AI Security
Safely Connecting an AI Assistant to Salesforce CRM Data
TL;DR: Use a dedicated Salesforce Connected App granted only the OAuth scopes it needs, route all AI calls through a server‑side proxy that validates prompts, masks PII, and logs every request. Enforce least‑privilege, short‑lived tokens, and a human‑in‑the‑loop for write‑back actions.
What Salesforce data can an AI assistant realistically need?
Identify the exact objects and fields the assistant must read or write. Typical read‑only use‑cases include:
- Contact name, email, and phone for quick lookup.
- Opportunity stage and amount for sales‑forecast queries.
- Account address for location‑based suggestions.
Write‑back scenarios (e.g., creating a follow‑up task) should be limited to a single object and a handful of fields. Document this matrix in a shared spreadsheet so every team member knows the data boundary.
How to create a least‑privilege Salesforce Connected App
Follow Salesforce’s official guide to register a Connected App (Salesforce Docs). Configure the app with these settings:
- OAuth Scopes: Grant only `api` for read/write on the objects you listed, and `refresh_token` if you need long‑running sessions.
- IP Relaxation: Disable “Relax IP restrictions” unless you run the proxy from a static IP range you control.
- Refresh Token Policy: Set to “Refresh token is valid until revoked” and rotate the token every 30 days.
- Session Timeout: Choose the shortest acceptable timeout (e.g., 15 minutes) for interactive sessions.
Export the client_id and client_secret – store them in a secret manager, never in code.
Why a server‑side proxy is essential
Directly exposing the Salesforce token to an LLM is a recipe for credential leakage. A lightweight proxy (Node.js, Python Flask, or Cloudflare Workers AI) can:
- Validate the user’s prompt against a whitelist of allowed intents.
- Mask or redact any PII before sending it to the model.
- Enforce rate limits per user or per API key.
- Log request/response pairs for audit and compliance.
Example proxy flow:
User Prompt → Proxy (validate & mask) → OpenAI Function Call → Salesforce REST API → Proxy (log & filter) → User
How to protect against prompt injection
Prompt injection can trick the model into revealing the Salesforce token or performing unauthorized writes. Mitigate with these controls:
- Static System Prompt: Keep the system prompt on the server; never let the LLM see the token.
- Input Sanitization: Strip or escape characters like `\`, `"`, and JSON delimiters before constructing function calls.
- Intent Whitelisting: Only allow intents that map to pre‑approved Salesforce actions (e.g., `lookup_contact`, `create_task`).
- Human Review for Writes: Require a confirmation step before any `POST` or `PATCH` request reaches Salesforce.
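The intent whitelist and sanitization controls above can live in one proxy-side check that runs on the model's proposed tool call before anything is sent to Salesforce. The following is an added example, not code from the article; the intent names, the per-argument patterns, and the `ARG_PATTERNS` rules are assumptions for illustration. Rather than escaping quotes and backslashes after the fact, it rejects any argument that does not match a tight allow-list pattern, and it flags write intents as requiring human confirmation.

```python
"""Proxy-side validation of a model-proposed tool call (added example).

The model returns JSON such as {"intent": "...", "args": {...}}. Nothing in that
JSON is trusted: the intent must be on the whitelist, every argument must be
expected for that intent, and every value must match a strict pattern that
excludes quotes, backslashes and JSON delimiters.
"""
import json
import re
from dataclasses import dataclass

# Hypothetical intent registry: intent -> HTTP method used against Salesforce,
# the only argument names accepted, and whether a human must confirm first.
ALLOWED_INTENTS = {
    "lookup_contact": {"method": "GET", "args": {"email"}, "confirm": False},
    "create_task": {"method": "POST", "args": {"subject", "contact_id", "due_date"},
                    "confirm": True},
}

# Allow-list patterns per argument (constructed for this example). None of them
# admit ", \, {, }, [, ] or other JSON delimiters, so nothing needs escaping.
ARG_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # Salesforce record ids are 15 or 18 alphanumeric characters
    "contact_id": re.compile(r"[A-Za-z0-9]{15}(?:[A-Za-z0-9]{3})?"),
    "due_date": re.compile(r"\d{4}-\d{2}-\d{2}"),
    "subject": re.compile(r"[A-Za-z0-9 .,'!?-]{1,120}"),
}


class ValidationError(ValueError):
    """Raised when the tool call must not be forwarded to Salesforce."""


@dataclass
class ApprovedCall:
    intent: str
    method: str
    args: dict
    requires_confirmation: bool


def validate_tool_call(raw: str) -> ApprovedCall:
    """Parse the model's tool call and check it against the whitelist."""
    try:
        call = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValidationError(f"malformed tool call: {exc}") from None

    intent = call.get("intent")
    spec = ALLOWED_INTENTS.get(intent)
    if spec is None:
        raise ValidationError(f"intent not allowed: {intent!r}")

    args = call.get("args", {})
    if not isinstance(args, dict):
        raise ValidationError("args must be a JSON object")

    # Any argument the intent does not declare is rejected, not silently dropped,
    # because an unexpected field is a strong sign of injected instructions.
    unexpected = set(args) - spec["args"]
    if unexpected:
        raise ValidationError(f"unexpected arguments: {sorted(unexpected)}")

    clean = {}
    for name, value in args.items():
        if not isinstance(value, str) or not ARG_PATTERNS[name].fullmatch(value):
            raise ValidationError(f"argument {name!r} failed validation")
        clean[name] = value

    return ApprovedCall(intent, spec["method"], clean, spec["confirm"])


if __name__ == "__main__":
    ok = validate_tool_call('{"intent": "lookup_contact", "args": {"email": "jane@example.com"}}')
    print(ok)
    try:
        validate_tool_call('{"intent": "delete_account", "args": {}}')
    except ValidationError as err:
        print("rejected:", err)
```

Because arguments are only ever serialised with `json.dumps` after this check, and the patterns already exclude the characters the article lists, the proxy never has to reason about escaping when it builds the Salesforce request. The `requires_confirmation` flag is what the confirmation UI keys on.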
How to mask or redact PII before sending to the LLM
Use a simple regex‑based redaction library or a dedicated data‑privacy service. Replace names, emails, and phone numbers with placeholders:
John Doe → {NAME}
[email protected] → {EMAIL}
+1‑555‑123‑4567 → {PHONE}
When the model returns a response, re‑inject the original values only after the human‑in‑the‑loop approves the output.
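A minimal version of the regex-based redaction described above, as an added example that is not part of the article or any library it names. The patterns are deliberately simple assumptions (a capitalised first/last name pair, an email address, a North American phone number) and will produce false positives on ordinary capitalised phrases; a dedicated data-privacy service is the better choice in production. Placeholders are numbered (`{NAME_1}`, `{EMAIL_1}`) so a prompt mentioning several people still round-trips, and re-injection is gated on the human approval flag.

```python
"""Reversible PII redaction for prompts sent to the LLM (added example)."""
import re

# Constructed patterns. Order matters: emails and phones are replaced before the
# name pattern runs so that the name regex never sees raw addresses.
SEP = r"[\s\-.\u2011]?"  # space, hyphen, dot or non-breaking hyphen
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("PHONE", re.compile(r"(?:\+?1" + SEP + r")?\(?\d{3}\)?" + SEP + r"\d{3}" + SEP + r"\d{4}")),
    ("NAME", re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")),
]


def redact(text):
    """Replace PII with numbered placeholders.

    Returns the redacted text and a mapping placeholder -> original value that
    the proxy keeps server-side and never sends to the model.
    """
    mapping = {}
    counters = {}

    def replacer(kind):
        def _sub(match):
            value = match.group(0)
            # Reuse the placeholder if the same value appears more than once
            for placeholder, original in mapping.items():
                if original == value:
                    return placeholder
            counters[kind] = counters.get(kind, 0) + 1
            placeholder = "{%s_%d}" % (kind, counters[kind])
            mapping[placeholder] = value
            return placeholder
        return _sub

    for kind, pattern in PATTERNS:
        text = pattern.sub(replacer(kind), text)
    return text, mapping


def restore(text, mapping, approved):
    """Re-inject original values only once a human has approved the output.

    While unapproved, the placeholders stay in place so that nothing sensitive
    reaches the UI or a downstream write before the reviewer signs off.
    """
    if not approved:
        return text
    for placeholder, value in mapping.items():
        text = text.replace(placeholder, value)
    return text


if __name__ == "__main__":
    sample = "Please call John Doe at john@example.com or +1-555-123-4567 about the renewal."
    redacted, table = redact(sample)
    print(redacted)
    print(restore("Task created for {NAME_1}", table, approved=True))
```

The mapping is the sensitive artefact here: it should live only in server memory for the lifetime of the request (or in the same secret-scoped store as the session), never in the audit log alongside the redacted prompt.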
What audit logs should you capture?
Log entries must be immutable and searchable. Include:
- Timestamp (UTC) and user identifier.
- Prompt text (after redaction) and the model’s raw response.
- Salesforce API endpoint, HTTP method, and status code.
- OAuth token hash (not the token itself) for token‑rotation tracking.
- Decision flag indicating whether the request was auto‑approved or required human sign‑off.
Store logs in a write‑once bucket (e.g., AWS S3 with Object Lock) or a SIEM that supports tamper‑evidence.
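One way to produce the log entries listed above, as an added example rather than code from the article. It records every field from the list, stores a keyed fingerprint of the OAuth token instead of the token, and links entries in a hash chain so that a reviewer can detect an edited or removed entry even before the batch reaches an Object-Lock bucket or SIEM. The pepper value, the user ids and the endpoint paths are constructed sample values.

```python
"""Structured, tamper-evident audit entries for the AI-to-Salesforce proxy
(added example). Each entry carries the SHA-256 of the previous entry, so the
sequence can be verified end to end."""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed: a server-side pepper loaded from the secret manager. It keys the
# token fingerprint so the fingerprint alone reveals nothing about the token.
TOKEN_FINGERPRINT_KEY = b"example-pepper-loaded-from-secret-manager"


def token_fingerprint(access_token: str) -> str:
    """Short keyed hash of the OAuth token, enough to correlate rotations."""
    digest = hmac.new(TOKEN_FINGERPRINT_KEY, access_token.encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def _canonical(entry: dict) -> bytes:
    """Deterministic serialisation so the hash is reproducible on verification."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def make_entry(prev_hash, user_id, redacted_prompt, raw_response,
               endpoint, method, status, access_token, decision, ts=None):
    """Build one audit record; `decision` is "auto" or "human"."""
    entry = {
        "ts": (ts or datetime.now(timezone.utc)).isoformat(),
        "user": user_id,
        "prompt": redacted_prompt,       # already redacted, never the raw prompt
        "response": raw_response,        # model output as returned
        "sf_endpoint": endpoint,
        "http_method": method,
        "status": status,
        "token_fp": token_fingerprint(access_token),
        "decision": decision,
        "prev": prev_hash,               # None for the first entry in a chain
    }
    entry["hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
    return entry


def verify_chain(entries):
    """Recompute every hash and link. Return the index of the first broken
    entry, or -1 when the chain is intact."""
    prev = None
    for index, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        recomputed = hashlib.sha256(_canonical(body)).hexdigest()
        if entry.get("prev") != prev or recomputed != entry.get("hash"):
            return index
        prev = entry["hash"]
    return -1


if __name__ == "__main__":
    first = make_entry(None, "user-42", "look up {NAME_1}", "Found 1 contact",
                       "/services/data/v58.0/query", "GET", 200, "token-A", "auto")
    second = make_entry(first["hash"], "user-42", "create task for {NAME_1}",
                        "Task proposed", "/services/data/v58.0/sobjects/Task",
                        "POST", 201, "token-A", "human")
    print(json.dumps([first, second], indent=2))
    print("chain ok:", verify_chain([first, second]) == -1)
```

Append each entry to the write-once store as it is produced; the chain check is then a cheap periodic job that also catches a silently truncated log, which Object Lock alone does not surface.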
How to rotate credentials and revoke access quickly
Implement a scheduled job that:
- Requests a new access token using the refresh token.
- Updates the secret manager entry.
- Invalidates the previous token via the Salesforce Connected App UI.
If suspicious activity is detected (e.g., unexpected write calls), revoke the token immediately from the Connected App page and rotate the client secret.
Monitoring and ongoing maintenance
Set up weekly reviews that check:
- Log anomalies: spikes in write calls, failed authentication, or repeated prompt‑injection attempts.
- Token expiration dates and rotation status.
- Changes in Salesforce object schemas that might affect field mappings.
- Model updates from the LLM provider that could alter prompt handling.
Document any findings in a shared security runbook and adjust the proxy rules accordingly.
When to involve a human reviewer
Any operation that modifies data—creating tasks, updating opportunity stages, or adding notes—should trigger a confirmation UI. The UI can display the redacted model output and ask the user to approve or edit before the proxy forwards the request to Salesforce.
Putting it all together
Below is a high‑level diagram of the secure integration:
User → Web UI (prompt) → Proxy (sanitize, log) → OpenAI Function Call → Proxy (map to Salesforce API) → Salesforce → Proxy (log, filter) → UI (response) → User
By keeping secrets on the server, enforcing least‑privilege scopes, and adding human checkpoints, a small business can reap the productivity benefits of an AI assistant without exposing sensitive CRM data.
Need a practical AI security review?
AISecAll reviews prompts, tool permissions, document flows, and agent behavior so small teams can use AI without guessing where the risk sits.