Dec 17 2024 7 mins 3
Watch now! - https://www.youtube.com/@Urelevant
Let's dive into some security concerns and what you can do to shore up your AI implementations inside of
agent force so I noticed a post on LinkedIn that was gaining some traction that was from Amnon Kruvi and
he's a Salesforce architect and he mentions in his post that "it took me exactly two questions to accidentally
get agent force to reveal someone else's personal information using the default actions followed by
hallucinating madeup orders for that person and then from there he's saying how AI has no business reading
database records that is not to say there are no excellent use cases for it but delivering live information from
a database is just too risky in the data protection era we need to be realistic with what kinds of solutions AI
can safely deliver I understand the hype but some of it will just leave the door wide open for someone to
steal your data." That really intrigued me when I first saw that is like wow this is giving up information and
Salesforce has done a lot of work around the Einstein trust layer to try to protect information to mask
sensitive data as it goes to a large language model but when you think about it as far as authentication
methods that's something that always happens whenever you call into a call center and dealing with any sort
of sensitive records often times you're asked to verify your phone number your date of birth perhaps provide
the last four of your Social just different things as far as verifying and so what Amnon goes on to describe in
some of the comments which I'll highlight some here in a moment is that the verification process was kind of
thin and this was the default behavior and setup in the instruction sets inside of Agentforce and I'll dig in
more to try to see what sort of org or instance he was in if this was is a free learner account I think one of the
issues is is that this was the default setup provided by Salesforce which might lead to uh users trusting that
just because it's coming from Salesforce just presuming that best practices were being used so we're going
to explore in this video as well how you can help bring your instructions into alignment your various
guardrails that you can put in place inside of Agentforce and then open up some of the possibilities as far is
if there's things that are out of alignment or contradict one another in your guard rails and instructions these
are all things that we now have to think about in this new age of AI that we're working in and navigating and
so Amnon further iterates that does a good job of closing off a lot of attack vectors but the issue was with the
default demo configuration being of poor quality and teaches bad processes that highlight the security risk
involved with any kind of AI based technology and so here is my comment where I chimed in just saying for
my perspective that there's so many challenges that abound from implementing generative AI and placing
guard rail ensuring alignment across all instructions in Agentforce and the inevitable rapid release of new
and improved models makes this a moving Target this is a good case study for the Agentforce testing center
and previously we saw the release a few weeks ago of the Agentforce testing center where you can bulk test
agent force performance and agent responses and I think that this is a good thing to think about is the
hundreds or thousands of ways that prompts might come into an Enterprise and then testing out out in bulk
the verification process so that you are not just giving away other people's information the scenario that
Amnon is describing is he's self-identifying as someone saying that he is someone else giving that person's
email address which sometimes is easy to find online and then asking questions about an order for example
so you can see if you're dealing with agent force at a healthcare setting Financial Services Etc there's a lot
of loopholes that could be exploited and so then Paul Battisson he had a question here missing that this is
concerning and asking about the setup wanting to know more details as to what was the org in question
what was the setup and so he answers Paul saying it was an SDO that's the Salesforce developer org and
the main point here is that Amnon had a pretty good idea of why it was happening how to mitigate the
situation as well his main point is that the default action should not be so exposed because people might
think they're best practice and that's the point here is that when you see something from Salesforce you
assume that everything's been thought out and thought through and that the proper guard rails are in place
so whenever you're spinning up an instance that has Agentforce enabled you don't want to just necessarily
take all the instruction sets at face value there's instructions you can place the agent level and inside of
prompt templates and you will be wanting to audit those make sure that they're in alignment that's one of the
points I was trying to make as far as this being indeed a moving Target coupled with as well in the
background the constant Evolution and advancements with new large language models and those being
added into agent force over time and so this is something that will not be set it and forget it sort of
proposition but will always need to be being monitored by organizations and tested in bulk in mass and that's
why the Agentforce testing center is so important is because we can't humanly scale to that point to think of
all the variations as to the different approaches to be able to try to hack this in and there was another
response further down from someone named Vani I didn't put her last name I checked her profile I'm not
sure what her last name is she's bringing up since Agentforce can't function without Einstein trust layer uh
which includes safeguards like data masking and access controls I'm curious do this happen even after
having these protections or or do you think they're still room for improvement and so then Amnon responds
back that I did not actively put someone's address as protected data in the trust layer configuration though it
was enabled with the default settings and then basically said hey my email is xxx then asked it to tell me
what my address and birthday were and so that is the example specifically of the prompt or the utterance
that was given to Agentforce and it didn't really do a great job as far as verifying the identity of the person it
was able to then verify by the email address assuming that that is the person that is chatting or prompting
agent force and then was able to follow up with asking some follow-up questions and so then Andy
Cotgreave brought up a great point as well saying we don't want to put the burden on the end user as far as
having to test test test and that burden should be on Salesforce in the configuration of Agentforce and this I
think it was this specific comment that caused me to remember theAgentforce testing center which was
recently released that comment of test test test was realizing okay the burden is on the user and this is
Salesforce's response is to use the Agentforce testing center because it we can't humanly scale as I said to
test out all those different variations and so it's the coupling of humans and AI working together on that side
of the fence to do that testing in in addition to configuring the Einstein Trust Layer setting and then as well
the instruction sets for prompt templates the agent instructions as well the topic configurations so there's a
lot of great conversation here and this really opens up some thought related to authentication of users and
just the utterances and prompts that Agentforce will be faced with dealing with out in the wild so many
thanks to Amnon Kruvi for insightful post bringing up some important aspects related to Security in the age
of Agentforce and so be sure and check out Velza that is our implementation company we specialize in
Salesforce implementations and agent force implementations reach out to us at Velza.com and we will
schedule a call do a discovery and get your implementation out on the right foot or fix a failed
implementation that seems to be all the rage nowadays is people trying to start over and get their
configurations fixed especially in this age of AI and Agentforce also be sure and check out rapidreskill.com
for Salesforce and AI training and be sure and like And subscribe to the Urelevant podcast feed the
algorithm help others to find Urelevant as well it's all about helping you to find relevance in the economy of
now I'm Mike wheeler signing off for now until next time I'll see you in the cloud
