Enterprise
For most of the AI-coding era, "enterprise" meant a Copilot license and a security review. The agent lived in the editor, touched the repo, and stopped at the company firewall. In 2026 that wall came down in a specific, consequential way: enterprise platforms began letting AI agents act inside them. Not read about them. Not generate integration code for them. Act inside them — query real data, deploy real metadata, run real business logic. That's a different animal, and it deserves a clear-eyed look at both the capability and the governance bill it hands you.
The concrete example: Salesforce Headless 360
The clearest instance is Salesforce Headless 360, which exposes the platform so AI agents can query its data, deploy metadata, and run Apex — Salesforce's server-side language for business logic. And crucially, this isn't a captive Salesforce-only agent. General-purpose coding tools like Claude Code and Cursor are gaining that access, which means the agent your developers already use to write code can now reach into the CRM that runs the sales org's daily life.
Sit with what that composes into. An agent that can read customer records, change the platform's configuration, and execute logic that touches money and contracts is no longer a coding assistant. It's an operator inside a system of record. That's a real capability — the kind that genuinely collapses work that used to require a specialist and a change ticket. It's also a real responsibility, and the two arrive together whether you planned for it or not.
Why this is genuinely useful
Let's not undersell it, because the upside is legitimate. A developer debugging a broken automation can have the agent inspect the actual data and the actual metadata rather than a stale export. A migration that used to mean hand-editing configuration across dozens of objects can be drafted, checked, and applied by an agent that sees the live schema. The perennial gap between "the code" and "the platform state the code runs against" — the source of a huge share of enterprise bugs — narrows when the agent can see both. This is the same win MCP delivered for databases and browsers, now extended to a full business platform.
Why it raises the stakes
Now the bill. Everything that makes coding agents risky gets multiplied when the target is a system of record instead of a git repo:
- The blast radius is production data. A bad diff in a repo reverts. A bad Apex run against live records may not. There's no clean "git reset" for a customer's billing state.
- Prompt injection now has a business target. An agent that reads a customer-submitted field — a support case, a form note — and then runs logic is an agent that can be instructed by an attacker's text to act on data it shouldn't. The injection surface moved from "the agent's shell" to "your customers' contracts."
- Permissions are org-shaped, not folder-shaped. "Least privilege" in a CRM means field-level security, object permissions, sharing rules, and API scopes — a far richer, easier-to-get-wrong permission model than a filesystem path.
- Audit and compliance are non-optional. Regulated data means every agent action needs to be attributable, reviewable, and reversible where possible. "The AI did it" is not an answer an auditor accepts.
What governance actually looks like here
The controls are the familiar security list, raised to enterprise altitude. Scope the agent's platform access to the minimum objects, fields, and operations the job needs — never the admin profile because it's convenient. Route destructive or production-touching actions through confirmation, ideally through the platform's own change-management path rather than around it. Keep credentials in a secrets store, not in the agent's context. Log everything the agent does in a form your compliance team can audit. And verify externally: agent changes to metadata or logic should pass the same validation, sandbox testing, and review gates a human's changes would — because a model grading its own change is exactly the trust these systems can't afford.
| Access an agent might get | What breaks if it's over-scoped |
|---|---|
| Query data | Customer-data exposure, privacy breach |
| Deploy metadata | Silent config drift across the org |
| Run Apex / business logic | Irreversible action on live records |
| Admin-level scope | All of the above, at once |
The pattern beyond Salesforce
Salesforce is the vivid example, but it's an instance of a category. Expect every major enterprise platform — ERPs, ticketing systems, data warehouses, internal tooling — to expose agent-actionable surfaces over the next stretch, because the demand is obvious and the plumbing (largely MCP-shaped) already exists. The teams that do well won't be the ones who adopt fastest; they'll be the ones who treat each new agent-actionable surface as a new privileged account and govern it before the first incident, not after.
This is squarely why we build The Vibe Father around external verification and Keychain-held, confirm-before-risk connections: when an agent can reach a system of record, the harness's job is to keep secrets out of context, ask before the irreversible action, and gate "done" on your real checks rather than the agent's word. The capability is worth having; the guardrails are what make it survivable.
For the underlying risk categories that all of this inherits, read the AI coding attack-surface piece and run the security checklist before you grant an agent platform access. The standard doing most of the connective work is covered in what MCP is. Live model scores stay at /benchmarks.