heise PlusAbo
Anzeige

Salesforce: Trust in AI agents is good, control is better

Anyone who wants to use AI agents must also be able to contain them. Salesforce aims to make this possible with its Einstein Trust Layer.

listen Print view
Salesforce logo on a building

(Image: Jonathan Weiss/Shutterstock.com)

4 min. read
iX Magazin
By
  • Prof. Jonas Härtfelder
Contents

Salesforce has detailed its security architecture for AI agents. The so-called Einstein Trust Layer removes personal data before handing it over to external language models, checks their responses for toxicity and prompt injection attempts, and logs all processing steps in an auditable manner. In parallel, the company showcased Agentforce Voice for the first time in German.

The Einstein Trust Layer is at the center of the Salesforce architecture. When an AI agent processes a request, the system generates a structured prompt in the background with role information, defined guardrails, and context-specific company data.

Placeholder for personal data

Using Dynamic Grounding, the platform supplements structured data from the Data Cloud at runtime. Before the prompt is passed to an external language model, the Trust Layer removes personal information and replaces it with placeholders. The model is thus intended to process the semantic structure of the request without gaining access to clear data.

After the model response, further checks follow: A Reasoning Engine analyzes the result for toxicity, possible prompt injection attempts, and content consistency. Only when these checks are passed are the placeholders replaced with the original data. According to Salesforce, a zero-retention policy applies to model partners; transmitted content should not be stored. An audit trail documents all steps and makes it traceable which agent accessed which data basis and triggered which action.

Model Agnosticism and Test Environment

The platform is designed to be model-agnostic. Companies can choose between models from OpenAI and Anthropic or integrate their models (Bring Your Own Model). For narrowly defined tasks such as summarizing service cases, Salesforce also uses Small Language Models tailored to CRM domains.

A Prompt Builder allows models to be selected per use case and tested with synthetic test data. This shifts some responsibility for quality and security to administrators who define model selection and guardrails.

Slack and Voice as Application Layer

The Slackbot, available since January, serves as a conversational interface for this agent architecture. New is Canvas: a document bundles content from conversations and connected systems. For more complex requests, the Slackbot delegates to specialized agents with defined areas of responsibility. External systems are connected via integration interfaces. In the test, the bot sometimes responded in English to German input.

With Agentforce Voice, Salesforce extends the existing agent architecture with a voice interface. Like Slack, Voice also serves as an access layer to the same data and process layers. In addition to use in the telephone channel, the voice interface can also be integrated into applications or physical systems such as service robots.

Requests are broken down into subtasks, relevant customer and process data is queried, and defined actions are initiated. Since all interactions are consolidated in the Data Cloud, the agent also has access to previous contacts across channels.

New Billing via Agentic Work Units

In parallel, Salesforce is introducing a new billing unit with the so-called Agentic Work Units (AWU). Instead of consumed tokens, the company measures completed tasks, such as a complete reasoning chain or a successful system call.

According to the company, 2.4 billion AWUs have been processed so far, with significant growth compared to the previous quarter. How transparent these units are compared to token-based models depends on the definition and measurability of the underlying processes.

Videos by heise

Architecture Instead of Model Performance

With the Einstein Trust Layer, Salesforce is shifting the focus from pure model performance to control architecture. Masking, verification mechanisms, and auditability are intended to enable the use of autonomous agents in regulated corporate environments.

It remains to be seen whether the multi-stage verification processes will reliably work in practice. Hallucination checks are also based on probabilistic models; masking also requires that sensitive information is fully recognized. The more complex the connected systems and processes, the more challenging it becomes to enforce these control mechanisms consistently. The productive use of agentic systems is therefore likely to depend less on individual language models than on the stability and transparency of the governance layer.

(nen)

Don't miss any news – follow us on Facebook, LinkedIn or Mastodon.

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.

Beliebte Bestenlisten

Alle Angebote
Newsletter heise-Bot heise-Bot Push Nachrichten Push Push-Nachrichten