Compliance monitoring · Production

How Notion Built Security into Custom Agents with a Build-from-Nothing Permission Model

The problem

AI agents in collaborative multi-user environments need fundamentally different permission models than single-user agents — overly broad access is dangerous, yet agents with no access are useless, requiring a careful balance.

First attempt

Early alpha versions of Custom Agents were too permissive, leading users to grant broad write access to Slack; agents then posted unintentionally to company-wide channels such as #general.

Workflow diagram · grounded in source
1
Build-from-nothing permission start
validation
“Custom Agents use a build-from-nothing security model where agents start without access to most resources, meaning no permissions to read, write, or interact with anything.”
2
User grants resource permissions
trigger
“Page-level granularity for permissions: Users can grant view or edit access to specific pages, not just broad workspace access”
3
Runtime prompt injection check
validation
“we have layered controls to block the impact of prompt injection while paying special attention to tagging and monitoring external data to identify potential attacks. In the event that something looks suspicious or the agent performs act…”
4
Risky action human confirmation
human_review
“When the agent does something risky during runtime, we force it to confirm that action with an owner of the custom agent.”
5
Owner remediation
output
“If an agent does mess up, like if it posts something incorrect to Slack, the agent owner can delete that message.”
Reported outcome

Notion shipped a layered security architecture for Custom Agents combining build-from-nothing defaults, granular resource-level permissions, runtime prompt-injection mitigations, and a warning/remediation system, validated in an alpha program that produced more than 3,000 internal agents and more than 25,000 customer-created agents.

Reported metrics
internal Custom Agents created during alphamore than 3,000
alpha customer Custom Agents createdmore than 25,000
Reported stack
MCPSlack
Source
https://www.notion.com/blog/how-we-built-security-into-custom-agents
Read source ↗

Frequently asked questions

What did this team achieve with this AI workflow?

Notion shipped a layered security architecture for Custom Agents combining build-from-nothing defaults, granular resource-level permissions, runtime prompt-injection mitigations, and a warning/remediation system, vali…

What tools did this team use?

MCP, Slack.

What results were reported?

internal Custom Agents created during alpha: more than 3,000; alpha customer Custom Agents created: more than 25,000 (source-reported, not independently verified).

What failed first in this deployment?

Early alpha versions of Custom Agents were too permissive, leading users to grant broad write access to Slack; agents then posted unintentionally to company-wide channels such as #general.

How is this compliance monitoring AI workflow structured?

Build-from-nothing permission start → User grants resource permissions → Runtime prompt injection check → Risky action human confirmation → Owner remediation.