Salesforce's native Models API isn't the only way to put an LLM behind your org — sometimes contracts, regions or a fine-tuned model of your own demand an external path. This track maps the options and builds each one hands-on: the decision, BYO LLM through Einstein Studio, production-grade raw callouts, do-it-yourself grounding and the security layer that makes it defensible.
The series
Part 1 decides which path you're on; Parts 2 and 3 build the two external paths; Parts 4 and 5 are the grounding and hardening work every external path needs. Each part stands alone, anchored in a real company scenario.
Three ways to get an LLM answer into Salesforce, one decision table — a wealth management firm walks its compliance constraints through cost, residency, trust layer and governance.
Read tutorialA pharma company plugs its own Azure OpenAI deployment into Model Builder — its contract and region, with the Einstein Trust Layer still in the path and the same Apex as the native API.
Read tutorialA manufacturer reaches its self-hosted fine-tuned model: External Credential + Named Credential setup, a production client class with retries — and the honest list of when this path is wrong.
Read tutorialThe model only knows what you send: USER_MODE queries, field allow-lists, token budgeting and anti-hallucination prompts — a travel company builds the context layer by hand.
Read tutorialOn the raw-callout path you ARE the trust layer — a lender builds PII masking before egress, output validation against injection, budget guards and a complete audit trail.
Read tutorialThe map
The full decision table lives in Part 1 — this is the short version you'll quote in the architecture meeting.
| Path | Model choice | Einstein Trust Layer | You build | Reach for it when |
|---|---|---|---|---|
| Native Models API | Salesforce-managed model list | Built in | Almost nothing — a few lines of Apex | Any current frontier model will do. Start here. |
| BYO LLM (Einstein Studio) | Your deployment on Azure OpenAI, OpenAI, Bedrock or Vertex AI | Built in | Provider setup + one registration | Your contract, region or fine-tuned model must govern — on a supported provider. |
| Direct Apex callout | Anything with an HTTP API, incl. self-hosted | None — you are the trust layer | Credentials, client, retries, masking, audit, cost controls | No platform path reaches the model, and you'll fund the hardening work. |
Keep going
The native side of this story — the first-party path this track keeps comparing against, and the platform's managed grounding.
The native path this track measures everything against — trust layer included, no keys to manage, a real summarizer build.
Read tutorialThe managed alternative to Part 4's hand-built grounding — auto-built chunks, indexes and retrievers on platform.
Read tutorialNative grounding at its most powerful: agents answering from unified customer profiles, mid-conversation.
Read tutorial