By NHI Mgmt Group Editorial Team
Published 2025-10-13
Domain: Governance & Risk
Source: Cyera

TL;DR: Salesforce environments in Service Cloud, Health Cloud, and Sales Cloud now concentrate PHI, PCI, customer tickets, and other regulated records across structured and unstructured data, and Cyera argues that discovery and classification at scale are required to close compliance blind spots. The real issue is not storage location but whether security teams can enforce consistent controls across the full Salesforce ecosystem.


At a glance

What this is: This is an analysis of why Salesforce security must extend across Health Cloud, Service Cloud, and other clouds to find regulated data in both structured fields and unstructured records.

Why it matters: It matters because IAM and security teams need consistent visibility, policy enforcement, and audit evidence wherever sensitive data lives, including platforms that mix human workflows, NHI access, and regulated records.

👉 Read Cyera's analysis of regulated data security across Salesforce clouds


Context

Salesforce has become a system of record for more than sales data. Service Cloud contains support cases and chat histories, Health Cloud stores patient-related workflows, and custom objects often carry regulated financial or personal information that is easy to miss without broad discovery. In identity terms, the problem is not just access to the platform, but control over who and what can reach sensitive data across multiple clouds and workflows.

When structured records and attachments are governed separately, security teams end up with blind spots that weaken classification, policy enforcement, and audit readiness. That challenge is familiar across IAM and NHI programmes: if sensitive data can be copied, attached, or embedded in workflow artefacts without consistent controls, the operating model is already fragmented.

The source article points to a practical truth for regulated environments. Visibility has to span both structured and unstructured content, otherwise compliance becomes a sampling exercise rather than a control state.


Key questions

Q: How should security teams govern regulated data in Salesforce environments?

A: Security teams should treat Salesforce as a multi-cloud data estate rather than a single application. That means discovering regulated data in standard and custom objects, extending controls to attachments and case content, and applying one policy model across Sales Cloud, Service Cloud, and Health Cloud. Without that scope, compliance becomes partial and blind spots persist.

Q: Why do structured Salesforce fields and unstructured content need different controls?

A: Structured fields are easier to classify, but unstructured case notes, attachments, and chat histories often contain the most sensitive information. If teams rely only on field-based scanning or regex matching, they miss context-rich records that drive real exposure. Governance has to cover both because the risk moves across formats, not just databases.

Q: What do security teams get wrong about Salesforce compliance?

A: They often assume compliance can be proven by controlling a few obvious records or by reviewing access to the platform itself. In practice, regulated data is scattered across custom objects, workflow artefacts, and files, so the real issue is visibility and prioritisation. If those are missing, compliance reports can look clean while exposure remains.

Q: How can organisations reduce blind spots across Salesforce clouds?

A: They should use a unified discovery and classification process that spans all major Salesforce clouds and feeds a single remediation queue. That approach makes it possible to compare risk consistently, apply policies once, and avoid piecemeal treatment of similar data in different clouds. The goal is consistent control, not separate local fixes.


Technical breakdown

Structured and custom objects hide regulated data at scale

Salesforce stores data in standard objects, custom objects, and custom fields, which makes discovery harder than scanning a single database schema. Sensitive values can be distributed across records that look operational rather than regulated, so classification must examine field content, object relationships, and business context together. In practice, the challenge is not whether data exists, but whether it can be identified quickly enough to govern. That matters because once sensitive fields are embedded in everyday workflows, manual review cannot keep pace with change.

Practical implication: build automated discovery across standard and custom objects before relying on access reviews or downstream compliance checks.

Unstructured case notes and attachments defeat regex-only classification

Case notes, uploaded files, chat transcripts, and attachments often hold the most sensitive information, but they do not behave like neat structured records. RegEx-based classification catches patterns, not meaning, so it misses context-heavy content such as clinical notes or customer service narratives. That creates a gap between where the data is stored and where the risk actually lives. Security teams need classification that handles files and workflow artefacts as first-class data sources, not exceptions.

Practical implication: extend classification and monitoring to unstructured Salesforce content instead of treating attachments and case history as lower-priority data.

Unified visibility is a governance control, not just a reporting feature

A cross-cloud view across Sales Cloud, Service Cloud, and Health Cloud changes the control model from fragmented inspection to policy consistency. That is important in regulated environments because the same data protection rule must follow the record regardless of which cloud or workflow contains it. Unified visibility also supports prioritisation, so the highest-risk data can be handled first instead of buried in separate queues. The architecture question is whether governance can be enforced as one operating model or only as a set of disconnected checks.

Practical implication: align discovery, classification, and prioritisation under one policy model across all Salesforce clouds.


  • DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Unified visibility is the real control boundary in Salesforce governance. When regulated data is split across Service Cloud, Health Cloud, and custom objects, the control problem is not storage location but inconsistent discovery. Security teams cannot prove governance over data they cannot reliably find, classify, and prioritise. The practical conclusion is that Salesforce security must be designed as a single visibility and policy problem, not a set of cloud-specific exceptions.

Salesforce data risk is now a structured and unstructured problem at once. Traditional controls still assume sensitive information sits in clearly labelled fields or databases, but case notes, attachments, and chat transcripts carry the material exposure. That breaks the assumption that regex and object-level review are sufficient. Practitioners need to treat workflow artefacts as part of the regulated data estate, because that is where hidden exposure accumulates.

Regulated data governance in CRM platforms is converging with NHI-style control discipline. The same governance instincts that matter for service accounts and API access also apply when records move through automated workflows, integrations, and support operations. The relevant framework lens here is OWASP-NHI for non-human access paths and NIST CSF for discovery and protection discipline. The implication is that teams must govern the data path as tightly as the user path.

Data blind spots create compliance blind spots: the article illustrates how confidence in CRM controls can outpace actual visibility across regulated content. That is a governance failure, not just a tooling gap. Practitioners should assume that any environment with mixed structured and unstructured records can hide regulated data until proven otherwise.

From our research:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
  • For a broader control baseline, see NHI Lifecycle Management Guide for lifecycle and governance patterns that extend across non-human access paths.

What this signals

Data governance is becoming an identity problem in SaaS platforms. As regulated records spread across cloud applications, the boundary between IAM and data security keeps narrowing. Teams that already manage non-human access paths can apply the same discipline to Salesforce content, especially where automated workflows and integrations move regulated data between systems.

With 67% of organisations still relying heavily on static credentials despite the risks they pose to agentic AI deployments, governance assumptions are already under strain. That matters here because weak access discipline around the platform often correlates with weak discipline around the data inside it, especially when unstructured records are involved. The programme signal is clear: classification, policy enforcement, and lifecycle controls need to work together, not in separate queues.

Regulated CRM environments need a named control boundary for data visibility. The data visibility gap is the practical failure mode: not a total absence of security controls, but inconsistent coverage across record types and clouds. That means IAM, data security, and compliance teams should align on one operating model for discovery, classification, and exception handling rather than relying on application-by-application reviews.


For practitioners

  • Expand discovery across all Salesforce object types: inventory standard objects, custom objects, and custom fields together so sensitive values are not missed because they appear in business-specific schemas.
  • Classify unstructured case content as regulated data: include case notes, chats, attachments, and uploaded files in the same policy scope as structured records, with review rules for PHI, PCI, and personal data.
  • Prioritise the highest-risk records first: use classification results to rank records by regulatory exposure so remediation focuses on the data most likely to affect compliance and trust.
  • Unify policy enforcement across Salesforce clouds: apply one security model across Sales Cloud, Service Cloud, and Health Cloud so data protection rules do not vary by workload or workflow.
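As an added example (not code from Cyera or from NHI Mgmt Group), the Python sketch below runs the discovery, classification and prioritisation loop described in the Technical breakdown and in the practitioner bullets above over a handful of constructed Salesforce-style records. Standard and custom objects are inventoried in one pass, free-text fields and file content get a context check on top of pattern matching, and every finding lands in a single queue ranked across clouds. The object names ending in __c, the record ids, the field names, the scoring weights and the clinical vocabulary are all constructed assumptions for illustration, not a Salesforce schema or a vendor's classifier.

```python
"""Unified discovery, classification and prioritisation over Salesforce-style
records. Added illustration; every record, object and field name is constructed."""
import re
from dataclasses import dataclass

# Constructed rows as they might be exported from several Salesforce objects.
# "__c" is the suffix Salesforce uses for custom objects/fields; the names are made up.
SAMPLE_RECORDS = [
    {"cloud": "Sales Cloud", "object": "Contact", "id": "003-EX-001",
     "fields": {"LastName": "Example", "Email": "a.example@example.test"}},
    {"cloud": "Health Cloud", "object": "Patient_Visit__c", "id": "a0X-EX-002",
     "fields": {"Name": "Visit 2024-11-02",
                "Notes__c": "Patient reports chest pain; diagnosis pending, "
                            "prescription renewed. MRN 10293847."}},
    {"cloud": "Service Cloud", "object": "Case", "id": "500-EX-003",
     "fields": {"Subject": "Refund request",
                "Description": "Customer gave card 4111 1111 1111 1111 over chat "
                               "and asked us to keep it on file."}},
    {"cloud": "Service Cloud", "object": "ContentVersion", "id": "068-EX-004",
     "fields": {"Title": "intake-form.txt",
                "VersionData": "Patient intake. SSN: 123-45-6789. Allergies: penicillin."}},
]

# Structured classification: field names that are sensitive by definition (constructed list).
SENSITIVE_FIELD_NAMES = {"Email": "PII", "Phone": "PII", "SSN__c": "PII"}
# Fields that hold free text or file bodies, i.e. the unstructured blind spots (constructed).
UNSTRUCTURED_FIELDS = {"Description", "Notes__c", "VersionData", "Comments"}
# Pattern classifiers: 13-16 digit card-like runs (validated with Luhn) and SSN-shaped strings.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# Context classifier: a small clinical vocabulary standing in for a tuned PHI model (constructed).
CLINICAL_TERMS = {"patient", "diagnosis", "prescription", "allergies", "mrn"}
# Constructed risk weights; unstructured hits get a bonus because they are the least governed.
WEIGHTS = {"PHI": 5, "PCI": 5, "PII": 2}
UNSTRUCTURED_BONUS = 2


def luhn_ok(digits: str) -> bool:
    """Luhn check so a random digit run is not reported as a card number."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_text(text: str) -> set[str]:
    """Pattern matches plus a context check; returns the set of labels found."""
    labels: set[str] = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("PII")
    # Meaning, not pattern: two or more clinical terms marks a clinical narrative as PHI.
    words = set(re.findall(r"[a-z]+", text.lower()))
    if len(words & CLINICAL_TERMS) >= 2:
        labels.add("PHI")
    return labels


@dataclass(frozen=True)
class Finding:
    cloud: str
    object_name: str
    record_id: str
    labels: frozenset
    unstructured: bool
    score: int


def classify_record(rec: dict) -> Finding:
    """Inventory every field of a record, standard or custom, structured or not."""
    labels, unstructured = set(), False
    for name, value in rec["fields"].items():
        if name in SENSITIVE_FIELD_NAMES:
            labels.add(SENSITIVE_FIELD_NAMES[name])
        found = classify_text(str(value))
        if found and name in UNSTRUCTURED_FIELDS:
            unstructured = True
        labels |= found
    score = sum(WEIGHTS[label] for label in labels) + (UNSTRUCTURED_BONUS if unstructured else 0)
    return Finding(rec["cloud"], rec["object"], rec["id"], frozenset(labels), unstructured, score)


def build_queue(records: list[dict]) -> list[Finding]:
    """One remediation queue across all clouds, highest risk first (id breaks ties)."""
    findings = (classify_record(r) for r in records)
    return sorted((f for f in findings if f.labels), key=lambda f: (-f.score, f.record_id))


if __name__ == "__main__":
    for f in build_queue(SAMPLE_RECORDS):
        flag = "unstructured" if f.unstructured else "structured"
        print(f"{f.score:>2}  {f.cloud:<13} {f.object_name:<17} {f.record_id}  "
              f"{sorted(f.labels)}  ({flag})")
```

Run as-is, the file attachment (PHI and an SSN in file content) ranks above the Service Cloud case and the Health Cloud custom object, and the plain Contact record comes last: the same scoring model is applied once to every cloud and object type, so the ordering is comparable across them. The keyword-based context check is only a stand-in for a tuned classifier, but the structure (one inventory pass, one scoring model, one queue) is the point.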

Key takeaways

  • Salesforce security fails when regulated data is scattered across structured fields, attachments, and workflow content without unified discovery.
  • The compliance risk is scale as much as sensitivity, because blind spots grow when multiple clouds and object types are governed separately.
  • Practitioners need one policy model across Salesforce clouds so visibility, classification, and remediation operate as a single control system.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | ID.AM-1 | Asset visibility is central when regulated data is spread across Salesforce clouds.
NIST CSF 2.0 | PR.DS-1 | Data protection depends on identifying and protecting regulated content in records and files.
OWASP Non-Human Identity Top 10 | NHI-01 | Integrated workflows and service access paths can expose regulated data through non-human access.

Map Salesforce data stores and workflows under ID.AM-1 before defining remediation scope.


Key terms

  • Structured and unstructured data: Structured data lives in defined fields and records, while unstructured data sits in notes, files, chats, and attachments. In Salesforce environments, both can contain regulated information, so governance must classify content across formats rather than assuming the risk is limited to obvious database fields.
  • Data visibility gap: A data visibility gap is the space between where sensitive information exists and where security teams can reliably see it. In regulated SaaS environments, the gap often appears when custom objects, files, and workflow artefacts are excluded from discovery, making compliance and remediation incomplete.
  • Cross-cloud policy enforcement: Cross-cloud policy enforcement means applying the same security rule set across multiple application clouds and workflows. For Salesforce, that matters because records, attachments, and case content can move across service and health workflows while still requiring the same regulatory protections.

Deepen your knowledge

Salesforce regulated data discovery and cross-cloud governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are extending identity discipline into SaaS data estates, it is worth exploring.

This post draws on content published by Cyera: Securing Regulated Data Across Salesforce Health Cloud and Service Cloud. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-10-13.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org