compliance_monitoring · saas · workflow
How Notion Built Security into Custom Agents with a Build-from-Nothing Permission Model
AI agents in collaborative multi-user environments need fundamentally different permission models than single-user agents — overly broad access is dangerous, yet agents with no access are useless, requiring a careful balance.
How it works
Common implementation structure
How this type of workflow is generally built, generalized across documented cases — not tied to any one vendor's stack.
Stage 1 · Build-from-nothing permission start
Custom Agents start without access to most resources, meaning no permissions to read, write, or interact with anything.
Tools used
MCP
Outcome
Notion shipped a layered security architecture for Custom Agents combining build-from-nothing defaults, granular resource-level permissions, runtime prompt-injection mitigations, and a warning/remediation system, validated in an alpha program that produced more than 3,000 internal agents and more than 25,000 customer-created agents.
What failed first
Early alpha versions of Custom Agents were too permissive, leading users to grant broad write access to Slack; agents then posted unintentionally to company-wide channels such as #general.
Results
Volume: more than 3,000
Grounding & classification
Source type: technical build writeup
17 fields verified against source quotes.
Tags: agentic workflow, ai agent, knowledge base, builder submitted, failure mode described, human review described, metric backed, production runtime claimed, tools described, workflow described, software, throughput increase, technical build writeup, compliance monitoring, agentic task execution