Agentforce
June 13, 2026
Two Bets on the Same Frontier: Agentforce Coworker and the Governance Divide in Managed AI Agents
Salesforce Agentforce Coworker and the general-purpose agents from Anthropic and OpenAI are solving the same knowledge worker problem through fundamentally different architectures. The difference encodes a governance bet — and a CIO has to choose.
Two vendors are racing to put an agent at the seat of every knowledge worker. They are solving the same problem — "talk to your work" — but through fundamentally different designs, each choice encoding a bet about which risks matter most.
Anthropic and OpenAI are tackling the enterprise from the endpoint. Their unit of deployment is one computer, one user, one session at a time. It is an agent scoped to whatever the human in front of the keyboard can already do. Salesforce starts from the opposite premise: a multi-tenant cloud platform where identity, permissions, and data governance are the substrate, not a wrapper.
The frontier is betting on broad capability: give the model a human-style session and let it navigate anything a human can. Salesforce's new Agentforce Coworker bets on narrow, governed capability: operate the agentic layer as a managed-user in the platform, giving more freedom and capability than a single agent ver could, but not opening up the entire computer and the platform for general use together.
What ultimately matters isn't just which model is smarter; it’s where each model breaks, and which one a CIO can defend when asked about data exposure.
Two Answers to the Same Question
Knowledge workers spend a measurable amount of their day tab-switching between CRMs, Slack, Google Drive, and Jira. Both approaches pitch a conversational surface that collapses that loop, but they do it by moving the data-access boundary to different places.
The Anthropic and OpenAI route gives the model an operating environment to drive. The model sees what a human sees and acts with human range: opening files, submitting forms, clicking buttons. The advantage is coverage. If it's on the screen, the agent can touch it. But this means the agent inherits a session's permissions—including things the human can reach but an automated process probably shouldn't.
The Salesforce route keeps the model on the data plane the platform already governs. The model doesn't click around, it taps existing processes as the user directly and hands off to downstream managed agents for actual work. It separates the retrieval concern from the action concern. Most importantly, it inherits a user's policy, evaluated at the server layer before a single row of data ever reaches the model's context window.
The Governance Posture, Condensed
Agentforce Coworker treats governance as a prerequisite. Rather than relying on prompt-level instructions to keep the AI in bounds, it relies on a coherent, platform-level threat model built on three pillars:
1. Default-Deny Security and Source-Level Access Unlike computer-use agents that can read whatever is in an active browser session, Coworker redacts URLs and external data by default until an admin explicitly allowlists them. Furthermore, it automatically applies the existing access policies of connected sources (like Google Drive or SharePoint). If a user doesn't have permission to view a Slack thread in Slack, the model won't pull it into Salesforce.
2. Server-Side Identity and Role-Based Governance Identity stitching happens at the platform layer, mapping a user across different tools at setup. Governance is evaluated in SQL at the data-model layer, not through non-deterministic LLM instructions. Crucially, enterprise admins control Coworker access using the exact same Permission Set Groups they already use for Salesforce—meaning no new RBAC system or audit trails for the security team to learn.
3. Hard Rate Limits and Blast Control To prevent runaway automated processes from scale-testing downstream systems, the platform enforces hard per-user limits (such as capping the Search Agent at 100 requests per minute). It limits the blast radius structurally rather than hoping the model behaves.
The Core Comparison
When you strip away the marketing, the choice between an computer-use agent and a platform agent boils down to two rows on an enterprise architect's scorecard:
- Data-Access Model: Computer-use agents inherit a human's session credentials across all available surfaces at once. Coworker inherits a user's policy given explicitly configured access controls.
- Audit Surface: Computer-use agents leave behind model logs and session traces. Coworker leaves a structured event-log trail directly integrated with an enterprise's existing SIEM stack.
Where Each Model Breaks
Both approaches have real ceilings.
Platform Agent (Coworker) Ceilings: It relies heavily on its library of 270+ connectors. If your critical data lives in a legacy internal system with no connector, the agent is blind. Furthermore, because Coworker routes tasks rather than acting on them, its usefulness is bottlenecked by whether the right downstream agent has been built. Finally, hard rate limits will bound damage, but they may also throttle high-concurrency enterprise rollouts.
Computer-Use Agent Ceilings: The model sees only what the user sees, with no explicit filtering before the prompt. This creates a massive blast radius: a compromised agent session can act as the user across every authenticated surface. Furthermore, computer-use agents don't distinguish between a human's valid access to systems that are not intended to communicate or work with each other. If it is accessible to the human on the computer, it is accessible by default.
The Boundary That's Emerging
The realistic enterprise outcome isn't a winner-take-all choice. It's a division of labor.
Computer-use agents will own the long tail: personal SaaS tools, internal apps without APIs, and individual-productivity scenarios where the risk is bounded. Managed platform agents will own the regulated surface: CRM, customer support, and anything touching governed records where auditability is worth the ergonomic cost.
The next 12 months of tooling investment will focus on the connective tissue: how does an organization define which agent gets which task at the boundary between these two surfaces?
What to Watch
Three indicators will determine how this market shakes out:
- Does the retrieval/action separation catch on? If Coworker's choice to separate routing from doing proves durable, expect competitors to copy it. If it proves too rigid, expect the frontier-lab model to absorb more work.
- Will the major labs ship enterprise governance? The frontier players have already started to introduce this idea. Notably, Anthropic's managed agents define clear boundaries for what the agent can access, denying everything else by default. These are only available through the more expensive per-token billing option and must run on Anthropic-managed infrastructure, limiting how enterprises with strict compliance requirements can use them.
- Are connectors a moat or a commodity? If cloud-native identity tools and universal API connectors commoditize the data-access problem, Salesforce’s structural advantage gets much thinner.
Agentforce Coworker is not trying to out-perform frontier computer-use agents. It is trying to be the answer a CIO gives the board when asked: "What did the model access and why was it allowed to do that?"
The Salesforce bet is that enterprises will pay for governance they can audit. The frontier bet is that governance primitives will eventually catch up to capability and be trusted to do their part. The unresolved question isn't which approach wins, but which constraint proves more expensive to close.
Agentforce Coworker is a new product with limited public documentation. Salesforce products are evolving faster than ever and you should always explore the most up-to-date information before making any purchases. Similarly, frontier models and computer-use agents are evolving at a rapid pace. An informed decision is one made with the latest information available.