Identity
Non-human identity management matters as much as human identity in 2026. Every agent, every Salesforce Connected App, every MCP server, every Zapier or Workato bot now carries credentials that touch customer data. Centralize them in a secrets vault — HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault — and rotate on a schedule expressed in days, not quarters. Salesforce’s recommended pattern is short-lived JWT bearer tokens for server-to-server flows; HubSpot moved private app tokens to scoped, rotatable credentials in 2025. The Okta and CrowdStrike 2026 incident reports both traced root cause to dormant integration users with stale tokens — kill the account when the integration retires, not “soon”.
Data Access
Least privilege applies to agents the same way it applies to humans. Agents should access only what they need to complete the next step. Audit quarterly using the platform’s permission analysis tool: Salesforce Security Center, Microsoft Purview, or HubSpot’s Permission Set audit log. Field-level security has tightened across the major platforms; Salesforce Spring ’26 enforces FLS by default in Apex SOQL, closing a long-standing leakage path. Data classification (PII, PHI, payment, internal-only) should drive access policy through tags propagated to the agent’s tool definitions, not through tribal knowledge.
Agent: ServiceTriageBot
Scope: Case (read), Contact (read: Email, Phone), Account (read: Name, Industry)
Forbidden: Opportunity, Quote, payment fields, custom Salary__c
Reviewed: 2026-04-15 by CISO
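One way to enforce the scope declaration above at the tool boundary, as an added example rather than code from any platform named here. It assumes an object listed without fields (Case) allows every field not otherwise forbidden; FIELD_TAGS, CardLast4__c and the function names are hypothetical.

```python
import re

# The scope declaration from the page, parsed as written.
POLICY_TEXT = """\
Agent: ServiceTriageBot
Scope: Case (read), Contact (read: Email, Phone), Account (read: Name, Industry)
Forbidden: Opportunity, Quote, payment fields, custom Salary__c
Reviewed: 2026-04-15 by CISO
"""

# Constructed classification tags (assumption): "Object.Field" -> data class.
FIELD_TAGS = {"Case.CardLast4__c": "payment", "Contact.Email": "PII"}


def parse_policy(text):
    """Turn the Scope and Forbidden lines into allow and deny sets."""
    lines = dict(ln.split(": ", 1) for ln in text.strip().splitlines())
    allow = {}
    pattern = r"(\w+) \((\w+)(?:: ([^)]*))?\)"
    for obj, _, fields in re.findall(pattern, lines["Scope"]):
        # None means every field on the object, minus forbidden ones.
        allow[obj] = {f.strip() for f in fields.split(",")} if fields else None
    deny_names, deny_tags = set(), set()
    for item in lines["Forbidden"].split(", "):
        if item.endswith(" fields"):
            deny_tags.add(item[: -len(" fields")])  # a data class, e.g. "payment"
        else:
            deny_names.add(item.split()[-1])  # drops the "custom" prefix
    return allow, deny_names, deny_tags


def denied_fields(policy, obj, fields):
    """Return the requested fields the agent may not read (deny by default)."""
    allow, deny_names, deny_tags = policy
    if obj in deny_names or obj not in allow:
        return sorted(fields)  # forbidden or unlisted object: refuse everything
    denied = []
    for f in fields:
        tagged = FIELD_TAGS.get(f"{obj}.{f}") in deny_tags
        listed = allow[obj] is None or f in allow[obj]
        if f in deny_names or tagged or not listed:
            denied.append(f)
    return sorted(denied)


POLICY = parse_policy(POLICY_TEXT)
```

A tool wrapper would call denied_fields before building the query and refuse the call, with a log entry, whenever the result is non-empty.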
Audit
Every AI interaction must log: input prompt, retrieved context, tool calls, tool inputs and outputs, final response, and the human or system that triggered it. Centralize aggregation in a SIEM (Splunk, Microsoft Sentinel, Datadog Cloud SIEM). Retention should match the longest applicable obligation: usually six years for HIPAA and five for PCI-DSS; the GDPR Article 30 record-of-processing requirement is indefinite while the processing continues. Anomaly detection should fire on unusual data volume per session, off-hours activity, and tool-use sequences that have never occurred before. The difference between detected-in-hours and detected-in-weeks usually comes down to whether the SIEM ingests agent telemetry at all.
Incident Response
Playbooks must be specific to AI incidents, not generic IR documents with “AI” search-and-replaced. Build a kill-switch that halts every agent in seconds — Agentforce supports a “disable all agents” admin action; for custom LangGraph or CrewAI deployments, wire a feature flag on the orchestrator. Data exfiltration response should include vector-store invalidation (an exfiltrated embedding is still sensitive), customer notification under GDPR Article 33’s 72-hour clock, and an EU AI Act Article 73 serious-incident report when the agent is on a high-risk use case. Run a tabletop quarterly with a scenario like “agent answered with a different customer’s data” — the team that has rehearsed wins back hours during the real event.
What Changed in 2026
Three shifts have hardened the posture: MCP standardization means every tool surface is now an attackable interface, prompt injection is acknowledged as the OWASP LLM01 risk and treated as untrusted input by default, and the EU AI Act conformity assessment regime requires documented technical measures for high-risk systems by August 2026. Map your CRM AI use cases to Annex III now to know whether you have months or no time at all.
What to do this week
List every non-human identity touching your CRM. If the list takes more than a day to produce, that is the finding. Then schedule a 60-minute kill-switch tabletop with the IR team and an admin who can actually press the button. Time the response from page to halt; aim for under five minutes.