
Salesforce Health Cloud and Service Cloud: where do visibility gaps hide?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Salesforce environments in Service Cloud, Health Cloud, and Sales Cloud now concentrate PHI, PCI, customer tickets, and other regulated records across structured and unstructured data, and Cyera argues that discovery and classification at scale are required to close compliance blind spots. The real issue is not storage location but whether security teams can enforce consistent controls across the full Salesforce ecosystem.

NHIMG editorial — based on content published by Cyera: Securing Regulated Data Across Salesforce Health Cloud and Service Cloud

By the numbers:

Questions worth separating out

Q: How should security teams govern regulated data in Salesforce environments?

A: Security teams should treat Salesforce as a multi-cloud data estate rather than a single application.

Q: Why do structured Salesforce fields and unstructured content need different controls?

A: Structured fields are easier to classify, but unstructured case notes, attachments, and chat histories often contain the most sensitive information.

Q: What do security teams get wrong about Salesforce compliance?

A: They often assume compliance can be proven by controlling a few obvious records or by reviewing access to the platform itself.

Practitioner guidance

  • Expand discovery across all Salesforce object types: inventory standard objects, custom objects, and custom fields together so sensitive values are not missed because they appear in business-specific schemas.
  • Classify unstructured case content as regulated data: include case notes, chats, attachments, and uploaded files in the same policy scope as structured records, with review rules for PHI, PCI, and personal data.
  • Prioritise the highest-risk records first: use classification results to rank records by regulatory exposure so remediation focuses on the data most likely to affect compliance and trust.

What's in the full article

Cyera's full article covers the operational detail this post intentionally leaves for the source:

  • How Cyera maps sensitive data across Salesforce objects, custom fields, and cloud-specific workflows.
  • Examples of the structured and unstructured records that typically contain PHI, PCI, and other regulated data.
  • The operational case for unified classification and policy enforcement across Sales Cloud, Service Cloud, and Health Cloud.
  • Why fragmented tooling creates blind spots in large Salesforce estates and how teams can reduce them.

👉 Read Cyera's analysis of regulated data security across Salesforce clouds →

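As an added illustration of the three guidance points in the post above (example code, not from NHIMG, Cyera or Salesforce), a small Python scan over a constructed record export: it classifies every field of standard and custom objects alike, including free-text case notes, and ranks records by exposure so remediation starts with the highest-risk ones. Object names, field names and values are invented; a real run would pull records through the Salesforce API and use a fuller rule set.

```python
import re
# Constructed sample export (made-up values): a standard object (Case) beside a
# custom object (Patient_Intake__c) whose custom fields end in "__c".
RECORDS = [
    {"object": "Case", "Id": "500x001", "Subject": "Billing question",
     "Description": "Customer paid with card 4111 1111 1111 1111, please refund"},
    {"object": "Case", "Id": "500x002", "Subject": "Password reset",
     "Description": "User locked out, reset completed"},
    {"object": "Patient_Intake__c", "Id": "a01x001", "Insurance_ID__c": "INS-55821",
     "Notes__c": "Diagnosis: type 2 diabetes, SSN 123-45-6789 on file"},
]
# Detection rules, and the weight each label adds to a record's exposure score.
PATTERNS = {
    "PCI": re.compile(r"\b(?:\d[ -]?){13,16}\b"),  # candidate card number, Luhn-checked below
    "PII": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),  # US SSN layout
    "PHI": re.compile(r"\b(?:diagnosis|prescription|patient)\b", re.I),
}
WEIGHTS = {"PCI": 3, "PHI": 3, "PII": 2}

def luhn_ok(number: str) -> bool:
    """Luhn checksum: drops 13-16 digit runs (order numbers etc.) that are not cards."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify_text(text: str) -> set:
    """Set of regulated-data labels found in one value, structured or free text."""
    labels = set()
    for label, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            if label == "PCI" and not luhn_ok(re.sub(r"\D", "", match.group(0))):
                continue
            labels.add(label)
            break
    return labels

def classify_record(rec: dict) -> dict:
    """Scan every field, standard or custom, so business-specific schemas are not skipped."""
    return {f: classify_text(v) for f, v in rec.items()
            if f not in ("object", "Id") and isinstance(v, str) and classify_text(v)}

def prioritise(records: list) -> list:
    """Rank records by exposure: the summed weights of the distinct labels found."""
    ranked = []
    for rec in records:
        labels = set().union(*classify_record(rec).values())
        ranked.append((rec["object"], rec["Id"], sum(WEIGHTS[l] for l in labels), sorted(labels)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)
```

On the sample, the custom-object intake note (PHI plus an SSN) outranks the Case carrying a card number, and the ordinary password-reset Case scores zero.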
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Unified visibility is the real control boundary in Salesforce governance. When regulated data is split across Service Cloud, Health Cloud, and custom objects, the control problem is not storage location but inconsistent discovery. Security teams cannot prove governance over data they cannot reliably find, classify, and prioritise. The practical conclusion is that Salesforce security must be designed as a single visibility and policy problem, not a set of cloud-specific exceptions.

A few things that frame the scale:

  • 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
  • Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.

A question worth separating out:

Q: How can organisations reduce blind spots across Salesforce clouds?

A: They should use a unified discovery and classification process that spans all major Salesforce clouds and feeds a single remediation queue. That approach makes it possible to compare risk consistently, apply policies once, and avoid piecemeal treatment of similar data in different clouds. The goal is consistent control, not separate local fixes.

👉 Read our full editorial: Salesforce regulated data security needs unified visibility and control
