How to Onboard an AI Agency Without Risking Your CRM (7-Day Sandbox Guide 2026)
Give AI agencies sandbox access first, not admin access. The 2026 Klue breach hit Huntress, LastPass, and OneTrust via one unmonitored OAuth token. Run 7 days: anonymized shadow pipeline, read-only scopes, audit logs, shadow-mode testing, then capped write access with a kill switch.
Don't Give Your AI Agency Admin Access on Day 1
The Klue Breach Is a Warning for Anyone Hiring an AI Agency
On June 11, 2026, attackers compromised Klue's Salesforce integration. They stole OAuth tokens. Then they used those tokens to bulk-exfiltrate CRM data from dozens of companies.
Huntress. Recorded Future. LastPass. OneTrust. All confirmed victims. All cybersecurity companies, ironically.
The attack started with a single dormant credential. One abandoned integration prototype that nobody revoked. Obsidian Security's analysis found the tokens were "over-permissioned, long-lived, poorly monitored." That's the exact same access pattern most companies hand to their AI agency on day one.
Verizon's 2026 DBIR puts the number at 39%. That's how many breaches involve credential abuse across the full attack chain. Zluri's research says 97% of non-human identities carry excessive privileges. Only 5.7% of teams have full visibility into their service accounts.
Now think about what happens when you hire an AI agency to build agents in your CRM. You give them an API key. Full read/write. No expiration. No monitoring. That's the Klue pattern. You're one compromised laptop away from the same headline.
The fix isn't avoiding AI agencies. It's making them prove they can work inside a sandbox first.
Step 1: Create a Shadow Pipeline (Days 1–2)
A shadow pipeline is a read-only copy of your production data that your AI agency builds against. They never touch your live CRM. They work on the copy.
What to do:
- Export 50–100 anonymized contact records from HubSpot or Salesforce into a sandbox instance. Both platforms offer free developer sandboxes.
- In Salesforce, spin up a Developer Edition org. In HubSpot, create a test account under your developer portal.
- Strip out real email addresses, phone numbers, and deal values. Replace them with fake data that has the same field structure.
- Give the agency access to the sandbox only. Not your production instance.
What this costs: $0. Salesforce Developer Edition is free. HubSpot's developer test accounts are free. The 2–3 hours of data prep is the only cost.
Expected outcome: Your agency builds V1 of every automation against fake data. If their agent sends 500 emails to the wrong segment, it hits nobody. If it deletes records, nothing real is lost.
Step 2: Set Least-Privilege Scopes on Every Token (Day 2)
Every CRM and email platform lets you control exactly what an API token can do. Most agencies ask for full access because it's easier. Don't give it to them.
Here's what "least privilege" looks like for common platforms:
Salesforce:
- Use a Connected App with OAuth scopes limited to `api` and `chatter_api` only
- Block `full` and `refresh_token` scopes until Day 7
- Assign a Permission Set that grants read-only access to Contacts, Leads, and Opportunities
- No access to Setup, User records, or bulk data export
HubSpot:
- Create a Private App (not a full OAuth app) scoped to `crm.objects.contacts.read` and `crm.objects.deals.read`
- Don't grant `crm.objects.contacts.write` until the agent passes sandbox testing
- Avoid the `crm.schemas.contacts.read` scope unless they need custom properties
Google Workspace:
- Use a Service Account with domain-wide delegation limited to `https://www.googleapis.com/auth/gmail.readonly` and `https://www.googleapis.com/auth/gmail.send`
- Never grant `https://www.googleapis.com/auth/gmail.modify` — that's delete access
- Restrict delegation to a single user mailbox, not the entire domain
Microsoft 365:
- Register the app in Microsoft Entra with `Mail.Read` and `Mail.Send` only
- Use application permissions with admin consent, not delegated permissions
- Microsoft just shipped Entra Agent ID (GA as of June 2026). It gives each agent its own identity, sign-in history, and kill switch. Use it.
Expected outcome: If the agency's token gets compromised, the attacker can read 100 sandbox contacts. Not export your entire pipeline.
Step 3: Turn On Audit Logs Before Anything Connects (Day 3)
If you can't see what the agent did, you can't prove it's safe. Set up logging before a single API call fires.
What to log:
| Field | Example | |-------|---------| | Timestamp | 2026-07-15T14:32:07Z | | Agent/Token ID | agency-bdr-agent-01 | | Action | GET /contacts | | Scope Used | crm.objects.contacts.read | | Records Accessed | 47 | | Source IP | 203.0.113.42 | | Response Code | 200 |
Where to find these logs:
- Salesforce: Setup → Event Monitoring (requires Shield add-on, $25/user/month, but free in Developer Edition)
- HubSpot: Settings → Account Activity → API Calls. Export as CSV.
- Google Workspace: Admin Console → Reports → Token Audit Log
- Microsoft 365: Microsoft Entra sign-in logs, filtered by the agent's identity
Retention: Keep logs for 90 days minimum. If you're working toward SOC 2, you'll need 12 months. Store them somewhere the agency can't modify — a separate cloud bucket they don't have credentials to.
Expected outcome: On Day 7, you can pull a report showing every API call the agency made, what data they touched, and from what IP. That's your evidence artifact.
Step 4: Run the Agent in Shadow Mode (Days 4–5)
Shadow mode means the agent runs against real data but takes no action. It reads your pipeline, makes decisions, drafts emails — and writes everything to a log instead of executing.
How to set this up:
- The agent queries your real CRM (with read-only scopes from Step 2)
- It generates outputs: emails to send, leads to qualify, meetings to book
- Those outputs go to a review queue — a Google Sheet, a Slack channel, or an n8n webhook — not directly to your email or CRM
- You and the agency review the outputs together
What you're looking for:
- Does the agent target the right contacts?
- Are the emails it drafts accurate and on-brand?
- Does it hallucinate company details? (That's a prompt engineering problem, not an AI problem. Fix the retrieval layer.)
- How many API calls does it make per hour? If it's hitting your rate limits in shadow mode, that's a red flag.
Expected outcome: You get 2 days of output data proving the agent works before it touches a single real contact.
Step 5: Promote to Limited Write Access With a Kill Switch (Days 6–7)
Now you've seen the shadow output. The logs look clean. The scopes are tight. Time to give limited write access.
What "limited" means:
- Upgrade HubSpot scope to `crm.objects.contacts.write` for the sandbox first, then a single production list of 50 contacts
- In Salesforce, expand the Permission Set to allow record updates on a single Record Type
- In Google Workspace, add `gmail.send` scoped to a single alias (like outreach@yourcompany.com), not your CEO's inbox
- Set a daily action cap: 50 emails, 20 CRM updates. If the agent exceeds the cap, it stops.
The kill switch:
- Microsoft Entra Agent ID lets you revoke a single agent identity without touching others. Use it.
- In Salesforce, deactivate the Connected App. Takes 10 seconds.
- In HubSpot, rotate the Private App token. Instant revocation.
Before handoff, generate these artifacts for your security team:
1. Complete API call log from Days 3–7 2. List of all scopes granted (and what was denied) 3. Shadow mode output samples with accuracy review 4. The agent's token expiration date (should be 30 days max, then re-authorize)
Expected outcome: By Day 7, you have a working agent with documented, auditable, limited access. Not a prayer that your vendor is being careful.
Why This Matters More Than You Think
The Klue breach didn't happen because Klue was incompetent. It happened because a dormant credential with broad OAuth access sat unmonitored. That's the default state of most AI agency engagements right now.
The FTC fined Cox Media Group $930,000 in May 2026 for mishandling data in their marketing stack. That was for a service that didn't even work as advertised. Imagine the number when the breach involves real customer data from your CRM.
Most AI agencies — and I include the entire AI BDR vendor category here — ask for too much access because they don't know how to work with less. They're engineers who never thought about data governance. Strategy before engineering means asking "what's the minimum access this agent needs to prove value?" before writing a single line of code.
At StoryPros, we build AI agents that book 30+ meetings a week. We don't need admin access to your CRM to do it. Any agency that insists on full permissions before showing you a working demo in a sandbox is telling you something about how they build.
FAQ
What is sandbox infrastructure for AI agents?
A sandbox for AI agents is an isolated environment — usually a free developer instance of your CRM or email platform — where the agent runs against fake or anonymized data. Salesforce Developer Edition and HubSpot developer test accounts both work. The agent builds and tests without touching production data, so mistakes cost nothing.
How should AI agents authenticate to third-party APIs?
AI agents should authenticate using scoped OAuth tokens or Private App keys with the minimum permissions needed for the current phase. StoryPros recommends starting with read-only scopes and promoting to write access only after shadow-mode testing. Microsoft Entra Agent ID, released in June 2026, gives each agent its own identity and audit trail, which is the cleanest approach for Microsoft 365 environments.
How do you enforce least privilege for AI agents?
Enforce least privilege by creating platform-specific tokens scoped to exact API endpoints. In Salesforce, use Permission Sets limiting object access. In HubSpot, use Private Apps with granular scope selection. In Google Workspace, use service accounts with domain-wide delegation restricted to a single user and specific API scopes. Review and rotate tokens every 30 days.
What audit logs should I collect for AI agent activity?
Collect timestamp, agent/token ID, API action, scope used, records accessed, source IP, and response code for every API call. Salesforce Event Monitoring, HubSpot API call logs, Google Workspace Token Audit logs, and Microsoft Entra sign-in logs all provide this data. Retain logs for 90 days minimum, or 12 months for SOC 2 compliance.
What security controls are required when onboarding an AI agency?
At minimum: a shadow pipeline with anonymized data, read-only API tokens scoped to specific objects, audit logging enabled before any API connection, shadow-mode testing for 2+ days, daily action caps on write operations, and a documented kill switch for instant token revocation. The 7-day sandbox onboarding described in this article covers all six controls.
Related Reading
How long does it take to safely onboard an AI agency before giving them CRM access?
A 7-day sandbox onboarding covers the minimum required controls. Days 1-2 build a shadow pipeline with anonymized data, Day 3 enables audit logging, Days 4-5 run shadow-mode testing, and Days 6-7 promote to limited write access with a daily cap of 50 emails and 20 CRM updates.
What does it cost to set up a sandbox for an AI agency before giving them production access?
The sandbox itself costs $0. Salesforce Developer Edition and HubSpot developer test accounts are both free. The only cost is 2-3 hours of data prep to anonymize 50-100 contact records before handing them to the agency.
What API scopes should an AI agency get on day one in HubSpot or Salesforce?
Start with read-only scopes only. In HubSpot, grant crm.objects.contacts.read and crm.objects.deals.read via a Private App. In Salesforce, limit the Connected App to api scope with a Permission Set blocking bulk export, Setup, and User records. Deny write access until shadow-mode testing passes.