job, it’s a shared model. AWS secures the platform, but your team must secure the workloads, configurations, and access that sit on top of it. This message from Amy Herzog is clear: Success in the cloud starts with understanding your part of the equation.

Many organizations make the mistake of treating cloud migration as a one-time transition. That doesn’t work. You need to modernize the entire stack: your applications, your control layers, and your patching processes. No single point can be left unattended. AWS helps by embedding security controls directly into services like AWS Lambda, Amazon S3, and AWS Key Management Service. These controls aren’t optional. They’re maintained and patched continuously by AWS, reducing your operational load.

Executives need to ensure their teams are not only launching in the cloud but also maintaining operational discipline over time. Regular patching has to be part of every team’s process. Configuration drift, outdated dependencies, unmonitored access: these aren’t theoretical concerns. They lead to real risks if ignored, especially at enterprise scale.

Security at AWS is being designed to reduce guesswork. That means fewer manual updates and more consistent safety nets. This alignment between automation, shared responsibility, and continuous modernization gives your organization clarity and agility. You know what parts you own, what’s covered, and how to respond.

Integrating AI innovation with robust security measures

There’s momentum around AI right now, and it’s not slowing down. But if the foundation isn’t secure, you’re not scaling responsibly. That was Amy Herzog’s closing focus: teams can’t afford to treat security and AI development as separate tracks. They move together, or you end up with exposed systems that can’t sustain growth.

Security fundamentals don’t change just because the tech is newer. You still need guardrails. You still need to verify inputs, control access, and ensure transparency in how systems learn, adapt, and make decisions. With AWS’s approach, those fundamentals are embedded, not layered on after launch. Teams deploying AI services can rely on existing IAM controls, centralized monitoring through Security Hub, and encrypted data flows through services like S3 or KMS.

Leadership teams should avoid the trap of pushing rapid AI adoption without reviewing the underlying architecture. It’s not a trade-off between speed and safety. With the right setup, security accelerates AI readiness. It ensures data inputs are trusted. It reduces exposure to malicious manipulation. It keeps governance aligned with experimentation.

AWS is also investing in skills development. Through platforms like Pluralsight, teams can build capability in cloud-native security practices and understand how AWS services are evolving to support secure AI deployments. Training isn’t filler. It’s a runway for talent, and a key factor in whether your organization builds responsibly or stalls.

When security is managed well, it doesn’t slow down innovation, it moves it forward, with fewer surprises. As Herzog said to close the keynote, “A secure foundation doesn’t slow you down, it speeds you up.” That’s not just rhetoric. It’s an operating principle.

Main highlights

  • Security as an innovation driver: Leaders should treat security as a core enabler, not overhead. Embedding strong controls early allows teams to move faster, iterate safely, and scale with confidence.
  • Identity access must tighten: Prioritize short-term credentials, enforce MFA for all root access, and lean on visibility tools like IAM Access Analyzer to reduce the attack surface and strengthen compliance.
  • See more, respond faster: Executives should invest in threat detection tools such as GuardDuty for container environments and the expanded AWS Security Hub to cut alert fatigue and improve incident response.
  • Data control builds trust: Adopt AWS’s latest tools like exportable certificates, threat-aware firewalls, and air-gapped backup approvals to maintain digital sovereignty and meet regional compliance mandates.
  • Cloud migration demands clarity: Decision-makers must fully align teams around the shared responsibility model and ensure patching and configuration hygiene remain ongoing, not one-time tasks.
  • AI adoption only works with security in place: Ensure security governance scales with AI experimentation by embedding control frameworks early and upskilling teams through platforms like Pluralsight.

Alexander Procter

August 11, 2025
