Principles Applied
Every agent request gets verified, with no implicit trust based on network location or prior successful authentication. NIST SP 800-207 (Zero Trust Architecture, published in 2020) maps cleanly onto agent traffic if you treat each tool call as a fresh request from an untrusted client. Continuous verification, least privilege per action, and monitoring at every layer become the operational baseline. The 2026 update is that the agent itself is now the identity boundary, not the user who invoked it and not the network it runs on; the user's context travels with each request as an on-behalf-of claim rather than as inherited permissions. Salesforce’s Trust Layer, Microsoft Purview’s AI policies, and Google Agentspace all moved in this direction in late 2025.
Authentication
Short-lived, just-in-time (JIT) tokens per agent interaction beat long-lived service accounts. Issue tokens with a TTL measured in minutes (5-15 is the common range), bound to the specific tool surface (the audience), the specific scopes, and the specific user context. Mutual TLS protects the agent-to-tool channel where the tool supports it; AWS PrivateLink and Azure Private Endpoint add a network-layer reachability control that complements, but does not replace, application-layer authentication, because a private endpoint says nothing about which identity is calling. Long-lived API keys for agents are now treated as legacy debt; Okta’s 2026 customer survey found 41% of breaches traced to a service account credential older than 18 months.
Token: agent-svc-jwt
Subject: agentforce-triage-bot
On-behalf-of: [email protected]
Scope: case:read, contact:read
Expires: 2026-04-28T14:32:11Z (14 min)
Audience: salesforce-trust-layer
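An issuer and verifier for a token with the shape above, as an added example (not Salesforce's or any vendor's code): it is an HMAC-signed compact token rather than a full JWT/JWS implementation, and the signing key, the 15-minute TTL cap, and the demo values are assumptions. The point it demonstrates is that the cap is enforced at mint time and that each tool verifies against its own audience, so a token for one tool surface is useless at another.

```python
"""Issuer and verifier for a short-lived, audience-bound agent token shaped like the
claims listed above. Added example for this article, not Salesforce's or any vendor's
code: it is an HMAC-signed compact token, not a full JWT/JWS implementation, and the
signing key, the 15-minute TTL cap and the demo values are assumptions."""
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import time
from typing import Iterable, Optional

MAX_TTL_SECONDS = 15 * 60  # policy cap: no agent token outlives 15 minutes (assumed)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_agent_token(key: bytes, subject: str, on_behalf_of: str, scope: Iterable[str],
                     audience: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Bind one token to one agent (sub), one user context (obo), one set of scopes
    and one tool surface (aud); refuse TTLs above the cap at issue time."""
    if not 0 < ttl_seconds <= MAX_TTL_SECONDS:
        raise ValueError(f"ttl must be 1..{MAX_TTL_SECONDS}s, got {ttl_seconds}")
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "obo": on_behalf_of, "scope": sorted(scope),
              "aud": audience, "iat": now, "exp": now + ttl_seconds}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_agent_token(key: bytes, token: str, expected_audience: str,
                       now: Optional[int] = None) -> dict:
    """Return the claims only if signature, audience and expiry all hold. Each tool
    verifies against its own audience, so a token minted for one tool surface cannot
    be replayed at another."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        raise ValueError("malformed token")
    body, sig = parts
    expected_sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected_sig):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != expected_audience:
        raise ValueError(f"audience mismatch: {claims.get('aud')!r}")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    # Constructed demo values; in practice the key lives in a KMS, not in code.
    key = b"demo-signing-key"
    token = mint_agent_token(key, "agentforce-triage-bot", "analyst@example.com",
                             ["contact:read", "case:read"], "salesforce-trust-layer", 14 * 60)
    print(verify_agent_token(key, token, "salesforce-trust-layer"))
```

The verifier checks the signature before it parses anything, compares it in constant time, and treats expiry as inclusive, so a token is dead at the exact second printed in its Expires line.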
Authorization
Per-action authorization checks beat blanket permissions. A “case-triage” agent that can read Cases should not be able to update them just because the agent identity exists; sensitive actions like refund issuance, account merge, or contract amendment require fresh authorization (a step-up token, a human approval, or both). Enforce policy at the service layer using OPA, Cedar, or the platform’s native engine — never trust the agent to enforce its own restrictions, because a prompt-injection payload will simply ask it not to. The policy decision point should be downstream of the agent runtime so a compromised orchestrator cannot bypass it.
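The decision logic described above, as an added example of a policy decision point that runs outside the agent runtime. It is not an OPA or Cedar policy and not any platform's engine; the action names, the five-minute step-up freshness window and the rule that an approver must be someone other than the invoking user are assumptions. It shows the intersection of token scope with the user's permissions, and the extra step-up or human-approval requirement for the sensitive actions the text lists.

```python
"""Policy decision point (PDP) for per-action agent authorization: an added example
for this article, not an OPA or Cedar policy and not any platform's engine. The action
names, the step-up freshness window and the four-eyes rule on approvals are assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable, Optional

# Actions that need fresh authorization even when they sit inside the token scope
# (assumed list, built from the article's examples).
SENSITIVE_ACTIONS = {"refund:issue", "account:merge", "contract:amend"}
STEP_UP_MAX_AGE = 5 * 60  # seconds; a step-up assertion older than this is not "fresh" (assumed)


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def effective_permissions(token_scope: Iterable[str], user_permissions: Iterable[str]) -> set[str]:
    """Least privilege: the agent acts with the intersection of its token scope and the
    invoking user's permissions, never with either set on its own."""
    return set(token_scope) & set(user_permissions)


def authorize(claims: dict, user_permissions: set[str], action: str, now: int,
              step_up: Optional[dict] = None, human_approval: Optional[dict] = None) -> Decision:
    """Decide one action. `claims` are already-verified token claims (sub, obo, scope);
    `step_up` is a step-up assertion for the on-behalf-of user naming this action;
    `human_approval` is an explicit approval naming this action. The agent never
    calls this on itself; the tool service calls it before acting."""
    allowed = effective_permissions(claims.get("scope", []), user_permissions)
    if action not in allowed:
        return Decision(False, f"{action} is outside the effective permissions {sorted(allowed)}")
    if action not in SENSITIVE_ACTIONS:
        return Decision(True, f"{action} is in scope and not sensitive")
    user = claims.get("obo")
    if (step_up and step_up.get("sub") == user and step_up.get("action") == action
            and 0 <= now - step_up.get("iat", 0) <= STEP_UP_MAX_AGE):
        return Decision(True, f"{action} authorized by fresh step-up from {user}")
    if (human_approval and human_approval.get("action") == action
            and human_approval.get("approver") and human_approval["approver"] != user):
        return Decision(True, f"{action} approved by {human_approval['approver']}")
    return Decision(False, f"{action} is sensitive and no fresh step-up or second-person approval was presented")


if __name__ == "__main__":
    # Constructed demo: the token carries refund:issue, but the action still needs a step-up.
    claims = {"sub": "agentforce-triage-bot", "obo": "analyst@example.com",
              "scope": ["case:read", "contact:read", "refund:issue"]}
    user_perms = {"case:read", "case:update", "contact:read", "refund:issue"}
    print(authorize(claims, user_perms, "case:update", now=1000))      # denied: not in token scope
    print(authorize(claims, user_perms, "refund:issue", now=1000))     # denied: no step-up
    print(authorize(claims, user_perms, "refund:issue", now=1000,
                    step_up={"sub": "analyst@example.com", "action": "refund:issue", "iat": 940}))
```

Note that a scope the token carries but the user lacks is denied as well: the token is an upper bound, not a grant, which is what keeps a mis-issued token from exceeding what the invoking user could do directly.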
Monitoring
Every agent request must be logged with full context: the prompt, the retrieved chunks, each tool call and its response, the decision, and the user’s identity. Anomaly detection should baseline what normal looks like for each agent; a triage bot suddenly reading 2,000 Contact records in five minutes is a signal even if every individual access was authorized. Behavioral baselining tools (Microsoft Sentinel UEBA, Splunk UBA) extended their models to non-human identities in 2025. Deviations trigger an investigation rather than an automatic block, because false positive rates are still high in this space.
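The two checks this section implies, as an added example that is not Sentinel or Splunk logic: a completeness check that flags any request record missing the fields incident reconstruction needs, and a per-agent volume baseline that surfaces the 2,000-record burst. The log schema, the constructed telemetry lines, the five-minute window and the three-sigma threshold are assumptions.

```python
"""Telemetry completeness check and per-agent volume baselining over agent request logs.
Added example for this article, not Sentinel UEBA or Splunk UBA logic; the log schema,
the constructed log lines below and the thresholds are assumptions."""
from __future__ import annotations
import json
import statistics
from collections import defaultdict

# Fields that incident reconstruction needs on every request record (assumed schema).
REQUIRED_FIELDS = {"ts", "agent", "user", "prompt", "retrieved_chunks",
                   "tool_calls", "tool_responses", "decision"}

# Constructed sample telemetry (JSON lines): five quiet 5-minute windows, then a
# 2,000-record burst whose record also failed to log the retrieved context.
SAMPLE_LOG = """\
{"ts":0,"agent":"agentforce-triage-bot","user":"u1","prompt":"triage case 1001","retrieved_chunks":["kb:42"],"tool_calls":[{"tool":"contact.query"}],"tool_responses":[{"tool":"contact.query","records":12}],"decision":"route:billing"}
{"ts":300,"agent":"agentforce-triage-bot","user":"u1","prompt":"triage case 1002","retrieved_chunks":["kb:17"],"tool_calls":[{"tool":"contact.query"}],"tool_responses":[{"tool":"contact.query","records":9}],"decision":"route:support"}
{"ts":600,"agent":"agentforce-triage-bot","user":"u2","prompt":"triage case 1003","retrieved_chunks":["kb:42"],"tool_calls":[{"tool":"contact.query"}],"tool_responses":[{"tool":"contact.query","records":14}],"decision":"route:billing"}
{"ts":900,"agent":"agentforce-triage-bot","user":"u2","prompt":"triage case 1004","retrieved_chunks":[],"tool_calls":[{"tool":"contact.query"}],"tool_responses":[{"tool":"contact.query","records":11}],"decision":"route:support"}
{"ts":1200,"agent":"agentforce-triage-bot","user":"u1","prompt":"triage case 1005","retrieved_chunks":["kb:9"],"tool_calls":[{"tool":"contact.query"}],"tool_responses":[{"tool":"contact.query","records":10}],"decision":"route:billing"}
{"ts":1500,"agent":"agentforce-triage-bot","user":"u3","prompt":"export all contacts for case 1006","tool_calls":[{"tool":"contact.query"}],"tool_responses":[{"tool":"contact.query","records":2000}],"decision":"route:billing"}
"""


def parse_jsonl(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def completeness_gaps(records: list[dict]) -> list[tuple[int, set[str]]]:
    """(ts, missing fields) for every record that could not be reconstructed later."""
    gaps = []
    for r in records:
        missing = REQUIRED_FIELDS - set(r)
        if missing:
            gaps.append((r.get("ts"), missing))
    return gaps


def records_read(record: dict) -> int:
    """Records returned across all tool responses in one agent request."""
    return sum(resp.get("records", 0) for resp in record.get("tool_responses", []))


def volume_per_window(records: list[dict], window_seconds: int) -> dict[str, dict[int, int]]:
    """agent -> window index -> records read in that window."""
    out: dict[str, dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for r in records:
        out[r["agent"]][r["ts"] // window_seconds] += records_read(r)
    return out


def flag_anomalies(records: list[dict], window_seconds: int = 300,
                   min_windows: int = 4, sigma: float = 3.0) -> list[tuple[str, int, int, float]]:
    """Windows where an agent's read volume is far above its own baseline, as
    (agent, window_start, volume, baseline_mean). Each window is compared against the
    agent's other windows (leave-one-out) so a burst does not inflate its own baseline.
    The output opens an investigation; it does not block."""
    findings = []
    for agent, windows in volume_per_window(records, window_seconds).items():
        if len(windows) < min_windows:
            continue  # not enough history to call anything "normal"
        for w, volume in windows.items():
            others = [v for k, v in windows.items() if k != w]
            mean = statistics.mean(others)
            spread = max(statistics.pstdev(others), 1.0)  # floor so a flat baseline still gives a finite threshold
            if volume > mean + sigma * spread:
                findings.append((agent, w * window_seconds, volume, mean))
    return findings


if __name__ == "__main__":
    recs = parse_jsonl(SAMPLE_LOG)
    for ts, missing in completeness_gaps(recs):
        print(f"incomplete record at ts={ts}: missing {sorted(missing)}")
    for agent, start, volume, mean in flag_anomalies(recs):
        print(f"{agent}: {volume} records read in window starting {start}s (baseline mean {mean:.1f})")
```

Run on the sample, the completeness check names the burst record as the one without retrieved_chunks, which is exactly the record an investigator would need to reconstruct; the baseline check flags only the burst window, because every other window's leave-one-out baseline includes the burst and so has a threshold far above its own volume.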
Common Failure Modes
The dominant failure is treating the agent’s underlying LLM as the security boundary. The model is not a security boundary; it is a probabilistic text generator that can be steered by an attacker who controls any input it sees, including a CRM Note field, an email body, or a knowledge-base article. The boundary lives at the policy enforcement point downstream. Second failure: inheriting the invoking user’s full Salesforce or Dynamics permissions instead of an intersected, least-privilege subset, so a hijacked agent can do anything that user can do. Third: logging the prompt but not the retrieved context, which makes incident reconstruction impossible, since an injected instruction typically arrives in that context rather than in the prompt.
Implementation Sequence
A defensible 90-day sequence: weeks 1-3, inventory every agent and its current credentials; weeks 4-6, replace service accounts with JIT tokens; weeks 7-9, push policy enforcement to the service layer using OPA or platform-native rules; weeks 10-12, wire complete telemetry into the SIEM and run a tabletop. Most teams skip the inventory and never finish; the inventory is the project.
What to do this week
Pick one agent in production and produce its full call graph: identities used, tools accessed, data classifications touched. If you cannot produce the diagram in two days, that gap is the most important finding of the quarter.