The Security Posture of Notion Agents: What You’re Actually Granting Access To

The 60-second version

Agents are powerful access tokens. Treating them casually is a security mistake. The correct posture: scope agent access tightly, audit access logs monthly, treat connected user accounts as security-sensitive rather than as a convenience, and build approval gates around destructive operations. Most “AI agent caused a problem” stories trace back to over-broad access, not malicious intent.

What an agent can access

Within Notion:
– Every page the connected user can see
– Every database the connected user can edit
– Cross-workspace content if the user has multi-workspace access

Through integrations (when connected):
– Slack channels the user can see (including DMs in some configurations)
– Email content if Mail integration is on
– Calendar events including private ones
– Google Drive content the user has access to

Through Workers:
– Outbound HTTP to any pre-approved domain
– Can write to external systems via API calls

Three security postures

1. Permissive (avoid): Connect admin or executive accounts. Agents inherit broad access. High risk.
2. Functional (default for most): Connect a dedicated integration account with role-based access scoped to the agent’s purpose.
3. Restrictive (compliance-sensitive use cases): Per-task scoped accounts. Approval gates on every external action. Daily audit log review.
For most operators, functional is right. For finance, legal, healthcare, or regulated industries, lean restrictive.

Five practices that reduce risk

1. Use dedicated integration accounts. Don’t connect the founder’s account. Create an “agent-ops” user with scoped access.
2. Audit access logs monthly. Notion shows what the agent has read. Look at it. Anomalies show up fast if you check.
3. Approval gates on destructive operations. Workers that delete, send, or charge should require human confirmation.
4. Curate approved domains. Each new approved domain is new attack surface. Add deliberately.
5. Review skill scope before deployment. A skill with access to “all databases” is too broad.
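
Practices 3 and 4 can be enforced at a single choke point in front of every outbound call an agent makes. The Python below is an added example, not Notion's API or code from this article; the domain names, the action labels, the HTTPS-only rule, and the `approve` callback are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlsplit

# Assumed policy values (constructed for this example); replace with your own.
APPROVED_DOMAINS = {"api.billing.example", "hooks.chat.example"}
DESTRUCTIVE_ACTIONS = {"delete", "send", "charge"}  # the verbs named in practice 3


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def host_is_approved(url: str) -> bool:
    """Exact-match the parsed hostname; never use substring or suffix checks."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # malformed URL: fail closed
    if parts.scheme != "https" or parts.hostname is None:
        return False  # assumption: plain HTTP is never approved
    return parts.hostname.lower().rstrip(".") in APPROVED_DOMAINS


def gate(action: str, url: str, approve: Callable[[str, str], bool]) -> Decision:
    """Decide whether an agent-initiated outbound call may proceed.

    `approve` is a hypothetical callback that asks a human reviewer and
    returns True only on explicit confirmation.
    """
    if not host_is_approved(url):
        return Decision(False, "domain not on approved list")
    if action.lower() in DESTRUCTIVE_ACTIONS:
        try:
            confirmed = approve(action, url) is True
        except Exception:
            confirmed = False  # approval channel broken: fail closed
        if not confirmed:
            return Decision(False, "human approval missing")
        return Decision(True, "approved by human")
    return Decision(True, "non-destructive action to approved domain")
```

Matching on the parsed hostname is what rejects look-alike URLs such as `https://api.billing.example.evil.test/` and `https://api.billing.example@evil.test/`, which a substring check would let through.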

Where this goes wrong

1. The “connect everything” pattern. Agents with access to every database, every integration, every approved domain. Convenient to set up; high blast radius.
2. Treating agent audit logs as theoretical. They exist for a reason. If you never look, you won’t catch the problem until it’s downstream.
3. Letting agents act on opposing-party data. Agents that write to customer-facing systems autonomously need a much higher level of review.

What to read next

Workers + External APIs, MCP, AI-Native Company Patterns, Notion AI for Legal Ops.
