Structured fields are easier to classify, but unstructured case notes, attachments, and chat histories often contain the most sensitive information. If teams rely only on field-based scanning or regex matching, they miss context-rich records that drive real exposure. Governance has to cover both because the risk moves across formats, not just databases.
Why This Matters for Security Teams
Salesforce governance fails when teams assume the same control set can handle both fields and free-text content. Structured fields are easier to classify, validate, and restrict, but case notes, chat transcripts, attachments, and email bodies often hold the highest-value content: customer data, pasted credentials and tokens, and incident details. The operational risk is not just leakage at rest, but uncontrolled propagation through search, exports, automations, and AI-assisted workflows.
Current guidance suggests treating content type as a control boundary, not just a storage detail. That means policy needs to follow the record shape, the sensitivity of the text, and how the data is reused downstream. The NIST Cybersecurity Framework 2.0 is useful here because it emphasises governance, data protection, and continuous oversight rather than one-time classification. NHIMG research on the Salesloft OAuth token breach shows how stolen integration tokens can turn the SaaS content of many tenants into a single broad access event.
NHI Mgmt Group data also shows that 96% of organisations store secrets outside secrets managers in vulnerable locations, which is exactly the kind of exposure that unstructured content tends to hide. In practice, many security teams discover this only after a shared record, attachment, or transcript has already been replicated into multiple downstream systems.
How It Works in Practice
The practical control model starts by separating detection and enforcement for structured and unstructured Salesforce data. Structured fields can usually be governed with field-level security, validation rules, masking, and deterministic classification. Unstructured content needs different controls because the risk sits in context, not just column names. That includes attachments, long-form case notes, emails, chatbot logs, and synced documents that may contain credentials, health data, contracts, or incident details.
A workable approach is layered:
- Classify structured fields with schema-aware rules and explicit labels.
- Scan unstructured text with content inspection that understands context, not only regex.
- Apply different retention, export, and sharing policies to each content type.
- Limit who can search, preview, download, or bulk export sensitive cases.
- Log downstream use, including integrations that copy data into analytics or AI tools.
This is where records governance overlaps with NHI security. If an integration token, service account, or connected app can read both structured fields and unstructured content, a single compromise can expose far more than the original business user could see. The Ultimate Guide to NHIs - Standards is relevant because it frames the need for rotation, visibility, and least privilege across machine identities. For implementation patterns, teams often align with NIST Cybersecurity Framework 2.0 and use workflow-specific controls for each data path.
NHIMG’s research on the ASP.NET machine keys RCE attack is a reminder that secrets and tokens embedded in operational systems can become an execution path, not just a disclosure issue. These controls tend to break down when unstructured content is exported into multiple SaaS tools because the original classification rarely survives the copy.
Common Variations and Edge Cases
Tighter content controls often increase workflow friction, requiring organisations to balance user productivity against leakage prevention. That tradeoff is real in sales, support, and legal operations, where staff need fast access to full case context.
Best practice is evolving for AI-assisted Salesforce workflows. If an AI agent summarises or routes cases, it can amplify the risk by consuming both structured and unstructured inputs at once. There is no universal standard for this yet, but current guidance suggests treating the agent as a privileged consumer with its own access boundaries, audit trail, and data minimisation rules.
Two edge cases matter most. First, attachments and embedded files may bypass field-based controls entirely, so document-level inspection is needed. Second, sync jobs and ETL pipelines can strip original labels when moving data into data lakes, ticketing systems, or LLM tools. In those paths, context-sensitive classification must be re-applied rather than assumed. For governance baselines, Ultimate Guide to NHIs - Standards helps anchor machine-identity controls, while NIST CSF 2.0 supports the broader control mapping.
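The layered approach above (schema labels for fields, context-aware inspection for free text, downstream minimisation) and the second edge case here (labels stripped by a sync job) can be shown in one small model. The following Python is an added example written for this page; it is not NHIMG code and does not call the Salesforce API. The sensitivity labels, the field-to-label policy, the entropy threshold, the agent-minimisation rule, and the sample case record with its fake token are all constructed for the illustration. The only non-hypothetical parts are the credential prefixes (AKIA, ghp_, xox*, PEM headers), which are publicly documented formats.

```python
"""Context-aware inspection of Salesforce free text, label re-application after an
ETL copy, and data minimisation before an AI agent sees a case.
Added illustration, not NHIMG or Salesforce code; labels, policy and sample data are constructed."""
import math
import re
from collections import Counter

PUBLIC, INTERNAL, CONFIDENTIAL, RESTRICTED = "public", "internal", "confidential", "restricted"
RANK = {PUBLIC: 0, INTERNAL: 1, CONFIDENTIAL: 2, RESTRICTED: 3}

# Structured fields: deterministic, schema-aware labels (hypothetical policy).
FIELD_LABELS = {"Case.Status": PUBLIC, "Case.Subject": INTERNAL, "Contact.Email": CONFIDENTIAL}
# Free-text fields that must be inspected rather than labelled from the schema.
FREE_TEXT_FIELDS = {"Case.Description", "EmailMessage.TextBody", "FeedItem.Body"}

# Publicly documented credential shapes; a plain regex is enough for these.
TOKEN_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Context clue followed by a candidate value: "password = ...", "api key: ...".
CREDENTIAL_CONTEXT = re.compile(
    r"\b(?:password|passwd|pwd|token|secret|api[ _-]?key|bearer)\b\s*[:=]?\s*(\S{8,})", re.I)
HEALTH_CONTEXT = re.compile(r"\b(?:diagnos\w*|prescription|patient|medical)\b", re.I)
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
ENTROPY_THRESHOLD = 3.0  # bits/char; "welcome1" scores below it, random-looking values above


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def inspect_text(text):
    """Return (kind, value) findings using shape, surrounding context and entropy."""
    findings, seen = [], set()
    for kind, pattern in TOKEN_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append((kind, m.group(0)))
            seen.add(m.group(0))
    for m in CREDENTIAL_CONTEXT.finditer(text):
        value = m.group(1).rstrip(".,;")
        if value in seen:
            continue  # already reported by a shape pattern
        kind = "credential" if shannon_entropy(value) >= ENTROPY_THRESHOLD else "credential_hint"
        findings.append((kind, value))
        seen.add(value)
    for m in EMAIL.finditer(text):
        findings.append(("email", m.group(0)))
    health = HEALTH_CONTEXT.search(text)
    if health:
        findings.append(("health_context", health.group(0)))
    return findings


def label_for(findings):
    kinds = {k for k, _ in findings}
    if kinds & ({"credential"} | set(TOKEN_PATTERNS)):
        return RESTRICTED
    if kinds & {"credential_hint", "email", "health_context"}:
        return CONFIDENTIAL
    return INTERNAL


def redact_text(text, findings):
    """Replace every secret or identifier with a placeholder; context words stay."""
    for kind, value in findings:
        if kind != "health_context":
            text = text.replace(value, f"[REDACTED:{kind}]")
    return text


def classify_record(record):
    """Fields from the schema, free text from inspection; the record takes the highest label."""
    labels = {}
    for key, value in record.items():
        if key in FIELD_LABELS:
            labels[key] = FIELD_LABELS[key]
        elif key in FREE_TEXT_FIELDS:
            labels[key] = label_for(inspect_text(value))
        else:
            labels[key] = INTERNAL  # unknown field: never default to public
    return max(labels.values(), key=RANK.__getitem__), labels


def etl_copy(record_with_labels):
    """Simulates a sync job that copies values and silently drops the label metadata."""
    return {k: v for k, v in record_with_labels.items() if not k.startswith("_")}


def minimise_for_agent(record):
    """Data minimisation for an AI consumer: free text is redacted before it is passed on."""
    out = dict(record)
    for key in FREE_TEXT_FIELDS.intersection(record):
        out[key] = redact_text(record[key], inspect_text(record[key]))
    return out


# Constructed sample: a case whose note contains a pasted (fake) token and a temp password.
FAKE_GITHUB_TOKEN = "ghp_" + "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"  # not a real token
SAMPLE_CASE = {
    "Case.Status": "Open",
    "Case.Subject": "Login failures since Monday",
    "Contact.Email": "dana@example.com",
    "Case.Description": (
        "Customer cannot log in.\n"
        f"Repro with their CI token: {FAKE_GITHUB_TOKEN}\n"
        "Temp admin password = Tr0ub4dor&3!xyz until fixed.\n"
        "Patient says the portal delays prescription refills."
    ),
}

if __name__ == "__main__":
    overall, per_field = classify_record(SAMPLE_CASE)
    print(overall, per_field)
    copied = etl_copy({**SAMPLE_CASE, "_label": overall})
    print("label survived copy:", "_label" in copied, "-> reclassified:", classify_record(copied)[0])
    print(minimise_for_agent(SAMPLE_CASE)["Case.Description"])
```

The point of the entropy check is that a bare `password =` regex would flag a note saying "password reset link sent" as loudly as a pasted admin password; combining the context clue with a measure of the value itself separates a credential from a sentence about credentials. The `etl_copy` step is deliberately lossy: it is the shape of most sync jobs, and the reclassification call afterwards is what the second edge case requires rather than trusting a label that no longer travels with the row.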
Structured fields and unstructured content should therefore be governed as different risk surfaces, even when they live in the same record. The right control depends on how the content is created, searched, exported, and reused, not just where it is stored.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-02 (Secret Leakage) | Secrets pasted into case notes, transcripts, and attachments sit outside any secrets manager. |
| OWASP Non-Human Identity Top 10 | NHI-03 (Vulnerable Third-Party NHI) | A compromised integration token, as in the Salesloft breach, reads structured fields and free text alike. |
| NIST CSF 2.0 | PR.DS-01 | Protection of data at rest must differ for structured fields and free text. |
| NIST CSF 2.0 | PR.AA-05 | Access permissions must limit who can view or export each content type (CSF 1.1 called this PR.AC-4). |
Inventory where secrets appear in Salesforce content and rotate or remove them on a fixed cadence.
Reviewed and updated by the NHIMG editorial team on June 7, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org