All posts
June 18, 20264 min read

Keeping Non-Human Identities PHI-Compliant

A CI pipeline runs nightly to refresh a data warehouse. The job uses a service account whose secret lives in a git‑managed configuration file. The same credential also powers a batch script that extracts patient records for a research study. When the contractor who wrote the script leaves, the secret remains untouched, and the automation continues to pull raw PHI into an unsecured bucket. No one can tell which run accessed which record, because the system never logged the query, never masked the

Free White Paper

Non-Human Identity Management + Managed Identities: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

A CI pipeline runs nightly to refresh a data warehouse. The job uses a service account whose secret lives in a git‑managed configuration file. The same credential also powers a batch script that extracts patient records for a research study. When the contractor who wrote the script leaves, the secret remains untouched, and the automation continues to pull raw PHI into an unsecured bucket. No one can tell which run accessed which record, because the system never logged the query, never masked the identifiers, and never required an approval step.

This pattern is common. Teams treat non‑human identities, service accounts, CI tokens, automated bots, as static keys that grant broad access. The identities are provisioned once, given far‑more privileges than needed, and then forgotten. Because the gateway sits directly on the target, there is no central point to enforce audit, data minimization, or just‑in‑time approval. The result is a blind spot for PHI compliance.

Why phi matters for non‑human identities

Regulators expect every access to protected health information to be traceable, purpose‑limited, and auditable. Human users can be trained to request approvals, but automated agents cannot. When a service account can query a database without any oversight, an organization loses the ability to prove who accessed what, when, and why. That gap makes it difficult to demonstrate compliance with HIPAA’s audit and integrity safeguards, even though the standard itself is not a product certification.

Three practical gaps appear in most pipelines:

  • Over‑scoped permissions. A single token may read, write, and delete across multiple tables, far beyond the job’s actual need.
  • No query‑level audit. Logs are either missing or aggregated in a way that cannot be tied back to a specific automated run.
  • Unmasked data exposure. Responses that contain patient identifiers flow to downstream systems without redaction, increasing the blast radius of a breach.

What a compliant architecture must include

The first step is to treat the identity provisioning process as a setup concern only. OIDC or SAML tokens, service‑account definitions, and least‑privilege role bindings decide who the automation is, but they do not enforce any protection on the data path. The enforcement point must be a dedicated gateway that sits between the non‑human identity and the target system. Only that data path can reliably inspect each request, apply masks, and record the interaction.

When the gateway sits at Layer 7, it can enforce three core outcomes that satisfy PHI requirements:

  • Session recording. hoop.dev captures the full request and response stream for every automated connection, producing a replayable record that auditors can review.
  • Inline masking. Sensitive fields such as Social Security numbers or medical record numbers are stripped or tokenized before they leave the database, ensuring downstream services never see raw identifiers.
  • Just‑in‑time approval. Before a high‑risk query runs, hoop.dev can pause the request and require a human approver to confirm the purpose, then automatically revoke the permission after the operation completes.

All three outcomes are possible only because hoop.dev is the active subject in the data path. If the gateway were removed, none of these protections would exist, even though the service account and role bindings remain unchanged.

Continue reading? Get the full guide.

Non-Human Identity Management + Managed Identities: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

How hoop.dev fits the non‑human identity workflow

In a typical deployment, an organization registers each automated target, PostgreSQL, MySQL, or an internal HTTP API, as a connection in hoop.dev. The gateway holds the credential, so the CI job never sees the secret. When the job initiates a connection, hoop.dev authenticates the OIDC token presented by the pipeline, maps it to the registered service account, and then enforces the policy defined for that identity.

Because the gateway operates at the protocol level, it can inspect SQL statements, HTTP payloads, or SSH commands in real time. If a statement attempts to read a PHI column that is not allowed for that job, hoop.dev masks the column before returning the result. If the statement matches a high‑risk pattern, such as a bulk export of patient records, hoop.dev triggers an approval workflow, logs the request, and only proceeds after a designated reviewer signs off.

All session data, including timestamps, user identifiers, and the exact query text, is stored in a secure audit log that can be exported for compliance reporting. The log is stored securely and can be reviewed by auditors as needed.

Getting started with a PHI‑focused deployment

Deploying the gateway is straightforward. The official getting‑started guide walks you through a Docker Compose or Kubernetes installation, OIDC configuration, and connection registration. Once the gateway is running, define a policy that scopes the service account to the minimum set of tables needed for the CI job, enable inline masking for PHI columns, and turn on session recording.

For deeper guidance on masking strategies, policy composition, and audit‑log integration, see the learn section. Those resources provide concrete examples of how to express PHI‑specific rules without exposing any code snippets in this article.

FAQ

Does hoop.dev store PHI itself?

No. hoop.dev only proxies traffic and records metadata about each session. The raw PHI never resides in the gateway’s storage; it is either masked before leaving the target or retained only in the audit log for compliance purposes.

Can I use hoop.dev with existing CI pipelines?

Yes. Because the gateway presents the same network endpoint as the underlying database or API, you can point your existing CI configuration to the hoop.dev address without changing application code. The CI job continues to use its OIDC token for authentication, while hoop.dev enforces the PHI policies.

What happens if a non‑human identity tries to bypass the gateway?

Since the credential is stored only inside hoop.dev, the service account cannot connect directly to the target. Any attempt to reach the database without going through the gateway will fail authentication, ensuring that all PHI accesses are subject to the enforced controls.

By treating the gateway as the mandatory data path, organizations can turn a sprawling set of automated secrets into a single, auditable, and PHI‑safe surface. hoop.dev makes that transformation possible without rewriting existing automation scripts.

Explore the open‑source repository to see the full implementation details and contribute to the project.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot