How CBA Is Using Agentic AI to re:invent Legacy Modernization

At re:Invent last year, one of the most compelling sessions came from the Commonwealth Bank of Australia (CBA). They shared how they are modernizing thousands of legacy applications using an agentic AI framework built on Amazon Bedrock. This wasn’t another lightweight demo about AI helping developers refactor code. It was a practical operating model—technical, opinionated, and grounded in real modernization pain points. CBA effectively redefined what modernization can look like inside a large, regulated bank.

What stood out most was that their work addresses a problem nearly every financial institution faces: decades of accumulated frameworks, runtimes, and architectures coexisting in the same ecosystem. CBA’s portfolio spans multiple generations of .NET technologies. Some applications are on .NET Core, others remain anchored to legacy .NET Framework releases, and a large portion must be modernized directly to the latest .NET. On top of that, hosting requirements differ—some workloads require Windows containers, while others should move to Linux. It’s a familiar picture for any enterprise with a long technology tail, and it creates barriers that slow down modernization, make it expensive, and make it error-prone.

Traditionally, the assessment phase alone can take weeks. Engineers work through massive repositories, reverse-engineer dependencies, map network flows, reconstruct undocumented patterns, and run repetitive scripts across environments—only to discover half the real design exists in someone’s head. CBA’s engineers echoed this reality. Early attempts at automated dependency analysis repeatedly broke simply due to repository scale and cross-cutting relationships. Their eventual solution—breaking analysis into a series of orchestrated Lambda functions coordinated by Step Functions—was both elegant and practical. They took a monolithic analysis problem and decomposed it into a distributed set of tasks, then reassembled the results into a single, coherent picture.

The real breakthrough, though, came from how they applied agentic AI. Instead of handing developers a set of accelerators and hoping they could build a workflow around them, CBA created “assemblers”—multi-agent workflows designed to analyze the codebase, reason about architecture, generate transformation paths, prepare containerization plans, and produce cyber/security documentation. Each agent has a specialization: one for dependency analysis, one for architecture narratives, one for refactoring plans, one for container configurations, and so on. Collectively, they output a guided modernization blueprint tailored to the actual application, not a generic template.

This approach is powerful because it turns what used to be tribal knowledge into a repeatable, scalable workflow. Modernization stops being people-dependent and becomes system-assisted. One of the more memorable examples came when engineers tested the workflow against a Bankwest application. Everything looked great—until ten minutes later, they received a blunt “Hey, it failed.” That failure ultimately forced them to refine the system until it could handle outliers, edge cases, and the legacy patterns that only show up in real banking environments.

The impact is dramatic. What once required a six-week assessment now takes under an hour. Full modernization cycles that stretched to sixteen weeks are now happening within a single week. Vulnerability detection, cloud-readiness assessment, pattern mapping, network flow generation, and even cyber documentation—all of it is automated through synchronized multi-agent workflows. And importantly, the entire process adheres to banking-grade compliance requirements.

But the best part of CBA’s story is that speed wasn’t the sole motivator. It was trust. Customers expect the bank to operate safely and reliably, and the bank expects its engineering teams to remove unnecessary risk from production environments. Reducing legacy exposure, closing vulnerabilities, and eliminating aging frameworks isn’t simply modernization—it’s resilience, compliance, and operational stability. CBA’s modernization platform strengthens the bank’s ability to run safely, not just efficiently.

How Other Enterprises Can Adopt a Similar Approach—Quickly

For organizations wanting to replicate what CBA has done, the good news is that you don’t need a two-year engineering program to begin. A rapid, low-lead-time engagement can deliver meaningful results in just a few weeks.

A streamlined approach might look like this:

1. Portfolio Slice & Target Selection (1–2 days)

Choose three to five representative applications. The goal is breadth—not selecting only the “clean” or “impossible” workloads. This gives you a realistic view of patterns, dependencies, vulnerabilities, and hosting models across the estate.

2. Stand Up a Modernization Workbench Using AWS (1 week)

AWS services make it possible to stand up a modernization architecture quickly:

• Amazon Bedrock for multi-agent reasoning
  
  
• AWS Step Functions for workflow orchestration
  
  
• AWS Lambda for code scanning, dependency extraction, and transformation stubs
  
  
• Amazon S3 for storing analysis output
  
  
• Amazon ECR for container build artifacts
  
  
• Security Hub and Inspector for automated security findings
  
  
• DynamoDB or OpenSearch for metadata, relationships, and lineage
  
  

3. Automated Assessment (Under 1 Hour per App)

Each run generates:

• dependency maps
  
  
• architecture diagrams
  
  
• code-level transformation recommendations
  
  
• hosting target decisions (Windows vs Linux)
  
  
• containerization instructions
  
  
• cyber/security documentation
  
  
• modernization blockers
  
  

This replaces weeks of manual analysis.

4. Architecture Validation & Human Review (1–2 days)

Senior architects validate assumptions, refine recommendations, and apply enterprise guardrails. AI accelerates the process; humans ensure accuracy and alignment.

5. Deliver a Modernization Roadmap (1 week total)

The final deliverable becomes a practical plan that includes cost models, recommended modernization order, refactoring requirements, complexity scoring, and a repeatable modernization operating model.

This is exactly the type of composable, agentic workflow AWS has been encouraging. Bedrock’s agent features, combined with Step Functions and Lambda, allow organizations to build modernization platforms that are both automated and governed.

Why This Matters

Most modernization blogs stop at “AI can help with code.” CBA demonstrated something far more transformational: a modernization engine that decomposes complexity, automates the painful parts, and scales across thousands of applications. More importantly, it blends automation with governance, security, and real-world engineering patterns.

The takeaway is simple: modernization is no longer a multi-year effort that relies solely on people. With the right architecture, it becomes an always-on capability—continuously updated, continuously validated, and continuously improving.