All posts
June 18, 20264 min read

Non-human identity: what it means for your access reviews (on on-prem)

Many teams assume that a service account is just another user and that reviewing its permissions is no different from reviewing a human login. The reality is that non‑human identities behave like permanent keys: engineers rarely rotate them, they share them across scripts, and they often evade the regular access‑review cycle. These gaps undermine access reviews, which depend on accurate, timely data about who used which credential. When a service account is created, engineers typically embed it

Free White Paper

Non-Human Identity Management + Access Reviews & Recertification: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

Many teams assume that a service account is just another user and that reviewing its permissions is no different from reviewing a human login. The reality is that non‑human identities behave like permanent keys: engineers rarely rotate them, they share them across scripts, and they often evade the regular access‑review cycle. These gaps undermine access reviews, which depend on accurate, timely data about who used which credential.

When a service account is created, engineers typically embed its secret in configuration files or CI pipelines. The credential sits for months, sometimes years, while the code that uses it changes dozens of times. No one looks at who actually invoked the account, what commands were run, or whether the secret was ever revoked. The result is a blind spot in the audit trail and a high‑risk vector for lateral movement.

Even when an organization enforces a policy that every non‑human identity must be provisioned through a central IAM system, the request still travels directly to the target database, Kubernetes node, or SSH host. The gateway that could enforce policy sits outside the request, but the request bypasses it. At that point the system can see that a connection was made, but it cannot enforce just‑in‑time approval, mask sensitive fields, or record the session for later review. Access reviews therefore lack the granularity needed to answer questions like “who ran this destructive command?” or “did this query expose PII?”.

Why access reviews matter for non‑human identities

Access reviews aim to ensure that every principal has only the permissions it needs at any given time. For a human user, reviewers can tie changes to role updates, onboarding, or offboarding events. For a service account, engineers often decouple the lifecycle from any human action, allowing the account to accumulate privileges long after its original purpose has faded. Without a mechanism that can intercept and log each request, reviewers must rely on static credential inventories that quickly become outdated.

In practice this gap shows up in three ways:

  • Stale permissions: A script that once needed read‑only access may later be used for migrations, but the credential still carries only read‑only scopes, causing failures or, conversely, unchecked writes if engineers broaden the scope without a review.
  • Untracked activity: When a CI job runs a database migration, the audit log often records only the service account name, not the specific SQL statements executed. This makes forensic analysis painful.
  • Credential sprawl: Secrets appear in multiple repos, Docker images, and environment variables, creating duplicate attack surfaces that reviewers cannot see.

Addressing these issues requires a control point that sits on the data path – the exact place where the request reaches the target resource.

hoop.dev as the data‑path enforcement layer

Enter hoop.dev. It is a Layer 7 gateway that proxies connections to on‑prem resources such as databases, Kubernetes clusters, SSH hosts, and internal HTTP services. By placing hoop.dev between the identity provider and the target, every request passes through a single enforcement point.

In the setup phase, the system federates identities – including service accounts – via OIDC or SAML. The gateway validates the token, extracts group membership, and decides whether the principal may start a session. This step decides *who* the request is, but it does not enforce any policy on its own.

Continue reading? Get the full guide.

Non-Human Identity Management + Access Reviews & Recertification: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

The data path is where hoop.dev inserts its guardrails. Because the gateway terminates the wire‑protocol, it can inspect each command before it reaches the backend. At this point hoop.dev can:

  • Record the full session for replay, providing the evidence needed for thorough access reviews.
  • Apply inline masking to responses that contain personally identifiable information, ensuring that downstream logs never leak sensitive data.
  • Require just‑in‑time approval for high‑risk commands, pausing execution until an authorized reviewer signs off.
  • Block disallowed statements outright, preventing accidental or malicious destructive actions.

hoop.dev creates these enforcement outcomes by sitting in the data path. If the gateway were removed, the same service account would still connect directly, and none of the above controls would apply.

How this changes the access‑review workflow

With hoop.dev in place, reviewers no longer guess which service accounts touched a database or which commands were run. The audit log now contains a per‑session record that includes the identity, timestamp, and exact statements executed. Reviewers can filter by risk level, see which sessions required manual approval, and verify that masking was applied to any PII fields.

Because the gateway holds the credential, engineers never see the raw secret. This reduces credential sprawl and eliminates the need to rotate shared keys manually. When engineers decommission a service account, hoop.dev simply revokes the associated token, instantly cutting off access without touching the underlying resource.

The just‑in‑time model means that a service account only receives the privileges it needs for the duration of a specific task. After the task completes, the session ends and the elevated rights disappear, dramatically shrinking the attack surface.

Getting started

To try this approach on your own infrastructure, follow the getting‑started guide. The documentation walks you through deploying the gateway, registering an on‑prem resource, and configuring OIDC federation for your service accounts. All of the enforcement features are available out of the box and are governed by policy files that live alongside your existing CI pipelines.

FAQ

Do I need to change my existing service‑account credentials?

No. hoop.dev can store the existing secret and present it to the target on behalf of the caller. The only change is that applications connect to hoop.dev instead of directly to the backend.

Can hoop.dev be used with multiple identity providers?

Yes. Because it acts as an OIDC/SAML relying party, you can federate users and service accounts from any provider that issues standards‑based tokens.

Will using hoop.dev add latency to my workloads?

The gateway operates at the protocol layer and adds only the minimal overhead of inspection and logging. In most environments the added latency measures in milliseconds and is outweighed by the security benefits.

Explore the source code and contribute to the project on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot