All posts
June 22, 20264 min read

Access Reviews in Non-Human Identities, Explained

When every service account, CI token, and machine identity is regularly examined, you know exactly which workloads have access, for how long, and whether any privilege is excessive. In that ideal world, access reviews for non‑human identities become a predictable, low‑friction part of the security lifecycle rather than a surprise audit that uncovers hidden keys. Achieving that state is difficult because non‑human identities are not tied to a person who can be asked to confirm a need. They are c

Free White Paper

Human-in-the-Loop Approvals + Non-Human Identity Management: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

When every service account, CI token, and machine identity is regularly examined, you know exactly which workloads have access, for how long, and whether any privilege is excessive. In that ideal world, access reviews for non‑human identities become a predictable, low‑friction part of the security lifecycle rather than a surprise audit that uncovers hidden keys.

Achieving that state is difficult because non‑human identities are not tied to a person who can be asked to confirm a need. They are created by automation, stored in configuration files, and often granted broad permissions that outlive the original use case. Without a systematic review process, credentials linger, permissions creep, and the attack surface expands unnoticed.

How teams actually manage service accounts today

Most organizations start with a simple approach: a developer checks a service account key into a repository, a CI pipeline references a static token, or an operations script embeds a long‑lived password. The credential is then used directly against the target resource, be it a database, a Kubernetes cluster, or an SSH host. Because the gateway sits nowhere in that flow, there is no place to enforce policy, no audit trail that shows which job issued a command, and no way to mask sensitive response fields. The result is a “wild west” of machine identities where anyone who can read the repo can impersonate a service, and the security team has no visibility into what those identities actually do.

What a proper access review process must achieve

A thorough access review for non‑human identities must answer three questions for each credential: who created it, what resource it can reach, and whether the granted permissions are still required. The process also needs to enforce a few technical controls: the request to the target must pass through a point where the organization can inspect, approve, or block the operation; every interaction should be recorded for later forensic analysis; and any sensitive data returned by the target should be hidden from the caller unless explicitly allowed.

Even when these questions are answered on paper, the actual request still travels straight from the automation job to the target. Without a data‑path enforcement layer, the organization cannot guarantee that the reviewed policy is applied at runtime. The request bypasses any audit mechanism, any inline masking, and any just‑in‑time approval workflow. In other words, the review process fixes the “who‑should‑have‑access” question but leaves the enforcement gap wide open.

Embedding access reviews in the data path

Placing a Layer 7 gateway between identities and infrastructure closes that gap. hoop.dev acts as an identity‑aware proxy that sits on the network edge, receives the request, validates the caller’s OIDC or SAML token, and then forwards the traffic to the target only after applying policy.

Setup – defining who may ask for access

In the setup phase, organizations configure OIDC or SAML providers (such as Okta, Azure AD, or Google Workspace) so that each automation job receives a short‑lived token representing a non‑human identity. The token carries group membership that maps to a role in the organization’s policy store. This step decides who the request is and whether it may start, but it does not enforce any runtime constraints.

Continue reading? Get the full guide.

Human-in-the-Loop Approvals + Non-Human Identity Management: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

The data path – the only place enforcement can happen

All traffic from service accounts, CI runners, and bots is forced to traverse hoop.dev. Because the gateway operates at the protocol layer (SQL, SSH, HTTP, etc.), it can inspect each command or query before it reaches the backend. This is the sole point where the organization can apply the reviewed policy.

Enforcement outcomes – what hoop.dev does

  • hoop.dev records every session, providing a replayable audit trail that shows exactly which automation performed which action.
  • hoop.dev requires just‑in‑time approval for high‑risk commands, ensuring that a human reviewer can veto a dangerous operation even if the credential is technically valid.
  • hoop.dev masks sensitive fields in responses, preventing secrets such as passwords or tokens from being exposed to downstream logs.
  • hoop.dev blocks disallowed commands based on the reviewed policy, reducing the blast radius of a compromised service account.
  • hoop.dev tags each request with the originating identity, making it trivial to correlate activity with the owning team during an access review.

Because the enforcement outcomes exist only because hoop.dev sits in the data path, removing the gateway instantly eliminates session recording, inline masking, and just‑in‑time approvals. The organization would revert to the insecure state described earlier.

Practical steps to get started

Begin by cataloguing every non‑human identity in your environment and mapping it to the resources it accesses. Create groups in your identity provider that reflect the least‑privilege roles you want to enforce. Then deploy hoop.dev using the getting started guide. Register each target (PostgreSQL, SSH host, Kubernetes cluster, etc.) in the gateway, and configure the gateway to read the OIDC token presented by your automation jobs.

Once the gateway is live, enable the built‑in approval workflow for any command that modifies production data, and turn on response masking for columns that contain secrets. The learn section contains deeper explanations of each feature and best‑practice patterns for continuous access reviews.

FAQ

Do I need to change my existing CI pipelines?

No. The pipelines keep using the same client binaries (psql, kubectl, ssh). The only change is that the endpoint they point to becomes the hoop.dev gateway address. The gateway forwards the traffic after applying policy.

How does hoop.dev handle credential rotation?

The gateway stores the target credentials internally, so rotation can be performed in the gateway configuration without updating every automation job. This eliminates the need to distribute new secrets to dozens of pipelines.

Can I audit past activity before installing hoop.dev?

hoop.dev cannot retroactively create logs for traffic that never passed through it. However, once deployed, it captures every subsequent session, giving you a clean baseline for future reviews.

Implementing continuous access reviews for non‑human identities is impossible without a control point that can see and act on every request. hoop.dev provides that control point, turning a scattered set of service accounts into a manageable, auditable surface.

Contribute or view the source on GitHub

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot