Agentforce Security in Salesforce: Features, Use Cases & Best Practices

Salesforce recently introduced a new AI agent framework - internally referred to as Agentforce - designed to help enterprises automate multi-step processes across sales, service, and internal operations. According to a recent Capgemini report, agentic AI is expected to generate up to $450 billion in economic value over the next three years through revenue gains and cost savings. With 93% of business leaders believing that scaling AI agents will provide a major competitive advantage, securing these systems from the outset becomes critical. Yet only 2% of organizations have fully scaled such systems, and trust in fully autonomous AI fell from 43% to 27% last year, underscoring why robust security measures are vital from day one.

‍

While Agentforce delivers powerful automation and reasoning, it also introduces expanded threat surfaces around data access and execution logic. These new capabilities also create novel threat vectors. Common risks include prompt injection, where an attacker manipulates agent behavior through crafted inputs; data exfiltration via overbroad data access; and misuse of tools through poorly validated API or flow invocations. A clear understanding of these threats is essential before deployment.

‍

Agentforce works deeply with sensitive customer, sales, and operational data, making security a key pillar of every implementation. This article explores the built-in security features, common use cases, and best practices for deploying Agentforce securely.

‍

Built-in Security Features in Agentforce

‍

Salesforce has built Agentforce with enterprise-grade security controls. It follows the shared security model already established across Salesforce products, but adds new layers specific to AI agents.

‍

Attribute-Based Access Control (ABAC)

‍

Agentforce supports attribute-based policies in addition to the usual Salesforce RBAC model. This allows for fine-grained access rules like:

• "Only sales agents in the EU can trigger pricing workflows."
• "Agents can’t access healthcare data unless the compliance flag is true."

‍

Guardrails and Grounding

‍

Each Agentforce bot uses instructions, topic boundaries, and structured grounding to avoid hallucinations and unauthorized behavior. Admins can:

• Restrict the topics an agent can respond to
• Limit actions to only pre-defined flows or APIs
• Configure rejection messages when prompts cross boundaries

Tool Execution Controls

‍

Agentforce deployments can be further hardened using Salesforce-native tools like Shield Event Monitoring for real-time observability, Field Audit Trail for long-term change tracking, and Platform Encryption to safeguard sensitive data at rest and in transit. These enterprise-grade features complement Agentforce’s built-in controls and help meet rigorous internal security and compliance standards.

‍

Agent-triggered flows, Apex classes, or third-party APIs are executed securely with token-based authentication, validation, and logging mechanisms. Security for this includes:

• Token-based authentication
• Input validation before execution
• Execution logs and visibility into result paths

‍

Data Cloud Integration

‍

Agentforce connects to real-time data via Salesforce Data Cloud. This connection is secured by:

• Row-level and field-level security enforcement
• Dynamic consent and preference management
• Data residency and region-aware compliance support

Einstein Trust Layer

‍

Designed to detect potentially harmful prompts or anomalous agent behavior, the Einstein Trust Layer offers early-stage protection against prompt injection. It helps enforce privacy and control when using AI across Salesforce. For Agentforce, it ensures:

• Zero data retention for LLM prompts/responses
• Data masking for PII before sending prompts
• Toxicity and prompt injection detection
• Audit trails for each agent action

‍

Use Cases Where Security Matters

‍

Agentforce agents are capable of reasoning, planning, and executing workflows. These capabilities span various departments and require security tailoring to the use case.

‍

Customer Support Agents

‍

Agents that automate case handling must:

• Avoid data leakage across customers
• Escalate only to authorized support queues
• Obey SLAs and compliance constraints

Sales Development Reps (SDRs)

‍

AI SDR agents can book meetings, draft emails, and update records. Key controls include:

• Preventing accidental outreach to restricted leads
• Logging all communications for audit
• Avoiding over-disclosure of pricing or strategy

Internal Employee Agents

‍

Agents that answer HR or IT questions in Slack or Salesforce must:

• Respect department-level access
• Limit visibility of sensitive HR documents
• Authenticate users before sensitive actions

Industry-Specific Agents

‍

For industries under regulatory oversight, such as finance and healthcare, Agentforce can be configured to support compliance frameworks like HIPAA, GDPR, and SOX. For example, ABAC policies help enforce GDPR’s data minimization principle by limiting access to only what's strictly necessary per role or context.

‍

In regulated industries like healthcare and finance:

• Agents must recognize compliance flags
• Access must be logged and reportable
• Any PHI/PII must be redacted before prompt submission

Best Practices for Agentforce Security

‍

Security for Agentforce should follow a layered approach. Here are key practices that go beyond default configurations.

‍

‍

In addition to implementing controls, teams should monitor performance using security-specific KPIs. These may include metrics like unauthorized action attempts, prompt rejection rate, agent fallback frequency, and flow validation failures. Tracking these indicators over time provides insight into agent risk posture and helps validate ongoing effectiveness.

‍

Agent Behavior Monitoring and Tuning

‍

Proactive oversight helps teams identify missteps, misfires, or edge-case failures before they escalate. Salesforce teams should regularly monitor how Agentforce agents behave in real-world conditions and adjust configurations accordingly. This includes:

‍

• Using the Plan Tracer to simulate how agents interpret prompts, select tools, and generate responses.
• Reviewing execution logs to understand agent reasoning steps, failed flows, or risky tool invocations.
• Testing with edge-case prompts (e.g., ambiguous, malformed, or policy-violating inputs) to verify guardrail performance.
• Tuning system instructions to reduce hallucinations and re-align agent tone, permissions, or escalation logic.

This feedback loop enables continuous refinement of agent behavior and increases organizational confidence in automation outcomes.

‍

Insight by
Dr. Tal Shapira
Cofounder & CTO at Reco

Tal is the Cofounder & CTO of Reco. Tal has a Ph.D. from Tel Aviv University with a focus on deep learning, computer networks, and cybersecurity and he is the former head of the cybersecurity R&D group within the Israeli Prime Minister's Office. Tal is a member of the AI Controls Security Working Group with CSA.

Expert Insight:

This section highlights practical, field-tested tips used by advanced teams to reinforce protection without reducing agent utility.

• Use Declarative Guardrails: Rely on topic boundaries and agent instructions rather than trying to suppress behavior post-response.
• Audit Flows Triggered by Agents: Implement a naming or tagging convention to identify flows triggered by agents and review them regularly for exposure risks.
• Prompt Review Process: Introduce peer review or automated checks for prompt templates, especially if they include sensitive topics.
• Isolate High-Risk Agents: Run agents that interact with financial, legal, or HR data in sandboxed orgs or restricted environments.
• Use a Multi-Org Strategy: For especially sensitive use cases, deploy agents in separate Salesforce orgs to isolate data, limit blast radius, and comply with least privilege principles. This strategy aligns with Salesforce guidance on secure agent development using sandbox environments.
• Test Agent Behavior with Simulated Prompts: Regularly test how agents handle edge cases, misdirection, or policy violations using simulated prompts and the Plan Tracer.
• Limit External Calls: Only allow agents to access external APIs via a proxy that can filter, log, and throttle requests as needed.
• Auto-Rotate Keys and Tokens: If your agent tools use bearer tokens, enforce short TTLs and rotate keys periodically.
• Human Escalation Paths: Always provide an agent fallback to human interaction, especially when confidence scores are low or data is ambiguous.

‍

Agentforce Security Readiness Checklist

‍

Use this quick checklist to validate readiness before deploying Agentforce agents into production:

‍

‍

This pre-launch checklist ensures security, governance, and operational alignment.

‍

Conclusion

‍

Agentforce brings in powerful automation and reasoning into enterprise workflows, yet these capabilities pose a new set of security risks. When these trust features are invoked appropriately layer-wise, organizations can confidently push AI agents. In essence, treat each agent as a new identity in your system, granting appropriate access, continuous monitoring, and strict boundaries.

‍

Another important recommendation for enterprises would be to engage cross-functional stakeholders such as security, compliance, owners of the business, and technical teams early on in Agentforce planning and deployment. This ensures that agents will meet internal controls and specific industry requirements starting from day one. Parallel to that, it is very important to apply out-in-field testing to agent behavior to ensure there is no data leakage or policy violation before setting them into production.