LLM Data Masking: Silver Bullet or Double-Edged Sword?

If you’ve used Salesforce’s generative AI tools at work, chances are that data masking was working diligently in the background to safeguard your company’s sensitive information. This crucial piece of security infrastructure automatically swaps out personally identifiable information (PII) and other protected data with fictional but realistic approximations — allowing LLMs to generate accurate responses without exposing confidential information to the underlying model. 

Data masking has been an integral part of how we secure customer privacy at Salesforce. But as AI enters the agentic era, data masking is proving to be more of a double-edged sword than a silver bullet. That’s because the process of masking sensitive data often obscures the very details AI agents need to do their jobs accurately and reliably.

To equip Agentforce with the data and context it needs to make informed decisions, we’ve made some changes to the way data masking works. At the same time, we’re planning to offer new approaches to ensure the same level of trust and security you’ve come to expect from Salesforce. But before we dive into what’s new, let’s review what’s staying the same.    

Mask on, mask off

Data masking works by replacing sensitive information in an LLM prompt before the prompt is sent to the model. Einstein Trust Layer supports two types of data masking: pattern-based and field-based. Pattern-based masking looks for specific text patterns, such as the digit layout of a social security number, while field-based masking uses Salesforce metadata to identify fields whose data classification marks them as sensitive. Once the LLM returns a response, the data is "demasked": the substituted values are mapped back to the originals, so users see their own data in the reply rather than the placeholders the model saw.
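The following Python sketch is an added illustration written for this page, not Einstein Trust Layer's implementation. It applies both strategies to a constructed CRM record and prompt, keeps a reversible map from each fake value to its original, and demasks a reply. The regexes, the field-classification table, and the two stub "models" are assumptions. The second stub shows a failure mode worth knowing: a model that rewrites a masked value in a different shape cannot be demasked, so the user sees the fake digits rather than the original.

```python
import random
import re

# Added example, not Einstein Trust Layer code: a toy masker that applies the
# two strategies the post describes (pattern-based and field-based) and then
# demasks the model's reply. Classifications and stub models are constructed.

# Pattern-based: the masker recognises the shape of the value.
PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}

# Field-based: hypothetical stand-in for Salesforce field metadata.
# Only fields classified as PII are masked; "Industry" passes through.
FIELD_CLASSIFICATION = {"Name": "PII", "Email": "PII", "Phone": "PII", "Industry": "Public"}


class Masker:
    """Reversible masking: every original value maps to exactly one fake, and back."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)  # seeded only to keep the example reproducible
        self.fwd = {}  # original -> fake
        self.rev = {}  # fake -> original

    def _fake(self, kind, original):
        if original in self.rev:   # already a fake: never mask twice
            return original
        if original in self.fwd:   # same value, same fake, so the model can correlate mentions
            return self.fwd[original]
        while True:
            if kind in ("SSN", "PHONE"):
                # format-preserving: keep punctuation, randomise the digits
                fake = "".join(str(self.rng.randrange(10)) if c.isdigit() else c
                               for c in original)
            elif kind == "EMAIL":
                fake = f"user{len(self.fwd) + 1}@example.invalid"
            else:
                fake = f"{kind}_{len(self.fwd) + 1}"
            # reject a fake that collides with the original, another original, or another fake
            if fake != original and fake not in self.fwd and fake not in self.rev:
                break
        self.fwd[original] = fake
        self.rev[fake] = original
        return fake

    def mask_fields(self, record, text):
        """Field-based: mask values of PII-classified fields wherever they occur in text."""
        for field, value in record.items():
            if FIELD_CLASSIFICATION.get(field) == "PII" and value in text:
                text = text.replace(value, self._fake(field.upper(), value))
        return text

    def mask_patterns(self, text):
        """Pattern-based: mask anything shaped like an SSN, phone number or email."""
        for kind, rx in PATTERNS.items():
            text = rx.sub(lambda m, k=kind: self._fake(k, m.group(0)), text)
        return text

    def demask(self, text):
        # longest fake first so "NAME_1" is not rewritten inside "NAME_12"
        for fake in sorted(self.rev, key=len, reverse=True):
            text = text.replace(fake, self.rev[fake])
        return text


def guarded_call(record, prompt, model):
    """Mask -> call model -> demask. Returns (masked_prompt, user_visible_reply)."""
    m = Masker()
    masked = m.mask_patterns(m.mask_fields(record, prompt))
    return masked, m.demask(model(masked))


# Constructed record and prompt (not real data).
RECORD = {"Name": "Jane Doe", "Email": "jane.doe@acme.example",
          "Phone": "415-555-0142", "Industry": "Banking"}
PROMPT = ("Draft a reply to Jane Doe (jane.doe@acme.example, 415-555-0142), "
          "Industry: Banking. Her SSN on file is 123-45-6789.")


def echo_model(masked_prompt):
    """Stub LLM that quotes the values it was given verbatim: demasking succeeds."""
    return "Reply sent to " + masked_prompt


def reformatting_model(masked_prompt):
    """Stub LLM that drops the hyphens from the SSN: demasking cannot match it."""
    ssn = PATTERNS["SSN"].search(masked_prompt).group(0)
    return "SSN on file: " + ssn.replace("-", "")


if __name__ == "__main__":
    masked, reply = guarded_call(RECORD, PROMPT, echo_model)
    print("model saw :", masked)
    print("user sees :", reply)
    print("reformatted:", guarded_call(RECORD, PROMPT, reformatting_model)[1])
```

The reformatting case is the crux of the accuracy trade-off: once the model paraphrases, reorders or reformats a masked value, the demask step has nothing to match, and the substituted value reaches the user as if it were real. A production masker also needs to decide what to do with such unresolved placeholders rather than silently passing them through.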

For many common generative AI use cases, data masking will keep its current behavior. Out-of-the-box generative AI features such as Service Replies and Field Summaries will continue to apply data masking before prompts are sent to the LLM. Data masking will also remain enabled for prompt templates executed within Prompt Builder or via Flow. A simple rule of thumb: if a generative AI interaction occurs outside of Agentforce, data masking works the same as it always has.

So, what does this mean for Agentforce?

Context is king

Last year, we made the decision to disable data masking for Agentforce use cases. The reasons for this are simple: data masking adds latency and hinders the planner and action workflows within Agentforce. Many customers report accuracy degradation in agent responses when masking is enabled. Imagine asking an agent to look up a CRM record and put together a list of similar accounts. To identify records with similar characteristics, the agent would need specific details from the reference account. With masking disabled, your agent can now access this information, but that doesn’t mean your sensitive data is sitting around unprotected.

As shown above, a layered set of security measures is designed to ensure that customer data is never compromised. Our zero-retention agreements with major LLM providers are the first line of defense, preventing customer data from being retained or used for training by the LLM provider. Next, user-defined guardrails and data access controls allow you to set stringent rules governing what Agentforce is allowed to do and what data it can access.

Our roadmap also includes a number of planned releases that will further bolster data privacy and security for Agentforce.  

Looking ahead

Soon, we’ll be adding Agentforce support for foundation models hosted within the Salesforce trust boundary, beginning with Anthropic’s Claude family of LLMs. This approach prevents customer data from leaving the trust boundary, while enabling customers to take advantage of the latest frontier models such as Anthropic Claude Sonnet.

From a security, compliance, and trust point of view, Salesforce-managed instances of Anthropic models differ in several important ways from OpenAI/Azure models. As shown in the diagram below, the Salesforce-hosted Anthropic models will be accessed differently than the other third-party LLMs currently available. With this architectural design, which leverages Amazon Bedrock, all LLM traffic remains within the Salesforce VPC (secure network architecture), and traffic is encrypted using TLS 1.2 at a minimum at all times.

Regardless of which model you choose, customer data will never be stored or used to further train any generative AI models without your consent.

As the future of enterprise AI continues to take shape, the features and policies governing data privacy will evolve in tandem. But one thing you can count on staying the same? Our fundamental commitment to trust and security. 

Interested in more technical content?

Visit agentblazer.com to learn more and join the community! 
