Nested agents: what they mean for your access reviews (on Postgres)

An offboarded contractor’s CI job still runs every night, opening a PostgreSQL connection through a nested agent that lives inside the production network. The job writes logs, pulls data, and exits without a human ever seeing the credentials. Because the pipeline is automated, the stale access often goes unnoticed until a security audit surfaces unexpected data extracts, complicating access reviews.

Understanding nested agents

Nested agents are processes that a primary gateway agent spawns to reach a target service. Instead of a single hop from the user to the database, the request travels through a parent agent, which then starts a child agent that holds the database credential and speaks the PostgreSQL wire protocol. This pattern lets automation run without embedding secrets in source code, but it also creates an extra layer that is invisible to traditional access‑review tools. The child agent inherits the credential from the gateway, not from the original user, so the observable connection chain is longer than it appears.

Why access reviews become tricky

Typical access reviews enumerate who can connect to Postgres and what role they hold. When a nested agent is involved, the reviewer sees only the parent identity – the CI service account – and may miss the fact that the child agent can issue any query allowed by the stored credential. The indirect path means that revoking the parent token does not automatically stop the child agent if its credential persists in the gateway’s store. Audit logs that capture only the outermost TCP handshake hide the inner query stream, making it hard to prove that a privileged command never ran.

What to watch for during access reviews

To keep reviews accurate, teams should watch for the following signals:

The gateway may cache credentials that survive after you disable the parent identity.
Automation pipelines that trigger nested agents on a schedule, especially when the schedule is managed outside of the gateway’s policy engine.
Roles assigned to the child agent that exceed the principle of least privilege, such as superuser rights when only read‑only access is needed.
Audit logs that often record only the outermost connection, which hides the inner query stream and any data‑masking actions.

Introducing a data‑path control plane

hoop.dev provides the data‑path control needed to surface every nested‑agent interaction. It sits between the identity provider and the PostgreSQL server, intercepting traffic at the wire‑protocol level. Because the gateway owns the credential, it can enforce policies even when a child agent is created, and it can terminate the session if a policy violation is detected.

Continue reading? Get the full guide.

Access Reviews & Recertification + Single Sign-On (SSO): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Enforcement outcomes that only a gateway can deliver

hoop.dev records each session, ties every query back to the original OIDC token, and stores the replayable log outside the agent’s process. It can mask columns that contain personal data in real time, block commands that attempt to drop tables, and route high‑risk queries to an approval workflow before they reach the database. All of these outcomes exist only because hoop.dev occupies the data path; the IdP alone cannot see or stop the inner query.

Practical steps to make access reviews reliable

Deploy hoop.dev’s PostgreSQL connector and enable session recording. Turn on inline masking for any column that holds PII or secrets, and configure just‑in‑time access so that a nested agent receives a short‑lived credential only after an approver signs off. Use the getting‑started guide to provision the gateway, and consult the learn section for detailed explanations of masking, approvals, and replay capabilities. Once the gateway is in place, every access‑review cycle can query the replay store to verify that no stale child‑agent credential remains active.

Summary

By surfacing the hidden child‑agent layer, hoop.dev turns a blind spot into a searchable audit trail, letting reviewers verify that no stale credential remains active and that every privileged query is accounted for. The source code and contribution guide are available on GitHub.

FAQ

Do access reviews need to change when I adopt nested agents?

Yes. Reviewers must include the credential lifecycle managed by the gateway, not just the parent service account. hoop.dev makes that lifecycle visible, so you can confirm that no hidden child agent can act beyond its intended scope.

Can I still use my existing IdP for authentication?

Absolutely. hoop.dev acts as a relying party for OIDC or SAML tokens, so your current IdP continues to decide who may start a session. The gateway then adds the enforcement layer needed for accurate access reviews.

What happens if a nested agent is compromised?

hoop.dev can terminate the session in real time, block further commands, and record the full transcript for forensic analysis. The replayable log gives investigators a complete picture of what the compromised agent attempted to do.