
The Model

Every agent has data access scopes: what records it can read, what it can write, what it can delete. Scopes are enforced at the API layer, and the Einstein Trust Layer audits every call. Agents cannot exceed their declared scope, and the scope is bound to a Permission Set assigned to the agent’s Connected App user, not to the invoking end user. That distinction matters: an agent running on behalf of a low-privilege rep can still read fields the rep cannot, which is exactly why the scope must be tighter than the broadest user it serves.

Least Privilege

Default to minimum necessary. A prospecting agent reads Lead and Account; it doesn’t need Case or Opportunity. A support agent reads Case, Knowledge__kav, and the Contact it’s tied to; it doesn’t need closed-won opportunities. Narrow scopes reduce blast radius and keep prompt-injection attacks from exfiltrating unrelated PII.

Agent: SDR_Outreach_Agent
  Read:  Lead, Account, Contact (FirstName, LastName, Email, Title, AccountId)
  Write: Task (Subject, WhoId, ActivityDate)
  Deny:  Opportunity, Case, User, all custom PII fields

Use Field-Level Security on the agent user’s profile, not just object-level. An agent with read on Contact but no FLS on SSN__c will not see — or hallucinate — that field.

Audit

Every data access logs to the Trust Layer audit trail and is queryable via AgentInteractionLog and AgentDataAccess objects. Review quarterly — is the agent actually using all its scope? Shrink unused access. An audited agent costs less and poses less risk.

SELECT Field, COUNT(Id)
FROM AgentDataAccess
WHERE AgentId = '0XX...' AND CreatedDate = LAST_N_DAYS:90
GROUP BY Field
ORDER BY COUNT(Id) DESC

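Fields with zero reads in 90 days are candidates for removal. The query returns only fields that were actually read, so the zero-read fields are the ones granted in the Permission Set but missing from the result. Document the decision in the Permission Set description so the next reviewer knows why.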

Users activating agents see declared scopes. “This agent will access: your contacts, open opportunities, recent activity.” Transparency at activation reduces downstream surprise and complaint, and is increasingly a compliance expectation under EU AI Act Article 13 and similar regional rules. Store the consent timestamp and scope hash on the AgentConsent__c record so revocation and scope-drift detection are both trivial.

Common Failure Modes

  • Granting Modify All Data to make integration “just work” — never acceptable for an agent.
  • Reusing a single Connected App across multiple agents, which collapses audit attribution.
  • Letting Flow-invoked actions bypass the agent’s scope by running in system mode without checks.
  • Forgetting that WITH USER_MODE in Apex is required for the agent’s FLS to apply inside custom Actions.

What to Do This Week

Export the current Permission Set for one production agent, diff it against the last 90 days of AgentDataAccess reads, and remove any object or field with zero usage.
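The diff described above, as an added Python example that is not part of the original page or of any Salesforce tooling. It assumes the Permission Set export is a list of FieldPermissions-shaped rows and that AgentDataAccess.Field uses the same "Object.Field" form; the function names, the sample rows and the hash canonicalization are hypothetical.

```python
import hashlib
import json

# Constructed sample: FieldPermissions-shaped rows exported for the agent's
# Permission Set (Field is "Object.Field").
GRANTED = [
    {"Field": "Contact.Email", "PermissionsRead": True},
    {"Field": "Contact.Title", "PermissionsRead": True},
    {"Field": "Contact.Phone", "PermissionsRead": True},
    {"Field": "Lead.Company", "PermissionsRead": True},
    {"Field": "Lead.AnnualRevenue", "PermissionsRead": False},
]

# Constructed sample: rows from the 90-day aggregate query. Assumes the same
# "Object.Field" form; expr0 is the default alias SOQL gives an unaliased
# aggregate such as COUNT(Id).
USAGE = [
    {"Field": "Contact.Email", "expr0": 1840},
    {"Field": "Lead.Company", "expr0": 212},
    {"Field": "Contact.Birthdate", "expr0": 9},
]


def review_scope(granted, usage):
    """Compare granted read scope with reads observed in the audit data."""
    readable = {r["Field"] for r in granted if r["PermissionsRead"]}
    used = {r["Field"] for r in usage if r["expr0"] > 0}
    return {
        # Granted but never read in the window: candidates for removal.
        "unused": sorted(readable - used),
        # Read but not granted by this export: the access comes from somewhere
        # else (another Permission Set, the profile, system-mode code).
        "unexplained": sorted(used - readable),
    }


def scope_hash(fields):
    """Order-independent SHA-256 over a set of field names."""
    canonical = json.dumps(sorted(set(fields)), separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    result = review_scope(GRANTED, USAGE)
    print("remove:", result["unused"])
    print("investigate:", result["unexplained"])
    before = [r["Field"] for r in GRANTED if r["PermissionsRead"]]
    after = [f for f in before if f not in result["unused"]]
    print("scope changed:", scope_hash(before) != scope_hash(after))
```

A changed hash after the cleanup is the signal to compare against the scope hash stored with the user's consent.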
