--- name: agent-security-review description: "Pre-production security checklist for Agentforce deployments: permission scope, data exposure, authentication, logging. NOT for general Salesforce security review (see security-health-check)." category: agentforce salesforce-version: "Spring '25+" well-architected-pillars: - Security - Operational Excellence triggers: - "agent go-live security checklist" - "review what data the agent can see" - "does the agent leak pii" - "quarterly agentforce audit" tags: - agentforce - security - review - checklist inputs: - "Agent configuration export" - "persona + channel map" - "data classification" outputs: - "Signed-off review doc" - "remediation ticket list" dependencies: [] version: 1.0.0 author: Pranav Nagrecha updated: 2026-04-17 --- # Agent Security Review Agentforce agents touch user PII, internal data, and external APIs with the permissions of whatever user invokes them. A structured review covers four axes: (1) least-privilege user, (2) data classification of every grounding source, (3) action write-scope, (4) audit trail completeness. ## When to Use Any agent before first production activation; any time channel, persona, or Invocable list changes materially; quarterly for long-lived agents. Typical trigger phrases that should route to this skill: `agent go-live security checklist`, `review what data the agent can see`, `does the agent leak pii`, `quarterly agentforce audit`. ## Recommended Workflow 1. Export the agent: topic instructions, Invocable actions, grounding DMOs/sObjects, channel configs. Checksum and archive. 2. Map the agent's run-as user to a dedicated permission set; verify no profile-level permissions leak through. 3. Classify every grounding source: public, internal, confidential, regulated. Redact/mask confidential+regulated fields at the Trust Layer. 4. Enumerate Invocable write scope: which sObjects/fields can be created/updated/deleted. Apply FLS + CRUD checks in Apex; tighten or split the user. 5. Verify audit trail: every Invocable logs to `Agent_Audit__c`; every conversation is retained per retention policy; Shield Event Monitoring streams cover ApexExecution + ContentTransfer. ## Key Considerations - Default agent-run-as is the invoking user — this is often over-privileged for admin testers. Use automated user for agent invocation. - Data Cloud grounding can pull data the invoking user cannot see; verify masking at DMO level. - Invocables bypass `with sharing` if written as `without sharing` — audit every action class's sharing declaration. - Audit trail must include prompt + response for forensic replay; conversation storage has retention implications (GDPR). ## Worked Examples (see `references/examples.md`) - *Write-scope tightening* — Service agent can 'Update any Case field' via a generic UpdateRecord action. - *Regulated-field masking* — RAG grounding includes Contact.Social_Security_Number__c. ## Common Gotchas (see `references/gotchas.md`) - **Agent run-as has View All** — Agent sees cross-owner records even when user shouldn't. - **Conversation retention unset** — GDPR subject request cannot locate conversation logs. - **Shield Event Monitoring not streamed** — Agent anomaly is invisible to SOC. ## Top LLM Anti-Patterns (full list in `references/llm-anti-patterns.md`) - Running the agent as the invoking user by default — privileged reviewers leak permissions upward. - Generic 'UpdateRecord' actions — any field becomes attack surface. - Skipping DMO classification — grounding becomes a data-leak vector. ## Official Sources Used - Agentforce Developer Guide — https://developer.salesforce.com/docs/einstein/genai/guide/agentforce.html - Einstein Trust Layer — https://help.salesforce.com/s/articleView?id=sf.generative_ai_trust_layer.htm - Invocable Actions (Apex) — https://developer.salesforce.com/docs/atlas.en-us.apexref.meta/apexref/apex_classes_invocable_action.htm - Agentforce Testing Center — https://help.salesforce.com/s/articleView?id=sf.agentforce_testing_center.htm