An offboarded contractor’s CI pipeline still holds a service account that can execute arbitrary SQL against the production Postgres cluster. The team once used the token for a limited build step, yet the credential lives in a shared secret store and no one knows which jobs still use it. When a new compliance audit arrives, the auditors ask for evidence that the organization authorized, recorded, and scoped every machine‑initiated query according to FFIEC expectations. The answer is often “we don’t have that level of visibility.” That gap results from how organizations traditionally manage non‑human identities.
Why machine access is a blind spot for FFIEC
FFIEC guidance emphasizes continuous monitoring, least‑privilege access, and audit trails for all entities that touch sensitive financial data. Human users are easy to track because they log in with federated identities, and existing SIEM solutions can record their sessions. Machines, however, typically use long‑lived API keys or static database passwords. Organizations provision those credentials once, rotate them rarely, and grant them broader privileges than the job actually needs. The result is two problems:
- Auditors cannot prove that a particular automated job was the source of a data‑modifying statement.
- When a breach occurs, the lack of per‑request evidence makes it hard to contain the blast radius.
Both issues run counter to FFIEC’s requirement for real‑time evidence that teams can present without additional engineering effort.
FFIEC requirements and machine identities
The core FFIEC controls relevant to machine‑driven database access are:
- Authentication and authorization must be tied to a unique, verifiable identity.
- All privileged commands must be logged with recorded timestamps and user context.
- Access must be granted on a just‑in‑time basis, with explicit approval for high‑risk actions.
- Sensitive data returned to the caller should be masked unless the requester has a documented need‑to‑know.
Traditional setups satisfy the first point by using a service account, but they fall short on the remaining three. The missing piece is a control point that can inspect each SQL statement, enforce policy, and generate the evidence that FFIEC expects.
The missing control: a data‑path gateway
Placing enforcement logic inside the application or the database itself is fragile. The database cannot differentiate a machine‑initiated request from a human‑initiated one, and any policy changes require a database restart or a risky schema migration. What teams need is a dedicated gateway that sits between the identity provider and the Postgres endpoint. The gateway examines every packet, makes decisions, and records evidence.
When a non‑human identity presents a token, the gateway validates it against the organization’s IdP, maps the token to a scoped role, and then forwards the request to Postgres using its own credential. Because the gateway holds the credential, the downstream database never sees the original secret, eliminating credential leakage risk.
How hoop.dev provides continuous evidence
hoop.dev implements exactly the data‑path gateway described above. It intercepts each PostgreSQL wire‑protocol message, applies FFIEC‑aligned policies, and records the outcome. The enforcement outcomes are:
- Session recording: hoop.dev stores every query, its response, and the associated metadata (timestamp, source identity) in an audit log.
- Inline masking: hoop.dev redacts columns marked as sensitive in real time unless the requester’s role includes an explicit need‑to‑know.
- Just‑in‑time approval: hoop.dev triggers a workflow that demands a human approver before executing high‑risk statements such as DROP DATABASE or ALTER ROLE.
- Command blocking: hoop.dev rejects dangerous patterns automatically, preventing accidental data exposure.
- Identity‑aware proxy: The gateway maps each machine token to a least‑privilege role, ensuring the downstream credential only has the permissions required for that specific job.
Because hoop.dev sits in the data path, it enforces all of these controls regardless of how the client initiates the connection, whether it is a CI job, a scheduled ETL, or an AI‑driven analytics service. hoop.dev generates an audit log that satisfies FFIEC’s demand for continuous, per‑request evidence without requiring custom instrumentation inside each application.
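The decision flow described in the two sections above (token to scoped role, per-statement policy, masking, and an evidence record per request), reduced to one small policy function. This is an added illustration written for this article, not hoop.dev’s code; the token table, role names, column names and the regexes are constructed assumptions, and a dictionary lookup stands in for the IdP validation.

```python
import re
from datetime import datetime, timezone

# Constructed sample policy (not hoop.dev's configuration format). A machine
# token stands in for an IdP-validated identity and maps to one scoped role;
# a role lists the statement verbs it may run and the sensitive columns it has
# a documented need-to-know for. Every other sensitive column is masked.
TOKENS = {"tok-ci-build": "ci_reader", "tok-etl-nightly": "etl_writer"}
ROLES = {
    "ci_reader": {"allow": {"SELECT"}, "unmask": set()},
    "etl_writer": {"allow": {"SELECT", "INSERT", "UPDATE"}, "unmask": {"ssn"}},
}
SENSITIVE = {"ssn", "card_number"}
HIGH_RISK = re.compile(r"^\s*(DROP\s+DATABASE|ALTER\s+ROLE)\b", re.I)  # needs an approver
UNBOUNDED_WRITE = re.compile(r"^\s*(DELETE|UPDATE)\b(?!.*\bWHERE\b)", re.I | re.S)


def decide(token, sql, audit_log):
    """Classify one statement and append the evidence record an auditor asks for.

    Returns one of: allowed, masked, pending-approval, blocked, unknown-identity.
    """
    role = TOKENS.get(token)
    verb = sql.split(None, 1)[0].upper() if sql.split() else ""
    if role is None:
        decision = "unknown-identity"
    elif HIGH_RISK.match(sql):
        decision = "pending-approval"
    elif UNBOUNDED_WRITE.match(sql) or verb not in ROLES[role]["allow"]:
        decision = "blocked"
    elif any(re.search(rf"\b{c}\b", sql, re.I) for c in SENSITIVE - ROLES[role]["unmask"]):
        decision = "masked"  # heuristic: sensitive column name appears in the statement
    else:
        decision = "allowed"
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "identity": token, "role": role, "query": sql, "decision": decision,
    })
    return decision


def mask_rows(token, columns, rows):
    """Redact sensitive columns in a result set unless the role may see them."""
    visible = ROLES.get(TOKENS.get(token), {}).get("unmask", set())
    hidden = {i for i, c in enumerate(columns) if c in SENSITIVE and c not in visible}
    return [tuple("***" if i in hidden else v for i, v in enumerate(r)) for r in rows]


if __name__ == "__main__":
    log = []
    print(decide("tok-ci-build", "SELECT ssn FROM customers", log))  # masked
    print(decide("tok-etl-nightly", "ALTER ROLE app WITH SUPERUSER", log))  # pending-approval
    print(mask_rows("tok-ci-build", ["id", "ssn"], [(1, "123-45-6789")]))  # [(1, '***')]
```

The `audit_log` list is the chronological, per-request evidence the article refers to: identity, exact query text and the decision taken, one entry per statement regardless of which client sent it.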
Key enforcement outcomes for FFIEC compliance
When auditors request proof of compliance, the organization can produce:
- A chronological list of every machine‑initiated SQL statement, including the originating service account, the exact query text, and the decision taken (allowed, masked, blocked).
- Approval records that show who authorized each high‑risk operation, with timestamps and justification.
- Masked data samples that demonstrate the system’s ability to hide PII in query results.
- Evidence that no credential ever left the gateway, reducing the attack surface for credential theft.
hoop.dev generates all of these artifacts automatically, meaning the compliance team does not need to build bespoke logging pipelines.
Getting started with hoop.dev for Postgres
To adopt this approach, begin by deploying the gateway in the same network segment as your PostgreSQL cluster. The official getting‑started guide walks you through a Docker Compose launch, OIDC configuration, and the creation of a Postgres connection profile. Once the gateway is running, register each non‑human identity in your IdP, map it to a scoped role in the gateway, and enable the built‑in approval workflow for privileged commands. The learn site provides detailed feature documentation, where you can explore masking policies, session replay, and audit‑log export formats. For an overview of all supported connectors, visit the hoop.dev product page.
FAQ
Q: Does hoop.dev replace existing database authentication?
A: No. The gateway authenticates the client against the IdP, then uses its own service credential to talk to Postgres.
Q: How is the audit log protected from tampering?
A: hoop.dev writes the log after each request and can ship it to a storage backend of your choice. The integrity of the log forms part of the evidence that FFIEC expects.
Q: Can I apply different masking rules per service?
A: You define masking policies in the gateway and can scope them to specific identities, roles, or even individual SQL statements.
View the source code and contribute on GitHub: https://github.com/hoophq/hoop