
Approval workflows for AI coding agents on Entra



A newly created AI coding agent receives a token from Entra and immediately starts generating pull requests, running test suites, and invoking internal build pipelines. Because the token carries a valid Entra identity, the platform treats the agent like any other service account and lets it reach the target systems without a second look; there is no approval workflow in the path at all.

That convenience hides a serious gap. If the agent’s model is compromised, or if it has learned a harmful pattern from its training data, it can push malicious changes, exfiltrate secrets, or trigger costly rollbacks, all without a human ever seeing the command. There is no audit trail of the exact commands the agent sent, and no checkpoint where a senior engineer can say, “I approve this change.” The result is a blind spot in which automated code can cause production‑level damage.

Entra does a good job of authenticating the agent and confirming that the request originates from a known identity, and its app roles and scopes can say, coarsely, which APIs that identity may call. What it does not provide is a gate that can examine each individual operation, request a human sign‑off for risky actions, and record the interaction for later review. Once the token is issued, the request travels directly to the code repository, CI system, or database with no enforcement layer in between.

Why approval workflows matter for AI agents

AI agents operate at speed. They can produce dozens of commits per minute and trigger pipelines that touch live services. Without a control point, every change is implicitly trusted because the identity token is valid. Approval workflows introduce a deliberate pause for high‑risk operations, ensuring that a human reviews the intent before the command reaches the target. This reduces the blast radius of a compromised model, provides evidence for post‑incident analysis, and aligns automated development with governance policies.

How hoop.dev enforces approval workflows

hoop.dev sits in the data path between the Entra‑issued identity and the infrastructure the agent wants to reach. When the agent opens a connection, hoop.dev validates the token, extracts group membership, and then applies policy rules before any traffic is forwarded.

  • Just‑in‑time gating: hoop.dev checks each request against a policy that marks certain commands, such as database schema changes, production deployments, or secret rotations, as requiring explicit human approval. If a request matches a gated pattern, hoop.dev pauses the flow and creates an approval ticket.
  • Human approval loop: An authorized reviewer receives a notification with the exact command the agent attempted. The reviewer can approve, deny, or modify the request. Only after approval does hoop.dev release the traffic to the target system.
  • Session recording: hoop.dev records every byte that passes through the gateway, creating a replay log. This log includes the original request, the approval decision, and the response from the backend.
  • Audit and evidence: Because hoop.dev is the only point that can see the traffic, it generates a complete audit trail that shows who (the Entra identity), what (the command), when (timestamp), and whether it was approved. These records satisfy internal compliance checks and support external audits.

All of these enforcement outcomes exist only because hoop.dev is positioned in the data path. The Entra token alone cannot block a command, mask a response, or create an audit record. By placing the gateway in front of the target, hoop.dev becomes the authoritative enforcement engine for approval workflows.

Setup: Entra identity for AI agents

The first step is to register the AI agent as a non‑human principal in Entra. Assign it only the scopes it needs to request tokens for the gateway, and prefer a certificate or federated credential over a long‑lived client secret. This setup decides who the request is from and whether it may start, but it does not enforce any policy on its own.

Deploying the gateway

Deploy hoop.dev using the provided Docker Compose quick‑start or a Kubernetes manifest. The deployment includes a network‑resident agent that sits next to the resources the AI agent will access: databases, CI runners, or internal HTTP services. The gateway holds the credentials for those resources, so the AI never sees them.


During deployment, configure the gateway to trust Entra as the OIDC provider. hoop.dev will verify incoming tokens and map group claims to policy decisions. Detailed steps are covered in the getting‑started guide.
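What "verify incoming tokens and map group claims" has to mean in practice is shown below as an added example; it is not hoop.dev's code, and the issuer, audience and group values are made-up placeholders. The gateway must pin the signing algorithm (a token that says alg "none" or swaps to HMAC must be rejected before anything else is read), verify the signature under the IdP's key, and then check that the issuer is your tenant, the audience is this gateway, and the token has not expired, before the groups claim is ever trusted for a policy decision. The Sign function exists only to fabricate a token offline; in production Entra signs and the gateway only verifies.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims are the token fields the gateway checks before any policy runs.
// The Entra v2.0 issuer has the form https://login.microsoftonline.com/<tenant-id>/v2.0;
// "groups" carries group object IDs only if the app registration asks for them.
type Claims struct {
	Iss    string   `json:"iss"`
	Aud    string   `json:"aud"`
	Sub    string   `json:"sub"`
	Exp    int64    `json:"exp"`
	Groups []string `json:"groups,omitempty"`
}

type jwtHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
}

// B64URL is the unpadded base64url encoding JWTs use.
func B64URL(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewSigningKey stands in for the IdP's key pair in this offline example.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign mints an RS256 JWT. Only used here to fabricate a token to verify.
func Sign(key *rsa.PrivateKey, c Claims) (string, error) {
	h, _ := json.Marshal(jwtHeader{Alg: "RS256", Typ: "JWT"})
	p, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := B64URL(h) + "." + B64URL(p)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + B64URL(sig), nil
}

// Verify fails closed: the algorithm is pinned, the signature is checked under
// the IdP key, and iss/aud/exp must all match before the claims are returned.
func Verify(pub *rsa.PublicKey, token, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var h jwtHeader
	if err := json.Unmarshal(hb, &h); err != nil {
		return nil, err
	}
	if h.Alg != "RS256" { // never let the token choose its own algorithm
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("issuer %q is not our tenant", c.Iss)
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("audience %q is not this gateway", c.Aud)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	// Placeholder tenant and gateway identifiers (assumed, not real values).
	iss, aud := "https://login.microsoftonline.com/<tenant-id>/v2.0", "api://hoop-gateway"
	key, _ := NewSigningKey()
	tok, _ := Sign(key, Claims{Iss: iss, Aud: aud, Sub: "agent-app-object-id",
		Exp: time.Now().Add(10 * time.Minute).Unix(), Groups: []string{"ai-coding-agents"}})
	c, err := Verify(&key.PublicKey, tok, iss, aud, time.Now())
	fmt.Println(c, err)
}
```

One caveat worth carrying into policy: when an identity belongs to more groups than Entra will put in a token, the groups claim is omitted and an overage indicator is emitted instead, so a missing groups claim should be treated as "look the groups up" or "deny", never as "member of nothing".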

Defining approval policies

Policy definitions live in hoop.dev’s configuration. You can mark any command pattern, HTTP method, or Kubernetes verb as requiring approval. For AI coding agents, typical policies include:

  • Any push to the main branch of a production repository.
  • Execution of migration scripts against a production database.
  • Creation or deletion of cloud resources via the AWS CLI connector.

When a gated request arrives, hoop.dev creates an approval request that appears in your existing ticketing system or in the built‑in approval UI. The reviewer sees the exact command, the originating Entra identity, and any contextual metadata.
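The gating loop described in the enforcement section above, applied to the three policies just listed, as an added example in Go (not hoop.dev's code or its configuration format): every connection name, rule pattern and ticket ID here is assumed. The points a practitioner cares about are all in Resolve: a gated command is never forwarded until a reviewer says yes, the requester cannot approve its own ticket, a ticket older than the timeout is recorded as expired even if someone later clicks approve, and each outcome lands in the audit log with who, what, when and the decision.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Decision is the gateway's verdict on one request after token validation.
type Decision string

const (
	Allow           Decision = "allow"
	RequireApproval Decision = "require_approval"
)

// Rule gates a command pattern on one connection (repo, database, cloud CLI).
type Rule struct {
	Name       string
	Connection string
	Pattern    *regexp.Regexp
}

// Request is what the gateway holds once the Entra token has been verified.
type Request struct {
	Identity   string // subject of the validated token
	Connection string // assumed connection name, e.g. "prod-repo"
	Command    string // raw command the agent is trying to run
}

// AuditRecord is the who/what/when/decision evidence kept for every request.
type AuditRecord struct {
	Identity, Reviewer, Rule, Command, Decision string
	At                                          time.Time
}

type pending struct {
	req     Request
	rule    string
	created time.Time
}

// Policy holds the gating rules, open approval tickets and the audit log.
type Policy struct {
	Rules   []Rule
	Timeout time.Duration // tickets older than this are expired, never approved
	Audit   []AuditRecord
	tickets map[string]pending
	nextID  int
}

func NewPolicy(timeout time.Duration, rules ...Rule) *Policy {
	return &Policy{Rules: rules, Timeout: timeout, tickets: map[string]pending{}}
}

// DefaultPolicy encodes the three example policies from the post; the regexes are assumptions.
func DefaultPolicy() *Policy {
	return NewPolicy(time.Hour,
		Rule{"push-to-main", "prod-repo", regexp.MustCompile(`^git push\b.*\b(main|master)\b`)},
		Rule{"prod-migration", "prod-db", regexp.MustCompile(`(?i)\b(migrate|alter table|drop table)\b`)},
		Rule{"aws-create-delete", "aws-cli", regexp.MustCompile(`^aws\s+\S+\s+(create|delete|terminate)-\S+`)},
	)
}

// Evaluate decides whether the request may proceed now or must wait for a
// human. A gated request gets a ticket ID and is NOT forwarded.
func (p *Policy) Evaluate(req Request, now time.Time) (Decision, string) {
	for _, r := range p.Rules {
		if r.Connection == req.Connection && r.Pattern.MatchString(req.Command) {
			p.nextID++
			id := fmt.Sprintf("apr-%d", p.nextID)
			p.tickets[id] = pending{req: req, rule: r.Name, created: now}
			return RequireApproval, id
		}
	}
	p.Audit = append(p.Audit, AuditRecord{Identity: req.Identity, Command: req.Command, Decision: "allowed", At: now})
	return Allow, ""
}

// Resolve applies a reviewer's decision and fails closed: unknown or reused
// tickets, self-approval and tickets past Timeout never release the command.
func (p *Policy) Resolve(id, reviewer string, approve bool, now time.Time) (bool, error) {
	t, ok := p.tickets[id]
	if !ok {
		return false, fmt.Errorf("unknown or already resolved ticket %s", id)
	}
	if reviewer == t.req.Identity {
		return false, fmt.Errorf("%s cannot approve its own request", reviewer) // ticket stays open
	}
	delete(p.tickets, id)
	decision := "denied"
	switch {
	case now.Sub(t.created) > p.Timeout:
		decision = "expired"
	case approve:
		decision = "approved"
	}
	p.Audit = append(p.Audit, AuditRecord{Identity: t.req.Identity, Reviewer: reviewer, Rule: t.rule,
		Command: t.req.Command, Decision: decision, At: now})
	return decision == "approved", nil
}

func main() {
	p := DefaultPolicy()
	now := time.Now()
	d, id := p.Evaluate(Request{Identity: "agent-app-object-id", Connection: "prod-repo", Command: "git push origin main"}, now)
	fmt.Println(d, id)
	ok, err := p.Resolve(id, "senior-eng@example.com", true, now.Add(5*time.Minute))
	fmt.Println(ok, err)
	for _, a := range p.Audit {
		fmt.Printf("%+v\n", a)
	}
}
```

Matching on the raw command string, as this example does, is only as good as the patterns: a migration run through a wrapper script or a push to a branch that is then fast-forwarded into main by CI will not match, so the gate belongs on the connection that can actually reach production, not on the tool name.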

Benefits of the gateway approach

Because hoop.dev is the single point of control, you gain a unified view of all AI‑driven activity across disparate backends. You no longer need separate logging solutions for databases, CI pipelines, and Kubernetes clusters; the gateway aggregates everything. The consistent enforcement model also means you can extend the same approval workflow to new services simply by adding a connector, without rewriting policy logic.

In addition to approval, hoop.dev can mask sensitive fields in responses, such as API keys returned from a secret store, so that even a compromised agent never sees the raw secret. This masking happens inline, before the data reaches the agent, further reducing risk.

Getting started

To try this pattern, follow the learn section of the hoop.dev documentation for a walkthrough of Entra integration, policy definition, and approval UI usage. The documentation shows how to tie the approval notifications into Slack or email, and how to view session replays.

When you’re ready to explore the source code, contribute, or run a self‑hosted instance, visit the GitHub repository: hoop.dev on GitHub.

FAQ

Do I need to change my existing CI pipelines?

No. The pipelines continue to use their standard clients. The only change is that traffic is routed through hoop.dev, which injects the approval step when required.

Can I use a different identity provider?

Yes. hoop.dev supports any OIDC or SAML provider that can issue tokens. The same approval workflow logic applies regardless of the IdP.

What happens if the approval request is never answered?

hoop.dev will keep the request pending and will not forward the gated command. You can configure a timeout policy that either denies the request or escalates it to a higher‑level approver.

Open source


Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.
