How Notion Built Security into Custom Agents with a Build-from-Nothing Permission Model
AI agents in collaborative multi-user environments need fundamentally different permission models than single-user agents — overly broad access is dangerous, yet agents with no access are useless, requiring a careful balance.
Early alpha versions of Custom Agents were too permissive, leading users to grant broad write access to Slack; agents then posted unintentionally to company-wide channels such as #general.
Notion shipped a layered security architecture for Custom Agents combining build-from-nothing defaults, granular resource-level permissions, runtime prompt-injection mitigations, and a warning/remediation system, validated in an alpha program that produced more than 3,000 internal agents and more than 25,000 customer-created agents.
Frequently asked questions
What did this team achieve with this AI workflow?
Notion shipped a layered security architecture for Custom Agents combining build-from-nothing defaults, granular resource-level permissions, runtime prompt-injection mitigations, and a warning/remediation system, vali…
What tools did this team use?
MCP, Slack.
What results were reported?
internal Custom Agents created during alpha: more than 3,000; alpha customer Custom Agents created: more than 25,000 (source-reported, not independently verified).
What failed first in this deployment?
Early alpha versions of Custom Agents were too permissive, leading users to grant broad write access to Slack; agents then posted unintentionally to company-wide channels such as #general.
How is this compliance monitoring AI workflow structured?
Build-from-nothing permission start → User grants resource permissions → Runtime prompt injection check → Risky action human confirmation → Owner remediation.