Las Vegas 2025

Navigating and Securing the Agentic Enterprise

A successful AI strategy combines existing capabilities and tailored technology to reimagine your business processes. This requires agent orchestration, robust security, and data governance, which can be challenging in SaaS application environments that are advancing Agentic AI. Security streamlines the development and deployment of Artificial Intelligence (AI), protecting enterprises from increasingly sophisticated attacks. Failing to meet evolving cybersecurity requirements can lead to significant business disruption, financial penalties, and reputational harm. This session explores the essential steps to ensure that AI Agents have access to the data they need, don’t have access to data they shouldn’t, and perform optimally. These considerations extend to development and test environments, which are often more exposed and used by third-party contractors. The fastest path to success is secure-by-design AI agents, with security embedded from day zero, in the early planning phase, and throughout the DevSecOps lifecycle. These techniques help organizations innovate more efficiently and effectively, freeing up resources to drive AI innovation and revenue growth.

Full transcript

The complete talk, organized by section.

Tim Lyons

All right. Good morning. Good morning. Thank you for coming. We thought we'd have no one here on the last day of the conference, so appreciate you. I don't know who paid you to come, but thank you.

I'm Tim Lyons, a strategic industry advisor at Salesforce. What that really means is I spent most of my career as a tech executive at companies like Morgan Stanley, Bank of America, Prudential, and Merck. Eoghan and I go back 25 years. Our wives were Fulbright Scholars together, so we call ourselves half-brights because our wives were Fulbrights. There's two of us to come up with the idea.

He joined a company that we were both at called OwnBackup. It was changed to Own Company. Horrible name for a company, Own, but we were acquired by Salesforce last year, and so now we're Salesforce employees.

Eoghan Casey

I came from a cybersecurity background. Most of my career was in digital forensics, incident response, and then the cleanup, the risk remediation afterwards. Tim recruited me into the proactive securing of data in the cloud. I was in the DOD Cyber Crime Center in a senior leadership role and saw all of this data going up into the cloud so quickly that it couldn't be secured in time. All the deadlines for putting data in the cloud advanced before the deadlines for ATOs, the security processes. So we tried to get some security in place in advance.

I feel a little bit like my prior career is catching up with me if you read the newspapers. But we're here today to talk more about how you can build on top of secure platforms and build multi-agent orchestration with security baked in. First, I think, some discussion about how do you choose the right business roles to implement with multi-agent.

Tim Lyons

It was good sitting through some of the sessions this week, learning a little about vibe coding, but also some of the other sessions about how do you make these solutions more successful. How do you think about orchestrating multiple agents on multiple platforms over time? This isn't just about Salesforce. Then Eoghan can go through defense in depth in a multi-agent environment and how do you monitor those systems.

So what are we hearing? We went to the concert last night. We're old-timers. Tears for Fears. Was anyone there? There we go. Shout it all out. Jennifer was there. It was amazing.

I think one of the things that's important is we need to be clear on how we pick successful processes. If you've seen the MIT study on 95% of AI projects failing, that's a 5% success rate. Let's get better than that.

Eoghan Casey

There are multiple platforms. Which one do you use? How do you start? It's pretty complex. We're hearing from many CIOs: how are you different than Microsoft, than Google, than Oracle? There's a lot of complexity and confusion. We were going to talk through an approach to it and also how to accelerate, because if you hit the point where you're not securing before deploying, you're not going to deploy. So where do you start?

Tim Lyons

You probably heard this quite often this week, but clearly business alignment is really important. My gut is a lot of the 95% failures are experimentation, and that's a good thing. But how do you really think about where to start? I think it's really important to think about reinventing work. This is not necessarily a technology discussion or technology approach. Let's think about how you reinvent using agents, how you reinvent using AI. You saw some of those examples in the WEX presentation and a few others. The OpenAI presentation this morning was "smash your process," and it was the T-Mobile CIO quote, I think.

Eoghan Casey

Looking at some of the back-office automation, often, I'm not saying it's always the right answer, but it can yield the largest ROI when you're thinking about where to start. On the partnership side, this is more about reusing. You don't have to necessarily rebuild everything. You have a lot of things in your environments that you can reuse. That includes not just the technology layers that we've been talking about, but your data and the permissions on that data, so the security layer on top of this.

Rather than try to pull data from a place where you've spent a lot of time securing it into an environment where it may not have the same level of security, how do you also bring some of the security that we've been talking about in AI onto the platform? Make sure that you're not losing some of the data security in the transition into AI security. It's a delicate balance, but if you can reuse as much as you have and can, you'll be faster and more secure. Ultimately, I hope, more successful.

Tim Lyons

When you're reinventing or rethinking the business process, it also is an opportunity to think about secure by design.

Eoghan Casey

Exactly. Partnership is a key component here: internal partnership as well as external partnership. We're thinking internal partnership between your security folks. Some people have talked about involving security in from T zero; I call it day zero. But also there's external partnership and vendor relationships. I've been in consulting, I've been in government, and I know it's not always easy. But if you can get people who've been thoughtful about how they've invested in some of the supporting technologies, it will give you a leg up in your innovation.

Tim Lyons

This is a follow-on to focus on a specific business problem. Think big, start small, move quickly. Start with a role in a business that can be reinvented, because in that role there are lots of jobs to be done. Pick maybe one business process that can be identified. Ensure process knowledge is available and curated.

Eoghan Casey

If you're looking at how to best guide an agent or multi-agent environments, you're going to need to have data organized. How that's organized is either a potentially lengthy process of curation, or, as we heard with Tim O'Reilly, potentially you can use AI to help with that. Ultimately, the better organized and potentially structured you have your data, and the instructions, the guardrails, and as much of the framework that is available in the systems that you're using, that will really guide success. It will guide the agents into more accurate and predictable results.

Tim Lyons

As you take that one process, pick other processes in that specific role. The end goal is you're going to try to have a whole role be reinvented through various types of agents, and then manage the components. Then you'll have multiple agents. The goal is think big, start small.

This might be a little complicated, but I wanted to show an example of a role that has a lot of specific jobs to be done. Let's imagine an insurance wholesale broker. Within that role, you might have a book-of-business process, a sales process, a new-business process. All of these are specific jobs to be done, or interactions for that overall role. What we're saying is: pick something, start somewhere, and focus on reinventing all of this by thinking big, starting small.

Ultimately, over time, you'll have the orchestrator agent. I think you heard this yesterday with what they call the AI nanny. Clearly there is a human in the loop. I was going to come up with a hula hoop today, a human in the loop, but I thought that might be too wacky. Over time you have an orchestrator agent, and at the end of the day, you are reinventing an overall role. You have an end goal versus one specific task.

Eoghan Casey

A key point here is this can be across multiple platforms. You can have agents from different environments, but you need to ultimately have an orchestrator that will have the necessary instructions and guardrails and underlying security framework to manage all of them securely. If you just have agent-to-agent communication as you get more complex, it's going to be chaotic and very difficult to secure, difficult to monitor. It's going to be not particularly successful in the sense that you won't have a well-organized process, and potentially room for error, room for misuse, if people can slip in through some of the agents.

You will have agent-to-agent communications in some places strategically where information needs to be passed. But as much as you can control the chaos with some orchestration, with a strong security framework, this will be better in terms of the results and more secure. This is what we're working with in our environments.

Are there any comments at the moment? In terms of folks who have been working, we've heard some examples of success. The WEX example was a nice one. There's been others, but largely on a single platform with agents of the same type. Has anyone been working with multiple agents across multiple platforms?

Q&A

Audience member: Lots of them.

Eoghan Casey: Good answer.

Audience member: I work for IBM.

Eoghan Casey: Oh, okay. You have everything then. One of each.

Eoghan Casey

These challenges are emerging. You will eventually get to the point where you need to be thinking about how to deal with this. I would encourage you, even if you have not heard of Agentforce, if you haven't seen it, at least learn from it. Look into it. There's a lot of great innovation and work that's been put into the fabric, the framework, for securing agent AI and the underlying data connections. There are a lot of no-copy data connections that have security really baked in.

I've been in Salesforce since February, since we were acquired, and I was very impressed. It's a learning opportunity to see how people who've invested a lot in this and are building quickly are doing this. Why is this so important, to bring security in so early and to have it be baked in if you can?

CIOs are pressured now to innovate, to bring AI in for efficiencies, or maybe just because they need an AI checkbox on some board slide. Ultimately, it's here. We've seen the successes that it can bring in development and in business, but their number one concern is security and privacy. They won't really be embracing these solutions and these technologies that we're developing unless we address that number-one fear of maintaining the three pillars of information security: confidentiality, integrity, and availability. Also, in some industries, the compliance piece is becoming more complex. To do that on your own in development environments is risky and very challenging, because you're not subject matter experts in compliance, and I'm not, and I've been doing it for too long.

What are we talking about when we talk about a secure framework to do AI, trusted development, or AI deployment in a trusted environment? We heard a bit about this. I think it was an interesting definition this morning of what is an agent. What I find important to remind people, and I find this in conversations every day that I'm having now with CISOs and InfoSec people: don't forget about the basics. Data security underlies a lot of the great potential that we have here. If we don't have strong data security at the core, we're going to be losing control of our data in the AI. Having a trusted data platform that has AI with a secure, trusted framework built in at the base is something you should never underestimate. And if you can reuse something you have, that's even better.

One thing that I'd like to emphasize is that we're going now at greater speed, and we're going to deal with more data as we're pulling from multiple sources and we get multiple agents. How do we manage that risk in a way that aligns with the business? This has been touched on in some of the conversations yesterday, but it's one of the most challenging things. It takes a lot of different perspectives in an organization to figure out what risk management is going to look like in these environments.

Again, I've been impressed by what Salesforce has done with their Agentforce platforms in terms of governance and compliance work. But you ultimately have to make a decision in your business, with the process that you've chosen, on what levels of risk you can accept and what levels of security go along with that. Security generally brings in some inconvenience. You can't just let things flow freely. With sensitive data, you have to think about masking or encryption depending on the context, and then be prescriptive about the security requirements in the data warehouse.

This gets back to the basics. Make sure that you've thought about the underlying security model before you start pushing data through these complex systems that we've been talking about. Have systems also that can carry forward those permissions, those protections. If you don't have that prescriptive protection going through these systems from bottom to top, something will be exposed. I can guarantee it, and I've seen it already.

I'll be transparent. Carl is one of my colleagues from Own who knows more about Salesforce than anyone that I've met. I was scratching my head and saying, there's an LLM component here that I'm not quite comfortable or sure about. Where is the sensitive data that I'm putting, or that's in the system that's secure at the data layer, when it's going out to the LLM? How do I know that's secure? What's the answer? Does anyone know? You sign a piece of paper, and they're not going to save that information; they're not going to store it. It's like, ooh, that's not going to work for me in a government context or in a highly regulated industry. So you have to start thinking: can you bring an LLM into your trust boundary and start to work with it that way? You need to be making those decisions. Carl answered my question, which was: if you can't answer that question, then you have to have an answer. Put it in your trust boundary.

As we get faster, we have to enhance our ability to monitor. This is something I think we're going to talk more about in the future: how do we use AI to help us monitor AI? Ultimately it raises the importance of having backups. I've seen a number of situations, implementations that are relatively simple, where people are actually processing things so fast they're overriding data that they need. You need ways to back that out. If you're running these systems, sometimes you can't test everything in a sandbox. You have to run certain things in the real world to see what happens. Ultimately, the requirements for security are going to have to be in depth, have to be in layers. All of these are going to lead to success in any individual agent, but definitely you're going to need to think about these things or use these things in a multi-agent environment.

Okay. Tim led into this with security from day zero. The fastest path to success is building security in from the beginning, so you don't get hit with a barrier at the end when you're trying to deploy and the security requirements haven't been met.

Reliable data is key. We've talked a bit about that. Also, make sure that you're protecting it, classifying it — when I say classified, I don't mean the government context; I mean labeling as sensitive and encrypting it when needed — and making sure that, when possible, that is maintained in the agentic exchanges. It's difficult. Sometimes you have to give the agent the data, and sometimes it's going to be in logs. You'll find that the data is in places where you didn't have it before as a result of your development, and so you really have to work hard to make sure that you're on top of that.

I'll say also that DevSecOps in these cloud environments: we can do it. It's something that's a little bit more complicated. We have the technology, so we should be thinking about how do we engage security throughout the development lifecycle, through to deployment and back through even the planning stage. Ultimately, we have to meet all of these regulatory compliance and compliance goals. That's the basics. The layer on top of that is when you add the complexities of an agent, with the need for instructions, guardrails, potential prompt injection attacks, and the ability to control these things. It becomes more complex. If you get too focused on that, you might forget about the basics I just talked about before.

There are ways to manage these things. In Salesforce, what has been done with Agentforce is quite innovative in providing a framework that has all the configurable components you need to make sure you're structuring all of your guardrails, instructions, and topics. It's very thorough and audit-as-you-go. It's auditing everything from prompt to what's being pulled in in terms of data, what instructions it's following, and the full conversation between agent and whatever's prompting it. That's a huge amount of audit data, but we need it.

Again, I think we're going to need AI to help us more. We are developing internally new prompt-injection attack detection mechanisms. But that's, as Steve Wilson pointed out, always changing, and it's going to be an ongoing process. I will say from experience, we're not always going to be successful. There are going to be people who figure out how to get through our protections, or under if they go for data poisoning, or just find a gullible employee, and then you're in.

What we have here in terms of the combinations of things, I wanted to put this in terms of the Salesforce trust layer, not to be too product-focused, but to say it's a great learning opportunity. I've found it very illuminating. We all have to go through it. You have an Agentforce champion here, and you have a legend here. Salesforce has made it a goal that 100% of 75,000 employees are trained up on understanding how this works, so we can talk about it, but also be thoughtful in terms of how, if we're going to find opportunities to use it, we know the risks and know how we can help others be successful.

Tim Lyons

Do you want to say anything about the champion experience?

Eoghan Casey

It was a bit painful becoming an Agentforce champion. I'll just say I'm a champion. I had a couple eggs, like the Rocky movie, and I made it through. It's interesting to see as a culture the team building that comes out of people saying, "I've never had to do something like that before. It was so hard. I failed the first time and I was so determined to succeed the next time." Learning all of the intricacies is not easy. It's a learning opportunity, but you have to do it if you're going to be successful in securing an agent, or even more importantly if you're going to be developing a multi-agent system.

What we typically describe here is you have an existing system. Salesforce has been known for customer relationship management for a long time, and so has a lot of data that is critical to many businesses: healthcare patient scheduling and records, financial services loan processing; we talked about the insurance wholesaler. All that data is very well structured in terms of its metadata, and there's a lot of security in place that I wish more people would use more of. There's a lot of opportunity to secure the data in the environment that it's in. That can propagate through the agent implementation. We have a lot of templates, a lot of structures that allow development of these agents in a much more efficient manner, providing a framework so that you don't forget something. It's built into the system, and there are checks along the way. You have the ability to take some of the data from those trusted business sources and reuse them in the process.

This goes back to Tim's point of reuse: try not to reinvent, try not to copy data from one place to another. If you can keep it where it is secured, try to take advantage. Reuse the good security that has been in place in the organization with that data in the past, and don't break it.

Then you ultimately get some prompt-injection detection, which we continuously have a dedicated group working on. I'm impressed by what they do. I'm not entirely sure I understand all of it, but they're working hard to keep up. Ultimately, looking for toxicity is something in the audit side of things. We're starting to have this bubble up in the observability layer, where there's now an observability plane within the Agentforce systems. It's all built on a very robust inference engine, what we call the Atlas Reasoning Engine, and also the Einstein Trust Layer, which has a lot of this baked in so you don't have to build it all.

Be very thoughtful as you go through the process of giving data to an LLM. If you have a zero-copy agreement and you're happy with that, that's one thing. If you can't do that, put it inside the trust boundary. Ultimately, if you can have a system that already has that in place and all the governance in place, you can focus on your project and your innovation, and the audit will be automatic and ultimately exposed.

Tim Lyons and Eoghan Casey

I think that's pretty much it.

Tim: I just realized, you're really good with your hands when you're presenting.

Eoghan: It's my European cultural background.

Tim: We wanted to come and give you a little bit of a strategy, but also encourage you not to think of security as too complex or too difficult to build in. There are some things that exist out there today, but if you can learn from what people are doing, like the Agentforce systems, of how to make those secure frameworks more usable for development, that will build security in as you go throughout the development lifecycle, increase your chance of success, reduce your risk, and ultimately come back to the business need, which is find that process that's going to give you the biggest ROI and incrementally start small.

Eoghan: Think big.

Tim: We're happy to answer questions if you have specifics. Talk later also about any of this. I'm curious: how many people before walking into this room had heard of Salesforce as a data company? An AI company? Oh, that was more than yesterday. It's transforming. Maybe it's the Matthew McConaughey Super Bowl ads.

Thank you all for your attention, and thank you.