einstein-trust-layer
Use this skill when configuring, auditing, or troubleshooting Salesforce Einstein Trust Layer security controls for generative AI features including Agentforce, Einstein Copilot, and Prompt Builder. Trigger keywords: trust layer, data masking, zero data retention, ZDR, toxicity detection, AI audit trail, grounding controls, PII masking LLM, Einstein generative AI security. NOT for agent action development, LWC component authoring, or non-AI data governance (see data-quality-and-governance skill for that).
Best use case
einstein-trust-layer is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use this skill when configuring, auditing, or troubleshooting Salesforce Einstein Trust Layer security controls for generative AI features including Agentforce, Einstein Copilot, and Prompt Builder. Trigger keywords: trust layer, data masking, zero data retention, ZDR, toxicity detection, AI audit trail, grounding controls, PII masking LLM, Einstein generative AI security. NOT for agent action development, LWC component authoring, or non-AI data governance (see data-quality-and-governance skill for that).
Teams using einstein-trust-layer should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/einstein-trust-layer/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How einstein-trust-layer Compares
| Feature / Agent | einstein-trust-layer | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use this skill when configuring, auditing, or troubleshooting Salesforce Einstein Trust Layer security controls for generative AI features including Agentforce, Einstein Copilot, and Prompt Builder. Trigger keywords: trust layer, data masking, zero data retention, ZDR, toxicity detection, AI audit trail, grounding controls, PII masking LLM, Einstein generative AI security. NOT for agent action development, LWC component authoring, or non-AI data governance (see data-quality-and-governance skill for that).
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Einstein Trust Layer This skill activates when a practitioner needs to configure, validate, or troubleshoot the Einstein Trust Layer — the security infrastructure Salesforce places between users, CRM data, and external LLMs. It covers all five protective components: secure data retrieval and grounding, data masking, zero data retention, toxicity detection, and audit trail. --- ## Before Starting Gather this context before working on anything in this domain: - **Data 360 must be provisioned.** The Einstein Trust Layer depends on Data 360 for audit trail storage. Without it, audit trail cannot be enabled and some Trust Layer features will be unavailable. - **Einstein Generative AI must be turned on.** Navigate to Setup > Einstein Setup and toggle "Turn on Einstein" to On before accessing the Trust Layer configuration page. - **Which Einstein features are in scope?** Data masking behavior and applicability differ by feature. As of Spring '25, data masking is available for embedded features (Service Replies, Work Summaries, Prompt Builder previews) but disabled for Agentforce agents by default. Confirm the features before setting expectations. - **The most common wrong assumption:** Practitioners assume Trust Layer controls are on by default and apply uniformly. In practice, data masking must be explicitly enabled, and it does not apply to all Einstein features identically. - **Context window constraint:** When data masking is active, all models are limited to a context size of 65,536 tokens. Prompts that exceed this limit will fail or be truncated. --- ## Core Concepts ### Zero Data Retention (ZDR) Salesforce holds contractual zero data retention agreements with external LLM providers (including OpenAI). Under these agreements, prompts and responses sent through the LLM gateway are never stored or used for model training by the provider. Data passes through OpenAI's enterprise API and is discarded immediately after the response is generated — it does not persist outside Salesforce infrastructure. ZDR applies specifically to data sent to external LLMs. It does not mean that Salesforce itself does not store anything — the audit trail within Data 360 retains interaction records for compliance purposes. ### Data Masking Before a prompt is sent to an external LLM, the Trust Layer uses named entity recognition (NER) and pattern-matching to identify PII and PCI data. Detected entities are replaced with typed placeholders (e.g., `PERSON_0`, `EMAIL_0`, `CREDITCARD_0`). A temporary mapping is held within the Trust Layer. When the LLM returns its response, the Trust Layer demasks — restoring original values before presenting the result to the user. Default masked data types include: names (individual and organizational), email addresses, phone numbers (business and mobile), credit card numbers, and US Social Security Numbers. Administrators can configure which data types to mask from the setup UI. Important constraints: - No model can guarantee 100% detection accuracy. Cross-region or multi-country data patterns may reduce detection effectiveness. - Data masking requires valid-format data to trigger. A malformed SSN or an invalid credit card number will not be masked. - Context window is capped at 65,536 tokens when data masking is active. - There is no programmatic way to handle masked data from the Models API — masking is fully managed by the Trust Layer. - Policy updates can take a few minutes to propagate after saving. ### Toxicity Detection After the LLM returns a response, the Trust Layer scores it for harmful content using a combination of rule-based filtering and a Salesforce Research transformer model (Flan-T5-base, trained on approximately 2.3 million prompts). Toxicity is scored across multiple categories including toxicity (general rudeness/unreasonableness), hate speech, violence, physical harm, sexual content, and profanity. The overall score is a composite value ranging from 0 to 1, with 1 representing maximum toxicity. The toxicity score accompanies the response and is recorded in the audit trail. Applications can consume the score to decide whether to present the response to the user. ### Grounding Controls Grounding connects AI prompts to organizational data so responses are contextually accurate. The Trust Layer supports three grounding modes: - **Client-side grounding:** Merge fields on a record page populate with the currently displayed record's data during user interactions. - **Server-side grounding:** Flows or Apex calls query the database directly to inject context at processing time. - **Dynamic grounding:** Data providers (Flows, Data Cloud) are called at prompt execution time to retrieve related information, enabling semantic retrieval and external API integration. Grounding determines what CRM data is exposed to the LLM. Prompt defense is applied post-grounding to add guardrail instructions that reduce prompt injection risk and hallucination. ### Audit Trail The audit trail records every AI interaction passing through the Trust Layer. Each record includes: the original prompt, safety scores from toxicity detection, the raw LLM output, user acceptance/rejection decision, and any user modifications before the output was used. Records are stored in Data 360. Audit trail is not active out of the box — it requires explicit enablement. Retention period is configurable. The audit trail is accessible for compliance review and can be surfaced through reports and dashboards within the org. --- ## Common Patterns ### Pattern: Enabling Trust Layer Security Controls for a New Org **When to use:** When activating Einstein Generative AI for the first time and establishing the security baseline before deploying any AI feature to users. **How it works:** 1. Verify Data 360 is provisioned (required dependency). 2. Navigate to Setup > Einstein Setup. Toggle "Turn on Einstein" to On. 3. Click "Go to Einstein Trust Layer." 4. Enable "Large Language Model Data Masking." Select which sensitive data categories to mask (names, emails, phones, SSNs, credit cards are recommended as a default). 5. Enable the audit trail. Configure the retention period to match your compliance policy. 6. Verify that the Zero Data Retention agreement with external providers is active (confirm in the Trust Layer setup UI). 7. Test data masking by previewing a prompt template in Prompt Builder with a record containing known PII — confirm placeholders appear in the preview and are restored in the response. **Why not skip setup:** Without explicit enablement of data masking, PII fields in grounded prompts are sent in plain text to the external LLM. ZDR alone does not prevent exposure during processing — masking prevents the LLM from ever seeing raw PII. ### Pattern: Diagnosing Toxicity Detection False Positives **When to use:** When valid AI responses are being suppressed or flagged incorrectly, causing user-facing errors or missing outputs. **How it works:** 1. Access the audit trail in Data 360 and find the interaction records for the flagged responses. 2. Review the toxicity scores by category. A composite score near 1 on a specific subcategory (e.g., violence) in a legitimate service context indicates a false positive from context misinterpretation. 3. Review the original prompt and grounding data — prompt injection or ambiguous field values can raise scores artificially. 4. Adjust the prompt template to provide clearer context instructions to the LLM (via prompt defense additions). 5. Re-test with the updated template and monitor audit trail scores. **Why not disable toxicity detection:** Toxicity detection is a Trust Layer control that cannot be selectively disabled per-feature without removing it org-wide. The correct remediation is prompt and grounding refinement. --- ## Decision Guidance | Situation | Recommended Approach | Reason | |---|---|---| | PII in CRM must not reach external LLM | Enable data masking with all PII/PCI categories selected | Masking intercepts before transmission; ZDR alone does not prevent in-flight exposure | | Compliance requires logs of all AI interactions | Enable audit trail with retention period matching policy; store in Data 360 | Audit trail is the only mechanism for interaction-level logging in the Trust Layer | | Prompt responses seem unaware of record context | Use client-side grounding for record-page features; dynamic grounding for server-side flows | Grounding mode must match the execution context or record data will be missing | | EU data residency requirement | Confirm org is provisioned in an EU data center; Trust Layer routes through Salesforce infrastructure, not directly to LLM providers | LLM gateway keeps data within Salesforce routing; EU org provisioning determines residency | | Agents not masking PII in prompts | Verify the feature scope — data masking for agents may be disabled; check release notes for current coverage | As of Spring '25, data masking is not applied to Agentforce agents by default | | Toxicity detection blocking valid responses | Review audit trail scores by category; refine prompt template instructions | Detection uses ML scoring; context-specific guardrail instructions reduce false positives | --- ## Recommended Workflow Step-by-step instructions for an AI agent or practitioner activating this skill: 1. Gather context — confirm the org edition, relevant objects, and current configuration state 2. Review official sources — check the references in this skill's well-architected.md before making changes 3. Implement or advise — apply the patterns from Core Concepts and Common Patterns sections above 4. Validate — run the skill's checker script and verify against the Review Checklist below 5. Document — record any deviations from standard patterns and update the template if needed --- ## Review Checklist Run through these before marking Trust Layer configuration complete: - [ ] Data 360 is provisioned and accessible in the org - [ ] Einstein Generative AI is enabled in Einstein Setup - [ ] Data masking is enabled with the correct sensitive data categories selected - [ ] Audit trail is enabled with a retention period aligned to compliance requirements - [ ] Zero Data Retention agreement with external LLM providers is confirmed active - [ ] Prompt templates tested in Prompt Builder confirm PII placeholders appear (not raw values) in preview - [ ] Toxicity detection is active and audit trail records show toxicity scores - [ ] Grounding mode (client-side, server-side, dynamic) matches the feature's execution context - [ ] EU data residency requirements confirmed against org data center provisioning --- ## Salesforce-Specific Gotchas Non-obvious platform behaviors that cause real production problems: 1. **Data masking is disabled for Agentforce agents by default** — Practitioners who enable data masking in Trust Layer setup assume it applies to all AI features. As of Spring '25, data masking applies to embedded features (Service Replies, Work Summaries, Prompt Builder previews) but is not applied to agent prompts. PII in agent-grounded prompts can be sent in plain text to the external LLM. Always check release notes and the feature-specific Trust Layer coverage before assuming masking is active. 2. **Zero data retention applies to external LLMs only, not to the audit trail** — ZDR means the external LLM provider (e.g., OpenAI) does not retain the data after processing. The audit trail within Salesforce Data 360 does store interaction records, including the original prompt and LLM output. Practitioners who cite ZDR as a reason not to configure audit trail retention policies are creating a compliance gap — the audit trail must be independently governed. 3. **Invalid-format PII is not masked** — The masking engine validates data format before applying placeholders. A social security number with incorrect formatting, a malformed email, or an invalid credit card number will pass through to the LLM unmasked. This is a silent failure — there is no error or warning. Testing masking with realistic production-format data is required to validate coverage. 4. **Context window shrinks to 65,536 tokens when data masking is active** — Large prompt templates or heavily grounded prompts that work without masking may exceed the reduced context window and fail at runtime. Prompt size must be validated with masking active, not just in isolation. 5. **Audit trail requires explicit activation and is not retroactive** — Interactions that occur before audit trail is enabled are not logged. There is no backfill mechanism. Organizations that enable generative AI features before setting up the audit trail will have a compliance gap for that period. --- ## Output Artifacts | Artifact | Description | |---|---| | Trust Layer configuration checklist | Completed checklist confirming masking, ZDR, toxicity, and audit trail status | | Audit trail review | Interaction records in Data 360 showing prompt, toxicity scores, LLM output, and user decision | | Prompt Builder test results | Masked preview output confirming PII substitution is working before feature goes live | | Data masking policy | Configured sensitive data category selections in Trust Layer setup | --- ## Related Skills - agentforce/agentforce-agent-design — use alongside this skill when building agents to validate what data is grounded and whether Trust Layer coverage applies to agent prompts - data/data-quality-and-governance — for broader data governance, classification, and Shield Platform Encryption concerns outside of AI interaction security
Related Skills
network-security-and-trusted-ips
Configure and audit Salesforce network security controls — trusted IP ranges (org-wide Network Access), login IP ranges on profiles, CSP Trusted Sites for Lightning components, CORS allowlists for external JavaScript, and TLS requirements — and troubleshoot login-blocked-by-IP or CSP violation errors. NOT for org-wide session settings, MFA configuration, or real-time Transaction Security Policies.
csp-and-trusted-urls
Configure Content Security Policy via Trusted URLs and CSP Trusted Sites so Lightning, LWR, and LWC can call third-party scripts, APIs, and frame sources. NOT for clickjack configuration.
einstein-analytics-data-model
Use this skill when working with CRM Analytics (Einstein Analytics) extended metadata (XMD) — the multi-layer metadata system that controls field display labels, aliases, number formatting, date formatting, measure/dimension classification, and color palettes on CRM Analytics datasets. Trigger keywords: XMD API, dataset field formatting CRM Analytics, wave dataset labels, main XMD update, dataset versioning Analytics. NOT for dataflow development, recipe node configuration, dataset ingestion setup, standard dashboard design, or SAQL query construction — those are covered by analytics-dataflow-development and analytics-recipe-design.
zero-trust-salesforce-patterns
Architecture pattern for assembling a zero-trust posture in Salesforce — there is no single zero-trust toggle. The pattern composes High-Assurance Sessions, Real-Time Event Monitoring (RTEM) Transaction Security Policies, Login Flows for conditional access, Event Monitoring for continuous verification, Mobile Security for device compliance, and a Permission Set Group strategy that defaults-deny. Covers the gotcha that not all RTEM event types support TSP enforcement (IdentityVerificationEvent and MobileEmailEvent do NOT). NOT for MFA-only rollouts (see security/mfa-enforcement-strategy), NOT for the LLM-side Einstein Trust Layer (different concept), NOT for Apex CRUD/FLS enforcement patterns (see apex/apex-stripinaccessible-and-fls-enforcement).
einstein-bot-architecture
Use when designing conversational AI architecture on Salesforce: Einstein Bot dialog design, Agentforce Agent topic planning, intent models, NLU training strategy, bot-to-agent handoff, escalation paths, knowledge article surfacing, and bot analytics. Triggers: 'einstein bot architecture', 'agentforce dialog design', 'bot handoff to agent', 'intent model training'. NOT for bot implementation code, Apex action authoring, Flow screen design, or Omni-Channel routing rule configuration.
einstein-activity-capture-api
Use when querying Einstein Activity Capture (EAC) activity metrics, accessing synced email and event data via Apex, reporting on captured activities, or understanding EAC's read-only API surface and SOQL limits. Triggers: 'ActivityMetric SOQL', 'EAC data not in reports', 'UnifiedActivity query', 'query synced emails from EAC', 'activity capture SOQL returns no rows'. NOT for email template design, email deliverability configuration, or enabling/disabling EAC through Setup UI.
einstein-search-personalization
Einstein Search personalization: configure search result ranking, promoted results, searchable objects, and Natural Language Search (NLS) for Lightning Experience. Triggers when users ask about search personalization signals, why search results feel irrelevant, how to enable NLS conversational queries, or how to manage Einstein Search settings in Setup. NOT for SOSL query authoring, Experience Cloud search customization, or Commerce storefront search tuning.
einstein-prediction-builder
Einstein Prediction Builder for creating custom binary classification predictions on Salesforce objects: field selection, training data requirements, model activation, score embedding, and monitoring. NOT for Einstein Discovery (Tableau CRM Analytics) or Agentforce agent creation.
einstein-next-best-action
Guide practitioners through building Einstein Next Best Action strategies using Flow Builder, configuring Recommendation records, and surfacing recommendations via the Actions & Recommendations Lightning component. Trigger keywords: next best action, NBA strategy, surface recommendations. NOT for Einstein Prediction Builder model training, Einstein Bots conversation design, or Agentforce agent topic routing.
einstein-discovery-development
Use this skill when integrating Einstein Discovery predictions into Salesforce apps, automating bulk scoring jobs, deploying stories as prediction definitions, managing models via API, or querying prediction history. Trigger keywords: Einstein Discovery, smartdatadiscovery, predict endpoint, bulk scoring job, model refresh job, prediction definition, story deployment, regression prediction, multiclass prediction, CRM Analytics ML. NOT for CRM Analytics dashboard design, TCRM dataset management, Einstein Prediction Builder binary classification (which requires no CRM Analytics license), or Einstein Next Best Action recommendation strategies.
einstein-copilot-for-service
Service-specific AI features in Service Cloud: Case Classification setup and optimization, Article Recommendations configuration, Reply Recommendations, Work Summary (After-Visit Summary), Service Replies with Einstein, Auto-Routing, and Einstein Conversation Mining. NOT for core Agentforce setup, agent topic design, Agent Builder configuration, or Einstein Trust Layer setup.
einstein-copilot-for-sales
Sales-specific AI features in Sales Cloud: Einstein Opportunity Scoring setup and optimization, Einstein Activity Capture configuration, AI email generation, Pipeline Inspection AI insights, and Einstein Relationship Insights. NOT for core Agentforce setup, agent topic design, or Einstein Trust Layer configuration.