Generative AI has a reliability problem. It is powerful, but unpredictable. Ask the same question twice and you may get two very different answers. In a consumer setting, that unpredictability might be tolerable. In an enterprise setting, where compliance, security, and customer trust are at stake, it becomes a liability.
The stakes are real. United Airlines’ chatbot is reported to have redirected a customer to a human agent after being tricked by a fake transcript claiming Global Services status. In another case, lawyers relying on ChatGPT presented entirely fabricated case precedents in court. A third example, from a major airline, saw a chatbot promise bereavement fare refunds against company policy, leaving the airline with no choice but to honour the error. Each case reveals the same gap: AI systems without constraints can quickly move from novelty to operational risk.
That risk is why Agentforce, Salesforce’s GenAI framework, includes tools for adding determinism back into the system. At Aquiva Labs, we’ve delivered more than ten Agentforce projects in the past year. What we’ve learned is simple: the difference between vulnerability and value lies in control. Variables and filters are two of the most important mechanisms to achieve that control.
The Case for Structure
Variables in Agentforce act as structured memory. They capture context, such as a customer ID verified through multi-factor authentication, and make it available across actions. Instead of hardcoding rules, teams can pass validated data between steps in a process. For example, retrieving a customer record and then creating a booking can be tied together by a verified ID variable. Filters provide the second layer of control. They are conditional gates applied to agent actions, dictating whether a step can run. In practice, this means we can build solutions whereby, for example, an airline’s chatbot will only apply a birthday discount if a filter confirms the date falls within the permitted window. Without the filter, the agent may hallucinate discount eligibility. With it, the agent behaves perfectly predictably and in line with business rules.
The combination of variables and filters gives enterprises the guardrails they need. They mitigate some of the risks of prompt injection, hallucinations, and compliance breaches, problems already flagged as top risks for AI in 2025 by security bodies like OWASP.
More on Variables
Variables in Agentforce function as secure data containers. They provide the memory that agents need to maintain context across a session and enforce deterministic outcomes. Without them, responses risk becoming inconsistent or ungoverned. With them, developers can control when and how actions execute, reducing the chance of policy breaches or security lapses.
There are two main types of variables.
Context variables are generated automatically when an agent connects to customer messaging channels, whilst several system fields are pre-populated, others can be populated by developers through Pre-Chat forms. They map directly to fields on the Messaging Session object and are prefixed with $Context. These are read-only by default and include details such as the user’s language or associated contact record. For example, developers can instruct an agent to “Always respond in {!$Context.EndUserLanguage},” ensuring language consistency from the start of a conversation.
Custom variables are scoped to the agent itself and exist only during a live interaction. They can be system-provided or defined by developers, with supported data types of text, boolean, or number. A common pattern is mapping an action’s output to a custom (aka conversational) variable (such as a verified customer ID), which can then be used as an input to subsequent actions or checked against a filter before execution. This design creates a secure flow of information between steps.
You can also send Agent Variables with the Agent API to control how an agent processes and retains contextual data during a session. Many variables are read-only and can only be defined in the start session request, while editable ones can be updated later through a send message call. When referencing variables derived from Salesforce custom fields, the __c suffix is omitted (for example, Conversation_Key__c becomes $Context.Conversation_Key). Variables are configured either in Agentforce Builder (with the “Allow value to be set by API” option enabled) or through the Metadata API using ConversationVariable within BotVersion or BotTemplate, and ConversationContextVariable within Bot or BotTemplate. Each variable definition includes attributes like dataType (Text, Number, Boolean, Object, Date, DateTime, Currency, Id), visibility (internal or external), includeInPrompt, and developerName, which must start with a letter and avoid spaces or trailing underscores. For example, a custom Boolean variable such as birthdayWithin30Days can be sent through the API and then evaluated by a filter before an action executes, ensuring that business logic remains data-driven and compliant across sessions.
Combining context variables for session-level metadata and custom conversation variables for business logic allows developers to tie actions tightly to conditions. For instance, an airline might map a “birthday within 30 days” boolean to a custom variable and apply a filter so discounts are applied only when that variable is true. This is where Agentforce gets closer to determinism in GenAI: actions run only when the data supports them, not when the model improvises.
More on Filters
Filters in Agentforce provide the logic layer that determines whether an action or topic is allowed to execute. They rely on variables to enforce conditions, giving developers fine-grained control over agent behaviour. A filter might be as simple as requiring a Boolean flag to be true before proceeding, or as complex as checking multiple values together. This conditional gating is what makes agent behaviour predictable and compliant with business rules rather than dependent on model improvisation.
Take the birthday discount scenario we used in the Aquiva Airlines demo. Here, a custom variable called BirthdayWithin30Days is created as a Boolean, populated by an Apex action that checks the customer’s date of birth. A filter named Birthday_Eligible is then defined to evaluate whether this variable equals true. Finally, that filter is attached to the Apply Discount action. Because of this, the agent will only apply a discount if the verified customer’s birthday falls within 30 days. Without the filter, the agent might hallucinate eligibility and grant discounts against policy; with it, the logic is enforced consistently every time.
The value of filters extends beyond promotions or bookings – think about account updates, reservations, or data retrieval. By conditioning those actions on verified inputs (such as a validated customer ID, email confirmation, or date check), filters prevent agents from executing workflows when the prerequisites are not met. In practice, this shifts control back to the business: actions fire only when the right conditions hold true, ensuring reliability across use cases and protecting against both accidental and adversarial misuse.
Why This Matters
Agentforce adoption is accelerating across industries. Financial services firms use it to manage customer queries under strict compliance rules. Travel companies are deploying it for loyalty and booking workflows. Healthcare providers are exploring its use for patient engagement. Across each vertical, the same tension emerges: AI introduces speed and scale, but without constraints, it creates risk.
Aquiva Labs has seen this first-hand. As one of the largest Salesforce PDOs and a Summit SI, we’ve helped to build over 100 AppExchange products and supported enterprises from Asana to IHG Hotels. In Agentforce, our focus is on building not just functionality, but trust. Guardrails like variables and filters ensure agents act consistently, preserve compliance, and protect customer experience at scale.
AI needs governance. And in Agentforce, governance begins with simple yet powerful tools: variables that retain memory and filters that enforce rules.
In our work, these mechanisms have proven to be the difference between a speculative demo and a production-grade system. They don’t eliminate the risks of AI, but they make them manageable. And in the world of enterprise technology, “manageable” is what earns trust, scales adoption, and drives real value.
Ready to reduce opportunity costs?
Most organizations have hidden capacity tied up in legacy work. AI can unlock it—but only if you reframe efficiency as reinvestment.
