Your chat app just got promoted. Nobody updated its background check.
This week, Slack connected Slackbot — the assistant built into every workspace — to the entire Salesforce platform. From a single chat message, Slackbot can now pull a customer's CRM history, generate a live Tableau chart, update pipeline records, and send a DocuSign envelope for signature. No tabs, no logins, no custom code. Salesforce's own IT team says the architecture saved its 1,500-plus engineers thousands of custom coding hours annually.
As a convenience story, it's excellent. As a security story, it's the quietest expansion of business-critical access most companies will experience this year. Every one of those new capabilities is a new authorization edge — a path from a conversational interface to a system of record — and almost nobody has threat-modeled their chat app as the front door to their CRM and their contract execution. The identity that used to be able to embarrass you in #general can now touch revenue data and legally binding documents.
I'm not going to tell you to turn it off. The productivity is real, and this direction is irreversible. I'm going to tell you how to audit it — because the blast radius of a compromised or over-scoped chat identity just changed categorically, and the audit is very doable once you see the shape of it.
Key Takeaways
- Slackbot now connects to Salesforce CRM data, Tableau analytics, Data 360 customer profiles, and DocuSign through dedicated MCP servers — every capability is a new authorization edge.
- The permission model is real but partial: Slackbot respects each user's existing Salesforce permissions, which means it faithfully inherits every over-scoped permission you already have.
- A compromised chat identity is no longer a messaging problem — it's potential CRM read/write access and contract-sending capability in one session.
- The four-step audit: map what the bot can touch, inventory connected-app scopes, define which actions require human approval, and log and review agent actions on a schedule.
- This isn't just Slack — OpenAI's ChatGPT Work connected agents to email and calendars the same week. Chat-to-everything is the new architecture; a gateway between chat and systems of record is the control point.
What Can Slackbot Actually Do Now?
The mechanics matter, so let's be precise. As VentureBeat reported, Salesforce has exposed its platform — CRM records, Tableau visualizations, Data 360 customer profiles, Agentforce agents — as a set of Model Context Protocol (MCP) servers. Slackbot acts as an MCP client: when you ask it about a customer, it discovers which tools are relevant, calls them, and synthesizes the results into a single chat response. Slack CMO Ryan Gavin calls the strategy “multiplayer AI” — agent actions happen in shared channels where colleagues can see, redirect, and build on them.
The scope is broader than Salesforce's own products. The MCP-native partner ecosystem includes Atlassian, Box, DocuSign, Canva, Lucid, Zoom, and more than 25 additional companies whose agents can be added to channels like teammates, on top of Slack's 2,600-plus existing app integrations. Salesforce's announcement is explicit about the ambition: sales reps closing deals without opening the opportunity record, service agents routing cases, anyone in the company querying unified customer profiles “with a simple question to Slackbot.”
And this is the consumer-visible edge of a deeper architectural shift. Salesforce's Headless 360 initiative, announced in April, repackages the entire platform as APIs, MCP tools, and CLI commands so that agents — not just humans — can execute business processes directly. Salesforce says custom AI agents on Slack have grown 300% since January. The browser tab is being deprecated as the interface to your business systems. The chat message is replacing it.

What Does the Permission Model Cover — and What Doesn't It?
Credit where due: Salesforce built this on the right foundation. Slackbot respects each user's existing Salesforce permissions — validation rules, field-level security, and org-wide data boundaries carry over automatically. A marketing coordinator can't suddenly see sales pipeline data they weren't authorized for. Salesforce Ben's coverage confirms the integration maps custom objects and permission structures automatically, with the MCP servers generally available for Enterprise Edition orgs and above.
Now the honest part — what “respects existing permissions” does not cover:
| Covered by the vendor model | Not covered — yours to govern |
|---|---|
| User-level Salesforce permissions carry into Slackbot | Whether those permissions were right to begin with — agents inherit your over-scoping at conversational speed |
| Field-level security and validation rules | A compromised Slack session wielding the user's full legitimate access |
| Org-wide data boundary configurations | Prompt-injection-style instructions arriving through channel content |
| Admin UI to discover, install, and govern MCP servers | Third-party partner agents in channels, each with its own scopes and data handling |
| Automatic authentication via existing Slack–Salesforce connection | Which actions should require a human click — approval policy is your call, not a default |
| — | Review cadence: who reads the log of what agents actually did |
The first row on the right side is the one that bites. Most mid-market Salesforce orgs have years of accumulated permission drift — profiles cloned from profiles, “temporary” access that calcified. Yesterday that drift was latent, because acting on it required a human to log in and click. Today an agent exercises the full permission set instantly and conversationally. This is the pattern we called out in the OAuth scope blind spot: connected-app authorization, not authentication, is where AI risk concentrates. Your MFA is fine. Your authorization layer is the gap.
Two open questions deserve a spot on your risk register. Pricing: Info-Tech Research Group analyst Scott Bickley cautioned that “Salesforce's MO seems to be to announce new capabilities that require SKUs. CIOs should be asking about pricing now.” And scale mechanics: one technical analysis cited by VentureBeat noted an MCP server exposing 300 tools can consume 5,000–10,000 context tokens per session before any useful work — meaning vendors will be filtering and segmenting which tools agents see, which is itself a governance surface you'll want visibility into.

What's the Four-Step Connected-App Scope Audit?
Here's the playbook we run. It fits in a spreadsheet and a standing 30-minute monthly meeting, and it works for Slack, Teams, or any chat platform growing agent capabilities.
Step 1 — Map what the bot can touch. List every system now reachable from chat: CRM objects, analytics, document signing, project tools, partner agents in channels. For each, record read vs. write vs. execute. The output is your actual audit surface — most teams are surprised by its size, which is precisely the problem.
Step 2 — Inventory connected-app scopes. For every connected app and MCP server, pull the granted scopes and map them to the users who hold them. Flag the intersection of broad Salesforce permissions × active Slack usage — those are your highest-blast-radius identities. This is the same discipline as our agent authorization audit playbook, applied to a chat surface.
Step 3 — Define which actions need a human. Reads of data the user could already see: let the agent run. Writes to systems of record: decide deliberately. Externally visible or legally binding actions — sending a DocuSign envelope, emailing a customer, changing a deal stage: require an explicit human approval, always. Write the tiers down; defaults are a vendor's opinion, not a policy.
Step 4 — Log and review. “Every action is visible in the channel” is genuinely useful — Salesforce is right that multiplayer visibility beats solo agent chats — but visibility is not review. Someone must own reading the agent activity log monthly: what did agents do, which actions were approved by whom, what looks anomalous. Fifteen minutes of log review per month is the cheapest security control in this whole stack.
If you want a control point rather than a policy document, this is exactly what a secure AI gateway is for: one governed chokepoint between conversational interfaces and systems of record, where scopes, approval rules, and logging live in a place you own — regardless of which vendor's agent is asking.

Is This Just a Slackbot Problem?
No — and that's the point. The same week Slackbot got CRM hands, OpenAI launched ChatGPT Work, a cloud agent that reaches into email, calendars, Slack, and GitHub to execute multi-step tasks autonomously. Microsoft shipped Copilot Cowork in June. Anthropic's Claude Tag works inside Slack channels as a persistent teammate. Every major vendor is converging on the same architecture: an agent, addressed conversationally, with authenticated reach into your systems of record.
The competitive dynamics guarantee the pace won't slow. Microsoft Teams claims more than 320 million monthly active users with Copilot embedded across the Office suite, Google keeps weaving Gemini deeper into Workspace, and VentureBeat notes The Information's report that some smaller companies are now bypassing platform vendors entirely — one Atlanta property-management firm of about 55 employees reportedly saved around $100,000 a year by replacing its CRM with a custom build on Claude Code. Whichever way that competition breaks, every contender wins by giving agents more reach into your systems, faster than the last release. Vendors compete on capability; nobody competes on your governance. That asymmetry is permanent, and it's why the control point has to live on your side of the boundary.
That means the audit above isn't a one-time Slack project. It's a standing capability your business needs — because the next authorization edge ships next quarter, from a different vendor, into a different tool your team already uses. The companies that treat “what can our agents touch, and who approved it?” as a monthly operational question will absorb this era's productivity gains safely. The ones that don't will find out about their audit surface from an incident report.
Who Owns This Audit in a Northeast Indiana Company Without a Security Team?
Most Fort Wayne and Northeast Indiana businesses running Slack or Teams don't have a CISO — and this audit can't wait for one. Here's the ownership model that works at 20–200 employees:
- The ops manager or office administrator owns the inventory (Steps 1–2). They already know which tools the business runs; the connected-app list is an extension of that knowledge, not a technical specialty.
- The owner or GM owns the approval policy (Step 3). Deciding that contracts never go out without a human click is a business judgment, not an IT setting — it belongs to whoever owns the risk.
- Your IT provider or MSP owns the log review (Step 4) — put it in the monthly service agreement explicitly, by name: “review AI agent and connected-app activity.” If your MSP doesn't know what that means yet, that's worth knowing now rather than later.
For a DeKalb or Allen County professional-services firm, the whole first pass is a half-day: an afternoon to build the inventory, an hour to set approval tiers, a recurring calendar invite for review. If you'd rather not run it alone — or you want the gateway architecture that makes Steps 3 and 4 automatic instead of procedural — talk to Cloud Radix. Securing agent access is literally what we build.

Frequently Asked Questions
Q1.What new capabilities did Slackbot just get?
Through dedicated Salesforce MCP servers, Slackbot can now query CRM records and deal history, surface live Tableau visualizations, access Data 360 unified customer profiles, update Salesforce records, and coordinate actions across partner apps including DocuSign, Atlassian, Box, Canva, Lucid, and Zoom — all from natural-language chat messages, with no custom integration code.
Q2.Does Slackbot bypass our Salesforce permissions?
No. Slackbot respects each user's existing Salesforce permissions, including field-level security, validation rules, and org-wide data boundaries. The risk isn't bypass — it's inheritance. The agent exercises whatever access each user already holds, so years of accumulated permission over-scoping become instantly actionable from a chat window.
Q3.What is the "audit surface" of an AI agent in a chat app?
It's the complete set of systems, data, and actions reachable through the agent: what it can read, what it can write, and what it can execute — multiplied across every user and every connected app. When a chat assistant gains CRM and contract capabilities, the chat platform's audit surface expands to include those downstream systems, whether or not anyone updated the security review.
Q4.How do we audit connected-app permissions in Slack?
Four steps: map every system reachable from chat and classify read/write/execute access; inventory the OAuth scopes and MCP servers granted per app and per user; define which action types require explicit human approval, in writing; and assign a named owner to review agent activity logs on a monthly cadence. A first pass takes about half a day for a mid-sized business.
Q5.Should we require human approval for agent actions like sending DocuSign envelopes?
Yes — externally visible and legally binding actions should always require an explicit human approval, regardless of vendor defaults. A useful three-tier policy: agent-autonomous for reads the user could already see, deliberate case-by-case decisions for writes to systems of record, and mandatory human sign-off for anything that leaves the company or binds it.
Q6.Is a secure AI gateway overkill for a smaller business?
Not once agents can act on systems of record. A gateway gives you one place — that you own, not the vendor — where agent scopes, approval rules, and activity logs are enforced across every AI tool your team adopts. It converts the audit from a recurring manual project into standing infrastructure, which is usually cheaper than the second incident.
Q7.Who should own a Slackbot and connected-app audit at a Fort Wayne business without security staff?
Split it three ways. The ops manager or office administrator owns the inventory of what agents can touch and which scopes are granted; the owner or GM sets the human-approval policy, because deciding what needs a human click is a business judgment; and your IT provider or MSP takes the monthly activity-log review, written into the service agreement by name. For most Northeast Indiana businesses at 20–200 employees, the first full pass takes about half a day.
Sources & Further Reading
- VentureBeat: venturebeat.com/orchestration/slacks-slackbot-can-now-pull-your-crm-data — Slack's Slackbot can now pull your CRM data, generate charts, and send DocuSigns — all from a chat message.
- Salesforce: salesforce.com/slack/new-mcp-servers-ai-data-in-slack — Salesforce MCP Servers: AI, Data & Analytics for Tableau & Data 360 in Slack.
- Salesforce Ben: salesforceben.com/never-log-into-salesforce-again — Never Log Into Salesforce Again? Slackbot ‘Now Does Anything CRM Can’.
- UC Today: uctoday.com/unified-communications/salesforce-deepens-slackbot-integration — Salesforce Deepens Slackbot Integration to Position Slack as the Enterprise AI Orchestration Layer.
- Salesforce: salesforce.com/news/stories/salesforce-headless-360-announcement — Introducing Salesforce Headless 360. No Browser Required.
- VentureBeat: venturebeat.com/technology/openai-introduces-chatgpt-work — OpenAI introduces ChatGPT Work, a cloud-based AI agent that manages tasks across email, Slack and calendars.
Know What Your Agents Can Touch
We'll run the connected-app scope audit with you — or build the secure AI gateway that makes approval rules and activity logging standing infrastructure instead of a recurring project.
Schedule a Free ConsultationNo contracts. No pressure. Just an honest conversation about what would help your business.




