All posts
June 18, 20264 min read

Nested agents: what they mean for your access reviews (on on-prem)

Many assume that nesting agents automatically simplifies access reviews, but the reality is far more nuanced. In most on‑prem environments, engineers still rely on a handful of long‑lived service accounts or shared SSH keys. Those credentials are copied to multiple bastion hosts, then used directly to reach databases, Kubernetes clusters, or internal web services. The result is a web of implicit trust: a single credential can open a chain of connections, and no central point records which user

Free White Paper

Access Reviews & Recertification + Single Sign-On (SSO): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Many assume that nesting agents automatically simplifies access reviews, but the reality is far more nuanced.

In most on‑prem environments, engineers still rely on a handful of long‑lived service accounts or shared SSH keys. Those credentials are copied to multiple bastion hosts, then used directly to reach databases, Kubernetes clusters, or internal web services. The result is a web of implicit trust: a single credential can open a chain of connections, and no central point records which user actually initiated the request. When an incident occurs, the audit trail ends at the first hop, leaving security teams to guess which downstream system was accessed and by whom.

Organizations often try to improve the situation by introducing non‑human identities, service accounts scoped to a specific role, or federated identities that map to minimal permissions. These steps reduce the blast radius of any single credential, but they do not change the fundamental flow. In short, the setup creates a better “who can call” boundary but leaves the “what actually happened” question unanswered.

Why nested agents complicate access reviews

A nested agent architecture means that an initial agent authenticates to a gateway, then spawns a second‑level agent that talks to the final target. The second agent often inherits the first agent’s identity, or it may be granted a separate service account. From the perspective of an access‑reviewer, the call stack looks like a black box: a user authenticates, an agent does something, and somewhere downstream a privileged command executes.

Access reviews rely on clear evidence of who accessed which resource, when, and for what purpose. Nested agents obscure that evidence in three ways:

  • They introduce an extra hop that is not always logged by the target system.
  • Credentials used by the inner agent may be static, making it impossible to distinguish between different callers.
  • Approval workflows, if any, are often implemented inside the inner agent’s code, meaning the outer layer cannot enforce or record them.

Because of these gaps, reviewers either over‑grant permissions to compensate for missing visibility, or they spend disproportionate time reconstructing logs from multiple sources. Both outcomes defeat the purpose of a rigorous access‑review process.

The missing enforcement layer

The only reliable way to close the visibility gap is to place a control point on the actual data path, a gateway that every request must traverse, regardless of how many agents are chained together. That gateway can observe the protocol, enforce policies, and produce immutable audit records that tie the outer user to the inner agent and finally to the target resource.

Setup: identity and provisioning

Identity providers such as Okta, Azure AD, or Google Workspace issue short‑lived OIDC tokens. Those tokens are mapped to roles that define which resources a user may request. Provisioning tools create service accounts with the minimum privileges needed for a given job. This setup decides who may start a request, but it does not enforce what the request can do once it reaches the resource.

The data path: where enforcement must happen

hoop.dev sits in the data path, acting as an identity‑aware proxy for every supported target, databases, Kubernetes clusters, SSH hosts, and internal HTTP services. By proxying the connection, hoop.dev can inspect each command, mask sensitive fields in responses, and require just‑in‑time approvals before a dangerous operation proceeds.

Continue reading? Get the full guide.

Access Reviews & Recertification + Single Sign-On (SSO): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Because hoop.dev is the only point that sees the full request, it records each session in an audit log. The log includes the original user’s identity, the chain of nested agents, the exact commands issued, and the responses returned.

hoop.dev produces immutable audit records that tie the outer user to the inner agent and finally to the target resource..

hoop.dev also masks credit‑card numbers, personal identifiers, or any other regulated data before it leaves the target system. The masking occurs inline, so downstream tools never see raw values. This protects sensitive data during review while still allowing the reviewer to verify that the correct fields were accessed.

When a command is deemed risky, for example a DROP DATABASE or a privileged kubectl exec, hoop.dev blocks the command and routes it to an approval workflow. An authorized reviewer can grant or deny the request in real time, and hoop.dev records that decision alongside the session data.

Enforcement outcomes for access reviews

With hoop.dev in place, access reviews become a matter of querying a single audit store. Reviewers can filter sessions by user, by nested‑agent chain, or by resource type. They can see exactly which commands were approved, which were blocked, and which were masked. Because hoop.dev never exposes raw credentials to the user, the risk of credential leakage is eliminated.

In practice, this means that a quarterly access‑review meeting no longer requires manual correlation of SSH logs, database query logs, and Kubernetes audit events. Instead, the team runs a report against hoop.dev’s audit data, validates that each user’s permissions match the principle of least privilege, and signs off on the findings.

Getting started

To adopt this approach, begin by deploying the gateway in your on‑prem network. The official getting‑started guide walks you through a Docker Compose deployment, OIDC configuration, and registration of your first target. Once the gateway is running, register each nested‑agent‑enabled service as a connection in hoop.dev’s catalog. The learn section provides deeper explanations of masking policies, approval workflows, and session replay.

All of the configuration details, from OIDC client setup to target credentials, are documented in the repository. You can explore the source code, contribute improvements, or simply clone the project to start a pilot.

View the source on GitHub to see how the gateway implements protocol‑level inspection and audit logging.

FAQ

Do nested agents still need their own credentials?

Yes. Each agent should run with a scoped service account that limits its permissions. hoop.dev then adds an additional layer of verification and logging on top of those credentials.

Can I use hoop.dev with existing bastion hosts?

hoop.dev can proxy through bastion hosts or replace them entirely. The key is that every connection, whether direct or tunneled, passes through the gateway so that policies are enforced uniformly.

What happens to already‑collected logs?

hoop.dev does not retroactively import historic logs. However, once deployed, it provides a continuous, searchable audit trail that satisfies most compliance frameworks and simplifies future access‑review cycles.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot