Generative AI Security: Preparing for Salesforce Einstein Copilot

This article was written in collaboration with Mike Smith, Distinguished Security Architect at Salesforce. It covers how Salesforce Einstein Copilot’s security model works and the risks you must mitigate to ensure a safe and secure rollout.
Last updated April 9, 2024

Salesforce is officially rolling out Einstein Copilot to eagerly awaiting customers. This new conversational AI assistant will revolutionize how sales, marketing, and customer service agents interact with customers and access internal documentation within the CRM tool.

Einstein Copilot can understand natural language queries to answer questions, provide insights, and perform tasks across Salesforce to help streamline daily processes and increase productivity.

The new AI will bring great leaps in productivity and streamline processes, but it will also come with risks that you must take the necessary steps to mitigate.

Salesforce Einstein Copilot use cases

Some of the key use cases for Einstein Copilot are:

  • Helping sales reps find leads, create opportunities, update records, schedule and summarize meetings
  • Enabling service agents to resolve cases faster, quickly access knowledge articles, and escalate issues
  • Assisting marketers in creating campaigns, writing emails, segmenting audiences, and analyzing results
  • Helping merchants optimize their online stores, create new Salesforce sites, manage inventory, process orders, and more
  • Providing users with the ability to analyze their data, create reports and dashboards, and discover trends and patterns

And all of this can be done with a simple prompt from the user in plain language. 

How Salesforce Einstein Copilot works

Below is a simple overview of how Einstein Copilot processes prompts:

  • A user inputs a prompt within Salesforce Marketing, Sales, or Service Cloud
  • Einstein Copilot ingests the prompt, runs a similarity search, and identifies relevant context against the connected data sources
  • The prompt to the large language model (LLM) and response are processed through the Einstein Trust Layer
  • Einstein Copilot generates an answer within Salesforce

Figure: Einstein Copilot processing model (retrieval-augmented generation with Salesforce). (Source)

The Einstein Trust Layer

Salesforce is committed to securing the data that customers process through Einstein Copilot. To do this, they have developed the Einstein Trust Layer.

Customer data flowing through Einstein Copilot is encrypted within the Trust Layer, and none of that data is retained on the backend. Any sensitive data like PII, PCI, and PHI is also masked.

The Einstein Trust Layer will also attempt to reduce the amount of biased, toxic, and unethical responses through its toxic language detection capabilities, reducing the burden on the end user.

Salesforce has stated it will not use customer data to train the LLMs behind Einstein Copilot, and it will not be sold to third parties.

Figure: The Einstein Trust Layer ensures your data is safe. (Source)

Protecting your Salesforce data — a shared responsibility

One of the key components of Salesforce security is its shared responsibility model. The shared responsibility model defines the roles and responsibilities of Salesforce and its customers regarding the secure use of data, AI, and the overall platform.

In this model, Salesforce is responsible for securing the infrastructure, platform, and services that enable AI (as shown by the Einstein Trust Layer) and the secure processing of customer data through Einstein Copilot.

At the same time, customers are responsible for securing the applications and configurations that connect to the AI, including:

  • Permissions – Einstein Copilot will surface all organizational data that an individual user can access
  • Data – Einstein Copilot relies on up-to-date data to provide high-quality and accurate results
  • Usage – Customers must ensure Einstein Copilot is used properly and responsibly

This ensures both parties work together to form the highest level of security and trust.

Figure: The shared responsibility model between customers and cloud service providers (CSP) like Salesforce. (Source)

Best practices to prepare your Salesforce Orgs for Einstein Copilot

Lock down permissions to sensitive data. 

Einstein Copilot inherits the access and permissions of the Salesforce user, so it’s imperative to mitigate risk by locking down critical data, ensuring that each user (and thereby Einstein Copilot) can only access what they need to do their job.

To understand each user’s permissions, you’ll need to parse their:

  • Profile
  • Permission Sets
  • Permission Set Groups
  • Role/hierarchy
  • Muted permissions

However, Salesforce permissions are highly complex and require significant effort to analyze and understand — especially considering a large enterprise can have up to 1,000 Permission Sets with dozens of permissions in each one.

On top of that, security teams must rely on Salesforce teams to help them complete this process, and because Salesforce admins have their plates full with keeping the business running, completing this process can be overwhelming.
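To illustrate why the pieces listed above have to be evaluated together, here is an added example (not Varonis or Salesforce code) that resolves a user's effective object permissions from a profile, directly assigned permission sets, and permission set groups with muted permissions. All names and data are constructed and hypothetical; role hierarchy and record-level sharing are not modelled. It relies on the fact that a muted permission is removed only inside its own group, so the same permission can still reach the user through another path.

```python
# Added illustration on constructed data; not an export from a real org.
from dataclasses import dataclass, field

# A permission is an (object, access) pair. All names below are hypothetical.
PROFILES = {"Standard Sales": {("Account", "Read"), ("Opportunity", "Edit")}}
PERMISSION_SETS = {
    "Case Handling": {("Case", "Read"), ("Case", "Edit")},
    "Finance Reports": {("Invoice__c", "Read"), ("Invoice__c", "ViewAll")},
    "Legacy Export": {("Invoice__c", "ViewAll")},
}

@dataclass
class PermissionSetGroup:
    members: list                              # permission set names
    muted: set = field(default_factory=set)    # muted inside this group only

GROUPS = {"Service Agent": PermissionSetGroup(
    members=["Case Handling", "Finance Reports"],
    muted={("Invoice__c", "ViewAll")})}

ALICE = {"profile": "Standard Sales", "permission_sets": [], "groups": ["Service Agent"]}
BOB = {"profile": "Standard Sales", "permission_sets": ["Legacy Export"],
       "groups": ["Service Agent"]}

def group_permissions(group):
    """Union of the group's permission sets, minus what the group mutes."""
    granted = set().union(*(PERMISSION_SETS[name] for name in group.members))
    return granted - group.muted

def effective_permissions(user):
    """Map every permission the user holds to the sources that grant it."""
    sources = {}
    def add(perms, label):
        for perm in perms:
            sources.setdefault(perm, []).append(label)
    add(PROFILES[user["profile"]], "profile:" + user["profile"])
    for name in user["permission_sets"]:
        add(PERMISSION_SETS[name], "permset:" + name)
    for name in user["groups"]:
        add(group_permissions(GROUPS[name]), "group:" + name)
    return sources

def exposure(user, sensitive_objects):
    """Permissions on sensitive objects, with the grant path to remediate."""
    return {perm: src for perm, src in effective_permissions(user).items()
            if perm[0] in sensitive_objects}

if __name__ == "__main__":
    for label, user in (("alice", ALICE), ("bob", BOB)):
        print(label, exposure(user, {"Invoice__c"}))
```

Both users belong to the same group, yet only the second keeps broad invoice visibility, and the recorded source shows which assignment to remove.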

Update and purge old internal data and documentation.

Einstein Copilot relies on your internal documentation and data to ground generative AI prompts with helpful context and provide accurate and relevant information.

As Salesforce says, “Good AI starts with great data.”

Einstein Copilot pulls data from the Salesforce Data Cloud, which unifies multiple data sources, including your Salesforce environment and cloud storage (like AWS and Snowflake).

Data is the source of truth for generative AI, and to ensure the best Einstein Copilot experience and reduce the risk of hallucination, your data needs to be:

  • Secure
  • Available
  • Clean
  • Timely

Along with ensuring your permissions are locked down and correct, you should also perform an initial record and documentation review across the data stores Einstein Copilot pulls from and update or purge out-of-date, stale, and inaccurate information.

Then, you can set up a regular review process to keep your internal documentation clean and up to date. 

Figure: How Einstein Copilot uses your data to build gen AI experiences in Salesforce. (Source)

Identify sensitive data that AI shouldn't access.

There is bound to be data in your environment that you don’t want Einstein Copilot to be trained on or surface answers from; with Salesforce, you can create zones that section off data you don’t want Einstein Copilot to access. However, it is up to the customer to determine what that data is and where it lives. 

Ensure proper use.

Many departments — from support to marketing — will use Einstein Copilot to generate customer and public-facing content. However, as we mentioned previously, the quality and accuracy of AI output often rely on the quality of the input. 

Salesforce's Prompt Builder ensures your users are generating proper responses from the AI. This feature enables admins to set up guard rails for specific processes within the workflow (for example, customer support responses) to ensure appropriate, on-topic, and quality AI output.

The Prompt Builder will provide the user with a template to feed into Einstein Copilot, dynamically grounding the prompt with information like customer names, accounts, context, and relevant articles that may further help the AI’s response.

Create prompt guardrails through the Einstein Trust Layer (Source).

This will also help you safeguard against prompt injection attacks, in which a malicious actor tries to provide instructions that trick the model into giving a response it shouldn’t. 

Prepare your Salesforce Orgs for Einstein Copilot with Varonis

Before you start your AI journey with Einstein Copilot, it is essential you understand your Salesforce security posture and ensure that your data is prepared for a safe and smooth rollout.

The Varonis Data Security Platform helps organizations gain an overview of their Salesforce security posture by:

  • Greatly simplifying permissions analysis
  • Automatically discovering and classifying sensitive data
  • Surfacing stale data
  • Identifying critical misconfiguration
  • Managing third-party app risk
  • Continuously monitoring sensitive data activity and detecting risky behavior
  • Integrating with and enhancing Salesforce Shield

Try Varonis for free.

Varonis can help your organization prepare for a safe and smooth Einstein Copilot rollout. 

Request a demo today and get started with a complimentary Salesforce risk assessment. Getting started is free and easy, and the results are yours to keep.
