All posts
June 16, 20263 min read

Putting access controls around ChatGPT: guardrails for AI coding agents

A ChatGPT agent with a standing credential has one guardrail: hope. It can reach whatever the credential allows, whenever it likes, for as long as the credential lives. Swap that for scoped, per-task access and the guardrails become structural: the agent can only reach what this task needs, only while the task runs. What is being guarded here is the infrastructure connection, not the model. hoop.dev does not read or constrain what ChatGPT generates. It governs the queries and commands the agent

Free White Paper

AI Guardrails + GCP VPC Service Controls: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

A ChatGPT agent with a standing credential has one guardrail: hope. It can reach whatever the credential allows, whenever it likes, for as long as the credential lives. Swap that for scoped, per-task access and the guardrails become structural: the agent can only reach what this task needs, only while the task runs.

What is being guarded here is the infrastructure connection, not the model. hoop.dev does not read or constrain what ChatGPT generates. It governs the queries and commands the agent runs against real systems.

Standing access has no real guardrail

When access is permanent and broad, every control you add is a patch on top of an open door. The agent already holds the keys; you are just watching what it does with them. Per-task access flips the default. The door is closed until the task opens it, narrowly, and it shuts again after.

One arrangement trusts a long-lived credential to behave. The other grants only what the task needs and revokes it on completion. The second is a guardrail. The first is a log.

Why the guardrails sit outside the agent

A scope rule the agent stores is a rule the agent can rewrite. The boundary has to be enforced where the agent cannot reach it. hoop.dev, an open-source Layer 7 gateway, sits in the connection path: the ChatGPT agent reaches infrastructure through it, and scope, time limits, and command approvals are enforced on the wire.

Continue reading? Get the full guide.

AI Guardrails + GCP VPC Service Controls: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

What per-task access changes in practice

The shift from standing to per-task access changes who carries the risk between tasks. With a standing credential, the risk is constant and silent: the agent holds production reach every hour of every day, whether it is working or idle, and an attacker who compromises it inherits all of that immediately. With per-task access, the idle state carries no reach at all. There is nothing to steal between tasks, because the grant does not exist between tasks. The agent is only as dangerous as its current, scoped, time-bounded session, and that session is recorded.

That is the strongest version of a guardrail: not a rule that catches bad behavior, but a structure where the bad behavior has nothing to act on. You are not trusting the agent to stay in bounds. You are making the out-of-bounds region empty.

Steps to per-task guardrails

  1. Strip standing credentials from the agent.
  2. Define per-task access: which connection, which scope, how long.
  3. Bind the agent to a named identity via your IdP.
  4. Gate destructive commands with approval.
  5. Record sessions and confirm out-of-scope actions are refused.
# per-task grant defines the boundary
# task=fix-index scope=db:analytics:read ttl=20m identity=chatgpt-agent
# anything outside analytics, or any write, is refused at the gateway

Pitfalls

  • Per-task in name only. If the window is effectively permanent, you still have standing access.
  • Shared identity across tasks. Per-task scope needs per-agent identity to attribute and bound.
  • Prompt-level rules. A control the model is asked to honor is not enforced. Put it on the connection.

Watch the renewal pattern too. If every task quietly re-grants the same broad scope without anyone looking, you have rebuilt standing access out of a series of per-task grants. The grant should reflect what the task in front of the agent needs, not a default template that happens to allow everything because that was convenient once.

FAQ

Do these guardrails change ChatGPT's responses?

No. They govern the agent's infrastructure connections, not the model. The output is untouched.

Why is per-task access a stronger guardrail than standing access?

It closes the access window to the task, so the agent cannot reach systems outside the work in front of it, and the boundary is enforced at the gateway rather than trusted to the agent.

How is this different from just using a narrow service account?

A narrow account is still standing access; it leaks more slowly but it never closes. Per-task access removes the standing grant entirely, so between tasks there is nothing for an attacker or a misfire to use, and each grant ties to a recorded session.

Set per-task controls with the open-source gateway on GitHub. The hoop.dev learn hub covers just-in-time access, and the getting started guide walks the first scoped connection.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot