
Deploying Einstein Copilot Without Testing Its Guardrails

An AI assistant with full org access and no guardrails is a data breach waiting to happen.

What Happened

Rushed to deploy Einstein Copilot for a demo. Gave it access to all standard actions — create records, update records, run reports. Didn't test edge cases. During the live demo, a user asked Copilot to 'delete all the old test accounts.' Copilot interpreted 'old' as 'created more than a year ago' and began mass-deleting production Accounts. We killed it mid-execution but not before 150 Accounts were in the recycle bin. In the demo. In front of the CEO.

The Wrong Way

Einstein Copilot Setup:
  Actions Enabled: ALL standard actions
    ✓ Create Records
    ✓ Update Records
    ✓ Delete Records    ← why would you enable this?
    ✓ Run Reports
    ✓ Query Records

  Guardrails: None configured
  Testing: "We'll test in production during the demo"

  User: "Delete all the old test accounts"
  Copilot: "I'll delete 847 accounts created before 2024. Proceeding..."

The Right Way

// Einstein Copilot Setup - locked down

// 1. Custom Copilot Actions ONLY (no standard delete)
Copilot Actions:
  ✓ Query Records (read-only)
  ✓ Summarize Record
  ✓ Custom: "Create Task" (with required fields pre-set)
  ✓ Custom: "Update Opp Stage" (picklist values constrained)
  ✗ Delete Records (NEVER)
  ✗ Mass Update (NEVER without approval)

// 2. Copilot Instructions (system prompt guardrails):
"You are a sales assistant. You can look up records and create tasks.
You CANNOT delete records, mass update, or access financial data.
If asked to delete or modify more than 5 records, respond:
'That action requires admin approval. Please contact your Salesforce admin.'"

// 3. Test in sandbox with adversarial prompts
// 4. Monitor Copilot logs for unexpected actions
// 5. Roll out to pilot group before org-wide
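How the allow-list, picklist constraint and 5-record approval threshold above can be enforced in code rather than only in the system prompt, as an added example (a hypothetical gateway in Python, not the Einstein Copilot configuration itself; action names, stage values and record IDs are constructed):

```python
"""Policy gate between an LLM assistant and CRM actions.

Added illustration, not the Einstein Copilot API: the assistant proposes a
tool call (action name + parameters); the gate decides whether it may run.
Encodes the rules from the post: read-only and custom actions only, no delete,
no mass update, and any write touching more than 5 records needs admin approval.
"""
from dataclasses import asdict, dataclass
from typing import Optional

# Allow-list: action -> whether it writes data. Anything absent is denied.
ALLOWED_ACTIONS = {
    "query_records": False,
    "summarize_record": False,
    "create_task": True,
    "update_opp_stage": True,
}
# Picklist constraint for the custom "Update Opp Stage" action (constructed values).
ALLOWED_OPP_STAGES = {"Prospecting", "Qualification", "Proposal", "Closed Won", "Closed Lost"}
MAX_RECORDS_WITHOUT_APPROVAL = 5
APPROVAL_MSG = "That action requires admin approval. Please contact your Salesforce admin."

AUDIT_LOG: list = []  # every decision is recorded so monitoring can spot unexpected requests


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def gate(action: str, record_ids: list, params: Optional[dict] = None,
         admin_approved: bool = False) -> Decision:
    """Decide whether a proposed tool call may run; the model's stated intent is never trusted."""
    params = params or {}
    if action not in ALLOWED_ACTIONS:  # covers delete_records, mass_update and anything unknown
        decision = Decision(False, f"action '{action}' is not on the allow-list")
    elif action == "update_opp_stage" and params.get("stage") not in ALLOWED_OPP_STAGES:
        decision = Decision(False, f"stage {params.get('stage')!r} is not a permitted picklist value")
    elif ALLOWED_ACTIONS[action] and len(record_ids) > MAX_RECORDS_WITHOUT_APPROVAL and not admin_approved:
        decision = Decision(False, APPROVAL_MSG)  # writes above the threshold need a human
    else:
        decision = Decision(True, "ok")
    AUDIT_LOG.append({"action": action, "records": len(record_ids), **asdict(decision)})
    return decision


def denied_count() -> int:
    """Number of blocked calls so far; a spike here is what the log-monitoring step watches for."""
    return sum(1 for entry in AUDIT_LOG if not entry["allowed"])


if __name__ == "__main__":
    # Constructed tool calls of the kind a sandbox test run would feed through the gate.
    print(gate("delete_records", [f"001{n:03d}" for n in range(847)]))
    print(gate("update_opp_stage", ["006A", "006B"], {"stage": "Won!!"}))
    print(gate("create_task", ["003A"], {"subject": "Follow up"}))
```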

The Lesson

Treat AI assistants like a new employee — least privilege, guardrails, and supervised rollout. Never give Copilot delete access. Test with adversarial prompts before going live.

Don't make this mistake.

Hire someone who already did.
