name: agent-security-review description: "Pre-production security checklist for Agentforce deployments: permission scope, data exposure, authentication, logging. NOT for general Salesforce security review (see security-health-check)." category: agentforce salesforce-version: "Spring '25+" well-architected-pillars:

• Security
• Operational Excellence triggers:
• "agent go-live security checklist"
• "review what data the agent can see"
• "does the agent leak pii"
• "quarterly agentforce audit" tags:
• agentforce
• security
• review
• checklist inputs:
• "Agent configuration export"
• "persona + channel map"
• "data classification" outputs:
• "Signed-off review doc"
• "remediation ticket list" dependencies: [] version: 1.0.0 author: Pranav Nagrecha updated: 2026-04-28

Agent Security Review

Agentforce agents touch user PII, internal data, and external APIs with the permissions of whatever user invokes them. A structured review covers four axes: (1) least-privilege user, (2) data classification of every grounding source, (3) action write-scope, (4) audit trail completeness.

Recommended Workflow

1. Export the agent: topic instructions, Invocable actions, grounding DMOs/sObjects, channel configs. Checksum and archive.
2. Map the agent's run-as user to a dedicated permission set; verify no profile-level permissions leak through.
3. Classify every grounding source: public, internal, confidential, regulated. Redact/mask confidential+regulated fields at the Trust Layer.
4. Enumerate Invocable write scope: which sObjects/fields can be created/updated/deleted. Apply FLS + CRUD checks in Apex; tighten or split the user.
5. Verify audit trail: every Invocable logs to Agent_Audit__c; every conversation is retained per retention policy; Shield Event Monitoring streams cover ApexExecution + ContentTransfer.

Key Considerations

• Default agent-run-as is the invoking user — this is often over-privileged for admin testers. Use automated user for agent invocation.
• Data Cloud grounding can pull data the invoking user cannot see; verify masking at DMO level.
• Invocables bypass with sharing if written as without sharing — audit every action class's sharing declaration.
• Audit trail must include prompt + response for forensic replay; conversation storage has retention implications (GDPR).

Worked Examples (see references/examples.md)

• Write-scope tightening — Service agent can 'Update any Case field' via a generic UpdateRecord action.
• Regulated-field masking — RAG grounding includes Contact.Social_Security_Number__c.

Common Gotchas (see references/gotchas.md)

• Agent run-as has View All — Agent sees cross-owner records even when user shouldn't.
• Conversation retention unset — GDPR subject request cannot locate conversation logs.
• Shield Event Monitoring not streamed — Agent anomaly is invisible to SOC.

Top LLM Anti-Patterns (full list in references/llm-anti-patterns.md)

• Running the agent as the invoking user by default — privileged reviewers leak permissions upward.
• Generic 'UpdateRecord' actions — any field becomes attack surface.
• Skipping DMO classification — grounding becomes a data-leak vector.

Official Sources Used

• Agentforce Developer Guide — https://developer.salesforce.com/docs/einstein/genai/guide/agentforce.html
• Einstein Trust Layer — https://help.salesforce.com/s/articleView?id=sf.generative_ai_trust_layer.htm
• Invocable Actions (Apex) — https://developer.salesforce.com/docs/atlas.en-us.apexref.meta/apexref/apex_classes_invocable_action.htm
• Agentforce Testing Center — https://help.salesforce.com/s/articleView?id=sf.agentforce_testing_center.htm