AI agents today are gaining access to the most sensitive systems an organization owns with almost no guardrails.
What could possibly go wrong?

This talk presents original security research into a critical prompt injection vulnerability discovered in Salesforce Agentforce, where a single unauthenticated lead form submission was sufficient to exfiltrate large volumes of CRM data—without exploiting infrastructure, credentials, or traditional software flaws.

The attack chain is deceptively simple.

Untrusted lead form input is concatenated directly into an agent's prompt context, without instruction isolation. When an internal employee later asks the agent to "review" the lead, attacker-supplied instructions are executed as first-class goals. The agent queries additional CRM records and sends them externally using built-in email tools, bypassing approval, validation, and detection controls.

Through a step-by-step walk-through of the exploit flow, this session shows how a public-facing business form becomes a reliable data-exfiltration primitive once it is routed through an autonomous agent. The vulnerability requires no authentication, no special permissions, and no technical exploitation beyond understanding how agent prompts are constructed and executed.

The session closes with concrete architectural lessons for building and deploying enterprise agents safely, focusing on instruction isolation, tool-use constraints, approval boundaries, and auditability. These are not Salesforce-specific mistakes, but systemic failure modes emerging across real-world agentic systems now being deployed across enterprises and corporations in production.