Govern Salesforce Headless 360 With Agent Fabric

Salesforce recently announced Headless 360, exposing over 60 MCP and CLI tools that let external agents directly access Salesforce data, trigger flows, and query business intelligence. Today, we’re excited to announce that these Salesforce-hosted MCP servers are now immediately available in MuleSoft Agent Registry, part of Agent Fabric.

  • SObject All: Full CRUD operations (create, read, update, delete) plus query and search across all Salesforce objects. Enables agents to manage complete data lifecycle operations while respecting field-level security and sharing rules.
  • SObject Reads: Read and query only, with no mutation capabilities. Provides safe access to CRM data for reporting and analytics without risk of accidental modifications.
  • Data 360: Query unified customer data across your entire organization. Gives agents a 360-degree view of customers by consolidating data from multiple platforms into actionable intelligence.
  • Tableau Next: Discover semantic models, query KPIs, and execute analytics. Enables agents to surface business intelligence and drive data-informed decisions.

All four servers enforce per-user authentication and respect Salesforce’s comprehensive security model – including field-level security, object permissions, and sharing rules for every operation.

Governance is key at scale

When agents can access Salesforce from any platform (Amazon Bedrock, Microsoft Copilot, or your own infrastructure), data that once lived within a single trust boundary now transits multiple systems. That same agent calling Salesforce might also query Snowflake, hit your mainframe, or fetch data from Zendesk, all in a single workflow.

Salesforce’s security model works perfectly inside Salesforce with profiles, permission sets, field-level security, and sharing rules. But what happens when that data crosses the trust boundary? Once a customer record leaves Salesforce and enters a Bedrock runtime or Copilot instance, who governs what happens next?

Build policy once and apply it anywhere

With MuleSoft’s Agent Fabric, including Omni Gateway, AI Gateway, and Trusted Agent Identity, you can enforce governance policies across all your agents, regardless of which platform hosts them. For example:

  • Cost attribution and spend control: Token budgeting, rate limiting, and per-agent cost tracking across all MCP calls
  • PII protection: Detect and redact sensitive data before it leaves the Salesforce trust boundary
  • Identity propagation: Preserve end-user identity across the full agent workflow for proper audit trails
  • Access control: Define who can call which MCP tools using attribute-based policies
  • Unified observability: Trace agent executions across Salesforce, Bedrock, Snowflake, and other platforms in a single view

This isn’t about recreating Salesforce’s governance model – it’s about extending governance across the multi-vendor agent estate where no single platform has visibility into the complete workflow.

How Headless 360 with Agent Fabric works

Consider an agent that scores customer health by combining data from multiple sources:

Agent request: A customer success team member asks the agent: “Is Acme Corp at risk?”

MCP Call 1 (Salesforce): Agent calls Salesforce SObject Reads through Omni Gateway.

  • Trusted Agent Identity (TAI) propagates the CS rep’s identity
  • Omni Gateway applies ABAC policy: “CS team can call SObject Reads”
  • Salesforce returns account record, engagement history
  • PII Detector scans response, flags email address for redaction

MCP Call 2 (Salesforce Data 360): Agent calls Data 360 for behavioral signals.

  • Same TAI and ABAC checks
  • Data 360 returns support ticket sentiment, product usage heatmap
  • PII Detector blocks customer phone numbers from returning

MCP Call 3 (Snowflake): Agent queries Snowflake MCP wrapper for cohort benchmarks.

  • AI Gateway applies rate limit check; request approved
  • Snowflake returns industry comparative KPIs

Synthesis: Agent synthesizes signals into risk score and recommended actions.

  • Prompt Decorator has already injected guardrails: “Only flag accounts >$500K ACV as critical”
  • Response validation checks output format

Audit Trail: Agent Visualizer and Content Logging produce a unified trace:

  • Which user initiated the request
  • Which MCPs were called in sequence
  • What data was accessed
  • What data was blocked or redacted
  • Total API calls and token consumption for chargeback

This flow would be impossible without an external governance layer.
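
The flow above reduced to its inline gateway logic, as an added example that is not MuleSoft or Salesforce code. The policy table, tool names, user attributes and sample records are all hypothetical, and the two regexes only stand in for a real PII detector.

```python
import re

# Hypothetical ABAC policy: caller attributes required per MCP tool (names are assumptions).
POLICY = {
    "sobject_reads": {"team": {"customer_success", "sales"}},
    "data_360": {"team": {"customer_success"}},
    "sobject_all": {"team": {"crm_admin"}},
}
# Deliberately simple detectors; a production PII detector needs far broader coverage.
DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
}

def redact(value, hits):
    """Walk a tool response and mask PII in every string, recording what was found."""
    if isinstance(value, dict):
        return {k: redact(v, hits) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v, hits) for v in value]
    if isinstance(value, str):
        for label, rx in DETECTORS.items():
            value, count = rx.subn(f"[REDACTED:{label}]", value)
            if count:
                hits.append(label)
    return value

def governed_call(user, tool, backend, trace):
    """One inline gateway hop: ABAC check, identity propagation, redaction, audit entry."""
    entry = {"user": user["id"], "tool": tool, "decision": "deny", "redacted": []}
    trace.append(entry)  # denied calls are audited too
    rule = POLICY.get(tool)
    if rule is None or any(user.get(a) not in ok for a, ok in rule.items()):
        return None  # default deny: unknown tool or attribute mismatch
    entry["decision"] = "allow"
    response = backend(tool, on_behalf_of=user["id"])  # end-user identity, not the agent's
    return redact(response, entry["redacted"])

BACKEND_CALLS = []  # what the stand-in backend actually received
def sample_backend(tool, on_behalf_of):
    """Stand-in for the MCP servers; all records below are constructed sample data."""
    BACKEND_CALLS.append((tool, on_behalf_of))
    if tool == "sobject_reads":
        return {"account": "Acme Corp", "acv": 750000, "contacts": ["jdoe@acme.example"]}
    return {"sentiment": "negative", "notes": "Call back on +1 415 555 0100"}

def run_demo():
    rep, trace = {"id": "cs-rep-17", "team": "customer_success"}, []
    order = ("sobject_reads", "data_360", "sobject_all")
    return [governed_call(rep, t, sample_backend, trace) for t in order], trace
```

The denied `sobject_all` call never reaches the backend but still appears in the trace, which is the property that makes the audit trail usable for review.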

Figure: Customer health agent scoring architecture

Headless 360 is as real as it gets

Headless 360 is real. The question isn’t whether to govern – it’s where to place governance so it works across all platforms and doesn’t require rebuilding for each new agent or MCP server. MuleSoft Omni Gateway, sitting inline on MCP traffic, is the architectural answer to that question.

It’s the same pattern customers have relied on for API governance for 15 years. The protocol is different. The principle is identical. You can let every consumer hit every backend directly, or you can insert a governance layer between them. The choice is yours.
