All posts
June 22, 20264 min read

A Guide to Non-Human Identities in CrewAI

How do you keep an AI‑driven crew from becoming a blind spot in your security stack? When you grant a non-human identity a static API key, you create a hidden attack surface that can be exploited without anyone noticing. Teams that adopt CrewAI often start by giving the agents a static API key or a long‑lived service account. The key is checked into code repositories, duplicated across pipelines, and shared among multiple bots. Because the credential is static, any compromise instantly grants u

Free White Paper

Human-in-the-Loop Approvals + Non-Human Identity Management: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

How do you keep an AI‑driven crew from becoming a blind spot in your security stack? When you grant a non-human identity a static API key, you create a hidden attack surface that can be exploited without anyone noticing.

Teams that adopt CrewAI often start by giving the agents a static API key or a long‑lived service account. The key is checked into code repositories, duplicated across pipelines, and shared among multiple bots. Because the credential is static, any compromise instantly grants unrestricted access to databases, Kubernetes clusters, or internal HTTP services. Worse, the activity of the bots is invisible to existing audit pipelines – there is no session record, no command‑level log, and no way to mask sensitive data that the AI might inadvertently surface.

This reality is the first beat of the problem: a non‑human identity is treated like a human password, stored in plain text, and used to open direct connections to critical infrastructure. The result is a high‑risk blast radius that grows with each new crew member added to the system.

Why non-human identity requires strict enforcement

Switching to a dedicated non‑human identity (service account, OIDC client, or AI‑specific token) solves the credential‑sharing issue, but it does not close the other gaps. The request still travels straight from the CrewAI process to the target service. The gateway that would normally enforce policies – such as just‑in‑time approval, inline data masking, or command blocking – is missing. Consequently, the following weaknesses remain:

  • Unrestricted standing access: the token can be used at any time without a fresh approval workflow.
  • No audit trail: without a session recorder, security teams cannot reconstruct what the AI queried or modified.
  • Data leakage risk: responses that contain personally identifiable information or secrets are sent back to the AI unfiltered.
  • No real‑time guardrails: dangerous commands such as DROP DATABASE or kubectl delete namespace are executed without a safety net.

These gaps exist because the enforcement point – the data path – is still the target service itself. The setup that authenticates the AI (the OIDC client, the service account, the IAM role) only decides who may start a connection. It does not provide the runtime checks that turn a non‑human identity into a controlled, auditable actor.

hoop.dev as the data‑path gateway for CrewAI

hoop.dev is built to sit in the data path between any identity and the infrastructure it reaches. When CrewAI routes its traffic through hoop.dev, every request is inspected at the protocol layer. hoop.dev then applies the controls that were missing in the direct‑connect model.

Setup remains unchanged: you still provision a service account or OIDC client for the AI, assign the minimal set of groups or roles, and configure the identity provider (Okta, Azure AD, Google Workspace, etc.). This step decides who the AI is, but it does not enforce what the AI can do.

The data path is where hoop.dev intervenes. The gateway runs an agent inside your network, proxies the connection, and becomes the only point where traffic can be examined. Because the gateway is outside the AI process, it cannot be tampered with by the AI itself.

Enforcement outcomes are delivered by hoop.dev:

Continue reading? Get the full guide.

Human-in-the-Loop Approvals + Non-Human Identity Management: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
  • Session recording: each CrewAI interaction is captured for replay and forensic analysis.
  • Inline masking: fields that match PII patterns are redacted before they reach the AI, preventing accidental data exfiltration.
  • Just‑in‑time approval: high‑risk commands trigger a workflow that requires a human approver before execution.
  • Command blocking: dangerous statements are rejected automatically, protecting downstream systems.

Because hoop.dev owns the gateway, these outcomes exist only while the gateway is present. Remove hoop.dev and the enforcement disappears, confirming that the gateway is the essential control point.

Practical steps to secure non-human identities with hoop.dev

1. Define a dedicated AI service account. In your identity provider, create a client that represents CrewAI. Assign it only the groups needed for the workloads it will manage.

2. Deploy the hoop.dev gateway near the resources you want to protect. The quick‑start guide walks you through a Docker‑Compose deployment that includes OIDC verification, masking, and guardrails out of the box. See the getting‑started documentation for the exact steps.

3. Register each target (PostgreSQL, Kubernetes, HTTP API, etc.) in hoop.dev. The gateway stores the credential needed to reach the target, so the AI never sees it.

4. Configure policy rules that match your risk appetite. For example, require approval for any DELETE statement on a database, or mask columns named password or ssn.

5. Update CrewAI to point at the gateway instead of the raw endpoint. The AI continues to use its normal client libraries (psql, kubectl, HTTP client) – the only change is the host and port of the hoop.dev proxy.

6. Monitor and iterate. Use the session replay UI to verify that masking works as intended and that approval workflows are not causing unnecessary friction.

All of these actions are described in detail in the learn section. The repository contains the full source and sample configurations, so you can adapt the deployment to your environment.

FAQ

Do I still need to rotate the AI service account secret?

Yes. The gateway stores the secret, but rotation remains a best practice. hoop.dev will pick up the new secret on the next reload without disrupting existing sessions.

Can I use hoop.dev for multiple AI agents simultaneously?

Absolutely. Each agent can present its own OIDC token, and hoop.dev will enforce policies based on the groups attached to that token.

What happens if an AI tries to exfiltrate data that is not explicitly masked?

hoop.dev can be configured with pattern‑based masking rules that cover common sensitive fields. If a field falls outside those patterns, it will be logged in the session record, giving you visibility to adjust the policy.

Ready to see the code in action? Explore the source on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot