
An agent changed production. The audit log blamed a person.


A row in the production database changed at 2 a.m. You open the audit log to find out who did it. Every action for the past hour carries one engineer's name. She was asleep. The queries came from an agent she started Friday afternoon and left running.

When an AI agent runs on a human's credentials, your audit log records the person, not the process.

Why does my audit log show a person when an agent made the change?

The agent authenticated with that person's credentials, and most agents do. A coding assistant or a local MCP server picks up the developer's database login from the environment and connects downstream as them. A staff security engineer at a fintech: "all it's doing is inheriting your credentials, and then going downstream and making an action."

The credential is the identity. Your audit log keys every action to whoever owns the credential, so the human becomes the actor of record for everything the agent runs. When you reconstruct the incident later, you cannot separate the person's queries from the agent's, because both arrived under the same login.

What is a machine identity?

A machine identity is a credential issued to a non-human consumer (a CI job, an ETL pipeline, a BI tool, or an agent) and kept separate from any person. It carries its own scope, its own audit trail, and its own revocation.

hoop.dev issues one per consumer and ties each credential to a resource role rather than to a user. You create, rotate, and revoke it from one screen, and every action the consumer takes records under that identity instead of under a developer's login.

How do I watch what an agent is doing in real time?

Open the session in the audit view and the statements stream in as the agent runs them. hoop.dev sends each machine session to the browser over server-sent events, and the client decodes the Postgres wire protocol locally, so you read the actual SQL rather than a byte count. A status indicator tracks the session from Connecting to Live to Ended, alongside a running query count and a text filter over the statements. When the session ends, the same view replays the decoded history.


The reason this runs live and not as a morning report is throughput. An agent can issue hundreds of statements in the time a person takes to scroll a log export, so a reviewer needs to see the session while it is open and still has somewhere to intervene.
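To make the decoding step above concrete, here is an added example (not hoop.dev's code) of pulling SQL text out of raw Postgres frontend bytes. It assumes the buffer holds only client-to-server messages sent after startup and authentication, handles the simple Query (`Q`) and Parse (`P`) messages, and keeps a partial message for the next chunk; the helper names and sample bytes are constructed for illustration.

```python
import struct

def read_cstring(body: bytes, offset: int):
    """Read one NUL-terminated string; return (text, offset just past the NUL)."""
    end = body.index(b"\x00", offset)  # raises ValueError if the terminator is missing
    return body[offset:end].decode("utf-8", errors="replace"), end + 1

def decode_frontend_sql(buf: bytes):
    """Extract SQL text from frontend messages; return (statements, undecoded tail)."""
    statements, pos = [], 0
    while len(buf) - pos >= 5:                      # 1-byte tag + 4-byte length
        tag = buf[pos:pos + 1]
        (length,) = struct.unpack("!I", buf[pos + 1:pos + 5])
        if length < 4:                              # length counts its own 4 bytes
            raise ValueError(f"bad length {length} at offset {pos}")
        end = pos + 1 + length
        if end > len(buf):
            break                                   # message split across chunks
        body = buf[pos + 5:end]
        if tag == b"Q":                             # simple Query: one C string
            statements.append(("query", read_cstring(body, 0)[0]))
        elif tag == b"P":                           # Parse: statement name, then SQL
            _, sql_at = read_cstring(body, 0)
            statements.append(("parse", read_cstring(body, sql_at)[0]))
        pos = end                                   # other message types are skipped
    return statements, buf[pos:]

def frame(tag: bytes, body: bytes) -> bytes:
    """Build one message (used only to construct the sample below)."""
    return tag + struct.pack("!I", len(body) + 4) + body

# Constructed sample, not a real capture.
LAST = frame(b"Q", b"SELECT 1;\x00")
SAMPLE = (
    frame(b"Q", b"UPDATE accounts SET status = 'closed' WHERE id = 42;\x00")
    + frame(b"P", b"\x00SELECT * FROM accounts WHERE id = $1\x00" + struct.pack("!H", 0))
    + frame(b"S", b"")                              # Sync carries no SQL
    + LAST[:7]                                      # chunk ends mid-message
)

if __name__ == "__main__":
    stmts, tail = decode_frontend_sql(SAMPLE)
    for kind, sql in stmts:
        print(f"{kind:5} {sql}")
    more, _ = decode_frontend_sql(tail + LAST[7:])  # next chunk completes it
    print(more)
```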

Can a policy block a risky action before it runs?

Yes. When an agent runs a command or an HTTP request through hoop.dev, a rule checks it before it executes. An AI analyzer scores the risk and either allows the action, blocks it, or holds it for a human to approve. A guardrail does the same with deny lists and regular expressions. Both decide before the action reaches the resource, so a blocked command returns an error instead of a result. This applies to the commands and requests an agent issues through the gateway, not to each statement inside a native database session.
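The guardrail behaviour described above, sketched as an added example rather than hoop.dev's implementation: a deny list and regular expressions are evaluated before the command runs, and a blocked or held command returns an error without the resource ever being called. The rule names, patterns, and the `run_through_gateway` function are assumptions made for illustration.

```python
import re

# Constructed rules for illustration; a real deployment defines its own.
DENY_LIST = ("drop database", "alter system")            # literal substrings
REGEX_RULES = [                                           # (name, pattern, action)
    ("drop-or-truncate-table", re.compile(r"\b(drop|truncate)\s+table\b", re.I), "block"),
    ("write-without-where",
     re.compile(r"\b(delete\s+from|update)\b(?!.*\bwhere\b)", re.I), "review"),
]
SEVERITY = {"allow": 0, "review": 1, "block": 2}

def evaluate(command: str):
    """Return (decision, rule_name); the most severe matching rule wins."""
    text = " ".join(command.split())                      # collapse whitespace/newlines
    decision, matched = "allow", None
    for literal in DENY_LIST:
        if literal in text.lower():
            return "block", f"deny-list:{literal}"
    for name, pattern, action in REGEX_RULES:
        if pattern.search(text) and SEVERITY[action] > SEVERITY[decision]:
            decision, matched = action, name
    return decision, matched

def run_through_gateway(command: str, execute, approved: bool = False):
    """Decide first; call execute() only when the decision permits it."""
    decision, rule = evaluate(command)
    if decision == "block":
        return {"ok": False, "error": f"blocked by {rule}"}
    if decision == "review" and not approved:
        return {"ok": False, "error": f"held for approval by {rule}"}
    return {"ok": True, "result": execute(command)}

if __name__ == "__main__":
    ran = []
    def execute(cmd):          # stand-in for the real resource
        ran.append(cmd)
        return "done"
    for cmd in ["psql -c 'SELECT count(*) FROM orders'",
                "psql -c 'TRUNCATE   TABLE orders'",
                "psql -c 'DELETE FROM orders'",
                "psql -c 'DELETE FROM orders WHERE id = 7'"]:
        print(cmd, "->", run_through_gateway(cmd, execute))
    print("reached the resource:", ran)
```

Pattern matching on command text is a coarse control: it catches the obvious shapes and leaves the scoped credential to bound what still gets through.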

Can I stop an agent mid-session?

Revoke its credential and every live proxy session using it ends at once, across Postgres, SSH, HTTP, and RDP, not only the next connection. Rotation runs the same path in a single call: it revokes the old credential, drops its in-flight sessions, and issues a replacement. You do this by hand when you need to, or you let the policy above act for you. A security lead at a crypto exchange: "we need to kill a running agent."
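A minimal model of the revocation path described above, added here as an illustration and not taken from hoop.dev: the registry indexes live sessions by the credential that opened them, so revoking ends sessions already in flight as well as refusing new connections, and rotation reuses the same path. The class, method, and identity names are hypothetical.

```python
import secrets

class Session:
    def __init__(self, identity: str, protocol: str):
        self.identity, self.protocol, self.live = identity, protocol, True

class CredentialRegistry:
    """Tracks which live sessions were opened with which credential."""
    def __init__(self):
        self._identity = {}    # token -> machine identity name
        self._sessions = {}    # token -> sessions opened with that token

    def issue(self, identity: str) -> str:
        token = secrets.token_urlsafe(24)
        self._identity[token] = identity
        self._sessions[token] = []
        return token

    def connect(self, token: str, protocol: str) -> Session:
        if token not in self._identity:
            raise PermissionError("credential revoked or unknown")
        session = Session(self._identity[token], protocol)
        self._sessions[token].append(session)
        return session

    def revoke(self, token: str):
        """Invalidate the token AND end every session already using it."""
        identity = self._identity.pop(token)
        dropped = self._sessions.pop(token)
        for session in dropped:
            session.live = False        # a real proxy would close the socket here
        return identity, dropped

    def rotate(self, token: str):
        """Single call: revoke old, drop its in-flight sessions, issue a replacement."""
        identity, dropped = self.revoke(token)
        return self.issue(identity), dropped

if __name__ == "__main__":
    reg = CredentialRegistry()
    agent, etl = reg.issue("agent-reporting"), reg.issue("etl-nightly")  # constructed names
    live = [reg.connect(agent, p) for p in ("postgres", "ssh", "http", "rdp")]
    other = reg.connect(etl, "postgres")
    new_token, dropped = reg.rotate(agent)
    print([(s.protocol, s.live) for s in live], other.live, len(dropped))
```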

Do humans and agents need separate access systems?

No. A person authenticates once and receives a persistent credential through the same path a machine identity uses, and human sessions now stream and persist incrementally the way machine sessions already did. One model covers both, with the same policies, the same audit trail, and the same revocation.

What machine identities do not fix

A machine identity changes who the audit log names and what a credential can reach. Three gaps remain, and they matter more named than buried.

Live decoding currently understands the Postgres wire protocol. SSH and HTTP sessions stream as readable text, and other database protocols render as raw bytes until their decoders ship. The stream also runs inside a single gateway process, so a multi-replica deployment cannot yet follow one session across instances. None of this blocks the feature for a standard deployment, but it bounds where the live view is fully readable today.

A machine identity governs access that passes through the gateway and nothing else. An agent a developer runs on a personal laptop, against a tool you never provisioned, never touches it. A director of enterprise architecture at a compliance-software company: "if somebody breaks out their phone and has a third-party AI tool on their phone and types in a question, there's more or less nothing I can do about that."

Scoping an identity also does not stop prompt injection. It bounds what an agent can reach once an attack succeeds, but it does not inspect the prompt or the model's output. A fintech security engineer still needs separate detection for direct and indirect injection and for model poisoning. That work lives in a different layer, and a machine identity does not pretend to cover it.

The point

Give an agent your credentials and you have handed it your name. Give it a machine identity and it answers to its own. The next time a row changes at 2 a.m., the log will name what ran, not only who to wake.
