In the context of Agentforce AI, grounding and data security are paramount. Salesforce AI agents, including Employee Agents, respect the existing security model of the Salesforce organization1. This means that the most effective way to prevent an agent from accessing or disclosing sensitive information, such as a CEO's private health plan, is to leverage Field-Level Security (FLS) and user permissions2. When an agent "grounds" its response, it only considers data that the running user (or the agent's service user) has the permission to view3. If the CEO's health records are stored in fields or records that are restricted via FLS or Sharing Settings from the profiles or permission sets used by the agent's context, the agent will simply not "see" that data during its retrieval phase4. While modifying instructions and guardrails (Option C) provides an additional layer of safety, it is not as foolproof as the underlying security architecture5. Training the agent (Option D) is not a standard configuration step for preventing specific record access in a production environment6. Therefore, maintaining a robust security model is the critical prerequisite for ensuring that AI agents provide accurate and safe responses without leaking confidential business information.