When an AI coding assistant has unrestricted access to a production data warehouse, a single mis‑prompt can expose personally identifiable information, inflate cloud bills, or even corrupt critical tables. The financial and reputational cost of such an incident far outweighs the convenience of handing a service account key to an LLM.
Many teams today give ChatGPT‑powered agents a static credential that directly accesses BigQuery. The credential is often shared across multiple projects, stored in CI pipelines, or embedded in environment variables. Because the connection bypasses any control plane, there is no record of which query was run, who triggered it, or whether the result contained sensitive fields. Data exfiltration, accidental data loss, and audit failures become inevitable.
Why identity alone isn’t enough for database access
Moving to an OIDC‑based identity for the AI agent is a step forward. The agent can now present a token that proves it belongs to a specific service account, and the token can be scoped to a particular BigQuery dataset. However, the request still travels straight to BigQuery. The gateway that would normally enforce policy is missing, so the agent can still issue a DROP TABLE or retrieve an entire column of credit‑card numbers without any oversight.
Introducing hoop.dev as the enforcement point
hoop.dev sits in the data path between the AI agent and BigQuery. It validates the OIDC token, checks the request against policy, and then forwards the query to the database. Because hoop.dev is the only place the traffic passes, it can apply the full suite of controls needed for safe database access.
When a query reaches hoop.dev, the gateway can:
- Mask sensitive columns in the response, ensuring that credit‑card numbers or social‑security numbers never leave the gateway.
- Require a human approver before executing statements that alter schema or export large data sets.
- Block commands that match a risky pattern, such as DROP DATABASE or DELETE FROM without a WHERE clause.
- Record the entire session, including the original query, the masked result, and the approving user, so auditors have a complete replayable trail.
All of these outcomes happen because hoop.dev is the sole proxy that the traffic traverses. Without hoop.dev in the path, none of the above controls could be guaranteed.
Architectural flow for ChatGPT‑driven BigQuery access
1. The AI agent obtains an OIDC token from the organization’s identity provider.
2. The token is presented to hoop.dev when the agent initiates a BigQuery client session.
3. hoop.dev verifies the token, extracts group membership, and determines the allowed datasets.
4. The SQL statement is inspected; if it touches a protected column, hoop.dev masks that column in the response.
5. If the statement is classified as high‑risk, hoop.dev routes it to an approval workflow before forwarding it to BigQuery.
6. The query is executed, the result is returned through hoop.dev, and the entire interaction is logged for replay.
This model provides just‑in‑time, identity‑aware access while keeping an audit trail. It also reduces blast radius because any dangerous command can be stopped before it reaches the database.
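The decision steps in the flow above (block, require approval, mask, record) can be sketched as follows. This is an added example, not hoop.dev's code or policy format; the regex rules, the protected column names, and the function names `classify`, `mask`, and `handle` are assumptions made for illustration.

```python
import re

# Constructed policy; these patterns and column names are assumptions.
BLOCKED = [
    re.compile(r"^\s*DROP\s+DATABASE\b", re.I),
    re.compile(r"^\s*DELETE\s+FROM\b(?!.*\bWHERE\b)", re.I | re.S),
]
NEEDS_APPROVAL = re.compile(r"^\s*(DROP|ALTER|TRUNCATE|EXPORT)\b", re.I)
PROTECTED_COLUMNS = {"card_number", "ssn"}
# Quoted literals/identifiers first, then the three comment styles.
LEXEME = re.compile(
    r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|`[^`]*`"
    r"|--[^\n]*|#[^\n]*|/\*.*?\*/", re.S)


def statements(sql):
    """Neutralise literals and drop comments so a ';' or 'WHERE' hidden in
    either cannot change the verdict, then split into statements."""
    flat = LEXEME.sub(lambda m: " q " if m.group()[0] in "'\"`" else " ", sql)
    return [s for s in flat.split(";") if s.strip()]


def classify(sql):
    """Return 'block', 'approve' or 'allow'; the strictest statement wins."""
    verdict = "allow"
    for stmt in statements(sql):
        if any(p.search(stmt) for p in BLOCKED):
            return "block"
        if NEEDS_APPROVAL.search(stmt):
            verdict = "approve"
    return verdict


def mask(rows):
    """Redact protected columns by result-column name (aliases are not
    resolved here; that needs query analysis)."""
    return [{k: "****" if k.lower() in PROTECTED_COLUMNS else v
             for k, v in row.items()} for row in rows]


def handle(identity, sql, run_query, approver=None, audit_log=None):
    """Decide, execute only if permitted, mask, and record the session."""
    verdict = classify(sql)
    executed = verdict == "allow" or (verdict == "approve" and bool(approver))
    rows = mask(run_query(sql)) if executed else []
    record = {"identity": identity, "query": sql, "verdict": verdict,
              "approver": approver, "executed": executed, "result": rows}
    if audit_log is not None:
        audit_log.append(record)
    return record
```

Pattern matching of this kind is a coarse filter; triple-quoted and raw string literals are not handled, so a gateway relying on it in production would pair it with a real SQL parser.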
Getting started
To protect your BigQuery workloads, start by deploying the hoop.dev gateway using the official getting‑started guide. The guide walks you through installing the Docker Compose stack, configuring OIDC integration, and registering a BigQuery connection. Detailed feature explanations are available in the learn section. All source code and deployment manifests are open‑source on GitHub: https://github.com/hoophq/hoop.
FAQ
Do I need to change my existing BigQuery credentials?
No. hoop.dev stores the credential used to talk to BigQuery, so your existing service account can remain unchanged. The AI agent never sees the credential; it only presents an identity token.
Can hoop.dev mask only specific columns?
Yes. Policies can be defined per dataset or per column, allowing you to hide personally identifiable information while leaving other data visible to the AI agent.
What audit evidence does hoop.dev provide?
hoop.dev records each session, the identity that initiated it, any approvals granted, and the final masked result. This evidence can be exported for compliance reviews or incident investigations.