← Back to AI & Future
AI-004 AI & Future 25 min read For: Solution Architects

Agentforce Architecture: The Technical Foundation of Autonomous Agents

Agentforce is not a feature — it is a runtime. Understanding how Topics, Actions, and the Atlas reasoning engine work together is the prerequisite for designing agents that are both capable and safe.

VS

Vishal Sharma

Salesforce AI & Platform Specialist · Updated May 2026

What you will learn in this tutorial
  • The core architectural components of Agentforce: Topics, Actions, and the reasoning loop
  • How the Atlas reasoning engine decides what to do next at each step
  • How Agentforce connects to Salesforce data, external systems, and automation
  • The security and guardrails model that governs what agents can and cannot do
  • Capacity constraints and what they mean for agent design at scale
  • The architectural decisions that separate well-designed agents from fragile ones

The Shift from Reactive to Autonomous Execution

Every prior Salesforce AI feature — Einstein Lead Scoring, Next Best Action, Einstein Bots — follows the same pattern: the platform computes a recommendation, a human or a workflow acts on it. The intelligence and the execution are separated. Agentforce collapses that separation. An agent receives a goal, reasons about how to achieve it, selects tools to call, calls them, evaluates the result, and continues — all within a single conversation turn or across multiple turns — without requiring a human to approve each step.

This is what the industry means by "agentic": the AI is not advising; it is acting. For architects, the implication is significant. Every decision you make about what an agent can access, what actions it can invoke, and under what circumstances it should escalate to a human has direct operational consequences. A misconfigured flow invoked by a human is caught before it does damage. A misconfigured action invoked by an agent at scale is not.

🔑
Agentforce is an execution runtime, not a chatbot: The correct mental model is not "a smarter bot" — it is "an autonomous process that uses language as its interface." That distinction changes how you think about permissions, error handling, capacity, and governance. Design agents as you would design automated processes, not conversational experiences.

Topics, Actions, and the Instruction Layer

An Agentforce agent is defined by three things: its system prompt (the role and behavioural instructions), its Topics, and its Actions. Topics are logical groupings of intent — they tell the agent which domains it is responsible for and how it should approach requests that fall within those domains. Actions are the discrete operations the agent can invoke: Apex methods, flows, external API calls, or prompt templates.

When a user (or system) sends a message, Atlas — Agentforce's reasoning engine — classifies the request against the agent's Topics. If the message matches a Topic, Atlas identifies the relevant Actions available within that Topic, determines which action to invoke based on the instructions and the current conversation context, calls it, and then evaluates whether the result satisfies the goal or whether additional steps are needed.

Topics are not routing rules: A common design mistake is treating Topics as static intent classifiers — the same role that utterances played in Einstein Bots. Topics in Agentforce are more open-ended. They describe the scope of what the agent handles and the approach it should take, rather than mapping specific phrases to specific outcomes. This flexibility is powerful but also the source of most non-determinism: the agent's behaviour within a Topic is shaped by the LLM's interpretation of the instructions, not by a deterministic decision tree.

💡
Actions are the binding constraint on agent capability: An agent can only do what its Actions allow. The quality of your Action library — how well-defined the inputs and outputs are, how granular versus coarse the operations are — determines whether the agent can complete complex multi-step tasks reliably. Poorly defined Actions with vague input schemas produce unpredictable agent behaviour even with excellent reasoning.

The Atlas Reasoning Engine

Atlas is the Salesforce-hosted reasoning layer that sits between the LLM and the platform. It is responsible for the reasoning loop: receiving the user's input, determining what action to take, executing it, evaluating the result, and deciding whether the goal is achieved or further steps are needed. Atlas is not a single LLM call — each turn in an agentic conversation may involve multiple LLM invocations: one to classify intent, one to plan the next action, one to formulate a response.

The reasoning loop in Agentforce follows what Salesforce calls a "plan-act-observe" cycle. Atlas plans what to do based on the current goal and available Actions. It acts by invoking the chosen Action. It observes the result and updates its understanding of the current state. It then repeats the cycle until it determines the goal is complete, it cannot proceed (escalation), or it hits a configured limit.

Grounding is applied at the Atlas layer: Before Atlas passes context to the LLM, it retrieves relevant data from the org — CRM records, Einstein Search results, Data Cloud unified profiles — and injects them into the prompt. This is the grounding mechanism. The LLM never has direct access to Salesforce data; it only sees what Atlas retrieves and includes in the prompt. This is also how the Trust Layer enforces data access: Atlas applies the running user's sharing rules and field-level security when retrieving records to include in the grounding context.

How Agentforce Connects to Data and Systems

Agentforce Actions can invoke three types of operations: Flows (Screen Flows or Autolaunched Flows), Apex (invocable methods), and external API calls via named credentials. Each type has different implications for what the agent can do, how it is governed, and what can go wrong.

Flows are the primary recommended mechanism for Actions because they are declarative, auditable, and can be changed without a deployment. An agent that updates a case status, creates a task, or sends a notification via a Flow benefits from all of Salesforce's built-in record-level security and field-level security enforcement. The Flow runs in the context of the named credential or the running user, depending on how the Action is configured.

Apex invocable methods are appropriate when the logic is too complex for a Flow or requires performance optimisations that declarative tools cannot achieve. The tradeoff is that Apex bypasses some of the guardrails that Flows enforce by default. Any Apex method exposed as an agent Action needs explicit security review — it is running at the agent's instruction, not a human's explicit trigger.

External API calls expand the agent's reach beyond Salesforce but introduce a different risk surface: the agent can send data externally. Named credential governance, outbound firewall rules, and explicit data classification of what the agent is permitted to transmit are not optional if agents can invoke external APIs.

⚠️
Agent Actions run with real permissions: An agent runs as the user who initiated the session, which means it operates with that user's data access. If a sales rep triggers an agent and the agent can invoke an Action that modifies records, it modifies records as that rep. If the agent can query sensitive objects, it reads sensitive objects. There is no automatic privilege reduction — what the user can do, the agent can do. Scope Actions to the minimum permission set necessary.

Security Model and Guardrails

Agentforce's security architecture operates at multiple layers. The Trust Layer is the brand name for Salesforce's suite of guardrails: it includes the data masking that prevents sensitive data from being sent to the LLM, the toxicity filters that block harmful outputs, and the audit logging that records what the agent did and why.

At the platform level, the Einstein Trust Layer intercepts every prompt before it is sent to the LLM and applies two operations: data de-identification (masking field values that are classified as PII based on org-level classification settings) and content policy enforcement. The LLM receives a version of the prompt where sensitive values have been replaced with tokens. The response is re-hydrated with the original values before being returned to the agent. This means the LLM never processes the actual sensitive data — only a token representation of it.

At the agent level, guardrails are configured in the agent's system prompt and via Topic-level instructions. You can specify that an agent should never take actions above a certain risk threshold without human confirmation, that it should decline requests outside its defined Topics, and that it should escalate to a human agent in specific scenarios. These are instructions to the LLM — they are effective for most cases but are not cryptographically enforced. A sufficiently clever adversarial prompt can sometimes bypass LLM-level instructions. For high-risk operations, the guardrail needs to exist at the Action level, not just in the instructions.

Capacity, Limits, and Design Constraints

Agentforce is metered. Every agent conversation consumes Einstein Conversation credits, and each Action invocation within a turn consumes additional capacity. For architects designing agents intended to run at volume — high-traffic customer service channels, fully automated back-office processes — understanding the credit consumption model is not optional; it directly affects the business case and the architecture.

Conversation turns are limited within a single session, and the reasoning loop has a maximum number of iterations per turn. These limits are intended to prevent runaway agents that loop indefinitely, but they also constrain the complexity of tasks an agent can complete in a single turn. Complex multi-step processes may need to be broken across multiple sessions, which introduces state persistence requirements. Agentforce does not natively persist intermediate state between sessions — if a multi-turn workflow is interrupted, you need an external state store (a custom object or a Platform Event queue) to resume correctly.

The LLM context window is another hard constraint. As the conversation history grows, Atlas must decide what context to retain and what to truncate. Very long agent sessions where the agent has invoked many Actions and accumulated substantial conversation history will begin to lose earlier context, which can cause the agent to repeat steps it has already taken or forget earlier decisions. Design long-running agent workflows to externalise state rather than relying on the LLM's in-context memory.

💡
Design agents to be stateless within the LLM and stateful in the platform: An agent that writes its intermediate results to Salesforce records — a task, a custom object, a field on the related case — can be interrupted and resumed without losing progress. An agent that relies on its conversational context to remember what it has done so far is fragile at the edges of the context window.

Key Takeaways

  • Agentforce is an autonomous execution runtime, not a chatbot — the agent calls real Actions that produce real changes, so permissions and scope must be designed with the same rigour as any automated process.
  • The Atlas reasoning engine runs a plan-act-observe loop, making multiple LLM invocations per turn; grounding is applied before each LLM call using the running user's data access permissions.
  • Topics define scope and behavioural approach; Actions define capability — the quality of your Action library is the primary determinant of how reliably the agent can complete complex tasks.
  • The Einstein Trust Layer de-identifies PII in prompts before they reach the LLM and re-hydrates the response, but LLM-level instructions are not cryptographically enforced — high-risk guardrails must live at the Action level.
  • Agentforce credits are metered per conversation turn and per Action invocation; capacity planning is required for any agent deployed at meaningful volume.
  • Agents should externalise state to Salesforce records rather than relying on conversational memory — LLM context windows are finite and truncate silently as session length grows.

Check Your Understanding

Q1. An Agentforce agent needs to update a case record and send a notification as part of a single task. What is the recommended Action type for this operation?

A. A direct SOQL update via Apex, because it is more performant than declarative tools
B. An Autolaunched Flow, because it is declarative, auditable, and enforces record-level and field-level security by default
C. An external API call, because it keeps the logic outside the Salesforce platform for easier maintenance
D. A standard screen flow, which prompts the customer to manually complete the case update

Q2. How does the Einstein Trust Layer prevent sensitive data from being processed by the external LLM?

A. Salesforce runs its own on-premises LLM so no data ever leaves the platform
B. Sensitive fields are excluded from grounding entirely and the LLM never receives records containing them
C. Sensitive values are replaced with tokens before the prompt is sent to the LLM, and the response is re-hydrated with the original values before being returned
D. The data is converted into an encrypted PDF attachment that the LLM decodes using a shared private key

Q3. A complex agent workflow spans many turns and the agent starts repeating steps it already completed earlier in the session. What is the most likely architectural cause?

A. An Apex exception in one of the Action invocations is resetting the agent's state
B. The LLM context window is truncating earlier conversation history, causing the agent to lose memory of completed steps
C. The Atlas reasoning engine has a bug in its deduplication logic that causes it to replay completed steps
D. The user is repeatedly typing the exact same query, forcing the agent to execute identical actions

Related Tutorials

AI-001

Agentforce vs Einstein Bots: What's Actually Different?

 AI-005

Data Cloud as the AI Foundation: Why Clean Data Wins

 ARCH-001

Salesforce Multi-Tenancy: What It Means for Your Architecture

Discussion & Feedback