Knowledge Vault Permissions: Granular Access Control for AI Agents

What This Update Actually Is

Knowledge vaults store the content your AI agents draw from when answering questions, routing tickets, or supporting humans in a conversation. Before this update, vault access was all-or-nothing at the portal level.

Now, admins can assign two distinct permission types to each vault: Manage and Use. Those permissions can be granted to specific humans or entire teams. And super admins always have full access regardless of vault-level settings.

The two permission types work like this:

• Manage: grants full control to create, edit, delete content, and manage vault permissions for other humans
• Use: grants read-only access so a human can view the vault and attach it to agents, but can't modify anything inside it

This is available on all hubs and all tiers. No tier gate. No hub restriction. If you use knowledge vaults today, you get this now.

Why HubSpot Shipped This

Vault sprawl is real. As organizations build more AI agents to handle support, sales assist, or onboarding workflows, the number of vaults compounds quickly. A support vault, a product FAQ vault, a partner enablement vault, a compliance vault. Each one serving a different audience.

Without permission controls, every builder in the portal could see and edit every vault. That creates two painful problems. First, accidental edits or deletions. Second, sensitive content getting exposed to humans who shouldn't have access.

This update solves both. It also starts to address compliance requirements for organizations in regulated industries, where access to certain knowledge bases needs to be logged and limited.

How to Use It Step by Step

Setup is straightforward. Here's exactly how to configure vault-level permissions:

1. Navigate to an existing knowledge vault inside your HubSpot portal (or create a new one if you're starting fresh).
2. Click the three-dot menu in the top corner of the vault.
3. Select "Manage access" from the dropdown.
4. Choose a permission level: Manage or Use. Then assign it to specific humans or entire teams.
5. Repeat for every vault that needs restricted or scoped access.

One thing to know up front: super admins bypass vault-level permissions entirely. They always have full access. If that's a concern for your compliance posture, factor it into how you structure your admin roles.

What It Touches in Your HubSpot Strategy

This update touches more than just your AI agent setup. Here's where the ripples go:

• Service Hub and Breeze AI agents: any agent pulling from a knowledge vault is now subject to vault-level access rules. Audit your agents now to confirm they're still attached to the vaults they need.
• Team structures: if you've organized your portal by business unit or department, vault permissions can mirror that structure. Marketing owns the marketing vault. Support owns the support vault. Neither touches the other.
• Compliance and data governance: for organizations subject to privacy regulations or internal data handling policies, this is a meaningful control layer. Document your permission structure the same way you'd document CRM property access.
• Portal hygiene: fewer humans seeing irrelevant vaults means less confusion, fewer accidental edits, and cleaner workspaces for the humans who actually own that content.

This connects directly to broader thinking about how AI agents serve different audiences in HubSpot. If you've been following Customer Agent Segments, vault permissions are the access-control layer that makes segmented agents truly secure, not just functionally distinct.

It's also worth thinking about this in the context of your overall data model. The more intentional you are about who owns what in HubSpot, the better your governance scales. If you haven't yet audited how your portal objects and records are structured, the Centralized Data Model Management update is a good companion read.

Who Should Care Most

Not every portal needs this right now. But some absolutely do. Here's who should move fast:

• Portals with multiple AI agents: if you've built more than one Breeze agent pulling from different vaults, this is how you enforce proper knowledge boundaries between them.
• Marketing ops and RevOps leaders: if you own portal governance, vault permissions belong in your access-control documentation alongside property permissions and team assignments.
• Organizations in regulated industries: healthcare, finance, legal, and similar sectors where data access must be intentional and auditable should treat this as a required configuration step.
• Growing companies scaling their service or support teams: as headcount grows, the window for accidental edits to shared knowledge bases gets wider. Locking that down now costs almost nothing.
• HubSpot admins managing multi-team or multi-brand portals: vault permissions let you replicate your team structure inside your knowledge architecture without workarounds.

George's Take

I've seen this pattern in portal after portal. A team builds their first AI agent, they're excited, they throw everything into one vault. Then they build a second agent. Then a third. Before long, nobody's sure which vault belongs to which agent, a contractor edited something they shouldn't have, and a customer-facing agent is answering from internal-only content. Vault permissions don't eliminate that risk on their own, but they give you the infrastructure to finally enforce what you've been trying to manage with naming conventions and hope. Configure it now, before the vault list gets any longer.

If you're not sure how your current vault setup stacks up, or if you're building your first knowledge-powered agent and want to get the architecture right from the start, let's talk. Book a strategy call with the Sidekick team and we'll walk through your portal together.

Frequently Asked Questions

What are HubSpot Knowledge Vault Permissions?

Knowledge Vault Permissions let HubSpot admins assign Manage or Use access to specific humans or teams on each knowledge vault. Manage grants full control including editing and permission management. Use allows viewing and attaching a vault to agents without modifying its content. This applies at both the portal and individual vault level.

Who can access knowledge vaults in HubSpot regardless of permissions?

Super admins always have full access to every knowledge vault in the portal, regardless of vault-level permission settings. This bypass can't be overridden by vault owners. If your compliance requirements are strict, document this behavior as part of your access-control policy.

What is the difference between Manage and Use permissions in HubSpot knowledge vaults?

Manage permission gives a human or team full control: they can create, edit, delete vault content, and manage other users' access. Use permission is read-only access: the human can view the vault and attach it to AI agents, but they can't change any content or settings inside it.

Which HubSpot hubs and tiers include Knowledge Vault Permissions?

Knowledge Vault Permissions are available on all HubSpot hubs and all tiers, including free accounts. There's no tier gate on this feature. If your portal already uses knowledge vaults, you can configure vault-level permissions right now without upgrading.

How do Knowledge Vault Permissions affect HubSpot AI agents?

Any Breeze AI agent that pulls from a knowledge vault is subject to the vault's permission settings. If a builder loses Use or Manage access to a vault, they won't be able to attach it to an agent. After configuring permissions, audit your existing agents to confirm they're still connected to the vaults they need.

How do I set up permissions on a HubSpot knowledge vault?

Open the knowledge vault, click the three-dot menu in the top corner, and select Manage access. From there, choose a permission level (Manage or Use) and assign it to specific humans or teams. Repeat this for each vault that needs access controls. The whole process takes under two minutes per vault.