All posts
June 15, 20263 min read

Putting access controls around Claude: audit trails for AI coding agents

A reviewer points at a line in your logs and asks who let a coding agent into the production database last Tuesday, what it read, and what stopped it from reading more. If the honest answer is that the agent had a standing credential and kept its own notes, the finding writes itself. Audit trails are what let you answer those questions without flinching, and for an AI coding agent like Claude they have to be built before the review, not assembled the week of it. Walk this from the review backwa

Free White Paper

AI Audit Trails + GCP VPC Service Controls: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

A reviewer points at a line in your logs and asks who let a coding agent into the production database last Tuesday, what it read, and what stopped it from reading more. If the honest answer is that the agent had a standing credential and kept its own notes, the finding writes itself. Audit trails are what let you answer those questions without flinching, and for an AI coding agent like Claude they have to be built before the review, not assembled the week of it.

Walk this from the review backward. Start with what a reviewer wants to see, then build the audit trails that produce it.

The questions a review actually asks

A review of an agent's access to your systems comes down to a short set of questions:

  • Who, specifically, had access, and was it a distinct agent identity or a shared account?
  • What could the agent reach, and was it the least the task required?
  • When did access begin and end, and why did it end when it did?
  • Who or what approved it?
  • What did the agent do during the session, and was sensitive data masked on the way back?
  • Where do these records live, and can the agent alter them?

Standing credentials answer almost none of these cleanly. A shared account that the agent assumes cannot say who or why, and a credential that never expires cannot say when access ended.

How real audit trails answer them

Good audit trails turn each question into a recorded fact. Access is requested by a named agent identity, scoped to the task, granted for a window, approved by policy or a person, and the session is recorded with sensitive data masked inline. The review stops being an archaeology project and becomes a query: pull the agent's connections for that system and that day, and every one carries its identity, scope, duration, approver, and recording.

This only holds if the audit trails are produced by something the agent does not control. If Claude issues its own access and writes its own log, the reviewer is reading the suspect's diary. The issuing and recording layer has to sit outside the agent process, where the agent can connect through it but cannot rewrite what it says. That is the architectural requirement that makes audit trails worth presenting.

Continue reading? Get the full guide.

AI Audit Trails + GCP VPC Service Controls: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

hoop.dev is built to that requirement. Claude reaches your databases, hosts, and services through hoop.dev, a Layer 7 access gateway, instead of holding credentials. Access is granted per task against the agent identity, data is masked inline on the response, and each session is recorded on the gateway side where the agent has no write path. The audit trail accumulates as the work happens, in one place, outside the thing being reviewed. The learn pages explain the access and recording model, and the getting-started docs cover fronting the systems the agent uses.

A walkthrough of one request under review

Trace a single grant the way a reviewer would. The agent requested read access to a production table at 14:02. Policy matched the agent identity to an allowed scope and opened a connection to that one database, set to close at 14:12. The session recording shows the query and the masked rows that came back, and nothing else. The connection closed on schedule. Every question above is answered by that one record, and none of the answers depend on trusting the agent.

Notice what the reviewer did not have to do. They did not cross-reference three systems to figure out which agent was behind a shared account. They did not ask an engineer to remember why access was granted. They did not accept the agent's own log as proof. The grant carried its own justification, and the recording sat next to it.

What changes for the team being reviewed

The quieter benefit is that audit trails built this way turn the review from an event you brace for into a property of the system. When every connection is already scoped, time-boxed, approved, masked, and recorded outside the agent, there is no scramble to assemble evidence, because the evidence was correct the day it was written. A review becomes a query against records you can trust.

FAQ

Do audit trails replace our existing logging?

No, they strengthen it. Audit trails at the access boundary make each connection a discrete, attributable event tied to identity and task, which is what gives the rest of your logging something precise to corroborate.

What is the single most important property of an agent's audit trail?

That the agent cannot alter it. A record inside the agent's reach fails in precisely the scenario you keep audit trails for. Keep it outside the agent process.

hoop.dev is open source. To build audit trails around every connection your coding agent makes, start with the repository on GitHub.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot