The Security Review
Salesforce reviews agent code and configuration for vulnerabilities. OWASP LLM Top 10 considerations. Data access scopes. Prompt injection defenses. Authentication and secrets handling. Logging and audit readiness.
Data Access Scopes
Agents declare which CRM data they read and write. Principle of least privilege. Overly broad access requests must be reduced in scope before certification. Customers see the declared scopes before activation.
Compliance Posture
Agents for regulated industries get additional review: HIPAA handling, GDPR compliance, financial data segregation. Certifications cascade: platform certification plus regulatory-specific validation.
ISV Timeline
Budget 2-4 weeks for initial security review on a well-prepared agent. Longer for complex or novel architectures. Remediation cycles add time if issues surface. Don’t submit for certification with known gaps; reviewers will find them.