Putting access controls around Claude: audit trails for AI coding agents (on Snowflake)

A newly hired contractor is given access to a Claude‑powered coding assistant that automatically generates Snowflake SQL statements, but the organization lacks audit trails for those actions. The assistant runs as part of a CI pipeline, pushes queries directly to the data warehouse, and returns results to downstream jobs. No human ever sees the raw queries or the data that flows back, and the organization has no record of which statements were issued, who triggered them, or what rows were returned.

Without a centralized observation point, the team cannot answer basic forensic questions: Did the AI write a query that exposed personally identifying information? Was a privileged table accessed during a nightly batch? Did a mis‑prompt cause a costly full‑table scan? The lack of visibility makes it impossible to demonstrate compliance with internal policies or external regulations that require detailed audit trails of data access.

For AI‑driven workloads, an audit trail must capture the full request‑response cycle: the prompt sent to Claude, the generated SQL, the execution result, and any subsequent actions taken by downstream services. It should also record the identity that initiated the request, even when that identity is an automated service account, and store the information in an audit log that can be queried by auditors.

Why existing identity checks are not enough

Most organizations already enforce identity verification for service accounts that call Snowflake. An OIDC token or a short‑lived IAM role can prove that a request originates from an authorized source. However, that verification happens at the Snowflake authentication layer, after the request has already traversed the network and been processed by the database. At that point, the platform cannot retroactively apply masking, block risky commands, or insert an approval step. The request reaches the target directly, and Snowflake itself does not provide built‑in, per‑prompt audit logging for AI agents.

In other words, the identity check solves the "who is calling" question but leaves the "what did they do" and "can we intervene" questions unanswered. The system still lacks a single control surface that can enforce audit trails, inline data masking, and just‑in‑time approvals for every Claude‑generated query.

hoop.dev as the data‑path enforcement point

hoop.dev supplies a Layer 7 gateway that sits between Claude and Snowflake. The gateway acts as an identity‑aware proxy: it validates the caller’s OIDC or SAML token, maps the identity to a set of policies, and then forwards the request to Snowflake using credentials that only the gateway knows. Because the traffic passes through the gateway, hoop.dev can record each session, apply inline masking to sensitive columns, and require a human approver for queries that match risky patterns.

When a Claude agent initiates a query, hoop.dev captures the prompt, the generated SQL, and the resulting data rows. It stores this information as an audit record that includes the originating identity, timestamp, and policy decisions made (e.g., "masked column X", "approval required", "query blocked"). The gateway also supports replay of the entire session, allowing security teams to reconstruct exactly what the AI agent attempted and what Snowflake returned.

All enforcement outcomes, audit trails, masking, just‑in‑time approvals, and session recording, are possible only because hoop.dev resides in the data path. The Snowflake service never sees the raw credentials or the unmasked data; hoop.dev mediates every interaction.

Implementing audit trails for Claude on Snowflake

Start by provisioning the hoop.dev gateway in your environment. The quick‑start uses Docker Compose to launch the gateway alongside a network‑resident agent that can reach your Snowflake instance. During registration, you configure the Snowflake connection: host, port, and a service credential that the gateway will use. You also define a policy that mandates audit logging for all Claude‑originated sessions and that enables inline masking for columns marked as sensitive in your data catalog.

Next, configure your Claude integration to point at the hoop.dev endpoint instead of connecting directly to Snowflake. The Claude client continues to use its standard Snowflake driver; the only change is the network address it contacts. Because hoop.dev presents the same protocol surface, no code changes are required in the AI agent itself.

Finally, define approval workflows in hoop.dev’s policy language. For example, any query that accesses a table containing financial data can be routed to a designated reviewer before execution. If the reviewer approves, hoop.dev forwards the query; otherwise, it blocks the operation and logs the denial.

All of these steps are described in detail in the getting‑started guide and the broader learn section. The documentation shows how to map OIDC groups to policy sets, how to enable masking, and how to retrieve audit logs for downstream analysis.

FAQ

Why do I need audit trails for AI‑generated queries?
AI agents can produce unexpected or overly broad queries that expose sensitive data. An audit trail lets you trace exactly what was asked, what was returned, and who initiated the request, which is essential for compliance and incident response.

How does hoop.dev capture traffic without exposing credentials to Claude?
The gateway holds the Snowflake credential internally. Claude authenticates to hoop.dev using its own OIDC token. hoop.dev validates the token, then proxies the request to Snowflake on behalf of the agent, ensuring the agent never sees the underlying credential.

Can I keep using my existing Snowflake client tools?
Yes. Since hoop.dev speaks the same wire protocol as Snowflake, any client, psql, the Snowflake CLI, or a JDBC driver, can connect through the gateway without modification.

Get started

Explore the open‑source code on GitHub and follow the quick‑start instructions to add audit trails to your Claude‑powered Snowflake workflows today.