
How to Secure Agentforce: Best Practices and Hidden Pitfalls

By Timo Kovala

Agentforce is a powerful platform capable of transforming manual processes into intelligent automation. But with this power comes risk – agentic AI exposes Salesforce to both old and new threats, some accidental and others malicious.

In September 2025, Israeli cybersecurity firm Noma disclosed a vulnerability chain, which it named ForcedLeak, that started in the standard Web-to-Lead form: text submitted through the form's free-text field was later read by Agentforce as instructions, and the agent was steered into sending CRM data to an external domain. The researchers demonstrated the chain rather than finding it exploited in the wild, and Salesforce has since patched it, but it is a concrete example of indirect prompt injection against an agent, and it shows why security has to cover every facet of Salesforce governance, including features that predate AI.

Agentforce can be both a source and a catalyst for security risks. Agents assemble their prompts from user messages, CRM records, knowledge articles, and action results before sending them to an LLM, so every piece of data an agent reads is a potential channel for indirect prompt injection, on top of the direct prompt injection and data exfiltration threats commonly associated with generative AI. Autonomous agents are particularly enticing targets because they act on natural-language instructions and often hold broad permissions to complete a wide range of tasks, which is both a blessing and a curse.

Moreover, agents can damage your data and metadata without any attacker involved. Poorly scoped topics, over-permissioned actions, and model drift can cause agents to misbehave and do real, sometimes irreversible, damage, such as mass-updating records that were never meant to be touched.

Let’s look at best practices to secure Agentforce against both malicious intent and poor design. We’ll also explore hidden pitfalls to avoid when expanding Agentforce across your org.

Agentforce Security Best Practices

Salesforce has invested heavily in securing Agentforce through its Einstein Trust Layer and Shield 2.0. However, even with robust built-in guardrails and failsafe mechanisms in place, securing your Salesforce org remains the responsibility of individual admins, developers, and architects. 

Fortunately, there are several practical steps you can take to ensure a higher level of security. The best practices below are design choices and operational approaches that any Salesforce customer can put into practice. You don’t have to be perfect in these areas; you simply need to put in a concerted effort.


Enforce the Principle of Least Privilege 

Agents should have only the permissions they absolutely need to perform their intended tasks. In Agentforce, an action runs with the permissions of the user the agent acts as (a dedicated agent user for service agents, the interacting user for employee agents), so that user's profile and permission sets define the agent's ceiling. An over-permissioned agent or action becomes a major vulnerability if that user is compromised or the agent is manipulated through its inputs.

Review object access and field-level security, and avoid granting broad CRUD (Create, Read, Update, Delete) access unless it is genuinely necessary. Give each agent its own permission set rather than reusing one across agents, so a permission added for one agent does not silently widen another's access. Remember too that Apex runs in system mode by default: an Apex action can read and write far beyond its caller's permissions unless it explicitly enforces user mode. This principle ensures that even if something blows up, the blast radius stays small.
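As an added example (not code from the article or from Salesforce), here is an Apex action that returns a case summary while enforcing the running user's object, field, and record permissions. The class name, inputs, and messages are illustrative; the security-relevant parts are the WITH USER_MODE clause and the way a QueryException is handled.

```apex
// Added example, not code from the article or from Salesforce.
// An Agentforce action that returns a case summary while enforcing the
// running user's object, field and record permissions. Apex runs in system
// mode by default, so without the WITH USER_MODE clause this query would
// ignore the user's CRUD, FLS and sharing settings entirely.
public with sharing class GetCaseSummaryAction {

    public class Request {
        @InvocableVariable(required=true label='Case Number'
                           description='Case number supplied by the agent')
        public String caseNumber;
    }

    public class Response {
        @InvocableVariable public Boolean found;
        @InvocableVariable public String subject;
        @InvocableVariable public String status;
        @InvocableVariable public String priority;
        @InvocableVariable public String message;
    }

    @InvocableMethod(label='Get Case Summary'
                     description='Returns subject, status and priority of a case the running user is allowed to see')
    public static List<Response> getSummary(List<Request> requests) {
        List<Response> results = new List<Response>();
        for (Request req : requests) {
            Response res = new Response();
            res.found = false;
            try {
                // USER_MODE: the query is evaluated with the running user's
                // permissions. Records the user cannot see are not returned,
                // and a field the user cannot read raises a QueryException
                // instead of being silently handed to the LLM.
                List<Case> cases = [
                    SELECT Subject, Status, Priority
                    FROM Case
                    WHERE CaseNumber = :req.caseNumber
                    WITH USER_MODE
                    LIMIT 1
                ];
                if (cases.isEmpty()) {
                    // Same answer for "does not exist" and "not visible to you",
                    // so the agent cannot be used to enumerate case numbers.
                    res.message = 'No case with that number is available.';
                } else {
                    res.found = true;
                    res.subject = cases[0].Subject;
                    res.status = cases[0].Status;
                    res.priority = cases[0].Priority;
                }
            } catch (QueryException e) {
                // Do not echo the exception text: it names the field that was
                // denied, which is information the agent should not leak.
                res.message = 'You do not have access to the requested case details.';
            }
            results.add(res);
        }
        return results;
    }
}
```

Registered as an agent action, this class gives a user who lacks access to the case (or to one of the fields) a generic message instead of the data. Compare that with the same query without WITH USER_MODE, which would return every matching case regardless of sharing and every field regardless of field-level security.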


Clarify Agent Scopes

When an agent performs well, there is a temptation to add more topics and actions to make it even more useful. Scope sprawl occurs when agents end up with far wider roles and permissions than originally intended, increasing the risk of data exposure.

To prevent this, keep agent scopes specialized with well-defined mission statements and locked-down topics and actions. Avoid monolithic agents that handle too many tasks, as they are harder to secure and maintain. Use variables and filters to restrict sensitive operations for unverified users. A clear scope makes agents predictable, secure, and easier to govern.


Validate Behavior Continuously

Agentforce relies on LLMs, which evolve through updates and retraining. These changes can lead to model drift, causing agents to misbehave even if you haven’t made any changes to their topics, instructions, or actions. 

To account for this, run a fixed regression suite of test utterances regularly (Agentforce Testing Center accepts them in bulk) and compare the topic chosen, the actions invoked, and the final response against a recorded baseline. If behavior suddenly changes, you can act immediately by tightening topics and instructions before users notice. Continuous validation is your best safety net against silent failures.

Secure External Integrations

External systems drive agents through the Agent API, authenticated by a Connected App. The API lets a caller start sessions, add context, send messages, and provide feedback, exactly as if it were chatting with the agent directly. That also means a compromised external system can use the agent as a backdoor to read and manipulate Salesforce data. Here too, least privilege and tightly scoped topics limit the damage: grant the Connected App only the OAuth scopes the integration needs, run it as a dedicated integration user, and treat its client secret like any other production credential.

Agents also reach out to external systems the other way, through API actions, Flow HTTP callouts, and Apex REST classes. These let agents act on external systems directly, but they also widen the attack surface. A callout that does not go through a Named Credential may carry hard-coded secrets or skip certificate validation, exposing it to man-in-the-middle attacks, and any text the external system returns lands in the agent's context, where it can carry injected instructions back into the prompt.

Beyond security concerns, API actions can also reduce agent performance by slowing down responses and causing timeouts. Whenever possible, ingest rather than integrate. Prepare data in advance using Data 360 and secure it with proper permissions and clear instructions.


Use Automated Monitoring and Alerts

Even with strong preventive measures, real-time visibility is essential for detecting suspicious activity. Enable event logging for agent interactions (and Event Monitoring where it is licensed), and configure alerts for patterns like mass data exports, unusual API volume from the agent's user, or repeated failed agent invocations. Automated monitoring lets you respond to anomalies before they escalate into breaches. Transparency and timely alerts are key to staying ahead of threats.
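As an added example (not code from the article or from Salesforce), the following Apex class is a condition for a Transaction Security Policy, the mechanism Real-Time Event Monitoring provides for acting on events as they happen. The threshold of 2,000 rows and the class name are illustrative, and the 'ReportExported' operation value is an assumption to verify against the ReportEvent field reference for your API version.

```apex
// Added example, not code from the article or from Salesforce.
// Apex condition for a Transaction Security Policy (requires Real-Time Event
// Monitoring). Setup decides what happens when it returns true (block the
// operation, notify an admin, or both); this class only decides whether the
// event counts as a mass export. The row threshold is an illustrative value.
global class MassExportCondition implements TxnSecurity.EventCondition {

    private static final Integer MAX_ROWS = 2000;

    public Boolean evaluate(SObject event) {
        switch on event {
            when ReportEvent rep {
                // Fire on report exports that return more rows than expected.
                // The Operation value 'ReportExported' is assumed here; confirm
                // it against the ReportEvent reference for your org.
                return rep.Operation == 'ReportExported'
                    && rep.RowsProcessed != null
                    && rep.RowsProcessed > MAX_ROWS;
            }
            when ApiEvent api {
                // Same threshold for large API pulls, which is how an
                // integration user or a compromised Connected App would export.
                return api.RowsProcessed != null && api.RowsProcessed > MAX_ROWS;
            }
            when else {
                // Any other event type is out of scope for this policy.
                return false;
            }
        }
    }
}
```

Attach the class to two policies in Setup, one on ReportEvent and one on ApiEvent, and start with the notify action only; once you have seen a few weeks of legitimate volume from the agent's user and your integration users, tune the threshold and switch the policy to block.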

Common Pitfalls to Avoid

Agents don’t always behave like we’d want them to – they sometimes fail to interpret user intent, classify it correctly, or choose the right action. This unpredictability, known as agentic non-determinism, means outcomes can vary even when inputs remain the same.

Non-determinism is crucial for autonomous agents, as it enables them to adapt and to improvise as contexts change. But from a security perspective, improvisation can become a real headache. Fortunately, non-determinism can be tamed with the right design choices. Avoiding the following pitfalls will make your life with Agentforce a lot easier.

Overloading Agents with Topics and Actions

Adding too many topics or actions to a single agent makes it likely to either misclassify requests or misalign responses. Misclassification occurs when an agent assigns user intent to the wrong topic, while misalignment happens when it selects the correct topic but executes the wrong action, uses incorrect inputs, or produces inaccurate outputs.

To prevent this, limit agents to five or fewer topics, address topic overlap, resolve conflicting instructions, and include example utterances. Keep the number of actions to a minimum and clearly instruct the agent when to use them.

Failing to Restrict Access to Agents

As mentioned, least privilege access is essential, and the same applies to users interacting with agents. Internal employee agents can be restricted to specific users or groups, which is an effective way to reduce risk. For service agents, build security into the user journey by embedding them in authenticated environments such as customer or partner portals.

You may also want to limit particular users to particular topics or actions. Variables and filters control which topics and actions are available, but the planner still decides how to apply them, so they are probabilistic rather than guaranteed. For critical processes, add failsafes inside Flow or Apex that check the facts themselves (who the caller is, which record is involved, what limits apply) so that the strict rules hold 100% of the time regardless of what the model decides.
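One way to build such a failsafe, as an added example that is not the article's or Salesforce's code: an Apex action that applies a goodwill credit only when the case belongs to the contact the session was verified for, the amount is within a hard cap, and no credit has been applied yet. It assumes the verified contact Id is mapped into the action input from a session context variable rather than from the model's reading of the user message, and it assumes a custom field Credit_Amount__c on Case; both the field and the class are hypothetical.

```apex
// Added example, not code from the article or from Salesforce.
// A deterministic gate in front of a sensitive action. The agent's planner
// decides whether to call this action; this code decides whether it happens.
// Assumptions (illustrative only): the session's verified contact Id is mapped
// into "contactId" from a context variable the model cannot override, and the
// credit is recorded in a hypothetical custom field Credit_Amount__c on Case.
public with sharing class ApplyCaseCreditAction {

    // Hard limit that does not depend on anything the model generated.
    private static final Decimal MAX_CREDIT = 100.00;

    public class Request {
        @InvocableVariable(required=true label='Contact Id'
                           description='Verified contact from the session context, not from the user message')
        public Id contactId;
        @InvocableVariable(required=true label='Case Number')
        public String caseNumber;
        @InvocableVariable(required=true label='Credit Amount')
        public Decimal creditAmount;
    }

    public class Response {
        @InvocableVariable public Boolean applied;
        @InvocableVariable public String message;
    }

    @InvocableMethod(label='Apply Case Credit'
                     description='Applies a small goodwill credit to an open case owned by the verified contact')
    public static List<Response> apply(List<Request> requests) {
        List<Response> results = new List<Response>();
        for (Request req : requests) {
            results.add(applyOne(req));
        }
        return results;
    }

    private static Response applyOne(Request req) {
        Response res = new Response();
        res.applied = false;

        // 1. Validate the amount before touching any data.
        if (req.creditAmount == null || req.creditAmount <= 0 || req.creditAmount > MAX_CREDIT) {
            res.message = 'Credit must be greater than 0 and at most ' + MAX_CREDIT + '.';
            return res;
        }

        // 2. Bind the case to the verified contact. A case number the user typed
        //    (or that an injected instruction supplied) is only honoured if the
        //    case belongs to the contact the session was verified for.
        List<Case> cases = [
            SELECT Id, Credit_Amount__c
            FROM Case
            WHERE CaseNumber = :req.caseNumber
              AND ContactId = :req.contactId
              AND IsClosed = false
            WITH USER_MODE
            LIMIT 1
        ];
        if (cases.isEmpty()) {
            res.message = 'No open case with that number is linked to your account.';
            return res;
        }

        // 3. Refuse repeat credits rather than letting a retry loop stack them.
        Case c = cases[0];
        if (c.Credit_Amount__c != null && c.Credit_Amount__c > 0) {
            res.message = 'A credit has already been applied to this case.';
            return res;
        }

        // 4. Write with the running user's permissions, not system mode.
        try {
            c.Credit_Amount__c = req.creditAmount;
            update as user c;
        } catch (DmlException e) {
            res.message = 'The credit could not be applied with your permissions.';
            return res;
        }

        res.applied = true;
        res.message = 'Credit of ' + req.creditAmount + ' applied to case ' + req.caseNumber + '.';
        return res;
    }
}
```

Every check here is evaluated in code, so a user who talks the agent into calling the action with someone else's case number, an amount above the cap, or a second credit still gets a refusal. The agent's instructions should describe when to call the action; they should not be the only thing standing between the user and the write.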

Forgetting Outdated Integrations 

External APIs and plugins become a security threat if compromised, whether they integrate directly with Agentforce or not. An unsecured Connected App can alter Salesforce data and thereby change agent behavior without ever touching the agent itself.

Audit all Connected Apps and external connections regularly, removing unused or redundant integrations. Apply strict controls such as minimal OAuth scopes, IP restrictions, Named Credentials, and credential rotation to prevent unauthorized access. Treat every integration as a potential liability to avoid nasty surprises.


Final Thoughts 

Agentforce is likely the biggest advancement and also the greatest single security risk in Salesforce’s recent history. This is not to say that Agentforce shouldn’t be used; quite the opposite. It already has the potential to transform many of the tedious, manual processes enterprises struggle with.

However, reckless implementation is not the answer. The last thing you want is to jeopardize your hard-earned business and customer insights with lackluster security measures. What Agentforce requires is a new approach to security, one that recognizes both the power and the peril of autonomous AI.

The Author

Timo Kovala

Timo is a Marketing Architect at Capgemini, working with enterprises and NGOs to ensure a sound marketing architecture and user adoption. He is certified in Salesforce, Marketing Cloud Engagement, and Account Engagement.
