Salesforce recently introduced a new AI agent framework - internally referred to as Agentforce - designed to help enterprises automate multi-step processes across sales, service, and internal operations. According to a recent Capgemini report, agentic AI is expected to generate up to $450 billion in economic value over the next three years through revenue gains and cost savings. With 93% of business leaders believing that scaling AI agents will provide a major competitive advantage, securing these systems from the outset becomes critical. Yet only 2% of organizations have fully scaled such systems, and trust in fully autonomous AI fell from 43% to 27% last year, underscoring why robust security measures are vital from day one.
While Agentforce delivers powerful automation and reasoning, it also introduces expanded threat surfaces around data access and execution logic. These new capabilities also create novel threat vectors. Common risks include prompt injection, where an attacker manipulates agent behavior through crafted inputs; data exfiltration via overbroad data access; and misuse of tools through poorly validated API or flow invocations. A clear understanding of these threats is essential before deployment.
Agentforce works deeply with sensitive customer, sales, and operational data, making security a key pillar of every implementation. This article explores the built-in security features, common use cases, and best practices for deploying Agentforce securely.
The graphic shows five key parts of Agentforce security: planning prompts, trust checks, secure execution, activity monitoring, and meeting compliance rules. These layers work together to keep data safe and follow regulations.
Salesforce has built Agentforce with enterprise-grade security controls. It follows the shared security model already established across Salesforce products, but adds new layers specific to AI agents.
The diagram explains how AI agents in Agentforce work with the Data Cloud, use the Einstein Trust Layer for safety checks, and run tasks through Flow or Apex to keep processes secure and compliant.
Agentforce supports attribute-based policies in addition to the usual Salesforce RBAC model. This allows for fine-grained access rules like:
The chart matches different user details with what actions they can do, using checkmarks to show where access is allowed. It helps explain how permissions are decided.
Each Agentforce bot uses instructions, topic boundaries, and structured grounding to avoid hallucinations and unauthorized behavior. Admins can:
A flowchart shows the secure lifecycle of an agent request in Agentforce, starting from instructions and boundary checks to executing approved actions and safely delivering responses.
Agentforce deployments can be further hardened using Salesforce-native tools like Shield Event Monitoring for real-time observability, Field Audit Trail for long-term change tracking, and Platform Encryption to safeguard sensitive data at rest and in transit. These enterprise-grade features complement Agentforce’s built-in controls and help meet rigorous internal security and compliance standards.
Agent-triggered flows, Apex classes, or third-party APIs are executed securely with token-based authentication, validation, and logging mechanisms. Security for this includes:
This flowchart outlines the Agentforce agent lifecycle stages, including planning, tool invocation, validation, logging, grounding, and escalation, ensuring secure and compliant execution.
Agentforce connects to real-time data via Salesforce Data Cloud. This connection is secured by:
Designed to detect potentially harmful prompts or anomalous agent behavior, the Einstein Trust Layer offers early-stage protection against prompt injection. It helps enforce privacy and control when using AI across Salesforce. For Agentforce, it ensures:
The process integrates prompt input, similarity search, trust enforcement, language model response, and subsequent action within Agentforce for safe and efficient AI operations.
Agentforce agents are capable of reasoning, planning, and executing workflows. These capabilities span various departments and require security tailoring to the use case.
Agents that automate case handling must:
AI SDR agents can book meetings, draft emails, and update records. Key controls include:
Agents that answer HR or IT questions in Slack or Salesforce must:
For industries under regulatory oversight, such as finance and healthcare, Agentforce can be configured to support compliance frameworks like HIPAA, GDPR, and SOX. For example, ABAC policies help enforce GDPR’s data minimization principle by limiting access to only what's strictly necessary per role or context.
In regulated industries like healthcare and finance:
Security for Agentforce should follow a layered approach. Here are key practices that go beyond default configurations.
In addition to implementing controls, teams should monitor performance using security-specific KPIs. These may include metrics like unauthorized action attempts, prompt rejection rate, agent fallback frequency, and flow validation failures. Tracking these indicators over time provides insight into agent risk posture and helps validate ongoing effectiveness.
Proactive oversight helps teams identify missteps, misfires, or edge-case failures before they escalate. Salesforce teams should regularly monitor how Agentforce agents behave in real-world conditions and adjust configurations accordingly. This includes:
This feedback loop enables continuous refinement of agent behavior and increases organizational confidence in automation outcomes.
Tal is the Cofounder & CTO of Reco. Tal has a Ph.D. from Tel Aviv University with a focus on deep learning, computer networks, and cybersecurity and he is the former head of the cybersecurity R&D group within the Israeli Prime Minister's Office. Tal is a member of the AI Controls Security Working Group with CSA.
This section highlights practical, field-tested tips used by advanced teams to reinforce protection without reducing agent utility.
Use this quick checklist to validate readiness before deploying Agentforce agents into production:
This pre-launch checklist ensures security, governance, and operational alignment.
Agentforce brings in powerful automation and reasoning into enterprise workflows, yet these capabilities pose a new set of security risks. When these trust features are invoked appropriately layer-wise, organizations can confidently push AI agents. In essence, treat each agent as a new identity in your system, granting appropriate access, continuous monitoring, and strict boundaries.
Another important recommendation for enterprises would be to engage cross-functional stakeholders such as security, compliance, owners of the business, and technical teams early on in Agentforce planning and deployment. This ensures that agents will meet internal controls and specific industry requirements starting from day one. Parallel to that, it is very important to apply out-in-field testing to agent behavior to ensure there is no data leakage or policy violation before setting them into production.
Agentforce supports both autonomous and human-in-the-loop actions. You can configure flows to require approvals or escalation paths based on risk, context, or sensitivity.
Unlike standard automation tools, Agentforce introduces reasoning, dynamic planning, and natural language prompt handling, adding complexity and requiring new security layers.
No. With the Einstein Trust Layer, prompts and responses are processed with zero retention, and sensitive fields can be masked before reaching the LLM.
RBAC assigns access based on roles; ABAC adds contextual checks like geography, department, or compliance status, enabling more granular policies for agents.
Yes, with appropriate guardrails. Features like data masking, audit logging, ABAC, and flow isolation support use in industries with GDPR, HIPAA, or SOX requirements.
.svg)
.svg)
