Governance Is What Separates Good Orgs From Struggling Ones
Being a Salesforce admin in 2026 means managing more complexity than ever. More integrations, more users, more automation, more regulatory requirements, and higher expectations from stakeholders who want real-time, trustworthy data. The admins who thrive in this environment are the ones who treat governance as a daily practice, not an annual project.
This checklist is drawn from our team's experience assessing and remediating Salesforce orgs across industries. Every item on this list is something we've seen neglected — and something we've seen cause real damage when it was.
Security and Access Management
Enforce MFA for all users, no exceptions
Multi-factor authentication is no longer optional. Salesforce has been enforcing MFA requirements, but many orgs still have legacy exemptions or workarounds in place. Audit your MFA coverage quarterly and close any gaps. This is your single most effective control against unauthorized access.
Conduct quarterly permission reviews
Permissions drift. People change roles. Projects end. Contractors leave. If you're not reviewing permission set assignments, profile configurations, and sharing rules every quarter, you're accumulating access risk. Pay special attention to system-level permissions like Modify All Data, View All Data, and Manage Users.
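One way to make the quarterly review concrete is to diff this quarter's permission set assignments against last quarter's and look only at the system-level permissions named above. This is an added example, not code from the original post; every row is constructed, and the flattened export layout and the finding labels are assumptions.

```python
# Added example: compare two quarterly exports of permission set assignments.
# All rows are constructed. Assumed layout: one row per user per permission
# set, listing which of the system-level permissions that set grants.
HIGH_RISK = ("ModifyAllData", "ViewAllData", "ManageUsers")

def row(username, active, perm_set, *granted):
    return {"username": username, "active": active,
            "perm_set": perm_set, "granted": set(granted)}

LAST_QUARTER = [
    row("admin@example.com", True, "Platform Admin",
        "ModifyAllData", "ViewAllData", "ManageUsers"),
    row("analyst@example.com", True, "Reporting", "ViewAllData"),
    row("contractor@example.com", True, "Migration Project", "ModifyAllData"),
]
THIS_QUARTER = [
    row("admin@example.com", True, "Platform Admin",
        "ModifyAllData", "ViewAllData", "ManageUsers"),
    row("analyst@example.com", True, "Reporting", "ViewAllData"),
    row("analyst@example.com", True, "Temp Data Fix", "ModifyAllData"),
    row("contractor@example.com", False, "Migration Project", "ModifyAllData"),
    row("sales@example.com", True, "Sales User"),
]

def effective(rows):
    """Map username -> {high-risk permission: [permission sets granting it]}."""
    out = {}
    for r in rows:
        for perm in r["granted"] & set(HIGH_RISK):
            out.setdefault(r["username"], {}).setdefault(perm, []).append(r["perm_set"])
    return out

def review(previous, current):
    """Return (kind, username, permission, granting sets) for each finding."""
    before, now = effective(previous), effective(current)
    active = {r["username"]: r["active"] for r in current}
    findings = []
    for user in sorted(now):
        for perm in HIGH_RISK:
            sources = sorted(now[user].get(perm, []))
            if not sources:
                continue
            if not active[user]:
                # Assignment still attached to a deactivated account.
                findings.append(("inactive_user_holds", user, perm, sources))
            elif perm not in before.get(user, {}):
                # Granted since the previous review: needs a documented request.
                findings.append(("new_since_last_review", user, perm, sources))
    return findings
```

Reporting the granting permission set alongside each finding tells the reviewer what to unassign, not just who holds the permission.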
Implement least-privilege access as a default
New users should start with the minimum access required for their role, with additional permissions granted through documented requests. If your default approach is to clone an existing user's profile, you're propagating whatever access drift that user accumulated over their tenure.
Review login history and session settings monthly
Check for anomalous login patterns — logins from unexpected geographies, logins outside business hours, or users who haven't logged in for 90+ days but still have active licenses. Deactivate unused accounts promptly. Every active license with no legitimate user is an attack surface.
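The monthly checks described above can be run over exported user and login history data. This is an added example, not code from the original post; the sample rows are constructed, and the review date, business-hours window and expected-country list are assumptions to replace with your own.

```python
# Added example: monthly login review over constructed export data.
from datetime import datetime, timedelta, timezone

REVIEW_DATE = datetime(2026, 3, 1, tzinfo=timezone.utc)  # constructed
STALE_AFTER = timedelta(days=90)          # the 90+ day threshold from the checklist
EXPECTED_COUNTRIES = {"US", "CA"}         # assumption: where your users work
BUSINESS_HOURS_UTC = range(13, 23)        # assumption: 13:00-22:59 UTC, Mon-Fri

def ts(text):
    """Parse an ISO timestamp from the export and treat it as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

USERS = [  # constructed: username, active flag, last login (None = never)
    ("ana@example.com", True, ts("2026-02-27T15:02:00")),
    ("bo@example.com", True, ts("2025-10-14T17:40:00")),
    ("cy@example.com", False, ts("2025-06-01T14:00:00")),
    ("di@example.com", True, None),
]
LOGINS = [  # constructed: username, login time, country code
    ("ana@example.com", ts("2026-02-27T15:02:00"), "US"),
    ("ana@example.com", ts("2026-02-26T03:17:00"), "US"),
    ("ana@example.com", ts("2026-02-25T16:30:00"), "RO"),
]

def stale_active_users(users, now=REVIEW_DATE):
    """Active users with no login in the last 90 days, or no login at all."""
    return [name for name, active, last in users
            if active and (last is None or now - last > STALE_AFTER)]

def anomalous_logins(logins):
    """Logins outside business hours or from a country not on the expected list."""
    findings = []
    for name, when, country in logins:
        reasons = []
        if country not in EXPECTED_COUNTRIES:
            reasons.append("unexpected_country")
        if when.hour not in BUSINESS_HOURS_UTC or when.weekday() >= 5:
            reasons.append("outside_business_hours")
        if reasons:
            findings.append((name, when.isoformat(), reasons))
    return findings

if __name__ == "__main__":
    print("Deactivate or confirm:", stale_active_users(USERS))
    for finding in anomalous_logins(LOGINS):
        print("Review:", finding)
```

Users who are active but have never logged in are included in the stale list, since a simple date comparison would otherwise skip them.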
Automation Standards
Consolidate all automation to Flow
Workflow Rules and Process Builder are in maintenance mode. If you still have active Workflow Rules or Process Builders, create a migration plan and execute it. Having automation split across three frameworks makes your org unpredictable and difficult to troubleshoot. Flow is the standard — commit to it fully.
Document every automation
Every Flow, every Apex trigger, every scheduled action should have a corresponding entry in your documentation that explains: what it does, why it exists, which objects it operates on, who requested it, and when it was last reviewed. Undocumented automation is a liability. When the admin who built it leaves, the knowledge leaves with them.
Implement error handling in every Flow
Flows that fail without graceful error handling create a terrible user experience and make debugging painful. Every Flow should include fault paths that capture the error, notify an admin, and present a user-friendly message. This is non-negotiable for production automations.
Test automation in sandbox before every deployment
This seems obvious, but we still encounter orgs where admins modify production Flows directly. Every change should be built and tested in a sandbox, validated with realistic data volumes, and deployed through a change set or CI/CD pipeline. No exceptions.
Data Quality Controls
Run duplicate detection on Accounts, Contacts, and Leads monthly
Duplicates accumulate faster than most admins realize. A monthly duplicate scan — with automated merging for high-confidence matches and human review for lower-confidence ones — keeps the problem manageable. Waiting for an annual cleanup means the problem is already entrenched.
Enforce data completeness with validation rules
Critical fields should be required at the right point in the process. An Opportunity shouldn't reach Closed Won without a populated Close Date, Amount, and primary Contact Role. A new Account shouldn't be created without at minimum a Website or Phone number. Define your data completeness standards and enforce them in configuration, not in policy documents that nobody reads.
Standardize picklist values and retire legacy options
Picklist sprawl is a data quality killer. Review your picklists annually. Retire values that are no longer used. Merge values that mean the same thing. Ensure that picklist values are consistent across objects — if "Financial Services" is an Industry value on Account, it should be spelled the same way everywhere it appears.
Implement data enrichment and decay monitoring
Data goes stale. Contacts change jobs. Companies move offices. Phone numbers get disconnected. Establish a process for monitoring data decay on your most critical records and refreshing it on a regular cadence. Even a simple quarterly report showing records with bounced emails or disconnected phones is better than nothing.
Change Management
Maintain a sandbox strategy
At minimum, you need a Developer sandbox for building, a Partial Copy sandbox for testing with realistic data, and a Full Copy sandbox for UAT and training. Refresh sandboxes on a documented schedule — stale sandboxes produce unreliable test results.
Use change sets or a deployment pipeline for every change
Manual changes in production are the leading cause of org instability. Even small changes should go through your deployment process. This creates an audit trail, enables rollback, and ensures that changes are tested before they reach users.
Log every change with business context
Salesforce Setup Audit Trail tells you what changed and who changed it, but not why. Maintain a change log — a simple shared document or a custom object in Salesforce — where every deployment is recorded with the business reason, the requester, and the expected impact. When something breaks six months later, this log is invaluable.
Establish a release cadence
Don't deploy reactively. Establish a regular release schedule — biweekly or monthly — where changes are batched, tested together, and deployed in a controlled window. Emergency changes should be rare and documented as exceptions. A predictable release cadence reduces risk and makes planning possible.
Monitoring and Maintenance
Review the Salesforce Optimizer report quarterly
Salesforce provides a free Optimizer report in Setup that flags common issues — unused features, limits approaching thresholds, deprecated configurations. It's not comprehensive, but it's a solid starting point that takes five minutes to run. Make it part of your quarterly governance routine.
Monitor API usage and governor limits
Track your org's API call consumption, storage usage, and any governor limits that integrations or batch processes are approaching. Hitting a limit in production is always an emergency. Monitoring trends lets you address capacity issues before they become outages.
Archive old data proactively
Records that are no longer operationally relevant — closed Opportunities from five years ago, resolved Cases from former customers, Activities from deactivated users — should be archived according to your retention policy. This improves query performance, reduces storage costs, and makes your active dataset more manageable.
Conduct an annual org health assessment
Even if you follow every practice on this list, an annual third-party assessment provides an objective baseline and catches issues that internal familiarity can obscure. It's the governance equivalent of an annual financial audit — not because you expect to find fraud, but because independent review is a best practice.
User Enablement
Streamline page layouts by role
Users should see the fields and related lists relevant to their job, not every field on the object. Review page layouts at least twice a year and remove fields that aren't being used. Dynamic Forms (on Lightning Record Pages) gives you even more control over field visibility based on context.
Maintain a Salesforce knowledge base for your org
Document your org's specific conventions, processes, and configurations in a place your users can access. This isn't Salesforce's generic help documentation — it's your org's playbook. How do we create an Opportunity? What do the stages mean? Who do I contact when something isn't working?
Solicit user feedback regularly
Your users are the best source of information about what's working and what isn't. A quarterly survey, a dedicated Chatter group, or regular office hours give users a channel to report friction. Many of the most impactful improvements we've implemented for clients started with a user complaint that nobody had a mechanism to surface.
Make Governance a Habit
No single item on this checklist is difficult. What's difficult is doing all of them consistently, quarter after quarter, while also handling the daily demands of admin work — user requests, bug fixes, new feature builds, and vendor management.
That's where having a governance partner makes a difference. Our practice works alongside internal admin teams to handle the systematic, recurring governance work that's essential but often deprioritized. If you'd like our team to assess your org, reach out at contact@orgdoc.dev.