All posts
June 18, 20263 min read

Nested agents: what they mean for your access reviews (on Snowflake)

Nested agents expand the attack surface and make reliable access reviews almost impossible. In many Snowflake deployments, teams delegate credentials to automation scripts, which in turn call other services that hold their own secrets. The result is a chain of impersonations – a “nested” agent model – where the original user’s identity is lost behind multiple service accounts. When a security auditor asks, “Who actually ran this query?” the answer often ends at the last service account, not the

Free White Paper

Access Reviews & Recertification + Snowflake Access Control: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Nested agents expand the attack surface and make reliable access reviews almost impossible.

In many Snowflake deployments, teams delegate credentials to automation scripts, which in turn call other services that hold their own secrets. The result is a chain of impersonations – a “nested” agent model – where the original user’s identity is lost behind multiple service accounts. When a security auditor asks, “Who actually ran this query?” the answer often ends at the last service account, not the human who triggered the workflow.

Typical practice looks like this: a data analyst runs a scheduled notebook, the notebook authenticates with Snowflake using a shared service key, then calls a downstream ETL job that uses another key to pull data from an external API, and finally writes results back to Snowflake. Each hop is authorized in isolation, but the overall path is invisible to the organization’s access‑review process. The review team can see that the service key has permission, but they cannot trace which analyst initiated the chain, nor can they verify whether each step complied with policy.

Why the existing setup falls short for access reviews

Even when teams enforce least‑privilege policies on each individual credential, the nested model leaves three critical gaps:

  • Lost provenance: The original user identity is stripped away after the first hop, so audit logs contain only the service account that performed the final operation.
  • No single enforcement point: Each credential validates locally, meaning a malicious or mis‑configured downstream service can bypass higher‑level controls without triggering any alert.
  • Unclear approval flow: When a high‑risk query runs, there is no built‑in mechanism to require a human reviewer to approve the request before it reaches Snowflake.

These gaps make it hard to answer the core questions of an access review: who accessed what data, why, and whether the action complied with policy. Without a unified view, reviewers either over‑grant permissions to avoid false negatives, or they spend excessive manual effort stitching together disparate logs.

Introducing an identity‑aware gateway as the data‑path control

To close the gap, organizations need a Layer 7 gateway that sits between every agent – human or automated – and Snowflake. The gateway becomes the sole point where traffic is inspected, policies are enforced, and evidence is collected. This is exactly what hoop.dev provides.

When a request originates from a nested agent chain, hoop.dev intercepts the connection before it reaches Snowflake. The gateway reads the original OIDC token, extracts the human’s identity, and then applies the following enforcement outcomes:

Continue reading? Get the full guide.

Access Reviews & Recertification + Snowflake Access Control: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
  • Session recording: hoop.dev records the full Snowflake session, preserving the query text, response data, and the originating user identity for later replay.
  • Inline data masking: Sensitive columns (PII, PCI, etc.) can be masked in real time, ensuring that downstream agents never see raw values.
  • Just‑in‑time approval: For queries that match high‑risk patterns, hoop.dev routes the request to a reviewer. The operation proceeds only after explicit approval.
  • Command‑level audit: Each SQL statement is logged with the original user, the service account that forwarded it, and the decision outcome (allowed, masked, or blocked).

Because hoop.dev sits in the data path, none of these outcomes can be achieved by the nested agents themselves. If the gateway were removed, the service accounts would continue to talk directly to Snowflake, and the audit trail would revert to the opaque state described earlier.

Practical steps to integrate hoop.dev with Snowflake

1. Deploy the gateway near your Snowflake network. The quick‑start guide walks you through a Docker‑Compose deployment that includes OIDC authentication, masking configuration, and guardrails out of the box. See the getting‑started documentation for the exact steps.

2. Register Snowflake as a connection. Provide the host, port, and a service credential that the gateway will use. Users never see this credential; hoop.dev injects it on their behalf.

3. Map OIDC groups to Snowflake roles. When a user authenticates, hoop.dev reads group membership and translates it into the appropriate Snowflake role, ensuring least‑privilege access without manual key distribution.

4. Define masking and approval policies. Using the policy UI, specify which columns must be redacted and which query patterns require reviewer sign‑off. These policies are enforced on every request that passes through the gateway.

5. Run access reviews against the recorded sessions. Auditors can query hoop.dev’s audit store, filter by user, time range, or masked column, and replay any session to verify compliance.

Benefits for the access‑review lifecycle

With hoop.dev in place, the review process becomes deterministic:

  • Reviewers see a single source of truth that ties every Snowflake query back to the initiating human.
  • Masked data ensures that sensitive fields never leave the gateway, reducing the risk of accidental exposure during downstream processing.
  • Just‑in‑time approvals add a human checkpoint for high‑risk operations without slowing down routine work.
  • Full session recordings provide forensic evidence that satisfies internal governance and external audit requirements.

Because the enforcement happens at the protocol layer, even sophisticated nested‑agent chains cannot bypass these controls. The gateway’s policies are immutable from the perspective of any downstream service, guaranteeing that the access‑review evidence remains trustworthy.

Conclusion

Nested agents are convenient, but they erode the transparency needed for effective access reviews. By inserting an identity‑aware Layer 7 gateway, organizations can reclaim provenance, enforce real‑time masking, require just‑in‑time approvals, and produce audit records that are retained for compliance review. hoop.dev is the open‑source solution built to sit in the data path and deliver those outcomes.

Ready to try it? Clone the repository and follow the quick‑start guide: https://github.com/hoophq/hoop.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot