All posts
June 18, 20264 min read

NIST for non-human identities: governing machine access end to end (on Postgres)

A CI pipeline runs nightly to refresh a reporting schema in a PostgreSQL instance. The job uses a service account token that was granted full read‑write access months ago. When a new table is added, the pipeline writes data without any human review, and the security team has no record of which job performed the change. Weeks later, an auditor asks for proof that only authorized automation touched the database, but the logs show only generic system events. The organization struggles to prove comp

Free White Paper

End-to-End Encryption + Non-Human Identity Management: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

A CI pipeline runs nightly to refresh a reporting schema in a PostgreSQL instance. The job uses a service account token that was granted full read‑write access months ago. When a new table is added, the pipeline writes data without any human review, and the security team has no record of which job performed the change. Weeks later, an auditor asks for proof that only authorized automation touched the database, but the logs show only generic system events. The organization struggles to prove compliance with NIST requirements for machine‑originated activity.

Non‑human identities, service accounts, CI jobs, bots, and AI agents, are essential for modern infrastructure, yet they often bypass the same controls that protect human users. NIST SP 800‑53 and the Cybersecurity Framework expect continuous, verifiable evidence that every access request, command, and data movement is authorized, recorded, and auditable. The challenge is to collect that evidence without rewriting every automation script or exposing secrets to the processes that need them.

Why NIST evidence must be continuous for machine identities

NIST defines several control families that directly affect automated access:

  • AU‑3: Content of audit records must include user or process identifiers, timestamps, and the nature of the event.
  • AC‑2: Account management requires that privileged accounts be provisioned with least‑privilege and reviewed regularly.
  • IA‑4: Identifier authentication must be tied to an identity that can be uniquely traced.
  • CM‑7: Change control must enforce approvals for configuration changes, even when performed by scripts.

When a service account connects directly to PostgreSQL, the database sees only a static credential. It cannot distinguish whether a human or a script issued a query, nor can it enforce just in time (JIT) approvals. Consequently, audit logs lack the context required for NIST compliance, and any deviation from policy goes unnoticed.

How hoop.dev provides the data‑path enforcement needed for NIST

hoop.dev acts as a Layer 7 gateway that sits between the identity provider and the PostgreSQL server. The gateway is the only place where traffic can be inspected, masked, approved, or recorded. Because the gateway holds the database credential, the downstream service never sees the secret; the service account only presents an OIDC token that hoop.dev validates.

When a non‑human identity initiates a connection, hoop.dev performs the following NIST‑aligned actions:

  • Session recording: hoop.dev records every query and response, creating a replay that satisfies AU‑3.
  • Inline data masking: Sensitive columns (e.g., SSN, credit‑card numbers) are masked in real time, reducing exposure while still providing useful results to the automation.
  • Just in time approval: If a query matches a high‑risk pattern, such as a DROP TABLE or a bulk INSERT, hoop.dev routes the request to a designated approver before execution, meeting CM‑7.
  • Command level audit: Each statement is logged with the originating service account, the OIDC subject, and the exact timestamp, fulfilling IA‑4 and AC‑2 traceability requirements.

All of these outcomes are possible only because hoop.dev resides in the data path. The identity provider alone cannot enforce command‑level policies, and the database cannot verify that a request has been approved.

Continue reading? Get the full guide.

End-to-End Encryption + Non-Human Identity Management: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Mapping NIST controls to hoop.dev capabilities

NIST Controlhoop.dev Enforcement
AU‑3 (Audit Content)Session recordings and per‑statement logs with identity context.
AC‑2 (Account Management)Least‑privilege service accounts scoped at the gateway, not the database.
IA‑4 (Identifier Authentication)OIDC token validation at the gateway, tying every request to a unique subject.
CM‑7 (Change Control)Just in time approval workflow for high‑risk commands before they reach PostgreSQL.

Deploying hoop.dev for PostgreSQL

The deployment model is intentionally simple. A Docker‑Compose file runs the gateway and a network‑resident agent close to the PostgreSQL instance. The agent holds the database credential; the gateway authenticates users and service accounts via OIDC. Detailed steps are covered in the getting‑started guide. Once the connection is registered, any client, psql, a CI job, or an AI‑assisted tool, talks to PostgreSQL through hoop.dev without code changes.

Because hoop.dev records every session, auditors can retrieve logs that show exactly which automation performed each change, when, and under which policy. The logs are stored outside the database, so even if the database is compromised, the evidence remains intact. This continuous evidence stream satisfies NIST’s requirement for “real time” auditability.

Common pitfalls and how hoop.dev avoids them

  • Static credential leakage: Storing a password in CI configuration exposes the secret to anyone with repository access. hoop.dev centralizes the credential, so pipelines never handle it directly.
  • Missing approval for destructive actions: Without a gate, a mis‑configured script can drop tables. hoop.dev’s JIT approval forces a human review for any command that matches a policy rule.
  • Insufficient audit granularity: Database logs often aggregate statements, making it hard to attribute actions. hoop.dev logs each statement with full context, providing the granularity NIST expects.

FAQ

Do I need to modify my existing CI scripts to use hoop.dev?

No. hoop.dev works as a transparent proxy. You point your client (psql, JDBC, etc.) at the gateway address and keep the same connection parameters. The gateway handles authentication and policy enforcement.

Can hoop.dev mask data for compliance without breaking my application?

Yes. Masking rules are applied to response payloads only. The underlying data remains unchanged in PostgreSQL, so downstream processes that require the full value can still access it through a separate, privileged path if needed.

Is the audit data tamper‑proof?

The audit stream is written outside the database, directly from the gateway process. While hoop.dev does not claim cryptographic immutability, storing logs separate from the target system ensures that evidence survives a compromise of the database.

Get started with hoop.dev

Explore the open‑source repository, review the architecture, and try the quick‑start to see how continuous NIST evidence can be generated for your machine identities:

https://github.com/hoophq/hoop

For deeper details on masking, approval workflows, and session replay, visit the learn section of the documentation.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot