AI agents in Salesforce can do things autonomously — update records, send communications, create cases, trigger workflows — without a human approving each action. That's the point. That's why they're valuable.
It's also why governance matters more with AI agents than with almost any other Salesforce feature.
This guide is for admins who have been handed responsibility for Agentforce deployments and need a practical framework for keeping those deployments safe, auditable, and correctable.
What "Governance" Actually Means for AI Agents
In this context, governance covers four things:
- Access control: what is the agent allowed to touch?
- Audit trails: what did the agent do, when, and why?
- Escalation paths: when does the agent hand off to a human?
- Incident response: what do you do when the agent does something wrong?
Most Agentforce deployments think about the first two. The last two are where real-world problems get expensive.
Access Control: Start With the Minimum
Every Agentforce agent runs under a specific user's permissions. This user — typically a dedicated integration or system user — defines the blast radius if something goes wrong.
The wrong approach: clone an admin user and use that as your agent's running user. This gives the agent access to almost everything in your org, which means a misconfigured action can affect almost everything.
The right approach:
- Create a dedicated agent user with a custom profile
- Assign only the object permissions, field permissions, and record access the agent's topic genuinely requires
- Block access to sensitive objects and fields explicitly (compensation data, financial records, executive communications)
- Review the permission set quarterly — as the agent's scope expands, access should be added deliberately, not assumed
Field-Level Governance: The Control Most Teams Miss
Agentforce Summer '26 introduced explicit field-level controls for autonomous updates — you can specify which fields an agent is and isn't allowed to write.
This is not optional. Without it, an agent with write access to a record can update any field it has profile-level access to — including fields you never intended it to touch.
Set explicit field-level autonomous update controls for:
- Any field that drives financial calculations or reporting
- Fields that trigger downstream automations (status fields, stage fields)
- Fields that are customer-visible (names, email addresses, contract terms)
- Any field covered by your data privacy or compliance obligations
Treat this like you'd treat field-level security for human users: the default is restricted, and access is granted deliberately.
Audit Trails: Understanding What Your Agent Did
Salesforce provides the Einstein Activity Log for reviewing agent actions. This log records:
- What input the agent received
- Which topic and actions it invoked
- What changes it made to records
- Whether it escalated or resolved
Make a habit of reviewing this log regularly — not just when something goes wrong. Weekly reviews catch drift (cases where the agent is behaving differently than designed) before it becomes a problem.
Also useful: build a custom report in Salesforce that surfaces agent-created or agent-modified records, filtered by date range and object. This gives you a business-readable view of agent activity without needing to read raw logs.
Escalation Paths: When the Agent Should Stop and Ask
Every Agentforce agent topic should have explicit escalation criteria — conditions under which the agent stops trying to resolve autonomously and routes to a human.
Escalation criteria to define upfront:
- Confidence threshold: if the agent's confidence in its resolution falls below X%, escalate
- Sentiment trigger: if the customer expresses frustration, anger, or legal intent, escalate immediately
- Value threshold: any action affecting an account worth above £Y goes to a human
- Data sensitivity: any request involving financial data, contract changes, or PII changes escalates
- Repeat issue: if the same customer has contacted support 3+ times about the same issue, escalate
These criteria become the agent's escalation instructions. They should be reviewed and updated as you learn from real-world agent behaviour.
Incident Response: What To Do When Something Goes Wrong
At some point, your agent will do something unexpected. A record will be updated incorrectly. An email will go to the wrong person. A case will be resolved when it shouldn't have been.
Before this happens, have a written incident response plan that covers:
- How to identify the issue (monitoring alerts, customer reports, manager review)
- How to pause the agent immediately (know the deactivation path in Setup — it should take under 2 minutes)
- How to assess the blast radius (how many records were affected? which customers?)
- How to remediate (what changes need to be reversed, and how?)
- How to prevent recurrence (what configuration change would have prevented this?)
Running through this scenario in a tabletop exercise before go-live is worth the hour it takes.
MeetTheMind Insight 💡
The admin role in an AI-enabled Salesforce org has changed. It used to be primarily about configuration and user support. Now it includes something closer to operational oversight of autonomous systems.
That's a more complex responsibility. The tools Salesforce provides — field-level controls, activity logs, escalation paths — are genuinely useful. But they only work if someone is actively using them. Governance isn't a one-time setup; it's an ongoing practice.
If you're an admin who's just been handed an Agentforce deployment, my advice is simple: start with the access control, build the audit habit, and know your deactivation path. Everything else can be refined over time.
Key Takeaways
- AI agent governance covers access control, audit trails, escalation paths, and incident response
- Create a dedicated minimum-permission agent user — never clone from admin
- Set explicit field-level autonomous update controls for sensitive fields
- Review the Einstein Activity Log weekly, not just when incidents occur
- Define escalation criteria before go-live: confidence, sentiment, value, sensitivity, repetition
- Have a written incident response plan and know how to deactivate the agent in under 2 minutes