An analytics agent runs SELECT * FROM customers WHERE signup_date > now() - interval '7 days' and pulls back names, emails, and partial card data it never needed for the task. Nothing was misconfigured in Postgres. The agent had read access, used it, and now sensitive rows sit in a model context window and a log file. Data masking is how you keep the rows useful without handing the agent the raw values.
This post configures data masking for AI agents on Postgres, with hoop.dev redacting sensitive fields inline before any result reaches the agent.
Why masking has to happen on the connection
You could mask in the application, but agents do not always go through your application. You could create masked views, but that pushes policy into schema and breaks the moment a query hits the base table. The reliable place to mask is the connection every query and result already crosses.
If data masking runs on the wire between Postgres and the agent, it applies no matter what statement the agent writes, because it works on the result stream, not on a per-view basis you have to remember to maintain.
How hoop.dev runs data masking on Postgres results
hoop.dev is an open-source Layer 7 access gateway whose agent speaks the native Postgres wire protocol next to your database. As results stream back, hoop.dev sends content to a configured DLP provider, Microsoft Presidio or Google DLP, for classification, then redacts the matched fields before the rows reach the AI agent. The agent sees masked output; the database returns its rows normally.
Masking is not a fixed regex baked into the gateway. It runs at the protocol layer against a provider you configure, so what counts as sensitive is a policy decision, not a hard-coded pattern.
Inline, not after the fact
The word that matters is inline. The redaction happens in the result stream, on the way back to the agent, before any sensitive value reaches the client. That is different from scrubbing logs after the fact or masking a copy of the data in a warehouse. By the time a post-hoc process runs, the agent has already seen the cleartext and may have copied it into a prompt or a downstream store. Inline data masking closes that window because the agent never receives the protected value in the first place.
It also means the original data in Postgres is never altered. You are not maintaining a masked replica or a parallel set of views. The same table serves masked and unmasked consumers depending on which connection and policy they come through.
Steps
- Install the hoop.dev gateway and run its agent next to Postgres.
- Register the Postgres connection: host, port, database, user, password, SSL mode.
- Configure a DLP provider (Presidio or Google DLP) for the connection so hoop.dev has a classifier for the result stream.
- Enable masking on the Postgres connection and define the entity types to redact, such as emails, names, or payment identifiers.
- Point the AI agent at the hoop.dev endpoint, run a query against a table with sensitive columns, and confirm the returned values are redacted.
The getting started docs cover the gateway, and hoop.dev/learn explains the masking model in depth.
Pitfalls
- Masking needs a configured DLP provider. Without one there is no classifier, so do not assume redaction is on by default.
- Test against real-looking data. A classifier tuned for one entity type can miss another; verify the fields you care about are caught.
- Masking and recording are separate concerns. A recorded session can capture the masked result; decide what your recordings should contain.
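As an added illustration of the masking model described above (this is not hoop.dev's code and does not use its API), the following Python models the inline step: a result stream is wrapped so that each row is classified and redacted before it is yielded to the consumer, while the source rows stay untouched. A small regex-plus-Luhn classifier stands in for the configured DLP provider; the entity type names EMAIL_ADDRESS and CREDIT_CARD are assumed to follow Presidio's naming. The sample rows are constructed, and the third row is deliberately written so that its email and card value evade the toy detectors, which is what the coverage_report check at the end is for: it is the "test against real-looking data" pitfall turned into a repeatable assertion.

```python
import re
from typing import Callable, Iterable, Iterator

# Constructed sample rows standing in for what Postgres would return for the
# analytics query in the post. Not real customer data. Row 3 is deliberately
# written so that the toy detectors below miss both fields.
SAMPLE_ROWS = [
    {"id": 1, "name": "Ada Example", "email": "ada@example.com",
     "card": "4111 1111 1111 1111"},
    {"id": 2, "name": "Bo Sample", "email": "bo.sample@example.org",
     "card": "not on file"},
    {"id": 3, "name": "Cy Test", "email": "cy at example dot net",
     "card": "1234 5678 9012 3456"},
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run. Candidates are confirmed with a Luhn check.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def detect_email(text: str) -> list[tuple[int, int]]:
    return [(m.start(), m.end()) for m in EMAIL_RE.finditer(text)]


def detect_card(text: str) -> list[tuple[int, int]]:
    return [(m.start(), m.end()) for m in CARD_RE.finditer(text)
            if luhn_ok(re.sub(r"[ -]", "", m.group()))]


# Toy classifier: entity type -> span detector. In a real deployment this role
# is played by the configured DLP provider (Presidio or Google DLP); the entity
# names here are assumed to mirror Presidio's.
DETECTORS: dict[str, Callable[[str], list[tuple[int, int]]]] = {
    "EMAIL_ADDRESS": detect_email,
    "CREDIT_CARD": detect_card,
}


def redact(text: str, entity_types: Iterable[str]) -> tuple[str, list[str]]:
    """Replace every detected span with an <ENTITY_TYPE> marker.
    Returns the redacted text and the list of entity types found."""
    spans = [(s, e, et) for et in entity_types for s, e in DETECTORS[et](text)]
    # Splice from the right so earlier offsets remain valid.
    for s, e, et in sorted(spans, reverse=True):
        text = text[:s] + f"<{et}>" + text[e:]
    return text, [et for _, _, et in spans]


def mask_stream(rows: Iterable[dict], entity_types: Iterable[str]) -> Iterator[dict]:
    """The inline step: wrap a result stream so each row is redacted before
    it is yielded. The underlying rows are never modified."""
    types = tuple(entity_types)
    for row in rows:
        yield {k: (redact(v, types)[0] if isinstance(v, str) else v)
               for k, v in row.items()}


def masked_query_result(rows=SAMPLE_ROWS,
                        entity_types=("EMAIL_ADDRESS", "CREDIT_CARD")) -> list[dict]:
    """What the agent would receive for the sample result set."""
    return list(mask_stream(iter(rows), entity_types))


def coverage_report(rows: Iterable[dict],
                    expected: Iterable[tuple[str, str]]) -> list[tuple[int, str, str]]:
    """Pitfall check: for each (column, entity_type) you expect to be caught,
    list (row id, column, entity_type) where the classifier did not fire."""
    misses = []
    for row in rows:
        for col, et in expected:
            _, found = redact(row[col], [et])
            if et not in found:
                misses.append((row["id"], col, et))
    return misses


if __name__ == "__main__":
    for row in masked_query_result():
        print(row)
    print("misses:", coverage_report(SAMPLE_ROWS,
                                     [("email", "EMAIL_ADDRESS"), ("card", "CREDIT_CARD")]))
```

Running it shows rows 1 and 2 with their email and card values replaced by markers, row 3 passing through untouched, and the coverage report naming exactly which row, column and entity type the classifier missed. That second output is the point of the pitfall: a redaction policy is only as good as the classifier behind it, so keep a set of realistic fixture rows per entity type and fail the check when any expected match is not caught.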
FAQ
Does data masking change the rows in Postgres?
No. The database returns its data unchanged. hoop.dev redacts in the result stream before it reaches the agent, so the stored data is untouched.
What classifies a field as sensitive?
The configured DLP provider, Presidio or Google DLP. hoop.dev sends streaming content for classification and redacts the matches.
Will masking slow down large result sets?
Masking adds a classification step to the result stream, so there is some overhead on every masked result. Scope it to the connections and entity types that need it rather than masking everything.
hoop.dev is open source. See how inline masking is wired on a Postgres connection in the hoop.dev GitHub repository.