All posts
June 18, 20264 min read

Nested agents: what they mean for your blast radius (on Snowflake)

An offboarded contractor’s CI pipeline still runs nightly data‑export jobs that authenticate with a service account, which in turn spins up a Snowflake session through a second‑level automation script. The resulting blast radius can extend across every downstream Snowflake query the chain triggers. The contractor no longer has a direct login, yet the chain of agents still carries the original privileges deep into the data warehouse. When that service account is compromised, the attacker inherits

Free White Paper

Blast Radius Reduction + Single Sign-On (SSO): The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

An offboarded contractor’s CI pipeline still runs nightly data‑export jobs that authenticate with a service account, which in turn spins up a Snowflake session through a second‑level automation script. The resulting blast radius can extend across every downstream Snowflake query the chain triggers. The contractor no longer has a direct login, yet the chain of agents still carries the original privileges deep into the data warehouse. When that service account is compromised, the attacker inherits every permission that the original contractor held, and the impact spreads far beyond the single credential that was thought to be retired.

Most organizations build these chains unintentionally. A developer creates a long‑lived Snowflake user for a data‑science notebook, then grants that user to a CI service account so the notebook can be refreshed automatically. Later, the same service account is reused by a monitoring bot that needs to query audit tables. Each reuse adds a new “nested agent” – a process that authenticates to another process – without any visibility into who actually triggered the final Snowflake query. The result is a sprawling blast radius where a single compromised token can reach every downstream workload.

Switching to federated identity and short‑lived tokens reduces the chance of a static secret leaking, but it does not eliminate the core problem. The request still travels from the outermost agent straight to Snowflake, bypassing any central enforcement point. No component records the full command chain, no inline data masking is applied, and no approval workflow can interrupt a risky operation. In other words, the blast radius remains large even after the identity upgrade.

hoop.dev provides the missing enforcement layer. It sits as a Layer 7 gateway between any identity source and the Snowflake endpoint, intercepting every protocol exchange. Because hoop.dev is the only place where traffic passes, it can enforce just‑in‑time approvals, block disallowed commands, apply real‑time masking to sensitive columns, and record the entire session for replay. All of those outcomes exist solely because hoop.dev occupies the data path.

Understanding blast radius with nested agents

When an outer agent initiates a Snowflake connection, hoop.dev captures the identity token, validates it against the organization’s OIDC provider, and then forwards the request to the internal Snowflake proxy agent. If that proxy agent itself launches a secondary script that opens another Snowflake session, hoop.dev remains in the path for the second hop as well. By centralising the inspection point, hoop.dev collapses the multi‑hop chain into a single, auditable flow.

Because hoop.dev records each command before it reaches Snowflake, security teams can see exactly which outer agent triggered a query, what intermediate scripts were involved, and the final SQL statement that executed. This visibility shrinks the blast radius: a compromised service account no longer gives unchecked access to the data warehouse; every action must pass through hoop.dev’s policy engine.

How hoop.dev limits the impact of a compromised nested agent

  • Session recording – hoop.dev stores a replayable log of every Snowflake interaction, so investigators can trace the full chain of events after an incident.
  • Inline masking – sensitive columns such as credit‑card numbers are redacted in real time, preventing downstream tools from leaking data even if they are compromised.
  • Just‑in‑time approval – high‑risk queries (e.g., bulk exports) trigger an approval workflow before execution, adding a human checkpoint.
  • Command blocking – dangerous statements like DROP DATABASE can be denied outright by hoop.dev’s policy engine.

All of these enforcement outcomes are possible only because hoop.dev is positioned in the data path. The setup – federated identity, service accounts, and Snowflake configuration – determines who may start a request, but it does not enforce any of the controls listed above.

Continue reading? Get the full guide.

Blast Radius Reduction + Single Sign-On (SSO): Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

What to watch for when using nested agents

Even with hoop.dev in place, teams should audit the creation of new automation scripts. Each script that authenticates to another service becomes a potential nested agent and should be reviewed for least‑privilege permissions. Ensure that the identity used by the outermost agent has only the scopes required for its specific job, and let hoop.dev enforce tighter policies on the inner hops.

Regularly rotate service‑account credentials and retire any scripts that are no longer needed. Because hoop.dev records every session, you can identify rarely used or overly permissive agents by analysing the audit logs. Removing unnecessary agents further reduces the blast radius.

Getting started with hoop.dev for Snowflake

To protect Snowflake workloads from the risks of nested agents, deploy hoop.dev as the gateway in front of your Snowflake endpoint. The quick‑start guide walks you through installing the gateway, configuring OIDC authentication, and registering a Snowflake connection. Once the gateway is running, all Snowflake clients – whether they are notebooks, CI jobs, or monitoring bots – must connect through hoop.dev.

For detailed steps, see the getting‑started documentation. The broader feature set, including policy authoring and session replay, is covered in the learn section. Both resources assume you have an OIDC identity provider already in place; hoop.dev consumes the tokens and applies its controls in the data path.

FAQ

What is a nested agent? A nested agent is a process that authenticates to another process, creating a chain of indirect accesses. In Snowflake, this often looks like a CI job launching a script that then opens a Snowflake session.

How does hoop.dev reduce blast radius? By sitting in the data path, hoop.dev records every command, can mask sensitive results, and can require approvals before high‑risk actions. This centralised enforcement prevents a single compromised credential from propagating unchecked.

Do I still need my existing identity provider? Yes. The identity provider determines who may start a request (the setup layer). hoop.dev validates those tokens but provides the enforcement outcomes that the provider alone cannot deliver.

Explore the source code, contribute improvements, and see the full implementation on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot