All posts
June 18, 20264 min read

Non-human identity vs shared service accounts: which actually controls AI agent risk (on CI/CD pipelines)

Achieving secure CI/CD with AI agents starts with using a non-human identity for every job. When AI agents run in a CI/CD pipeline, the ideal state is a short-lived, purpose-built non-human identity that is granted exactly the permissions needed for the specific build step, and the system logs every command, masks any secret data that appears in output, and requires a human approval before any risky operation. In that world the pipeline never relies on a static credential, there is no secret lea

Free White Paper

Non-Human Identity Management + CI/CD Credential Management: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Achieving secure CI/CD with AI agents starts with using a non-human identity for every job. When AI agents run in a CI/CD pipeline, the ideal state is a short-lived, purpose-built non-human identity that is granted exactly the permissions needed for the specific build step, and the system logs every command, masks any secret data that appears in output, and requires a human approval before any risky operation. In that world the pipeline never relies on a static credential, there is no secret leakage, and auditors can trace who did what, when, and why.

In practice, most teams still use a handful of shared service accounts. Those accounts are hard-coded into build scripts, stored in secret managers, and rotated on a schedule that rarely matches the pace of development. The same credential is reused across dozens of jobs, across multiple repositories, and often across environments. When an AI agent is given that credential, it inherits every permission the account holds, regardless of the task at hand. The result is a blast radius that expands with each new pipeline addition, and a lack of visibility that makes post-mortems a guessing game.

Current practice: shared service accounts

Shared service accounts are attractive because they are simple to create and they work with any tool that expects a username and password or a static API key. Teams embed them in CI configuration files, reference them from secret stores, and grant them broad roles that cover all downstream resources. The downside is threefold:

  • Over-privilege. A single credential can reach production databases, cloud resources, and internal services, even when the job only needs to push a Docker image.
  • Lack of audit. When a build fails or a data leak occurs, there is no per-job log that ties the action to a specific identity.
  • Credential churn. Rotating the account forces a coordinated update across every pipeline, which is error-prone and often delayed.

Because the credential travels directly from the CI runner to the target system, there is no place to inspect the traffic, enforce policies, or redact secrets that appear in command output.

Why non-human identity alone isn’t enough

Switching to non-human identity means issuing a unique OIDC or SAML token for each CI job, or for each AI-driven step. The token can be scoped to a specific role, and the identity provider can enforce short lifetimes. This eliminates the static secret, but it does not automatically give you the controls needed to manage risk:

  • The CI job still connects straight to the database or cloud API. If the token is over-scoped, the agent can still perform destructive actions.
  • There is no built-in mechanism to record the exact commands the AI agent runs, nor to mask sensitive fields that appear in logs.
  • Approval workflows are missing; the pipeline proceeds without any human checkpoint, even for high-risk operations.

In other words, non-human identity fixes the credential problem but leaves the enforcement gap wide open. The request still reaches the target directly, and the pipeline retains full control without any observable guardrails.

Putting non-human identity on the access path

To close the gap, the identity-aware proxy must sit in the data path between the CI runner and the target system. That proxy inspects every protocol exchange, applies policy checks, and records the session for later replay. This is exactly what hoop.dev provides.

Continue reading? Get the full guide.

Non-Human Identity Management + CI/CD Credential Management: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

hoop.dev sits as a Layer 7 gateway. When an AI agent initiates a connection, hoop.dev validates the non-human identity token, looks up the associated role, and then forwards the traffic to the backend only after the request has passed the configured guardrails. Because hoop.dev is the only point that can see the clear-text traffic, it can enforce the following outcomes:

  • Session recording. hoop.dev records each command and its response, creating an immutable audit trail that auditors can replay.
  • Inline masking. hoop.dev redacts fields such as passwords or API keys that appear in command output, ensuring logs never leak secrets.
  • Just-in-time approval. For commands that match a high-risk pattern, hoop.dev pauses execution and routes the request to an approver before continuing.
  • Command blocking. hoop.dev can reject dangerous statements, such as DROP DATABASE, before they reach the backend.

All of these controls are driven by the non-human identity that initiated the request, so the enforcement is always tied to a verifiable, short-lived credential. The CI pipeline never holds the backend credential, and the AI agent never sees any secret it does not need.

Deploying hoop.dev is straightforward: the quick-start guide walks you through a Docker Compose deployment that includes OIDC authentication, masking, and guardrails out of the box. Once the gateway is running, you point your CI jobs at the hoop.dev endpoint instead of the raw target, and the rest of the policy enforcement happens automatically.

Getting started

Review the getting-started documentation to see how to spin up the gateway, register a database or cloud service as a connection, and configure non-human identity providers. The open-source repository contains the compose file and example policies that you can adapt to your pipeline.

FAQ

Does hoop.dev replace my existing CI secrets manager?

No. hoop.dev stores the credentials needed to reach the backend resource, while your secrets manager can continue to hold any other secrets your build needs. The key difference is that the CI runner never sees the backend credential; hoop.dev injects it only after the request is authorized.

Can I still use existing service accounts for low-risk jobs?

Yes, but the gateway will treat them like any other credential. If you choose to route low-risk traffic through hoop.dev, you still gain session recording and auditability without changing your existing CI scripts.

How does hoop.dev handle scaling for many concurrent CI jobs?

The gateway is stateless with respect to the traffic it proxies. You can run multiple instances behind a load balancer, and each instance will enforce the same policies based on the token presented by the job.

By moving non-human identity onto the access path, you gain the visibility, control, and safety needed for AI-driven CI/CD pipelines. hoop.dev provides the single enforcement point that turns a token into a fully governed session.

Explore the source code on GitHub to see how the gateway is built and to contribute improvements.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot