Trust and Agentforce
With Salesforce, it’s easy to build safe AI agents because agents are designed to help mitigate the risks associated with generative AI technology.
Required Editions
| Available in: Lightning Experience |
| Available in: Enterprise, Performance, Unlimited, and Developer Editions. Required add-on licenses vary by agent type. |
The Agentforce platform is integrated with the Einstein Trust Layer, and the feature includes AI guardrails. Agents also respect standard Salesforce access controls.
Einstein Trust Layer
Agentforce is integrated with the Einstein Trust Layer, which is a secure AI architecture natively built into Salesforce.
Designed for enterprise security standards, the Trust Layer lets you benefit from generative AI without compromising your customer data. It also lets you use trusted data to improve generative AI responses.
| Einstein Trust Layer service | Description |
|---|---|
| Zero Data Retention Policy | Einstein Trust Layer uses a zero-data retention policy, so no data is stored or used for model training by third-party LLMs. Customers’ use of other features including agents may result in data storage. For more information, contact your Salesforce account executive. |
| Dynamic Grounding with Secure Data Retrieval | Relevant information from trusted company data, your knowledge base, or other sources you configure, is used to answer a question. |
| Prompt Defense (System policies and prompt injection detection) | System policies help limit hallucinations and decrease the likelihood of unintended or harmful outputs by the LLM. |
| Toxicity Detection | Potentially harmful LLM responses are detected and flagged. |
| Audit and Feedback | Prompts, responses, and trust signals are logged and stored in Data 360, giving you visibility into the results of each user interaction. Feedback can be used for improving instructions, prompt templates, and more. |
Data masking through the Einstein Trust Layer is disabled to improve the performance and accuracy of agents. All data accessed by agents, including personally identifiable information (PII), is protected in transit and isn't stored or used for training purposes by external LLM providers, as part of our strict zero-data retention policy. See Data Masking Limitations in Agentforce.
AI Guardrails
The Agentforce platform includes ethical guardrails to minimize AI hallucinations and security guardrails to prevent threats and malicious attacks, such as prompt injections.
For more granular control, use agent subagent instructions to create boundaries, set context, and define agent behavior. You can modify the instructions for a standard agent subagent, or you can create a custom subagent from scratch. Use instruction adherence to see how well the agent is interpreting and following the subagent instructions.
Different agent types can have their own settings and guardrails to define agent behavior. For example, Agentforce Service agent templates use subagent instructions to determine when to escalate a conversation from the agent to a service rep. The SDR agent type has admin-defined engagement rules for the conditions when the agent can start working on the lead and how and when agent emails can be sent.
Permissions and Access
AI agents respect standard Salesforce access controls such as licenses, permissions, field-level security, and sharing settings, so an agent always acts securely.
- Agent types: The default Agentforce agent is available to admins and users with the Agentforce Default permission sets. Some agent types are built to work with specific clouds or licenses, so they require another license.
- Standard Agent Subagents: Many standard subagents are available to all users who have permission to access the default Agentforce agent.
- Standard Agent Actions: Many standard actions are available to all users who have permission to access the default Agentforce agent. Some standard actions are built to work with specific clouds or products, so they require another license or permission.
- Custom Agent Actions: Access to a custom action depends on the Apex class, flow, or prompt template the action references. For example, if a custom action is built using a flow, the custom action adheres to the permissions, field-level security, and sharing settings configured in the flow.
Trusted URLs
Agentforce enforces your business’s trusted URL allowlist. This prevents your agent from calling or generating any malicious links and keeps your sensitive data secure.
When an agent attempts to include an unapproved URL in a response, the unapproved URL is replaced with “URL_Redacted.” We also show an error message in the plan canvas when the agent attempts to call or generate an unapproved URL, so you can evaluate whether a blocked URL should be allowlisted or removed from your agent’s configuration.
When citations are configured for your agent, source URLs used to generate agent responses are shown in the agent conversation, even if the domain isn't included in your trusted URLs.
To use a URL with an agent, add it to your trusted URLs.
Agent Compliance
Agentforce is included as a Covered Service in the Einstein Platform and Agentforce SOC 2 and SOC 3 reports. Agentforce is HIPAA eligible and covered under the Salesforce Business Associate Addendum Restrictions, and has also achieved ISO 27001, 27017, and 27018 certifications.
- Data Masking Limitations in Agentforce
In Einstein Trust Layer, pattern-based and field-based data masking for large language models (LLMs) is disabled for agents.
