All posts
June 22, 20264 min read

Preventing Standing Access in Tool Use

When every tool invocation is gated by a just‑in‑time approval, no engineer can keep a permanent credential that outlives the task. In that ideal state, a user’s identity is verified at the moment of need, the request is inspected before it reaches the target system, and a complete record of what was done lives outside the user’s workstation. The risk of a credential lingering after a job finishes disappears, and auditors can prove who accessed what and when. Why standing access persists in ev

Free White Paper

Just-in-Time Access + Standing Privileges Elimination: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

When every tool invocation is gated by a just‑in‑time approval, no engineer can keep a permanent credential that outlives the task. In that ideal state, a user’s identity is verified at the moment of need, the request is inspected before it reaches the target system, and a complete record of what was done lives outside the user’s workstation. The risk of a credential lingering after a job finishes disappears, and auditors can prove who accessed what and when.

Why standing access persists in everyday workflows

Most teams start with the simplest way to get work done: a shared API key, a long‑lived SSH key, or a service account token baked into a configuration file. The credential is checked into source control, copied between environments, and used by scripts, CI pipelines, and even ad‑hoc debugging sessions. Because the key never expires, any new hire, contractor, or compromised machine can reuse it indefinitely. The connection goes straight from the user’s client to the database, Kubernetes cluster, or remote host, bypassing any intermediate check.

This pattern creates a “standing access” problem. The credential is effectively a master key that grants the same level of privilege regardless of the task, time of day, or risk level. If the key is leaked, an attacker can move laterally, extract data, or alter infrastructure without triggering any alert. Compliance frameworks that require evidence of intent‑based access quickly run into gaps because the system never sees the request as a discrete event.

What a tighter identity model alone does not solve

Many organizations respond by moving to federated identity providers, assigning each engineer an OIDC or SAML token, and scoping roles to the minimum set of permissions needed for a project. This is a crucial first step: it tells the authentication layer who the request is and whether it should be allowed to start. However, the token still travels directly to the target service. The gateway that could inspect the payload, enforce command‑level policies, or require an extra approval never sees the traffic.

In that configuration, the setup fixes the “who” problem but leaves the “how” and “when” problems wide open. A user can still launch a destructive command with a single click, and no audit trail exists outside the target system. Sensitive fields in query results are returned in clear text, and there is no way to block a command that matches a known dangerous pattern. The standing access risk remains because enforcement happens only at the perimeter of the identity provider, not on the actual data path.

How a Layer 7 gateway eliminates standing access

Placing a Layer 7 access gateway in the data path changes the equation. The gateway sits between the identity layer and the infrastructure target, intercepting every protocol‑level request. Because the gateway is the only path the traffic can take, it can enforce just‑in‑time approvals, mask sensitive fields in responses, block prohibited commands, and record the entire session for replay.

When a user launches a tool, the gateway checks the user’s OIDC token, looks up the required policy, and decides whether to allow the request to proceed. If the operation is high‑risk, the gateway can pause the flow and route the request to a human approver. Once approved, the request continues, but the gateway logs the command, the user identity, and the outcome. All logs are stored outside the target system, providing evidence that can be queried for audits.

Continue reading? Get the full guide.

Just-in-Time Access + Standing Privileges Elimination: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Because the gateway never hands the credential to the client, the “agent never sees the secret” principle holds. The credential is stored only in the gateway’s configuration, reducing the blast radius of a leak. Inline masking ensures that sensitive columns, such as credit‑card numbers or personal identifiers, are redacted before they ever reach the user’s terminal.

What to watch for in your own environment

  • Shared or hard‑coded credentials in code repositories, CI pipelines, or configuration files.
  • Long‑lived service account tokens that are not rotated on a regular schedule.
  • Direct connections from client machines to databases or clusters without an intervening proxy.
  • Absence of command‑level audit logs that can tie a specific query to an individual identity.
  • Unmasked data in query results that could expose personally identifiable information.

Identifying any of these signals is the first step toward eliminating standing access. Once you have a clear inventory, you can replace the direct path with a gateway that enforces the missing controls.

Getting started with a gateway solution

hoop.dev provides an open‑source, MIT‑licensed gateway that implements exactly this data‑path approach. It supports PostgreSQL, MySQL, SSH, Kubernetes, and many other targets out of the box. The documentation walks you through deploying the gateway with Docker Compose, configuring OIDC authentication, and registering your resources. After the gateway is in place, every tool invocation is automatically subject to the policies you define.

For a quick start, see the getting‑started guide. The learn section explains how to define masking rules, approval workflows, and session recording. The full source code and contribution guide are available on GitHub.

FAQ

Does this replace my existing identity provider?

No. The gateway consumes the identity token issued by your provider (Okta, Azure AD, Google Workspace, etc.). It adds enforcement on the data path without altering the authentication flow.

Can I still use my existing CI/CD pipelines?

Yes. CI jobs can invoke the gateway just like any other client. The gateway will apply the same policies, ensuring that automated jobs do not bypass standing‑access controls.

What evidence does the gateway provide for auditors?

Every session is recorded with the user identity, timestamp, command, and outcome. Logs are stored outside the target system, making them available for SOC 2, ISO, or any custom audit requirement.

Explore the implementation and contribute to the project on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot