In 2016, most enterprises treated Salesforce security as the vendor's problem. The platform was a CRM, the consequences of a governance failure were contained, and the conversation rarely reached the CIO. That model worked until it didn't.

In 2026, Salesforce is the system of record for revenue, service, partner ecosystems, and regulated data flows across financial services, healthcare, manufacturing, and government. Autonomous agents now execute business workflows inside it at machine speed. And in 2025, a single coordinated campaign by organized threat actors hit more than 700 organizations - not by breaching Salesforce, but by exploiting the gaps the customer is responsible for closing. Jaguar Land Rover. Marks and Spencer. Co-op. Allianz Life. TransUnion. None were Salesforce platform failures. All were customer-side governance failures.

This white paper traces how that happened. It contrasts the security posture of 2016 with the operating discipline 2026 demands, examines the structural gaps that made the 2025 attacks possible, and lays out what a defensible governance model looks like for enterprises running Salesforce as Tier 1 infrastructure - including the new dimension that Agentforce introduces. It is written for the CIOs and Enterprise Architects who now own the consequence.

Read More