Agent Fabric Expansion May 2026 | Salesforce Dictionary

Salesforce promoted three core Agent Fabric components to general availability this week and opened the public beta of Agent Broker, the orchestration brain that ties every Agentforce, Bedrock, Vertex, and Copilot agent in your estate to a single control plane. The story behind the press release is bigger than the feature list. With this drop, Salesforce is publicly conceding that fully autonomous multi-agent orchestration is not enterprise-ready yet, and is repositioning around a model it now calls Guided Determinism.

For architects and security leads, the implications land this month, not next quarter. AI Gateway, MCP Bridge, and Trusted Agent Identity are GA today. Agent Broker beta is open. The full Agent Broker GA, including the visual authoring canvas and Salesforce-model support, is scheduled for June 2026, which means the next sandbox you spin up will likely ship with the control plane already lit.

Here is what changed, why it matters, and the work it puts on your plate.

What actually shipped this week

The expansion announcement bundles four moves into one release. They are easier to reason about separately.

AI Gateway is GA. This is the centralized policy and observability layer for every large language model call leaving your Salesforce estate, whether the model is Atlas, Claude, GPT-5, Gemini, or a private Bedrock deployment. It standardizes token accounting, applies per-team quotas, redacts PII before egress, and writes a single audit log that auditors can query. The new LLM Governance capability inside AI Gateway gives finance teams a real number for what each model is costing per business unit, which is the metric every CIO has been asking for since Agentforce 360 went live.

MCP Bridge is GA. The bridge turns the Model Context Protocol from a developer-tools convention into a governed enterprise pattern. Agentforce agents can call any MCP server with trusted authentication, scoped permissions, and Trust Layer enforcement on the way out and on the way back. Per InfoWorld's writeup, automated discovery in Agent Scanners now covers MCP servers, Amazon Bedrock, Microsoft Foundry, and GoDaddy, with OAuth coverage arriving in June.

Trusted Agent Identity is GA, with mobile authorization for high-risk actions. Every agent invocation now carries a verifiable identity, and any action flagged as high-risk (a refund above a threshold, a contract change, a production data export) can require a step-up confirmation on the requesting user's phone before it runs. This is the piece that finally lets regulated industries sign off on agentic workflows in production, because the audit story now has a human-in-the-loop primitive that does not depend on a rep paying attention to a Slack notification.

Agent Broker beta opens, with Agent Script. Agent Broker is the orchestration engine for cross-vendor agent workflows. Agent Script, an open-source language Salesforce now maintains on GitHub, lets you declare fixed handoff rules between agents, state, execution flow, string templates, and deterministic hooks for every transition. Between the hooks, LLMs do what LLMs do well: reason, summarize, ask clarifying questions. The hooks themselves run as code.

Guided Determinism: the actual thesis

The vocabulary is new. The architecture is not.

Salesforce's engineering blog on Agent Graph frames Guided Determinism as a hybrid orchestration model. You define the seams where money moves, data leaves the perimeter, or a regulated action fires. At those seams, the system runs deterministic code. In between the seams, the system runs an LLM. The result is a workflow that is predictable where it has to be and flexible where flexibility is cheap.

This matters because the alternative was eating Salesforce's lunch. Fully autonomous multi-agent setups looked great in demos and broke in production. A refund agent and a fraud agent disagreeing about whether to release funds is a slack-channel incident, not an enterprise feature. Guided Determinism says: write the handoff in a script file, let the agents reason inside their lanes, and never let two LLMs negotiate a refund without a deterministic checkpoint.

For Salesforce architects, the practical change is that Agent Script becomes a real artifact in the repo. It will sit next to your Flow XML and your Apex classes. It will need code review. It will need tests. The Salesforce Diary playbook on Agent Fabric frames the discipline as treating agents the way you treated managed packages five years ago: discover them, register them, version them, and never deploy one to prod without a security review.

Why this lands now

The timing is not accidental. Three things converged this month.

First, the Summer '26 release shipped Multi-Agent Orchestration to production, and customers immediately started asking the obvious question: what happens when a Summer '26 Agentforce workflow calls an MCP server hosted on a model the Trust Layer cannot inspect. AI Gateway and MCP Bridge are the answer.

Second, every CIO procurement deck in Q1 included a line item for "AI governance tooling." The Futurum Group's analysis of the announcement points out that Salesforce is trying to occupy the same control-plane real estate that Databricks Unity AI Gateway and standalone MCP gateway vendors have been carving out. Shipping AI Gateway as part of the platform, rather than as a paid add-on, is the move that closes that door.

Third, Q1 FY27 earnings hit on May 27. With CRM down roughly 30% year to date, the company needs to show that the agentic story has a moat. A governed multi-vendor control plane is a much harder thing for a competitor to replicate than a single-vendor agent platform. The expansion is calibrated to be on the earnings slide.

What admins should do this month

Most of the work this week is inventory, not configuration.

1. Run an Agent Scanner sweep across every connected platform. If you have any Amazon Bedrock or Microsoft Foundry deployments outside Salesforce's view, register them now. The Agent Scanner discovery flow is the easiest it will be, because the GA window is when defaults are most permissive.
2. Identify your high-risk agent actions. Anything that moves money, modifies customer records in regulated objects, or triggers an external API write should be flagged for mobile authorization through Trusted Agent Identity. Build the list before you turn on the policy.
3. Pick one cross-vendor workflow to migrate to Agent Broker beta. A common pattern is a sales agent that needs to call a Bedrock model for a specialized lookup. That is a perfect first Agent Script.
4. Audit your Connected App and External Client App inventory. With the May 11 deadline now past, the integrations that survived the cutover are the ones MCP Bridge will inherit. Make sure scopes are still minimum-necessary.
5. Add Agent Script to your version control standards. If you have a CI pipeline that runs scratch org create for every PR, Agent Script files need to be part of the deploy bundle. Add a lint step.

The harder question: enforcement vs. visibility

The Sirocco Group analysis raises the test that the Salesforce announcement does not fully answer. AI Gateway can see every call. MCP Bridge can authenticate every call. Agent Broker can orchestrate every handoff. The open question is enforcement.

If an agent running on a third-party LLM decides, in the middle of a reasoning chain, to call an unregistered MCP server, does AI Gateway block the call or just log it? If a Bedrock agent calls an Agentforce action with an expired Trusted Agent Identity token, does MCP Bridge refuse the call or surface a warning?

The GA documentation suggests both behaviors are configurable. The default posture is logging-first with optional hard enforcement, which is the right call for an ecosystem this young but the wrong call for a regulated industry. Security teams should pick their enforcement defaults early, in writing, and revisit them at the end of each fiscal quarter.

This is also where the Trust Layer narrative gets stress-tested. The Trust Layer is a Salesforce-internal construct. The moment an agent reasons across a Salesforce model and a non-Salesforce model in the same workflow, the Trust Layer's guarantees apply only to the Salesforce-side hop. AI Gateway extends the policy story across vendors, but the Trust Layer itself does not follow the call into Bedrock. Architects should plan accordingly.

What to watch between now and Dreamforce

Three milestones between now and September will determine whether this expansion lands.

Agent Broker GA in June 2026. The visual authoring canvas is the piece that decides whether Agent Script stays a developer artifact or becomes an admin tool. If the canvas reads and writes the same Agent Script files developers commit, you will have a real low-code-to-pro-code path. If it generates a parallel representation, you will have a sync problem.

OAuth support in Agent Scanners. Slated for June. Without OAuth, registering agents that live behind enterprise SSO requires a workaround. With it, the discovery story becomes a one-day project instead of a quarter-long one.

MuleSoft Omni Gateway positioning. Salesforce has been quietly aligning the MuleSoft and Agent Fabric stories. Expect the Omni Gateway and AI Gateway to converge into a single product narrative by Dreamforce. If you are renewing a MuleSoft contract in Q2, ask the rep where AI Gateway sits in the SKU tree.

Bottom line

The Summer '26 release was the feature announcement. The Agent Fabric expansion is the architecture announcement. Together they say that Salesforce is no longer selling Agentforce as a single-vendor agent platform. They are selling Salesforce as the control plane for a multi-vendor agentic enterprise, with Guided Determinism as the operating model and Agent Script as the artifact.

If you have agents in production today and you have not started inventorying them, that is the next task on your list. The window where this work is cheap is open right now. By the time Agent Broker hits GA in June, every team in your org will have its own agent, and retrofitting governance is always more expensive than deploying it.

About the Author

Dipojjal Chakrabarti is a B2C Solution Architect with 29 Salesforce certifications and over 13 years in the Salesforce ecosystem. He runs salesforcedictionary.com to help admins, developers, architects, and cert/interview candidates sharpen their fundamentals. More about Dipojjal.