Non-human identity: what it means for your audit trail (on on-prem)

Imagine a CI pipeline that still runs a job created by an engineer who left six months ago. The job uses a hard‑coded service account token stored in a repository, and the token grants unrestricted read‑write access to a production database. No one notices that the token is still active, and the pipeline continues to issue queries that modify critical tables. Weeks later, an audit request arrives asking who changed a set of rows. The lack of an audit trail becomes obvious when the logs show only the service account name, not the human operator, and the database itself has no record of which command originated from which CI run.

This pattern is common on‑prem. Teams provision non‑human identities, service accounts, CI tokens, automation bots, once and then forget about them. The identities are often granted broad privileges to simplify scripting. Because the credential lives outside any human‑centric workflow, there is no built‑in approval step, no per‑request justification, and no reliable audit trail that ties an action back to a responsible entity.

Even when organizations adopt least‑privilege principles for these identities, the enforcement point remains the target system. The request travels directly from the automation process to the database, SSH host, or Kubernetes API. The target sees a valid credential and executes the command without any intermediate check. No session is recorded, no data is masked, and no approval gate exists. The audit trail, if any, is limited to a single line in the target’s generic log, which often lacks context such as the originating pipeline, the triggering commit, or the user who approved the change.

Why audit trail matters for non‑human identities

Regulators and internal auditors expect evidence that every privileged operation can be traced to an accountable entity. When a service account performs an action, the audit trail should include:

The identity that initiated the request (service account name, CI job ID, or automation workflow).
The exact command or query executed.
The time and source host of the request.
Any policy enforcement that occurred, such as masking of sensitive fields or a required human approval.

Without a centralized enforcement point, each backend system maintains its own logs, which are difficult to correlate. Engineers spend hours stitching together disparate log files, and critical gaps remain when a system does not log a particular attribute.

Setting up non‑human identities securely

Proper setup starts with identity provisioning. Use OIDC or SAML‑backed tokens for service accounts, rotate credentials regularly, and bind each token to a narrowly scoped role. Deploy these identities through an identity provider that can issue short‑lived assertions. This setup determines who may start a request, but on its own does not provide any audit capability.

Even with tight scopes, the request still reaches the target directly. The target validates the token, sees that the role permits the operation, and executes it. No visibility into the request’s context is captured beyond the target’s native log line.

Continue reading? Get the full guide.

Non-Human Identity Management + Audit Trail Requirements: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

hoop.dev as the data‑path enforcement layer

hoop.dev sits between the non‑human identity and the infrastructure resource. By proxying the connection, it becomes the only place where policy can be applied. hoop.dev records every session, captures the full command stream, and stores the evidence for later review. Because the gateway owns the credential, the downstream system never sees the raw token, eliminating credential leakage.

When a request arrives, hoop.dev checks the identity against the configured policy, routes risky commands to a human approver, and can mask sensitive response fields before they reach the automation process. Each of these actions is part of the audit trail that hoop.dev generates.

Enforcement outcomes you gain

hoop.dev records each session, creating a replayable audit trail that ties every command to the originating service account and CI job.
hoop.dev masks credit‑card numbers, passwords, or PII in query results, ensuring that downstream logs never contain raw secrets.
hoop.dev enforces just‑in‑time approval for high‑risk operations, inserting a human decision point that is reflected in the audit record.
hoop.dev blocks prohibited commands before they reach the target, reducing the blast radius of a compromised token.

All of these outcomes exist only because hoop.dev occupies the data path. If the gateway were removed, the same non‑human identity would connect directly to the database, and none of the above protections would be present.

Getting started

Deploy the gateway near your on‑prem resources using the Docker Compose quick‑start. Configure your service accounts in the identity provider, then register the target connections in hoop.dev. The documentation walks through setting up OIDC authentication, defining per‑resource policies, and enabling session recording.

For a step‑by‑step guide, see the getting‑started guide. To explore the full feature set, visit the learn section of the website.

FAQ

Do I need to change my existing service account credentials?

No. hoop.dev stores the credential internally and presents a short‑lived token to the downstream system, so existing credentials can be imported without code changes.

Can I still use my CI pipelines unchanged?

Yes. CI jobs connect to hoop.dev using the same client tools (psql, kubectl, ssh). The gateway transparently applies policies, so the pipeline logic remains the same.

How long are the audit records retained?

Retention is a configuration choice in the gateway. The platform is designed to keep a record for the period required by your compliance program.

Explore the open‑source code on GitHub to see how the gateway implements these controls.