All posts
June 18, 20263 min read

Just-in-time access for AI coding agents on Entra

When an AI coding agent is added to a CI pipeline, the most convenient way to let it talk to a production database is to embed a service‑account token issued by Entra. Without just-in-time access controls, that token often carries wide‑range privileges because the agent needs to compile, test, and sometimes migrate schemas. The result is a standing credential that lives forever in the pipeline configuration. That static credential creates three hidden problems. First, any compromise of the pipe

Free White Paper

Just-in-Time Access + AI Human-in-the-Loop Oversight: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

When an AI coding agent is added to a CI pipeline, the most convenient way to let it talk to a production database is to embed a service‑account token issued by Entra. Without just-in-time access controls, that token often carries wide‑range privileges because the agent needs to compile, test, and sometimes migrate schemas. The result is a standing credential that lives forever in the pipeline configuration.

That static credential creates three hidden problems. First, any compromise of the pipeline gives an attacker immediate, long‑lived access to the database. Second, the agent can run arbitrary queries without any human oversight, which makes data exfiltration or destructive commands trivial. Third, because the connection bypasses any gatekeeper, there is no record of which queries were executed, no way to mask sensitive columns, and no opportunity to require an approval before a risky operation.

Just-in-time access means granting the smallest possible set of permissions for the shortest possible time, and only after a policy decision has been satisfied. In practice, the agent presents an Entra‑issued OIDC token, the system checks that the token belongs to a known non‑human identity, and then a temporary, scoped credential is issued for the exact operation the agent needs to perform.

Entra already supplies the identity plumbing. By creating a dedicated service principal for the AI agent, you can enforce least‑privilege scopes at token issuance time. However, the token alone does not enforce the "just‑in-time" part. The request still travels straight from the CI runner to the database, carrying the token’s privileges, without any intermediate enforcement point.

This missing enforcement layer leaves the three risks described above unchecked. Without a gateway, you cannot:

  • Intercept a query and require a human or policy‑based approval before it runs.
  • Mask columns that contain secrets or personally identifiable information in real time.
  • Record a replayable session that auditors can review later.

hoop.dev fills that gap by sitting in the data path between the Entra‑issued identity and the target infrastructure. The gateway validates the OIDC token, extracts the user or service principal information, and then proxies the connection to the database. Because the traffic passes through hoop.dev, the platform can enforce just‑in-time access policies, block disallowed commands, apply inline masking, and capture a complete audit trail for every session.

Continue reading? Get the full guide.

Just-in-Time Access + AI Human-in-the-Loop Oversight: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

When the AI agent initiates a connection, hoop.dev checks the policy engine. If the request matches a just‑in-time rule, the gateway creates a short‑lived credential that is scoped only to the requested operation. The credential is never exposed to the agent; hoop.dev presents it to the database on the agent’s behalf. If the policy requires approval, the request is paused and routed to a designated approver before the gateway forwards it. All responses flow back through the same path, allowing hoop.dev to mask sensitive fields before they reach the agent.

Deploying this architecture starts with the standard hoop.dev quick‑start. The getting‑started guide walks you through launching the gateway in Docker Compose or Kubernetes, configuring Entra as the OIDC identity provider, and registering a database connection. Once the gateway is running, you define just‑in-time policies in the learn section, specifying which service principals can request which operations and what approval workflow to trigger.

With hoop.dev in place, you gain:

  • Full session recordings that can be replayed for forensic analysis.
  • Real‑time data masking that protects secrets even when the AI agent processes them.
  • Granular, just‑in-time credential issuance that eliminates standing access.
  • Audit logs that satisfy internal governance and external audit requirements.

FAQ

How does hoop.dev handle token refresh for long‑running jobs?

hoop.dev validates each request against the current Entra token. When a job runs longer than the token’s lifetime, the gateway automatically re‑validates the token before issuing a new short‑lived credential, ensuring continuous enforcement without manual intervention.

Can I use hoop.dev with multiple Entra tenants?

Yes. The gateway can be configured with multiple OIDC providers, each mapped to a distinct set of policies. This lets you isolate AI agents that belong to different business units or projects.

What happens if an approval is denied?

hoop.dev aborts the proxied request and returns a clear error to the agent. The denied attempt is still recorded, providing evidence of the attempted operation.

Explore the source code, contribute improvements, or spin up your own instance by visiting the GitHub repository.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot