Access reviews assume one thing above all: that the identity on a grant is the identity that will use it. Agent impersonation attacks that assumption. To defend it, separate the part of the problem that is old and familiar from the part that is genuinely new, because they need different fixes.
This is defensive, server-side framing throughout. The goal is to keep access reviews meaningful when one of the actors is an agent that could be made to act under the wrong identity, not to describe how that spoofing is done.
The familiar problem
The old, well-known issue is shared or over-broad credentials. If several agents, or an agent and a batch job, run under one service account, your access reviews see a single identity and cannot tell who actually did what. This is the same mess teams have had with shared accounts for decades. The fix is also familiar: give each actor its own identity, scope it, and stop sharing credentials. A review can only be honest when each line maps to one real actor.
The genuinely new problem
What agents add is that the actor is software whose identity may be asserted rather than verified at the boundary. If an agent declares which identity it is acting as, or holds a token it can pass along, then something that can drive or stand in for that agent can present itself as a reviewed, approved identity. Your access reviews sign off on identity A's narrow, reasonable access, and a different process exercises it.
This means a clean review is not enough on its own. The review describes what should be true. Whether it stays true depends on whether identity is enforced at the moment of access, not just recorded on paper.
The distinction worth holding onto is between a review as a document and a review as a guarantee. A spreadsheet that says identity A has read access to one schema is a document. It is only a guarantee if, at the moment A connects, the system confirms that the thing connecting really is A and really is held to that one schema. If identity is asserted by the agent, the document and the guarantee come apart, and the review degrades into a record of intentions rather than a statement of fact. Reviews are worth doing only when the access model makes the document and the guarantee the same thing.
Keeping reviews real
- Give every agent its own identity, authenticated against your identity provider. No shared service accounts standing in for many actors.
- Enforce that identity at the connection, so an agent acts only as the identity it actually authenticated as.
- Keep credentials out of the agent, so it has nothing to lend to another process.
- Scope and time-bound the access, so the review surface is small and current rather than a pile of standing grants.
The architecture behind a meaningful review
A review is trustworthy when the access model enforces identity at runtime, so what you signed off on is what actually happens. hoop.dev is an identity-aware proxy that provides this. Each agent authenticates through your OIDC or SAML provider, hoop.dev verifies that identity and opens the infrastructure connection under a controlled credential the agent never holds, and it scopes access just in time.
So an access review of agents connected through hoop.dev is reviewing verified identities with narrow, expiring scopes, not self-asserted names attached to standing credentials. The thing you approve is the thing the boundary enforces. See hoop.dev's runtime governance writing for how scoped, identity-bound access is configured and for the wider model.
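To make the four practices above and the proxy model concrete, here is an added example of a minimal identity-aware gateway in Python. It is illustrative code written for this page, not hoop.dev's implementation and not code from the project. An HMAC-signed token (the constructed `IDP_SIGNING_KEY`) stands in for a real OIDC or SAML assertion; the backend credential lives only inside the gateway; authorization uses the verified subject against a scoped, expiring grant table; and the log records verified subjects, so a later review reads facts rather than intentions. The grant table, the identities and the `asserted_identity` parameter (accepted only to show that a self-asserted name is logged but never trusted) are all constructed for the example.

```python
# Added illustrative example: a toy identity-aware gateway, not hoop.dev's implementation.
# An HMAC-signed token stands in for a real OIDC/SAML assertion; keys, names and grants
# below are constructed for the example.
import base64
import hashlib
import hmac
import json

IDP_SIGNING_KEY = b"constructed-idp-signing-key"   # shared by the IdP stand-in and the gateway
BACKEND_CREDENTIAL = "constructed-backend-secret"  # held by the gateway, never by an agent

# The grant table is what an access review signs off on: one real actor per line,
# one narrow scope, and an expiry (Unix seconds) so nothing becomes a standing grant.
GRANTS = {
    "agent-a@example.com": {"schema": "reporting", "mode": "read", "expires": 2000},
    "agent-b@example.com": {"schema": "billing", "mode": "read", "expires": 2000},
    "agent-c@example.com": {"schema": "reporting", "mode": "read", "expires": 500},
}

ACCESS_LOG = []  # the record a later review reads: verified subjects, not asserted names


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_token(subject: str, issued_at: int, ttl: int = 300) -> str:
    """IdP stand-in: a signed 'payload.signature' token for an authenticated subject."""
    payload = json.dumps({"sub": subject, "exp": issued_at + ttl}, sort_keys=True).encode()
    sig = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(sig)}"


def gateway_verify(token: str, now: int) -> str:
    """Verify the token against the IdP key; return the proven subject or raise."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        expected = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise PermissionError("token signature invalid")
        claims = json.loads(payload)
        subject, exp = claims["sub"], int(claims["exp"])
    except (ValueError, KeyError, TypeError) as exc:
        raise PermissionError("token malformed") from exc
    if exp < now:
        raise PermissionError("token expired")
    return subject


def _backend_open(schema: str) -> str:
    """Gateway-internal: the only place the backend credential is ever used."""
    return hashlib.sha256(f"{BACKEND_CREDENTIAL}:{schema}".encode()).hexdigest()[:16]


class Connection:
    """Handle handed to the agent: pinned to one schema and mode, carrying no credential."""

    def __init__(self, subject: str, schema: str, mode: str, session_id: str):
        self.subject, self.schema, self.mode, self.session_id = subject, schema, mode, session_id

    def query(self, schema: str, statement: str) -> str:
        if schema != self.schema:
            raise PermissionError(f"connection is scoped to {self.schema!r}")
        if self.mode == "read" and not statement.lstrip().upper().startswith("SELECT"):
            raise PermissionError("connection is read-only")
        return f"ok:{self.subject}:{schema}"


def gateway_connect(token: str, schema: str, now: int, asserted_identity: str = None) -> Connection:
    """Open a scoped backend connection for the identity the token proves.

    `asserted_identity` is whatever the caller claims to be; it is logged for detection
    but never used for authorization, so self-assertion cannot widen access.
    """
    subject = gateway_verify(token, now)
    grant = GRANTS.get(subject)
    entry = {"subject": subject, "asserted": asserted_identity, "schema": schema, "allowed": False}
    ACCESS_LOG.append(entry)
    if grant is None or grant["schema"] != schema:
        raise PermissionError(f"{subject} has no grant on {schema!r}")
    if grant["expires"] < now:
        raise PermissionError(f"grant for {subject} on {schema!r} has expired")
    entry["allowed"] = True
    return Connection(subject, schema, grant["mode"], _backend_open(schema))


def suspicious_entries() -> list:
    """Detection hook: log lines where an asserted name differs from the verified subject."""
    return [e for e in ACCESS_LOG if e["asserted"] and e["asserted"] != e["subject"]]


if __name__ == "__main__":
    token = idp_issue_token("agent-a@example.com", issued_at=1000)
    conn = gateway_connect(token, "reporting", now=1100, asserted_identity="agent-admin@example.com")
    print(conn.query("reporting", "SELECT count(*) FROM orders"))
    print("suspicious:", suspicious_entries())
```

The point of the design is that the document and the guarantee coincide: `GRANTS` is the reviewed document, and `gateway_connect` is the only path to the backend, so a line in `ACCESS_LOG` is a statement about a verified subject. A mismatch between `asserted` and `subject` is not an authorization input, only a detection signal worth alerting on.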
FAQ
Why does agent impersonation matter for access reviews?
A review assumes the identity on a grant is the one that uses it. If an agent can act under a name it merely asserts, the review approves access that a different process can exercise.
What is the old part versus the new part?
The old part is shared and over-broad credentials, fixed by per-actor identities and scoping. The new part is self-asserted agent identity, fixed by enforcing authenticated identity at the connection.
Does hoop.dev manage my identity provider?
No. hoop.dev consumes your OIDC or SAML provider to authenticate identities into the gateway, then uses that verified identity to authorize and record access to infrastructure.
The gateway is open source. Clone the hoop.dev repository on GitHub and make your agents' access something a review can actually trust.