All posts
June 15, 20263 min read

Audit logging for AI agents on Entra

The postmortem question that ends careers is simple: what did the agent actually do? A week after a bad migration, someone asks for the exact commands an AI agent ran against the customer database, and the only answer is a CloudWatch line that says a connection happened. That is not an audit trail. That is a timestamp. This guide builds real audit logging for AI agents whose identity comes from Microsoft Entra, with the record produced at the connection level by hoop.dev. Set the roles straight

Free White Paper

K8s Audit Logging + AI Audit Trails: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

The postmortem question that ends careers is simple: what did the agent actually do? A week after a bad migration, someone asks for the exact commands an AI agent ran against the customer database, and the only answer is a CloudWatch line that says a connection happened. That is not an audit trail. That is a timestamp.

This guide builds real audit logging for AI agents whose identity comes from Microsoft Entra, with the record produced at the connection level by hoop.dev. Set the roles straight first. Entra is the identity provider that authenticates the agent and asserts who it is. hoop.dev is the relying party that verifies the Entra token and then records the infrastructure session the agent opens. The log is of the database or service connection, attributed to the Entra identity. hoop.dev does not record activity inside Entra and does not front Entra's APIs.

What audit logging must capture for an agent

An agent log that an auditor or an incident responder can use needs more than connection events. Use this as a checklist of what to capture:

  • The Entra identity that authenticated, including the group that authorized the connection.
  • The exact commands or queries the agent ran, in order, not a summary.
  • The target connection and the time window the session stayed open.
  • Whether any result was masked, and whether any operation was routed for approval.
  • An immutable record that the agent itself cannot edit.

That last point is the architectural one. The record has to live outside the process the agent controls. If the agent can write to the log, the log is a suggestion. hoop.dev captures the session at the gateway, on the path between the agent and the target, where the agent cannot reach to alter it.

How to wire it up

  1. Configure Entra as the OIDC provider in hoop.dev so every agent session carries a verified identity.
  2. Create the connection to the target database or service with its credential on the connection.
  3. Map the agent's Entra group to that connection and turn on session recording.
  4. Forward the session records to your SIEM for retention alongside human access logs.
connection: customer-db
  type: postgres
  access: group:billing-agents
  record: full
  export: siem

Verify the log is complete

Have the agent run a sequence of queries, then pull the session record. Every query should be present, in order, attributed to the Entra identity, with the open and close times. Try to find a gap. If the command-level log shows each statement rather than a single "session opened" line, your audit logging is doing its job. The difference between command-level audit and connection-level logging is the difference between knowing what happened and knowing only that something did.

Continue reading? Get the full guide.

K8s Audit Logging + AI Audit Trails: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Pitfalls

  • Do not rely on the database's own logs alone. They rarely tie a query back to a specific non-human identity from Entra.
  • Do not let the agent log itself. The record must originate outside the agent.
  • Do not skip export. A local record that ages out in seven days will not survive a compliance review.

Tie the record back to the Entra identity

The value of audit logging for an agent is in the join. A row deleted in production means little on its own. The same delete, attributed to a specific Entra identity, in a specific group, during a specific recorded window, with the prior queries in order, tells you the whole story. hoop.dev captures the session with the verified Entra identity attached, so the join is already done when you open the record.

That attribution is also what makes a fleet of agents manageable. When ten agents share infrastructure, connection logs alone blur together. Records keyed to the Entra identity let you filter to one agent, reconstruct exactly what it ran, and hand that to a reviewer without guesswork. The identity provider asserts who. hoop.dev records what they did at the connection.

hoop.dev is open source, so you can confirm what the session record contains by reading the code, not a brochure. The getting started guide shows how to enable recording on a connection, and the learn material covers exporting session data for audit logging.

FAQ

Does hoop.dev log what happens inside Entra?

No. Entra owns identity events. hoop.dev records the infrastructure session, attributed to the Entra identity that authorized it.

Can the agent tamper with its own audit log?

No. The session is recorded at the gateway, outside the agent process.

Where do I start?

Pull the gateway from the hoop.dev GitHub repository and enable full recording on one connection to see the audit logging output.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot