Agentforce + Claude: How to Build AI Agents You Can Trust

From the Agentforce World Tour Milan stage: the Salesforce Trust Layer, agents outside the perimeter, and what the AI Act and Law 132/2025 require.

Gaetano Castaldo
11 Jun 2026
salesforce ai #agentforce #claude #salesforce #trust layer #AI agents #AI Act #law 132 #MCP #compliance
Gaetano Castaldo on the Agentforce World Tour Milan stage during the talk Agentforce + Claude: Building Agents You Can Trust

A Talk on the Agentforce World Tour Milan Stage

Today, June 11th 2026, I had the privilege of taking the stage at the Agentforce World Tour Milan, at MiCo, with a talk titled "Agentforce + Claude: Building Agents You Can Trust". With me on stage was Armando De Lucia, ICT lawyer and LegalTech Manager at Studio Legale De Lucia, because the topic demanded it: building trustworthy AI agents is a matter of architecture and regulation together.

After the session, many people asked me for the slides. I promised something better: instead of a PDF to scroll through, here you'll find all the contents of the talk properly explained, with infographics to follow the thread. Consider it the extended edition of the presentation.

Why Trust Is the Real Problem with AI Agents

The starting point of the talk fits in one sentence: an agent is worth as much as the trust you place in what it does with your data.

You can build the most powerful agent in the world, but if you don't know what it does with your customers' data, where it sends it and who can prove it afterwards, you will never put it in front of a critical process. And rightly so. That's why trust is not a brochure slogan: it is an architecture requirement, to be designed the same way you design scalability or security.

How the Salesforce Trust Layer Works

Inside the Salesforce perimeter, every request to an Agentforce agent travels a precise five-step path:

  1. Request: the user or a system queries the agent.
  2. Grounding: the agent retrieves the Salesforce data relevant to the context.
  3. Trust Layer: the filter that protects the prompt before it reaches the model.
  4. Model: the LLM (Claude, in this case) processes the protected prompt.
  5. Filtered response: the output goes back to the user, verified and audited.

The Trust Layer is the heart of the mechanism and guarantees three things:

  • Dynamic grounding: responses are enriched with the relevant Salesforce data, securely and in context.
  • Data masking and zero retention: PII is masked before reaching the model, and data is neither retained nor used for training. This is a contractual guarantee with the LLM providers.
  • Toxicity detection and audit trail: responses are filtered for harmful content and every interaction is tracked and verifiable.

What Happens When the Agent Leaves the Perimeter

Here comes the part that is often underestimated. When Claude is invoked outside Agentforce, via CLI, custom MCP servers or direct APIs, the flow looks identical but the central piece is missing: the Trust Layer does not step in.

The Salesforce Trust Layer flow inside the Agentforce perimeter and the flow without Trust Layer outside the perimeter, with guarantees and risks compared
Same agent, two different flows: inside Agentforce the Trust Layer protects every request, outside the guarantees must be built.

The power of the model is the same, but the guarantees are now yours to implement. The concrete risks are three:

  • Access control: data leaves according to the permissions of the identity in use. If you don't restrict them with field-level security and dedicated permission sets, the agent sees everything that identity can see.
  • Contractual guarantees: no zero retention, no audit trail. You cannot ensure the data is not retained or used for training, nor prove afterwards what was processed.
  • Third parties and accountability: with a third-party agent, data reaches an external party. An agent that invokes tools autonomously can forward that data to endpoints and data centers potentially outside the EU, without approval and without a trace.

One point I made sure to stress during the talk: even inside the perimeter you are not "compliant by design". The Trust Layer provides the baseline protections, but they must be configured and verified with a case-by-case analysis. The architecture does not make you compliant: it makes the path much simpler and provable. Outside the perimeter, staying compliant is possible, but some products must be ruled out upfront because they do not offer the necessary guarantees.
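To make "the guarantees are now yours to implement" concrete, here is an added example (not shown in the talk, and not a reproduction of how the Trust Layer works internally) of a pre-model guard for a direct API call: it masks PII, appends a hash-chained audit record, sends only the masked prompt and restores the values in the answer. The regex patterns, the `guarded_call` name and the sample prompt are assumptions made for the illustration.

```python
import hashlib
import json
import re

# Constructed patterns for illustration; production PII detection needs more than regexes.
PII_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "CF": re.compile(r"\b[A-Z]{6}\d{2}[A-Z]\d{2}[A-Z]\d{3}[A-Z]\b"),  # Italian fiscal code
    "PHONE": re.compile(r"\+?\d[\d ]{7,}\d"),
}

def mask(text):
    """Swap PII for placeholders; the token-to-value mapping never leaves this process."""
    mapping = {}
    def token_for(label, value):
        for token, seen in mapping.items():
            if seen == value:
                return token  # same value, same placeholder
        token = f"<{label}_{len(mapping) + 1}>"
        mapping[token] = value
        return token
    for label, pattern in PII_PATTERNS.items():
        text = pattern.sub(lambda m, lab=label: token_for(lab, m.group(0)), text)
    return text, mapping

def unmask(text, mapping):
    """Restore the original values in the model's answer before it returns to the user."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text

def audit_entry(log, actor, masked_prompt, mapping):
    """Append a hash-chained record: who sent what, and which PII types were masked."""
    entry = {
        "prev": log[-1]["hash"] if log else "0" * 64,
        "actor": actor,
        "prompt_sha256": hashlib.sha256(masked_prompt.encode()).hexdigest(),
        "masked_types": sorted({t[1:t.rindex("_")] for t in mapping}),
    }
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    log.append(entry)

def guarded_call(prompt, actor, model, log):
    """Mask, record, call the model with the masked prompt only, then unmask the answer."""
    masked, mapping = mask(prompt)
    audit_entry(log, actor, masked, mapping)
    return unmask(model(masked), mapping)

# Constructed sample input.
SAMPLE_PROMPT = "Customer mario.rossi@example.com (CF RSSMRA85T10A562S, tel +39 333 1234567) asks for a refund."
```

The `model` argument is any callable that takes the masked prompt and returns text. Masking and logging on your side do not replace the contractual retention terms, which still have to come from the provider.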

How to Connect an External Agent to Salesforce Safely

The real-world scenario in companies is hybrid: the agent does not always live inside Salesforce. It is often an external agent, Claude or others, that needs to read and write Salesforce data to complete a task. Exposing the whole platform to that agent means widening the risk surface and losing control over what gets called and how. Even a Sandbox data refresh is a potential data breach scenario to protect against.

The answer is governing the data exit, with four concrete options:

  1. Governing the exit towards the agent: expose your systems as MCP servers governed through Omni Gateway, with MCP Bridge. A single control point between Salesforce and the agent.
  2. Custom endpoints: same result by building your own endpoints, exposing only the operations you need.
  3. Least privilege: dedicated integration user and permission sets for the agent, with field-level security excluding unnecessary PII fields.
  4. Risk assessment: analysis of the actual data breach risk and, where needed, dedicated agent profiles.

The four options to let an external AI agent interact with Salesforce safely: governed MCP via Omni Gateway, custom endpoints, least privilege, risk assessment
Four governance options to leave the Salesforce perimeter safely.

The principle is one: the agent does not walk into Salesforce and take what it wants. Salesforce decides what leaves, towards whom and with which permissions.
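Options 2 and 3 combined, as an added example that is not code from the talk or from Salesforce: a deny-by-default exit gate that only runs named operations and only returns allowlisted fields, recording every decision. The agent name, operation names, policy shape and in-memory records are assumptions; in a real org the same restriction is also enforced by the integration user's permission sets and field-level security.

```python
# Hypothetical policy: agent identity -> operation -> object and fields that may leave.
EXIT_POLICY = {
    "claude-support-agent": {
        "get_case": {"object": "Case", "fields": {"CaseNumber", "Status", "Subject"}},
        "get_contact": {"object": "Contact", "fields": {"FirstName", "AccountId"}},
    },
}

# Constructed records standing in for Salesforce data.
RECORDS = {
    ("Case", "500A"): {"CaseNumber": "00001042", "Status": "Open", "Subject": "Refund",
                       "SuppliedEmail": "mario.rossi@example.com"},
    ("Contact", "003B"): {"FirstName": "Mario", "AccountId": "001C",
                          "Email": "mario.rossi@example.com", "Birthdate": "1985-12-10"},
}

class Denied(Exception):
    """Raised when a request falls outside the exit policy."""

def handle(agent, operation, record_id, requested_fields, audit):
    """Deny by default: an unknown agent, operation or field never reaches the data."""
    rule = EXIT_POLICY.get(agent, {}).get(operation)
    refused = sorted(set(requested_fields) - rule["fields"]) if rule else []
    decision = "allow" if rule and not refused else "deny"
    # Record the decision before touching any data, so denials leave a trace too.
    audit.append({"agent": agent, "operation": operation, "record": record_id,
                  "decision": decision, "refused_fields": refused})
    if decision == "deny":
        raise Denied(f"{agent}: {operation} refused (fields: {refused or 'n/a'})")
    record = RECORDS.get((rule["object"], record_id))
    if record is None:
        raise Denied(f"{agent}: {operation} refused (no such record)")
    # Return only what was asked for and allowed, never the whole record.
    return {field: record[field] for field in requested_fields}
```

A request that asks for one field too many is refused as a whole rather than silently trimmed, so over-reaching requests show up in the audit list.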

What the AI Act Requires from AI Agent Builders

In the second part of the talk the floor went to Armando De Lucia, because the choice of the system architecture is itself a compliance choice. The legal side is the bridge between technology and people.

The AI Act (EU Regulation 2024/1689) places the protection of people's fundamental rights on whoever develops the system, with obligations that grow with the risk level. The LegalTech best practice is clear: risk assessment before delivery and compliance by design and by default. People's rights and freedoms must be assessed in the analysis and design phase, not afterwards.

What statistically happens in companies? The exact opposite: kick-off, design, delivery, go-live, and only then someone wonders whether everything is compliant. That is after-the-fact compliance, and the bill is steep: partial redesign, unplanned additional delivery, project economics taking the hit and, in the worst cases, a product positioning problem.

AI Act: compliance by design versus after-the-fact compliance in the delivery process, with penalties up to 7% of turnover and the team you need: project manager, AI engineer, legaltech engineer
Compliance by design versus after-the-fact compliance, AI Act penalties and the team you need.

How Much a Mistake Costs: the Penalties

AI Act penalties scale with the severity of the violation:

  • Most serious: up to EUR 35 million or, for companies, up to 7% of total worldwide annual turnover of the preceding financial year.
  • Medium: up to EUR 15 million or up to 3% of worldwide annual turnover.
  • Minor: warnings and non-monetary measures.

For an SME, even the middle tier can be fatal. We covered this in detail in our article on the AI Act for Italian companies.

Italian Law 132/2025: the Extra Rules for Building for Italy

If you build for the Italian market there is one more regulatory layer. Law 132/2025 requires that the use of AI systems guarantees lawful, fair and transparent processing of personal data, compatible with the purposes for which it was collected and compliant with EU law on data and privacy. It then adds specific principles for sensitive domains: healthcare, labour, intellectual professions, public administration, justice, copyright.

Which Team You Need to Build Compliant Agents

The operational consequence of all this is that the team changes. The classic trio, project manager, business analyst and developer, is no longer enough. The team you need today pairs the project manager with an AI Engineer and a LegalTech Engineer.

Bringing a legal tech professional into the project is not a cost: it is compliance by design. It is the difference between making the right choices at analysis time and chasing compliance after go-live. We wrote a dedicated guide on the role: who the legal tech analyst is and what they do.

Trust Is Designed and Verified

The closing message of the talk works as a summary of everything. Agentforce and Claude together enable powerful agents, but trust is designed at the architecture level and verified at the regulation level. Building your agent safely is not optional: it is an architecture and regulatory requirement at the same time. It is the same principle we apply outside the Salesforce world too, as we described in our piece on compliance by design.

If you are considering an AI agent project on your data, inside Salesforce or outside, let's start from the assessment: request the free Pre-Assessment and let's find out together where the risks are and where it pays to start.

Gaetano Castaldo

Founder & CEO · Castaldo Solutions

I am a digital transformation consultant with enterprise experience. I help Italian SMEs adopt AI, CRM and IT architectures with measurable results in 90 days.
