All posts
June 18, 20264 min read

MCP gateways: what they mean for your blast radius (on BigQuery)

When AI‑driven workloads respect strict boundaries, the worst‑case impact of a misbehaving model is contained to a single, well‑scoped query instead of a sweeping data exfiltration. Reducing the blast radius is essential, because in the ideal state each request to BigQuery is vetted, logged, and limited to the exact columns and rows needed for the task at hand. In many organizations, the reality looks very different. Teams often grant large service accounts or generic API keys to AI agents so t

Free White Paper

Blast Radius Reduction + Single Sign-On (SSO): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

When AI‑driven workloads respect strict boundaries, the worst‑case impact of a misbehaving model is contained to a single, well‑scoped query instead of a sweeping data exfiltration. Reducing the blast radius is essential, because in the ideal state each request to BigQuery is vetted, logged, and limited to the exact columns and rows needed for the task at hand.

In many organizations, the reality looks very different. Teams often grant large service accounts or generic API keys to AI agents so that the model can explore data freely. Those credentials typically have read‑only or even read‑write privileges across an entire warehouse. The agents run without any gatekeeper, issuing ad‑hoc SQL that can scan every table, join across datasets, and return massive result sets. When a model generates an unexpected query, the blast radius can span petabytes of sensitive information, and there is no built‑in audit trail to prove who or what caused the request.

Even when an organization adopts a principle of least privilege for human engineers, the same discipline is rarely applied to machine‑generated traffic. The missing piece is a control surface that sits between the AI runtime and the data service, capable of enforcing policy, recording activity, and applying real‑time masking. Without that surface, the request reaches BigQuery directly, bypassing any approval workflow, without session replay or inline data redaction.

Why uncontrolled AI agents expand blast radius

AI agents that can issue arbitrary SQL are powerful, but they also amplify risk. A single prompt can cause the model to iterate over dozens of tables, inadvertently exposing personally identifiable information (PII) or proprietary business metrics. Because the agent runs with a credential that trusts the entire warehouse, the blast radius of any mistake is the full data set. Moreover, the lack of a central audit log means security teams cannot reconstruct the exact query chain after the fact, making forensic analysis costly and incomplete.

The missing control point for blast radius reduction

The core problem is not authentication, most teams already use OIDC or service accounts to prove identity. The gap is the enforcement layer. When a request is allowed to travel straight from the model to BigQuery, there is no place to inspect the SQL, apply column‑level masking, or require a human approver for high‑risk operations. The request bypasses any guardrail, and the system cannot enforce just‑in‑time (JIT) limits.

In a sound design, the enforcement layer must be the only point where policy decisions are made. It must sit on the data path, inspect every packet, and be able to block, mask, or log based on the organization’s rules. Only then can the blast radius be reliably bounded.

Putting the gateway in the data path

This is where an identity‑aware proxy becomes essential. By inserting a Layer 7 gateway between the AI runtime and BigQuery, every query is forced through a single, policy‑driven choke point. The gateway authenticates the caller, checks group membership, and then applies the organization’s rules before the query reaches the database.

Continue reading? Get the full guide.

Blast Radius Reduction + Single Sign-On (SSO): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Because the gateway is the only place where traffic can be examined, it can enforce column‑level redaction, reject queries that reference disallowed tables, and trigger an approval workflow for operations that exceed a predefined risk threshold. The gateway also records the full session, enabling replay for audit or incident response.

How hoop.dev enforces limits

hoop.dev implements exactly this data‑path architecture. It proxies the connection to BigQuery, authenticates callers via OIDC or SAML, and then applies policy before forwarding the request. The enforcement outcomes are all provided by hoop.dev:

  • hoop.dev records every query and its result set, creating an audit trail that security teams can review.
  • hoop.dev masks sensitive columns in real time, ensuring that downstream consumers never see raw PII.
  • hoop.dev blocks commands that match a deny list, preventing destructive or overly broad scans.
  • hoop.dev routes high‑risk queries to a human approver, adding a just‑in‑time approval step before execution.
  • hoop.dev replays sessions on demand, giving investigators a complete view of what the AI agent did.

All of these capabilities exist because hoop.dev sits in the data path; the setup that authenticates the model (the OIDC token, the service account) only decides who may start a request. Without hoop.dev, none of the enforcement outcomes would be possible.

For teams ready to start, the getting‑started guide walks through deploying the gateway, registering a BigQuery connection, and defining masking policies. The broader feature catalog is available in the learn section, where you can explore examples of query‑level audit, inline masking, and JIT approval workflows.

Practical steps to adopt

  1. Identify the service account or token that your AI runtime currently uses to talk to BigQuery.
  2. Configure hoop.dev to act as the relying party for that identity, preserving the existing authentication flow.
  3. Register the BigQuery endpoint as a connection in hoop.dev, supplying the credential that the gateway will use.
  4. Define a policy that limits the tables and columns the model may query, and enable real‑time masking for any column marked as sensitive.
  5. Enable session recording and set up an approval workflow for queries that exceed a row‑count threshold.
  6. Test the end‑to‑end flow with a low‑risk query, verify that the audit log captures the request, and confirm that masking behaves as expected.

Once these steps are in place, the AI agent no longer talks directly to BigQuery. Every request is filtered through hoop.dev, dramatically shrinking the blast radius of any accidental or malicious query.

FAQ

Does hoop.dev replace the existing authentication mechanism?

No. Authentication remains the responsibility of the identity provider. hoop.dev simply verifies the token and then enforces policy on the data path.

Can I still use my existing BigQuery client libraries?

Yes. The gateway presents the same wire‑protocol interface, so standard clients continue to work without code changes.

What happens if an unauthorized query slips through?

Because hoop.dev records every session, you can replay the exact request and see which policy rule was bypassed. You can then tighten the rule set to prevent future occurrences.

Ready to see the code in action? Explore the source repository on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot