Skip to content

Blocking “Export Reports” Isn’t Enough Anymore: What AI Connectors Mean for Data Export Controls

For years, pulling the “Export Reports” permission was the go-to move for admins trying to lock down data leakage. Take it away from a profile or permission set (or better yet, never give it in the first place), and that user can no longer hit the Export button on a report and walk away with a CSV. Problem solved — or so we thought.

I was having a Pilsner (OK maybe two…) with good friends Evan Ponter and Rich Nevin at Czech Dreamin’ and we were discussing all the capabilities of AI combined with Salesforce when one concerning revelation came up.AI tools connecting to Salesforce through MCP (Model Context Protocol) servers (Claude as an example) have quietly reopened that door. Not through a bug, and not through a permission escalation. Through something much simpler: the AI is reading data the user was always allowed to read, and nothing in the platform stops it from handing that data back as a file.

What “Export Reports” Actually Controls

It’s worth being precise here, because the permission is narrower than most admins assume. Export Reports (technically ExportReport in the API) only governs one thing: the Export button inside the Reports & Dashboards UI. It does not touch:

  • Object or field-level access (CRUD/FLS)
  • Record-level access (OWD, role hierarchy, sharing rules)
  • The API Enabled permission
  • Bulk API, REST API, SOQL, or Tooling API access
  • Data Loader or any other integration pathway

In other words, Export Reports was never a data access control. It was a control on one specific UI affordance. Any user with standard read access to a queryable object could always get that same data out through Workbench, Data Loader, a custom Apex REST endpoint, or a dozen other paths — provided API Enabled was on.

Where the MCP Server Fits In

A Salesforce MCP server (whether it’s the native Salesforce-hosted MCP endpoint or a custom-built one) authenticates as a specific Salesforce user, typically through an External Client App using OAuth. Once connected, an AI agent like Claude can issue SOQL queries, call getObjectSchema, pull related records, and so on — all as that user.

This is actually the reassuring part: the connection is not a backdoor. Every query the AI runs is subject to the exact same enforcement as if the user had opened Workbench and typed the query themselves:

  • Object-level security — if the user can’t read the object, the AI can’t either.
  • Field-level security — fields hidden by FLS simply don’t come back in the result set.
  • Record-level access — OWD, sharing rules, role hierarchy, and manual shares all apply. A rep with a private OWD on Opportunities only gets their own records back, AI or no AI.

So from a pure data-governance standpoint, the MCP connection is doing exactly what it should. The AI isn’t bypassing FLS, isn’t running as an elevated service account, and isn’t reaching data the user shouldn’t see.

So Where’s the Gap?

The gap is downstream of the query, not in the query itself. Once Claude (or any MCP-connected AI) has retrieved a result set the user was fully entitled to see, there is nothing in the Salesforce permission model that governs what happens to that data after it leaves the API. If the user asks the AI to “put this into a downloadable CSV,” the AI is just formatting text — the same way it would format a table, a summary, or an email draft. That’s not an export in the Salesforce sense at all; it’s a transcription.

This means a user who has had Export Reports explicitly revoked — specifically to stop them from bulk-extracting report data — can still ask an AI connected via MCP to:

  1. Run the equivalent query behind that report,
  2. Return the records the user already has access to, and
  3. Format the output as a CSV, spreadsheet, or formatted table.

The permission that was supposed to stop the export was never actually in the request path. It only ever guarded the Export button.

This Isn’t Unique to AI — But AI Makes It Effortless

To be fair to the technology: this gap has existed since the day API Enabled and Data Loader existed. A user with API access and object read permissions could always script this. What’s changed is the effort curve. Previously, working around a revoked export permission required knowing how to use Workbench, write SOQL, or configure Data Loader — a real, if modest, technical barrier. Now it just requires typing a sentence into a chat window. The control gap was always there; AI connectors just removed the last bit of friction protecting it.

What Actually Controls This

If your goal is genuinely to prevent a user from bulk-extracting data — not just clicking Export on a report — the permission to look at is API Enabled, not Export Reports. Revoking API Enabled blocks REST, SOQL, Bulk API, Data Loader, and any MCP-based tool, because all of them authenticate through the API layer.

A few practical takeaways for admins evaluating AI connectors:

  • Treat MCP-connected AI tools like any other integration user. Review the permissions the External Client App authenticates as, not just what the human user can click in the UI.
  • API Enabled is your actual export control, not Export Reports. If a user shouldn’t be bulk-extracting data through any channel, this is the permission that matters.
  • Field- and record-level security still do their job. Don’t over-rotate into thinking AI connectors are a hole in your sharing model — they’re not. FLS, OWD, and sharing rules are enforced exactly as designed.
  • Monitor, don’t just restrict. Event Monitoring (or Shield) can surface unusual query volume or API activity tied to a connected app, which is a more realistic control than trying to block every downstream formatting behavior.
  • Scope the External Client App narrowly. If you’re standing up a Salesforce MCP server for a subset of users, give it its own connected app with deliberate OAuth scopes rather than reusing a broad existing integration user.
  • Revisit least-privilege at the object/field level. Since the AI can only ever surface what the underlying user is entitled to, the permission model itself — not the export button — is your real line of defense.

The Bigger Picture

None of this is a knock on Claude, MCP, or AI connectors generally — the access model is behaving exactly as designed, respecting the same FLS and sharing rules any well-built integration should. The lesson is really about permission hygiene: Export Reports was always a thin, UI-specific control, and treating it as a data-loss-prevention mechanism was a mistake that predates AI. AI connectors didn’t create the gap; they just made it obvious enough that it’s finally worth fixing.

If your org has been leaning on Export Reports as a security control, now’s a good time to audit API Enabled across your profiles and permission sets — especially for any user or connected app now sitting behind an AI integration. Decide whether the risk is worth the reward for your business when considering using the AI connectors. Identify those in the business who need to understand these capabilities (Compliance, Legal etc) and make sure whoever is giving the approval to connect these tools to your Salesforce org do so in writing. These exports are not data breaches, you are explicitly providing approval for them to happen, make sure your business, partners and customers are all on the same page with this.

Aaron Crear's avatar

Aaron Crear View All

Aaron is a Salesforce MVP and Founder of Hat-Trick Consulting. He works with companies around the world to help them achieve their Salesforce goals through administration, development and architectural services. A former sales director, Mr. Crear has extensive functional and technical expertise translating business requirements to technical solutions. Aaron currently holds 10 Salesforce certifications including Salesforce Certified Data Architect, Sharing & Visibility Architect, Sales Cloud Consultant, Service Cloud Consultant, Community Cloud Consultant, Platform App Builder, User Experience Designer, Advanced Administrator, Administrator and AI Associate.

He is also the leader of the Lowell, MA Admins Community Group and is a co-organizer of Northeast Dreamin’. Mr. Crear is a frequent speaker, having presented at Dreamforce, Albania Dreamin', Big Sky Dreamin’, Cairo Dreamin', Czech Dreamin’, dreamOle’, Dubai Dreamin', Florida Dreamin', French Touch Dreamin’, London's Calling, Midwest Dreamin’, North Africa Dreamin', Phillyforce, Polish Dreamin', Portugal Dreamin', Snowforce, Southeast Dreamin’, True North Dreamin, YearLeadin’and Salesforce World Tours.

Leave a comment