compliance_monitoring · saas · workflow

How Notion Built Security into Custom Agents with a Build-from-Nothing Permission Model

AI agents in collaborative multi-user environments need fundamentally different permission models than single-user agents: overly broad access is dangerous, yet agents with no access are useless, so the permission model has to balance the two.

How it works
Common implementation structure
How this type of workflow is generally built, generalized across documented cases — not tied to any one vendor's stack. Specific products that implement these stages appear in “Tools commonly seen” below.
Stage 1 · Build-from-nothing permission start
Custom Agents start without access to most resources, meaning no permissions to read, write, or interact with anything.
Tools used
MCP
Outcome

Notion shipped a layered security architecture for Custom Agents combining build-from-nothing defaults, granular resource-level permissions, runtime prompt-injection mitigations, and a warning/remediation system, validated in an alpha program that produced more than 3,000 internal agents and more than 25,000 customer-created agents.

What failed first

Early alpha versions of Custom Agents were too permissive, leading users to grant broad write access to Slack; agents then posted unintentionally to company-wide channels such as #general.

Results
Volume: more than 3,000
Source

https://www.notion.com/blog/how-we-built-security-into-custom-agents


Grounding & classification
Source type: technical build writeup
17 fields verified against source quotes.
Tags: agentic workflow, ai agent, knowledge base, builder submitted, failure mode described, human review described, metric backed, production runtime claimed, tools described, workflow described, software, throughput increase, technical build writeup, compliance monitoring, agentic task execution