
Agentforce Security and the Shared Responsibility Model

Publication date: Feb 25, 2026
Description

Agentforce is Salesforce's platform for building and deploying autonomous AI agents. These agents are designed to reason, plan, and execute complex, multi-step tasks across the Salesforce ecosystem and external systems.

Given their autonomous nature and deep integration with sensitive data, securing Agentforce is critical. The security framework is built on a shared responsibility model: Salesforce provides a secure foundational layer, while administrators are responsible for configuring access, permissions, and agent-specific guardrails.

This article details the primary security controls governing the Agentforce platform.

Resolution

1. The Einstein Trust Layer: The Secure AI Foundation

The core of Agentforce's security is the Einstein Trust Layer. This is a built-in set of security and privacy controls that intercepts all interactions (prompts and responses) between your Salesforce org and the Large Language Models (LLMs) that power the agents.

Its key features include:

  • Zero Data Retention: Prompts and responses are not retained by the third-party OOTB LLM providers. Your data is not used to train their models.

  • Toxicity and Prompt Injection Detection: The layer helps to protect both user inputs (prompts) and LLM outputs (responses) from malicious content, hate speech, and common attack vectors used in prompt injection.

  • Audit Trails: Track the use of generative AI in your Salesforce org and ensure that AI usage complies with your security, privacy, regulatory, and AI governance policies. For more information, please refer to: https://help.salesforce.com/s/articleView?id=ai.generative_ai_audit_trail.htm&type=5

2. Access Controls

This is the most critical security concept for administrators to understand. Many AI agents, such as agents that connect to Messaging channels, operate as Salesforce users in your organization. The permissions that you give to these agent users determine the actions that AI agents can take.

Salesforce Agentforce supports two distinct interaction models, Employee and Customer, each with a tailored security architecture.

  • Employee Agents (Internal): These agents typically operate within secure environments like Lightning Experience. They execute in the context of the logged-in user, meaning they automatically respect your existing security framework, including user licenses, permission sets, field-level security, and sharing rules.

  • Customer Agents (External): Because these agents interact via public channels (e.g., Messaging or Web Chat), they operate as a dedicated Agent User. This is a specialized Integration User that allows the agent to securely perform actions and access data that an external guest user cannot.

Security Best Practice: When configuring a Customer Agent, use Agent Creator to generate a "New Agent User." This ensures the agent starts with minimal access. You should then manually grant only the specific permissions required, adhering strictly to the Principle of Least Privilege (PoLP).
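
One way to check the least-privilege guidance above, as an added example (not Salesforce's code): the script compares what an Agent User's permission sets grant against a baseline of what its approved actions need. Row shapes follow the standard PermissionSet and ObjectPermissions field names; the baseline, permission set names, IDs, and sample rows are constructed assumptions.

```python
# Added example: least-privilege audit for a Customer Agent's Agent User.
# Rows mirror standard PermissionSet / ObjectPermissions fields; all values are constructed.

CRUD_FIELDS = {
    "read": "PermissionsRead",
    "create": "PermissionsCreate",
    "edit": "PermissionsEdit",
    "delete": "PermissionsDelete",
    "view_all": "PermissionsViewAllRecords",
    "modify_all": "PermissionsModifyAllRecords",
}
BROAD_SYSTEM_PERMS = ("PermissionsModifyAllData", "PermissionsViewAllData")

# Hypothetical baseline: the object access the agent's approved actions actually need.
REQUIRED = {"Case": {"read", "create"}, "Knowledge__kav": {"read"}}

def audit_agent_user(permission_sets, object_permissions, required=REQUIRED):
    """Return sorted findings for every grant that exceeds the baseline."""
    findings = []
    for ps in permission_sets:
        for perm in BROAD_SYSTEM_PERMS:
            if ps.get(perm):
                findings.append(f"{ps['Name']}: system permission {perm}")
    names = {ps["Id"]: ps["Name"] for ps in permission_sets}
    for row in object_permissions:
        allowed = required.get(row["SobjectType"], set())
        granted = {k for k, field in CRUD_FIELDS.items() if row.get(field)}
        source = names.get(row["ParentId"], row["ParentId"])
        for extra in sorted(granted - allowed):
            findings.append(f"{source}: {row['SobjectType']} grants '{extra}' beyond baseline")
    return sorted(findings)

# Constructed sample: one scoped permission set and one over-broad legacy set.
SAMPLE_PERMISSION_SETS = [
    {"Id": "PS1", "Name": "Agent_Case_Access", "PermissionsViewAllData": False},
    {"Id": "PS2", "Name": "Legacy_Support_Bundle", "PermissionsViewAllData": True},
]
SAMPLE_OBJECT_PERMISSIONS = [
    {"ParentId": "PS1", "SobjectType": "Case", "PermissionsRead": True, "PermissionsCreate": True},
    {"ParentId": "PS1", "SobjectType": "Knowledge__kav", "PermissionsRead": True},
    {"ParentId": "PS2", "SobjectType": "Case", "PermissionsRead": True,
     "PermissionsEdit": True, "PermissionsDelete": True},
    {"ParentId": "PS2", "SobjectType": "Contact", "PermissionsRead": True},
]

if __name__ == "__main__":
    for finding in audit_agent_user(SAMPLE_PERMISSION_SETS, SAMPLE_OBJECT_PERMISSIONS):
        print(finding)
```

An empty result means every grant is covered by the baseline; any finding is a permission to remove or to justify and add to the baseline.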

3. Administrative Guardrails & Agent Configuration

Beyond user permissions, administrators have direct control over the behavior and scope of each agent using tools like the Agent Builder and Prompt Builder.

These administrative guardrails include:

  • Restricting Topics: You can define the specific topics and business functions an agent is allowed to discuss or handle.

  • Limiting Actions: You can (and should) limit an agent to only execute pre-defined, approved actions, such as specific Salesforce Flows, Apex classes, or API calls. This prevents the agent from performing unintended or malicious operations.

  • Configuring Rejection Responses: Admins can configure custom messages that the agent delivers when a user's request is out-of-scope, unethical, or violates a defined security policy.

  • Data Grounding: Agents are "grounded" in your specific Salesforce data (like Data Cloud, Knowledge articles, or specific records) to provide relevant and accurate responses. Your Field Level Security (FLS) and object security settings can also control which data is available for this grounding.

4. Integration with Salesforce Shield & Security Center

For organizations with advanced compliance and security needs, Agentforce's security can be enhanced by other Salesforce security products that Salesforce recommends:

  • Salesforce Shield:

    • Event Monitoring: A comprehensive security and operational logging system that records granular actions performed by users, agents, or automated processes. It offers real-time visibility into agent and user activities and other security-related events.

    • Field Audit Trail: Creates a detailed history of changes to your data by Agents/users, which is crucial for compliance.

  • Security Center: Provides a single, holistic view of your security, compliance, and governance posture across all your Salesforce orgs, including Agentforce-related activities.

 

Summary of Responsibilities:

Salesforce's Responsibility:

  • Securing the core platform & infrastructure.

  • Providing the Einstein Trust Layer (zero data retention, toxicity and prompt injection detection, etc.).

  • Detecting broad threats like toxicity and prompt injection.

  • Providing audit logging capabilities.

Customer’s Responsibility:

  • Implementing the Principle of Least Privilege for all users.

  • Correctly configuring Profiles, Permission Sets, and FLS.

  • Building secure Agent Guardrails (restricting topics and actions).

  • Regularly monitoring and auditing agent and user activity.

  • Ensuring data in Data Cloud is clean, accurate, and secure.

  • Enabling Enhanced Event Logs.

  • Enabling Human-in-the-loop for custom actions.

Conclusion:

Agentforce is designed to be as secure as it is intelligent. However, in an era of autonomous AI, the traditional boundaries of access control are more important than ever. By embracing the shared responsibility model outlined here, you can confidently deploy agents that not only solve complex business problems but also uphold the highest standards of data privacy and trust, the core pillar of the Salesforce ecosystem.

Knowledge Article Number

005315874
