Putting access controls around ChatGPT: production access for AI coding agents (on Postgres)

An offboarded contractor left the company last week, but the ChatGPT coding assistant they trained continues to run nightly data‑migration jobs against the production PostgreSQL cluster, exposing a gap in production access controls.

The assistant still holds a hard‑coded connection string and a privileged database user, and it can write to tables that store customer PII without any human ever seeing the request. Because the credential lives inside the agent’s code, the security team has no visibility into which statements are executed, when they run, or whether a developer ever reviewed the changes. The lack of audit trails and the ability for the AI to issue destructive commands directly against production violates the organization’s risk policy.

The team wants to grant the AI only the minimum rights it needs for a specific job, enforce an approval step before any schema change, mask credit‑card columns in query results, and retain a replayable record of every interaction. In other words, they need strict production access controls for an autonomous coding agent.

Why production access matters for AI coding agents

One way to identify the AI is to issue it an OIDC service‑account token that encodes its workload identity. The token can be validated by the gateway and used to look up group membership, ensuring the agent is known to the organization. However, the token alone does not change the fact that the connection still goes straight to PostgreSQL, where the database itself cannot enforce per‑query approvals, masking, or immutable logging.

How hoop.dev enforces production access

hoop.dev solves this gap by becoming the only point where traffic between the AI and the database passes. A lightweight agent runs in the same network segment as the PostgreSQL instance, while the hoop.dev gateway sits on the access path. When the AI presents its OIDC token, hoop.dev validates it, then proxies the client’s PostgreSQL protocol messages to the backend. Because the gateway holds the database credential, the AI never receives a password or TLS key.

From that position hoop.dev can enforce production access policies. It records every session, attaching the AI’s identity to each statement. It can mask columns that contain regulated data before they reach the AI’s response stream. It can require a human approver before any DDL or destructive DML operation, and it can block the command entirely if it violates a rule. All of these actions happen inside the data path, so they cannot be bypassed by changing the AI’s code.

The result is a concrete audit trail that shows who asked for what, when, and with what outcome. Replayable recordings let investigators see the exact query payload and the masked response. Because the gateway enforces just-in-time approvals, the AI can only act on data that has been explicitly authorized for the current job. This model satisfies the production access requirement without granting the AI permanent privileged credentials.

Defining production access policies for an AI

Production access begins with a clear policy document that lists the allowed SQL verbs, the maximum row count, and the specific schemas the AI may touch. hoop.dev lets you express those rules in a UI or as declarative JSON that the gateway evaluates on each incoming packet. The policy can also specify which result columns are subject to inline masking, ensuring that even if the AI is compromised it never sees raw PII.

When a rule requires human sign‑off, hoop.dev routes the request to a configurable approval channel – for example, a Slack webhook or an internal ticketing system. The request pauses at the gateway until an approver clicks “allow”. If the request is denied, hoop.dev returns a clear error to the AI and logs the denial for later review.

Replay, forensics and audit readiness

Every session is stored as a replayable stream that includes the original query, the masked result set, and any approval metadata. Security analysts can replay a session in a sandboxed environment to reproduce exactly what the AI saw and did. This capability is essential for incident response, because it provides a tamper‑evident record without relying on the database’s own logs, which the AI could have altered.

Deploying the gateway

Deploying hoop.dev follows the standard quick‑start flow. First, run the Docker Compose file that brings up the gateway and the network‑resident agent. Then register the PostgreSQL target, supply the service account that the gateway will use, and configure the masking and approval policies in the web UI. The AI continues to use its familiar PostgreSQL client libraries; the only change is the host address, which points to the gateway.

For a step‑by‑step walkthrough, see the getting‑started guide and the detailed feature documentation on the learn page. Both pages show how to create OIDC clients, define policies, and view session recordings.

FAQ

How does hoop.dev keep the database password secret from the AI?

Because the gateway stores the credential and the AI connects only to the gateway, the password never leaves the gateway process.

Can the AI still use standard PostgreSQL tools?

Yes, the gateway speaks the PostgreSQL wire protocol, so any client that works with PostgreSQL can be pointed at the gateway host.

What evidence does hoop.dev generate for auditors?

Each session is logged with the AI’s identity, the exact statements, any approvals, and a masked result set. Recordings can be replayed to demonstrate compliance with production access policies.

Can I limit which tables the AI can see?

Yes, policies can whitelist specific schemas or tables, and any attempt to query outside that list is blocked before it reaches PostgreSQL.

How are approval requests routed?

Approval channels are configurable; common choices include Slack, email, or a custom webhook that integrates with existing ticketing systems.

Explore the open‑source code on GitHub.